Bob Dubner
(Super Imperial Member)
08/06/16 12:47 AM
Password Security....should you change it often?

Ward, this conversation is -- sort of -- demonstrating why even 8-character
passwords are no longer considered automatically safe.

As I said elsewhere, modern cracking programs on GPU equipped computers can
try about 2.8 billion passwords per second. 26**8 is about 209 billion, and
such a program would take about 75 seconds to go through all of them.

So, yeah, 1,045 times that would be 22 hours.

And as Nancy points out, the bad guys would have created a dictionary of all
of those possibilities. I haven't really designed a system, but suppose the
hash is 256 bits. Storing 209 billion of those would be about 7 terabytes,
which is about $200 of disk storage these days. Fussing and fiddling with
hash storage techniques means that it would take a few milliseconds to come
up with your password. And that covers *every* possible 8-character
lower-case password for a particular hashing algorithm.

Again, I am not the first person to figure this out; modern password
encryption has grown complicated for the express purpose of reducing
vulnerability to dictionary attacks. Googling "rainbow table" will give you
an idea about how the ever-escalating arms war in passwords and password
crackers has evolved.

Passwords are an area where the bad guys have infinite time and infinite
resources to break the efforts of the good guys. Strange and wonderful
things happen as a result. So my back of the envelope guesswork here is
naive and criminally incomplete; the bad guys are much more advanced than I
am after thinking about it for almost fifteen whole minutes.
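As an added illustration (example code, not part of Bob's post), the arithmetic above in Python, plus a toy lookup table showing why a per-user salt defeats the precomputed dictionary he describes. The 2.8 billion guesses/s rate and the 256-bit hash size are taken from the post; the 3-character toy keyspace, the 16-byte salt and the use of SHA-256 are constructed here for the demonstration.

```python
import hashlib
import itertools
import string

GUESSES_PER_SECOND = 2.8e9   # GPU cracking rate quoted in the post
DIGEST_BYTES = 32            # the post assumes a 256-bit hash


def keyspace_size(alphabet_size: int, length: int) -> int:
    """Candidates of exactly `length` characters, e.g. 26**8 for lower-case."""
    return alphabet_size ** length


def brute_force_seconds(candidates: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Time to try every candidate once at `rate` guesses per second."""
    return candidates / rate


def table_bytes(candidates: int, digest_bytes: int = DIGEST_BYTES) -> int:
    """Storage for one precomputed digest-per-candidate dictionary (digests only)."""
    return candidates * digest_bytes


def salted_table_bytes(candidates: int, users: int) -> int:
    """Unique per-user salts force the attacker to build one dictionary per user."""
    return table_bytes(candidates) * users


def unsalted_hash(password: str) -> bytes:
    """Plain SHA-256: the same password always yields the same digest."""
    return hashlib.sha256(password.encode()).digest()


def salted_hash(password: str, salt: bytes) -> bytes:
    """SHA-256 over salt||password: a dictionary built without this salt is useless."""
    return hashlib.sha256(salt + password.encode()).digest()


def precomputed_table(alphabet: str, length: int) -> dict:
    """Toy stand-in for the attacker's dictionary: every unsalted digest of a
    tiny keyspace (26**3 = 17,576 entries here, constructed for the demo)."""
    return {unsalted_hash("".join(c)): "".join(c)
            for c in itertools.product(alphabet, repeat=length)}


def recover(table: dict, digest: bytes):
    """Dictionary lookup; None means the precomputation did not apply."""
    return table.get(digest)


if __name__ == "__main__":
    n = keyspace_size(26, 8)
    print(f"26**8 = {n:,}; {brute_force_seconds(n):.0f} s to exhaust; "
          f"{table_bytes(n) / 1e12:.1f} TB of digests")
    table = precomputed_table(string.ascii_lowercase, 3)
    salt = b"constructed-salt"          # 16 bytes, constructed for the demo
    print("unsalted lookup:", recover(table, unsalted_hash("cat")))
    print("salted lookup:  ", recover(table, salted_hash("cat", salt)))
```

Real password storage goes one step further than salting and uses a deliberately slow hash (bcrypt, scrypt, Argon2), so the per-guess rate an attacker can reach falls far below the 2.8 billion per second figure used here.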

