Xref: utzoo sci.crypt:1406 comp.unix.wizards:13599 news.sysadmin:1973 Path: utzoo!utgpu!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!bloom-beacon!bu-cs!encore!gloom!cory From: cory@gloom.UUCP (Cory Kempf) Newsgroups: sci.crypt,comp.unix.wizards,news.sysadmin Subject: password security Message-ID: <259@gloom.UUCP> Date: 20 Dec 88 19:24:28 GMT References: <11013@ulysses.homer.nj.att.com> <2308@cuuxb.ATT.COM> <4420@xenna.Encore.COM> Reply-To: cory@gloom.UUCP (Cory Kempf) Organization: Alloy Computer Products, Framingham Mass. Lines: 47 In article <4420@xenna.Encore.COM> bzs@Encore.COM (Barry Shein) writes: > >Given a 100 character character set and 8 characters in a password >the search space is 100^8 which is: > > 10,000,000,000,000,000 Except for one little problem... I don't think that the average secretary is capable of remembering a password like 'z&B_= ^W4' If she is given the chance to select a password for herself (I am using the female form 'cause the secretary here is female), she is most likely going to choose one that can be found in either a dictionary or a list of names. (For that matter, so will a lot of people who 'know better'). As has been shown, the search space is considerably reduced... to the point that on a machine with 20 users, the chances of finding a valid password are fairly good. By increasing the number of significant characters, the chances of an easily guessed password drop. >Currently even fast DES implementations on fast processors can't seem >to hit 1,000 encryptions per second although it's probably possible, >let's allow 20,000 encryptions per second, a brute force search would >now take: > 500,000,000,000 >500 billion seconds or almost 16,000 years. Even improving *that* by a >factor of 1,000 (ie. 20,000,000 encryptions per second) wouldn't leave >much hope for the cracker (16 continuous machine-years.) I wonder... with Thinking Machine's offer to allow people on the internet to access a Connection Machine, has anyone tried to write an algm. for brute force password testing for such a machine? (ie with 64k processors, each at 1000 encryptions a second it is down to about 3 mos. -- unfortunately, I don't know enough about the connection machine and DES to know how reasonable this is... (mean time 'till success would be around 1.5 months -- shorter if the seach is set up with a bit of forethought (ie start with unshifted keys, then shifted, then control, etc] Besides, it would make me feel better if someone who managed to watch me key in a password (I try to avoid this) had to catch more than 8 characters... +C -- Cory (...your bravest dreams, your worst nightmare...) Kempf UUCP: encore.com!gloom!cory "...it's a mistake in the making." -KT