Xref: utzoo sci.crypt:1408 comp.unix.wizards:13609 news.sysadmin:1975
Path: utzoo!attcan!uunet!lll-winken!lll-lcc!ames!mailrus!husc6!bu-cs!encore!bzs
From: bzs@Encore.COM (Barry Shein)
Newsgroups: sci.crypt,comp.unix.wizards,news.sysadmin
Subject: Re: password security
Message-ID: <4444@xenna.Encore.COM>
Date: 21 Dec 88 00:44:33 GMT
References: <11013@ulysses.homer.nj.att.com> <2308@cuuxb.ATT.COM> <4420@xenna.Encore.COM> <259@gloom.UUCP>
Organization: Encore Computer Corp, Marlboro, MA
Lines: 46
In-reply-to: cory@gloom.UUCP's message of 20 Dec 88 19:24:28 GMT
Posting-Front-End: GNU Emacs 18.41.15 of Tue Jun  9 1987 on xenna (berkeley-unix)


From: cory@gloom.UUCP (Cory Kempf)
>>Given a 100 character character set and 8 characters in a password
>>the search space is 100^8 which is:
>>
>>	10,000,000,000,000,000
>
>Except for one little problem... I don't think that the average
>secretary is capable of remembering a password like 'z&B_= ^W4'

The average secretary I know is bright enough to understand rules like
"use two short words with some upper-case letters and/or digits thrown
in and separated by a punctuation, like "Hey!Jude" "FidoIS#1". Very
hard to guess, very easy to remember, next...

>>500 billion seconds or almost 16,000 years. Even improving *that* by a
>>factor of 1,000 (ie. 20,000,000 encryptions per second) wouldn't leave
>>much hope for the cracker (16 continuous machine-years.)
>
>I wonder... with Thinking Machine's offer to allow people on the
>internet to access a Connection Machine, has anyone tried to write
>an algm. for brute force password testing for such a machine?  (ie 
>with 64k processors, each at 1000 encryptions a second it is down
>to about 3 mos. -- unfortunately, I don't know enough about the
>connection machine and DES to know how reasonable this is... (mean
>time 'till success would be around 1.5 months -- shorter if the seach
>is set up with a bit of forethought (ie start with unshifted keys, then
>shifted, then control, etc]

Cargo cult worship, each CM processor is not very fast (that's part of
the point, use lots of small processors and try to beat the
price-performance curves), I mean, we can fantasize and postulate a
machine which *can* break a password in some reasonable amount of time
at which point of course it becomes doable.  But it doesn't exist, so
what's the point?

>Besides, it would make me feel better if someone who managed to 
>watch me key in a password (I try to avoid this) had to catch
>more than 8 characters...

Well, if what we're really talking about is making you and others
*feel* better rather than trying to understand security a little
better and gauge effective methods to obtain reasonable security
levels then that explains everything. Perhaps security would be
improved on your system by throwing back a good double of Scotch?

	-Barry Shein, ||Encore||