If you have 40 char pswd and attacker knows length how long to crack?

Discussion in 'privacy technology' started by Klawdek, Sep 27, 2010.

1. Klawdek, Registered Member (joined Sep 27, 2010; 16 posts)
OK we are assuming a product like Truecrypt that uses an accepted encryption algorithm like AES. And, a strong password is used (no words, sequences of 3 characters, includes upper and lower case and special symbols).

If the attacker knows the strong password is 40 characters how long to brute force it?

A more realistic scenario is the attacker does not know the length but knows you would not have used anything less than 20 characters so he starts with 20 character in his brute force attack. How long to crack 40 character strong password when attacker starts with 20 characters?

2. LockBox, Registered Member (joined Nov 20, 2004; 2,275 posts; location: Here, There and Everywhere)
Your question cannot be answered with any kind of specificity. There are too many variables. The answer could range from "who knows" (NSA) to probably hundreds of years with current technology. In other words, it depends on the computing power you're throwing at it. I think probably only the NSA has the capability to brute force the above scenario in our lifetime.

3. redcell, Registered Member (joined Sep 27, 2010; 126 posts)
My password is 70+ characters long and plan to double it soon. I recommend you do the same.

5. chronomatic, Registered Member (joined Apr 9, 2009; 1,343 posts)
If you are using all ASCII printable characters as your character set (94 possible characters excluding the spacebar) and you chose the password completely at random (say with a secure RNG or a set of dice), then it would have 262 bits of entropy.

A modern GPU (like Nvidia Teslas) can calculate a billion or so passwords per second. If you put one of these GPUs on every square inch of the earth's land surface, it would take it 6.8 x 10^44 years to brute force your 40 character password (on average). The universe itself is only 1.3 x 10^10 years old, so it would take exponentially longer than the age of the universe even if all computers on earth worked on it at once.

In other words, you're safe.
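The arithmetic behind the post above, as an added worked example (not code from the thread or from any product mentioned in it). It also covers the original question's second scenario, where the attacker does not know the length and starts enumerating at 20 characters. The land-area, square-inch and per-GPU guess-rate constants are assumptions chosen to reproduce the "one GPU per square inch of land" thought experiment; the 94-character set is the one the post names.

```python
import math

# Character set from the post: the 94 printable ASCII characters excluding space.
ALPHABET = 94
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumptions for the "one GPU per square inch of land" thought experiment
# (not figures from the post): ~1.49e14 m^2 of land, 1550 in^2 per m^2,
# and 1e9 guesses per second per GPU.
LAND_AREA_M2 = 1.49e14
SQ_INCH_PER_M2 = 1550.0
GUESSES_PER_GPU_PER_SECOND = 1e9


def entropy_bits(alphabet_size, length):
    """Entropy of a uniformly random password of `length` symbols from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def keyspace(alphabet_size, min_len, max_len):
    """Exact number of candidates over every length in [min_len, max_len] (big ints)."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def expected_guesses(alphabet_size, start_len, target_len):
    """Average guesses to hit a random password of `target_len` when the attacker
    enumerates length by length starting at `start_len`: every shorter length is
    exhausted, then on average half of the target length's space."""
    shorter = keyspace(alphabet_size, start_len, target_len - 1) if target_len > start_len else 0
    return shorter + alphabet_size ** target_len // 2


def years_to_crack(guesses, guesses_per_second):
    return guesses / guesses_per_second / SECONDS_PER_YEAR


def earth_gpu_rate():
    """Aggregate guess rate of one GPU on every square inch of land (assumption above)."""
    return LAND_AREA_M2 * SQ_INCH_PER_M2 * GUESSES_PER_GPU_PER_SECOND


def length_known_vs_unknown(alphabet_size, start_len, target_len):
    """Ratio of expected guesses when the attacker must also burn through lengths
    start_len..target_len-1 versus knowing the true length up front."""
    known = expected_guesses(alphabet_size, target_len, target_len)
    unknown = expected_guesses(alphabet_size, start_len, target_len)
    return unknown / known


if __name__ == "__main__":
    rate = earth_gpu_rate()
    print(f"40 random chars from {ALPHABET}: {entropy_bits(ALPHABET, 40):.1f} bits")
    print(f"length known:  {years_to_crack(expected_guesses(ALPHABET, 40, 40), rate):.2e} years")
    print(f"start at 20:   {years_to_crack(expected_guesses(ALPHABET, 20, 40), rate):.2e} years")
    print(f"penalty for not knowing the length: x{length_known_vs_unknown(ALPHABET, 20, 40):.4f}")
```

The part the thread does not spell out: because each extra character multiplies the space by 94, all the shorter lengths from 20 to 39 together are only about 1% of the 40-character space, so an attacker who knows the exact length saves almost nothing. The length-40 figure dominates either way.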

6. lotuseclat79, Registered Member (joined Jun 16, 2005; 5,028 posts)
Try using the tool known as Thor's Godly Privacy aka TGP (apparently Windows only) which is referenced in the article Crypto tool predicts password cracking time.

Or, more easily, TGP can be tried online here which is an interesting read aside from being able to test your password strength. Note: this web page supports https, and recommends not to use real passwords in the test.

How Passwords Get Cracked. It has a table of how long it takes with various lengths of passwords.

40 and 70+ characters is overkill. Use both upper+lower case characters, numbers and special characters, and you should be good to go with 12-14 characters depending on how paranoid you are. I have found it is easy to remember a password if you construct an easy to remember sentence (with the above character recommendations). Of course, the time it takes to crack a password depends on three main things, the length and complexity of your password, the speed of the hacker’s computer, and the speed of the hacker’s Internet connection. So, all in all, it depends on if your computer/storage device has been physically seized, and the amount of resources those trying to crack your password have to throw at the problem.

-- Tom

Last edited: Sep 29, 2010
7. CloneRanger, Registered Member (joined Jan 4, 2006; 4,833 posts)

I got some weird results.

Chose about:config as the PW to see how 2 words and a character fared.

Selected 10k per sec

Selected 1B per sec

Unless I'm reading it incorrectly, etc., the 10k is years better, when it should be the other way round.

Even so, at only 10k I find it hard to believe it would take as long as it says?

@ lotuseclat79

9. dantz, Registered Member (joined Jan 19, 2007; 991 posts; location: Hawaii)
It's not just a matter of how fast you can calculate a password list. Each potential password also has to be tested for validity by running it through the various algorithms, number of rounds, etc., and this will consume significant computational resources that can slow down a brute-force attack by thousands or even millions of cycles. If the password requires 10,000 iterations before it will generate the key then the brute-forcer must follow the same path during each password attempt. Many encryption products utilize this type of strategy in order to increase resistance to brute-force attacks.

For example, my fastest home PC (a Pentium dual-core) can generate thousands of passwords per second, but because of the computational overhead it can only test 4 pw/second against an encrypted TrueCrypt container. Even a "bananadog" password would take quite a while to crack under these conditions.

Of course, an attacker with deep pockets and specialized hardware could run the attack much, much faster, especially if he ran it on thousands or millions of CPUs in parallel.
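To make the iteration-count point concrete, here is an added example (not the poster's code and not how TrueCrypt or any other product actually lays out its header): a toy "container" whose password check runs the candidate through PBKDF2-HMAC-SHA512 for a configurable number of iterations, a brute-forcer that has to pay the same cost on every guess, and a measurement of how much the iteration count slows the attacker. The verifier construction, the magic string and the candidate word list are all constructed for the example.

```python
import hashlib
import hmac
import os
import time
from typing import List, Optional, Tuple

HASH = "sha512"
KEY_LEN = 32
HEADER_MAGIC = b"TOY-VOLUME-HEADER"  # constructed stand-in for a real container's header check


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC: every guess, right or wrong, costs `iterations` HMAC computations."""
    return hashlib.pbkdf2_hmac(HASH, password.encode("utf-8"), salt, iterations, dklen=KEY_LEN)


def make_container(password: str, iterations: int, salt: Optional[bytes] = None) -> dict:
    """Toy 'encrypted container' keeping only what a password check needs:
    the salt, the iteration count and a verifier tag under the derived key."""
    salt = salt if salt is not None else os.urandom(16)
    key = derive_key(password, salt, iterations)
    verifier = hmac.new(key, HEADER_MAGIC, HASH).digest()
    return {"salt": salt, "iterations": iterations, "verifier": verifier}


def unlock(container: dict, candidate: str) -> bool:
    """What the legitimate user and the attacker both have to do per password."""
    key = derive_key(candidate, container["salt"], container["iterations"])
    tag = hmac.new(key, HEADER_MAGIC, HASH).digest()
    return hmac.compare_digest(tag, container["verifier"])


def brute_force(container: dict, candidates: List[str]) -> Tuple[Optional[str], int, float]:
    """Try candidates in order; returns (password or None, guesses tried, guesses per second)."""
    start = time.perf_counter()
    tried, found = 0, None
    for cand in candidates:
        tried += 1
        if unlock(container, cand):
            found = cand
            break
    elapsed = max(time.perf_counter() - start, 1e-9)
    return found, tried, tried / elapsed


def slowdown_factor(fast_iterations: int, slow_iterations: int, guesses: int = 20) -> float:
    """Ratio of guess rates between a weakly and a strongly stretched container,
    measured on wrong guesses so that every candidate is evaluated in full."""
    wrong = [f"wrong-guess-{i}" for i in range(guesses)]
    salt = b"\x00" * 16
    fast = make_container("correct horse", fast_iterations, salt)
    slow = make_container("correct horse", slow_iterations, salt)
    _, _, fast_rate = brute_force(fast, wrong)
    _, _, slow_rate = brute_force(slow, wrong)
    return fast_rate / slow_rate


# Constructed candidate list; "bananadog" is the weak password the post mentions.
WORDLIST = ["password", "letmein", "banana", "dog", "bananadog", "bananadog1"]

if __name__ == "__main__":
    for iters in (1, 1000, 100_000):
        c = make_container("bananadog", iters)
        pw, n, rate = brute_force(c, WORDLIST)
        print(f"{iters:>7} iterations: found {pw!r} after {n} guesses at {rate:,.0f} guesses/s")
    print(f"1 -> 100000 iterations slows the attacker by about x{slowdown_factor(1, 100_000, 5):,.0f}")
```

The stretching buys a constant factor, roughly equal to the iteration count, not extra entropy: "bananadog" still falls to a short word list, it just takes the attacker proportionally longer per candidate. That is why the post's 4 pw/second on a desktop is consistent with GPU farms that test a billion unstretched hashes per second.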

10. Warlockz, Registered Member (joined Oct 30, 2008; 642 posts)

? The Grid ?

11. chronomatic, Registered Member (joined Apr 9, 2009; 1,343 posts)
To reiterate what I said above, I will post a screenshot of a little password generating app that I wrote for fun. It gives brute forcing times once the password is generated. Here is an example of a 40 character password (using A-Z, a-z, 0-9 as the character set).

12. TheMozart, Former Poster (joined Jan 6, 2010; 1,486 posts)
I am going to send you an encrypted .rar file that contains just 12 characters as password, and you crack it and tell me what it says in the text file that is in the encrypted .rar file. I look forward to your reply.

Where can I send you the rar file, or do you want me to upload it somewhere?

13. Warlockz, Registered Member (joined Oct 30, 2008; 642 posts)
And today's technology isn't going to advance and encryption is bulletproof, LMAO. "Instead of relying on today's theories, one should be ready for tomorrow's facts."

Cool app though, rookcifer. Windows users may want to try PasswordG, which is an awesome portable free password generator!

Keyfiles are a plus

Last edited: Sep 30, 2010
14. Chuck57, Registered Member (joined Sep 2, 2002; 1,422 posts; location: New Mexico, USA)
Seventy to 140 character password... My question is, how does someone remember such a thing?

I use a 20 character password, upper and lower case letters, numbers and symbols - which I can usually remember. Sometimes I mix something up and have to try again, and again.

Finally, if a good 12 or 20 character password takes 'x' number of years to break, isn't that enough? In 99.99% of cases, who is going to continue to try and crack something for several or 5 years? I can't even envision a govt working for more than a year to access secure files - unless you're Al Qaeda. Any secure information is usually out of date and irrelevant after several, maybe 5, years.

15. Justin Troutman, Cryptography Expert (joined Dec 23, 2007; 226 posts; location: North Carolina, USA / Minas Gerais, BR)
Do you find this easily manageable? Key management is perhaps the toughest of cryptographic challenges, and a policy like that doesn't make it any easier.

Out of curiosity, would you mind sharing what you use?

What I've found with several of these password strength detectors is that one shouldn't expect them to take into account the contextual information that can be gathered about a person to aid with guessing their passwords. In other words, actual words, or groups of words, may yield seemingly secure results, but are rather easy to predict.

For instance, I know a lot of fellow Duke fans, who are rather savvy when it comes to the social Internet, but not so much when it comes to the technology behind it. Some of them think Mike Krzyzewski is the 13th disciple, and undoubtedly use his namesake to secure their miscellany. "coachmikekrzyzewski," let's say.

At TGP's alleged 3,345,228,630.34 years to crack, you'd think they'd be right, but I can't really hold TGP responsible for not realizing the information leaked by that grouping of symbols, when it merely analyzes those symbols independently. All in all, it's nice to have tools that try to gauge this, as long as we understand their limitations.
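An added example (not from the thread and not TGP's code) of the gap the post describes: a per-character meter scores "coachmikekrzyzewski" as a 19-symbol random string, while an attacker who combines a handful of words learned from the target's public profile reaches it in about a hundred guesses. The profile word list is constructed for the example and describes nobody in particular; the meter here assumes lower-case letters only, which is already generous to the attacker-unaware estimate.

```python
import itertools
import math

# Constructed profile: words an attacker could pull from a target's public posts
# (illustrative only; not real data about anyone).
PROFILE_WORDS = ["coach", "mike", "krzyzewski", "duke", "bluedevils",
                 "cameron", "k", "1991", "2010"]


def naive_entropy_bits(password, alphabet_size=26):
    """What a per-character meter reports: each symbol treated as an
    independent uniform draw from the alphabet (lower-case letters here)."""
    return len(password) * math.log2(alphabet_size)


def combinator_candidates(words, max_words):
    """Every concatenation of 1..max_words profile words, shortest phrases first."""
    for n in range(1, max_words + 1):
        for combo in itertools.product(words, repeat=n):
            yield "".join(combo)


def guesses_to_find(target, words, max_words=3):
    """1-based position of `target` in the combinator list, or None if absent."""
    for rank, cand in enumerate(combinator_candidates(words, max_words), 1):
        if cand == target:
            return rank
    return None


def effective_bits(target, words, max_words=3):
    """log2 of the guesses actually needed against an attacker who knows the profile."""
    rank = guesses_to_find(target, words, max_words)
    return None if rank is None else math.log2(rank)


if __name__ == "__main__":
    pw = "coachmikekrzyzewski"
    rank = guesses_to_find(pw, PROFILE_WORDS)
    print(f"meter says:     {naive_entropy_bits(pw):.0f} bits "
          f"(~{26 ** len(pw):.1e} guesses if it were random)")
    print(f"profile attack: guess #{rank} (~{effective_bits(pw, PROFILE_WORDS):.1f} bits)")
```

The meter's number is only an upper bound that holds when the characters really were chosen at random. For a phrase assembled from facts about the owner, the relevant keyspace is "words the attacker can learn" raised to "number of words", and three words from a nine-word list is under a thousand candidates.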

16. TheMozart, Former Poster (joined Jan 6, 2010; 1,486 posts)
I noticed that redcell is too chicken to take up my challenge and break my 12 character password, because his 70+ password recommendation is based on fanaticism, nothing more.

My challenge is for anyone. And even if you had access to government agency systems and can run multiple PC's trying to brute force attack my 12 character rar encrypted file, you would still need more years to crack it and you and I will be long gone and dead by the time the systems crack it.

Anyone up for the challenge?


18. Justin Troutman, Cryptography Expert (joined Dec 23, 2007; 226 posts; location: North Carolina, USA / Minas Gerais, BR)

19. TheMozart, Former Poster (joined Jan 6, 2010; 1,486 posts)
Nobody willing to crack my rar, 12 character encrypted file?

I thought it was not good to have 12 characters for a password, so why is nobody wanting to take the challenge?

20. Warlockz, Registered Member (joined Oct 30, 2008; 642 posts)
Because nobody cares, dude. One time I challenged people here to crack a 7zip encrypted file because 7zip uses AES 256; I used to think it was the ish. All they said was it proves nothing. Then, after 7zipping and encrypting loads of files to save disk space, I went to un7zip the suckers only to find out half the data had been corrupted in many of the files. I got 80% maybe, and the rest would say wrong password in the error report. I'll never use 7crap again; I'll stick with WinRAR.

To make a long argument short, you shouldn't have to challenge people to prove your encryption software if you truly trust it.

Last edited: Oct 1, 2010
21. TheMozart, Former Poster (joined Jan 6, 2010; 1,486 posts)
Some people obviously do care because they are using 70+ character passwords which is a joke and built on ignorance and hysteria.

I can encrypt a RAR file using a 256-bit key + 12 character password and nobody on Earth can crack it until we are all long gone and dead.

22. Warlockz, Registered Member (joined Oct 30, 2008; 642 posts)
I think that whatever makes them comfortable makes them comfortable, not you, and why would you tell someone to weaken their password? The fact of the matter is, if somebody really wants your passwords they're going to try to install some sort of keylogger on your machine.

23. Warlockz, Registered Member (joined Oct 30, 2008; 642 posts)
That's what the Feds did in many of their cases, and yes, they got access to their targets' encrypted files. Not trying to be an x, but it seems like you're trolling.

24. TheMozart, Former Poster (joined Jan 6, 2010; 1,486 posts)
Very serious. Willing to try to break my encrypted file? It only has 12 character password which many people seem to claim will not suffice.

Ready for the challenge, or are you too chicken?

25. TheMozart, Former Poster (joined Jan 6, 2010; 1,486 posts)
I am telling people to SHORTEN their passwords because anything above a 12 character non-dictionary password is overkill and built on fanaticism and hysteria and ignorance. Shortening a password from 70 to 12 will NOT weaken it at all, because nobody can crack it anyway.

Shortening a password to 3 characters and using a word such as cat would weaken it, but not using a 12 character non-dictionary password, because a 12 character non-dictionary password is rock solid and nobody on Earth can crack it before you are long gone and dead. And the person(s) cracking it will be long gone and dead too, and their children too, before they can crack it.