If you have 40 char pswd and attacker knows length how long to crack?

Discussion in 'privacy technology' started by Klawdek, Sep 27, 2010.

Thread Status:
Not open for further replies.
  1. TheMozart

    TheMozart Former Poster

    Joined:
    Jan 6, 2010
    Posts:
    1,486
    How did the Feds get the keylogger on the person's PC in the first place lol
     
  2. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,328
    Location:
    Here, There and Everywhere
    Actually, it was 'redcell' who said he had a 70-character password and planned to double it. Third post in the thread. Ridiculous, but he's the one who said it.
     
  3. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    It's not about him, IMHO, except (arguably) for PooseyII.

    Could someone please translate this to English? Is PooseyII agreeing with TheMozart? That's how I read it, anyway.

    Why not just PLONK Wilders altogether?
     
  4. Warlockz

    Warlockz Registered Member

    Joined:
    Oct 30, 2008
    Posts:
    642
    :cautious:

    Do-not-feed-the-troll.png
     
    Last edited: Oct 2, 2010
  5. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Can anybody comment on what I found in my Post # 7 when I tested? If you please ;)
     
  6. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
    Hi CloneRanger,

    For Class A: 10,000/sec: takes 20,693,496,017.00 years to crack.
    For Class F: 1,000,000,000/sec: takes 206,934.96 years to crack.

    Essentially, Class F's speed is 10^9 and Class A's speed is 10^4, and Class A takes 10^5
    years longer to crack because it is slower, and Class F takes 10^5 years less to crack because it is faster.

    What was weird about the result?

    -- Tom
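
Added example, not part of the original post: the arithmetic behind the two cracking-speed classes quoted above, extended to the thread's title question of how much an attacker gains from knowing the length. The 95-symbol alphabet and the function names are assumptions, and the figures hold only for uniformly random passwords.

```python
import math

SECONDS_PER_YEAR = 365 * 24 * 3600
CLASS_A_RATE = 10_000           # guesses/sec, figure quoted in the post
CLASS_F_RATE = 1_000_000_000    # guesses/sec, figure quoted in the post
ALPHABET_SIZE = 95              # assumption: printable ASCII incl. space


def keyspace_exact(alphabet, length):
    """Candidates when the attacker knows the exact length."""
    return alphabet ** length


def keyspace_up_to(alphabet, length):
    """Candidates when every length from 1 to `length` must be tried."""
    return sum(alphabet ** k for k in range(1, length + 1))


def years_to_exhaust(keyspace, rate):
    """Worst-case years to try every candidate at `rate` guesses/sec."""
    return keyspace / (rate * SECONDS_PER_YEAR)


def length_knowledge_gain(alphabet, length):
    """Factor by which knowing the length shrinks the search."""
    return keyspace_up_to(alphabet, length) / keyspace_exact(alphabet, length)


def min_length_for_years(alphabet, rate, years):
    """Shortest uniformly random password that survives `years` of guessing."""
    target = years * rate * SECONDS_PER_YEAR
    return math.ceil(math.log(target, alphabet))


if __name__ == "__main__":
    for name, rate in (("Class A", CLASS_A_RATE), ("Class F", CLASS_F_RATE)):
        years = years_to_exhaust(keyspace_exact(ALPHABET_SIZE, 40), rate)
        print(f"{name}: {years:.3e} years for a random 40-character password")
    print(f"gain from knowing the length: {length_knowledge_gain(ALPHABET_SIZE, 40):.4f}x")
    print("length for 1e6 years at Class F:",
          min_length_for_years(ALPHABET_SIZE, CLASS_F_RATE, 1e6))
```

Knowing the length removes only the shorter candidates, which are about 1/94 of the total, so the search shrinks by roughly 1%.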
     
  7. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,328
    Location:
    Here, There and Everywhere
    Has anybody mentioned keyfiles in this thread? Mother's Little Helper of cryptography.
     
  8. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,328
    Location:
    Here, There and Everywhere
    Look at a random password. What makes the human mind incapable of creating that? From a mathematical perspective that's simple chance. It's random - that's all - and the human mind is certainly capable of that. For example:

    3)nJ/G8e8&4b^_K%

    There was no rhyme or reason to the above. It's a random mix of letters, numbers, upper/lower case and KC. The 16-character password above is no easier to crack because it came from my typing (my mind) than if an application programmed to do the same thing created it. Now, doing it consistently over a long period of time would be difficult, but with proper rest one could easily churn out random passwords. I'm curious what magic there is to mathematical randomness that would make the human mind incapable of producing a password like the above? Mine just did.
     
  9. RoamMaster

    RoamMaster Registered Member

    Joined:
    Oct 1, 2006
    Posts:
    50
    Simple math tells you that there is no need for long passwords. The only way someone is going to break through a 10+ character password is either dictionary combination (bananadog1 [example previously]), or more than likely an exploit. Whether that's a keylogger or some form of a bypass.

    I use dictionary combos for everything not financial. I do go ahead and use random passes for my bank, paypal, etc. However, even that is pretty much overkill. To bruteforce a random 10 character password (paypal's minimum) over an internet connection would take eons.

    If the NSA wanted to find out what was on Bin Laden's laptop, they wouldn't try to bruteforce the encryption password. They would try to find a way to extract it/bypass it.

    At the end of the day no one outside of a government agency with physical control of your hardware is even capable of breaking a dozen character password.
    And if the government has your computer and wants to find what's encrypted in it, you're already ***ked. It doesn't matter if they can't get inside. They'll make something up if need be ;)
     
  10. redcell

    redcell Registered Member

    Joined:
    Sep 27, 2010
    Posts:
    126

    Did I say anything about knowing how to crack password? o_O
     
  11. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Nope. Computers are finite state machines and cannot produce truly random numbers (in the sense of radioactive decay or quantum processes). Computers are designed to be predictable, to utilize algorithms, etc. Now, it is true that a computer can use a PRNG to create what appears to be a random string which will pass tests for randomness, but if the attacker knows the seed to the PRNG he can predict the output with 100% certainty. The key is to use a truly unpredictable seed such as human mouse movements. Then the random numbers will be as strong as is possible without using a direct quantum source. And even then, most PRNGs rely on the strength of an algorithm like a hash function (SHA-1) or a cipher (AES). If either of these is broken, the whole PRNG falls apart. But as long as it stays secure, the numbers should be indistinguishable from a TRNG.
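
Added example, not part of the original post: a password generator whose PRNG is seeded with a guessable value, next to one that draws from the operating system's CSPRNG, to show how a known or narrow seed collapses the password's real entropy. The timestamp seed, the 94-symbol alphabet and all function names are assumptions made for the illustration.

```python
import math
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def seeded_password(seed, length=16):
    """Weak: Mersenne Twister output is a pure function of the seed."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def csprng_password(length=16):
    """Stronger: secrets draws from the OS CSPRNG; there is no seed to guess."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def nominal_bits(length=16):
    """Entropy the password appears to have from its length and alphabet."""
    return length * math.log2(len(ALPHABET))


def effective_bits(seed_candidates):
    """Entropy it really has when only `seed_candidates` seeds are possible."""
    return math.log2(seed_candidates)


def audit_seed_window(password, start, stop, length=16):
    """Return the seed in [start, stop) that reproduces `password`, else None."""
    for seed in range(start, stop):
        if seeded_password(seed, length) == password:
            return seed
    return None


if __name__ == "__main__":
    created_at = 1285545600  # constructed Unix timestamp used as the seed
    pw = seeded_password(created_at)
    print("seeded:", pw, "| nominal bits:", round(nominal_bits(), 1))
    print("bits if seed is any second of one day:", round(effective_bits(86400), 1))
    print("seed recovered from a 10-minute window:",
          audit_seed_window(pw, created_at - 300, created_at + 300))
    print("csprng:", csprng_password())
```

A 16-character password that looks like about 105 bits carries only about 16 bits when its seed is one of the 86,400 seconds in a day, which is why generators should take their randomness from the OS rather than from a clock.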
     
  12. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    My interpretation of the speeds between Classes :(

    Exactly, so it's not Just the amount of characters that's important, but which ones and how you distribute them. More of an art than science ;)

    Thanks to you both for posting :thumb:
     
  13. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    Huh? How about radioactive decay? I suspect that one could hack a random-number generator from the Am in a smoke alarm. Let me google that ... yep.
     
  14. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    Why on Earth would you want to attempt to "discuss" anything with him? One, he won't. And two, he doesn't actually know anything, IMHO. At best, he manages to appear knowledgeable. And in any case, he's a troll, intentionally or not.
     
    Last edited: Oct 3, 2010
  15. TheMozart

    TheMozart Former Poster

    Joined:
    Jan 6, 2010
    Posts:
    1,486
    So that's your reply? Too chicken to take the challenge I see :thumbd:
     
  16. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,328
    Location:
    Here, There and Everywhere
    Not that it's any big deal, but think about it a minute. The argument you make above is not in support of randomness (in anything) but against it. By definition, there can't be 'rules' for randomness. Believe it or not, all 16 characters could have been '7' and it still could have been random! The odds? Very long indeed. When you write, "Characters are limited to the ones on the keyboard...he used only 6....once each...too many special characters...", you are actually arguing for something very different from random number generation. A random number generator could have done each one of the above, because again, BY DEFINITION - it's random!
     
  17. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,328
    Location:
    Here, There and Everywhere
    Only slightly off-topic....I saw this and thought of how many of our threads are just like this....It's got to be some law of physics.

    How many forum members does it take to change a light bulb?

    1 to change the light bulb and to post that the light bulb has been changed

    14 to share similar experiences of changing light bulbs and how the light bulb could have been changed differently

    7 to caution about the dangers of changing light bulbs

    6 to argue over whether it’s “lightbulb” or “light bulb” …

    Another 6 to condemn those 6 as stupid

    2 industry professionals to inform the group that the proper term is “lamp”

    15 know-it-alls who claim they were in the industry, and that “light bulb” is perfectly correct

    19 to post that this forum is not about light bulbs and to please take this discussion to a light bulb forum

    11 to defend the posting to this forum saying that we all use light bulbs and therefore the posts are relevant to this forum

    36 to debate which method of changing light bulbs is superior, where to buy the best light bulbs, what brand of light bulbs work best, etc.

    5 People to post pics of their own light bulbs

    15 People to post “I can’t see the pix in my browser!”

    7 to post URL’s where one can see examples of different light bulbs

    4 to post that the URL’s were posted incorrectly and then post the corrected URL’s

    13 to link all posts to date, quote them in their entirety including all headers and signatures, and add “Me too” "Word" "What they said" etc.

    5 to post to the group that they will no longer post because they cannot handle the light bulb controversy

    4 to say “didn’t we go through this already a short time ago?”

    13 to say “do a search on light bulbs before posting questions about light bulbs”

    1 to bring politics into the discussion by adding that George W. isn’t the brightest bulb.

    4 more to get into personal attacks over their political views.

    1 moderator to lock the light bulb thread.

    1 forum lurker that didn't do a search and starts a thread a year from now on light bulbs and we start all over again.
     
  18. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    Well, said adversary would first need to find me. And before that, they'd need to decide whether I'm worth finding.

    That's a good point. Anyone planning to attract such attention would probably kill them first, or die trying -- and would have backup. I don't fall in that category, fortunately.

    Physical security?
     
  19. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @ LockBox

    Your Post # 57 was hilarious, every line was funny, and made me laugh out loud :D But they were also "Illuminating" ;) and true. Often people wander off topic a little bit, which i don't always mind, done it myself :p but they usually soon come back round. But there are times when threads get to a stage where they don't even slightly resemble the first post !

    Surprisingly though, in amongst all the OT stuff, there can be some jewels of info etc, that might not otherwise have been posted. So i guess it depends on what's actually said, rather than just the amount of OT's.

    By the way, you missed "Lamp" efficiency off your list :D

    *

    Re - Randomness

    Lots of info and real time tests you can do, including a SSL Random Password Generator. From what i saw, no special characters though :(

    GRC also has one which can use special characters, but it's pseudo random.

     
  20. Justin Troutman

    Justin Troutman Cryptography Expert

    Joined:
    Dec 23, 2007
    Posts:
    226
    Location:
    North Carolina, USA / Minas Gerais, BR
    Y'all might find this paper interesting, if you haven't already read it; it's "Protecting Secret Keys with Personal Entropy," by C. Ellison, C. Hall, R. Milbert, and B. Schneier.

     
  21. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,429
    Location:
    U.S.A.
    Removed Off Topic post. Let's stick to the subject please. Thanks!
     
  22. Bensec

    Bensec Registered Member

    Joined:
    Aug 4, 2008
    Posts:
    177
    Location:
    China Changsha
    well, a fully random 40-char-long password itself poses another threat - losing/forgetting it.

    if you store it somewhere other than your brain, you could easily lose control of it. only a superhuman can remember a 40-char-long random string without the risk of forgetting it. meanwhile long passwords are more likely to be used on stuff that is not frequently used, which means easier to forget.

    actually, i don't think it practical. the 40-char-long password will eventually become part of something that needs extra protection. even concerns about microchip keyloggers, hardware trojans look more practical to me :)
     
  23. TheGyre

    TheGyre Registered Member

    Joined:
    Oct 8, 2010
    Posts:
    11
    Location:
    near Washington D.C.
    Has anyone thought of memorizing a poem and then using a letter from each word as a character for a password?

    One could easily write a very long password by this approach with just the alphabet characters. Easily over 100 characters could be remembered. I just tested the idea myself with a relatively short poem I had memorized and got nearly 100 characters with just the alphabet and no random characters and capitalizations yet inserted.

    I notice flaws in this approach (one could say it's in its alpha stage); however, I feel that the simple nature of this method may point in a profitable general direction since it is so easily remembered. It's just a start. I figure most people don't memorize poems like me; however, songs and other works of words would also do well when memorized.

    I welcome all critiques as I am a total n00b at this.
     
  24. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    I use a system much like that. I look for favorite passages with proper names and lots of punctuation, and assign each a nickname. Based on that, I get 20-40 character sequences. I then combine those sequences in ways that the nicknames form simple narratives. I can easily remember very long passwords.
     