If you have 40 char pswd and attacker knows length how long to crack?

Discussion in 'privacy technology' started by Klawdek, Sep 27, 2010.

Thread Status:
Not open for further replies.
  1. Klawdek

    Klawdek Registered Member

    Joined:
    Sep 27, 2010
    Posts:
    16
    OK we are assuming a product like Truecrypt that uses an accepted encryption algorithm like AES. And, a strong password is used (no words, sequences of 3 characters, includes upper and lower case and special symbols).

    If the attacker knows the strong password is 40 characters how long to brute force it?

    A more realistic scenario is the attacker does not know the length but knows you would not have used anything less than 20 characters so he starts with 20 character in his brute force attack. How long to crack 40 character strong password when attacker starts with 20 characters?
     
  2. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    Your question cannot be answered with any kind of specificity. There are too many variables. The answer could range from "who knows" (NSA) to probably hundreds of years with current technology. In other words, it depends on the computing power you're throwing at it. I think probably only the NSA has the capability to brute force the above scenario in our lifetime.
     
  3. redcell

    redcell Registered Member

    Joined:
    Sep 27, 2010
    Posts:
    126
    My password is 70+ characters long and plan to double it soon. I recommend you do the same.
     
  4. Jav

    Jav Guest

  5. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    If you are using all ASCII printable characters as your character set (94 possible characters excluding the spacebar) and you chose the password completely at random (say with a secure RNG or a set of dice), then it would have 262 bits of entropy.

    A modern GPU (like Nvidia Teslas) can calculate a billion or so passwords per second. If you put one of these GPU's on every square inch of the earth's land surface, it would take it 6.8 x 10^44 years to brute force your 40 character password (on average). The universe itself is only 1.3 x 10^10 years old, so it would take exponentially longer than the age of the universe even if all computers on earth worked on it at once.

    In other words, you're safe.
     
  6. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,103
    Try using the tool known as Thor's Godly Privacy aka TGP (apparently Windows only) which is referenced in the article Crypto tool predicts password cracking time.

    Or, more easily, TGP can be tried online here which is an interesting read aside from being able to test your password strength. Note: this web page supports https, and recommends not to use real passwords in the test.

    How Passwords Get Cracked. It has a table of how long it takes with various lengths of passwords.

    40 and 70+ characters is overkill. Use both upper+lower case characters, numbers and special characters, and you should be good to go with 12-14 characters depending on how paranoid you are. I have found it is easy to remember a password if you construct an easy to remember sentence (with the above character recommendations). Of course, the time it takes to crack a password depends on three main things, the length and complexity of your password, the speed of the hacker’s computer, and the speed of the hacker’s Internet connection. So, all in all, it depends on if your computer/storage device has been physically seized, and the amount of resources those trying to crack your password have to throw at the problem.

    -- Tom
     
    Last edited: Sep 29, 2010
  7. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Re - https://www.hammerofgod.com/passwordcheck.aspx

    I got some wierd results o_O

    Chose about:config as the PW to see how 2 words and a character faired.

    Selected 10k per sec

    10k.gif

    Selected 1B per sec

    1b.gif

    Unless i'm reading it incorrectly etc, the 10k is years better, when it should be the other way round :eek:

    Even so at only 10k i find hard to believe it would take as long it says ?

    @ lotuseclat79

    Thanks for the link :thumb:
     
  8. redcell

    redcell Registered Member

    Joined:
    Sep 27, 2010
    Posts:
    126
  9. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    994
    Location:
    Hawaii
    It's not just a matter of how fast you can calculate a password list. Each potential password also has to be tested for validity by running it through the various algorithms, number of rounds, etc., and this will consume significant computational resources that can slow down a brute-force attack by thousands or even millions of cycles. If the password requires 10,000 iterations before it will generate the key then the brute-forcer must follow the same path during each password attempt. Many encryption products utilize this type of strategy in order to increase resistance to brute-force attacks.

    For example, my fastest home PC (a Pentium dual-core) can generate thousands of passwords per second, but because of the computational overhead it can only test 4 pw/second against an encrypted TrueCrypt container. Even a "bananadog" password would take quite awhile to crack under these conditions.

    Of course, an attacker with deep pockets and specialized hardware could run the attack much, much faster, especially if he ran it on thousands or millions of CPUs in parallel.
     
  10. Warlockz

    Warlockz Registered Member

    Joined:
    Oct 30, 2008
    Posts:
    642

    ? The Grid ?

     
  11. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    To reiterate what I said above, I will post a screenshot of a little password generating app that I wrote for fun. It gives brute forcing times once the password is generated. Here is an example of a 40 character password (using A-Z, a-z, 0-9 as the character set).
     

    Attached Files:

  12. TheMozart

    TheMozart Former Poster

    Joined:
    Jan 6, 2010
    Posts:
    1,486
    I am going to send you an encrypted .rar file that contains just 12 characters as password, and you crack it and tell me what it says in the text file that is in the encrypted .rar file. I look forward to your reply.

    Where can I send you the rar file, or you want me to upload it somewhere?
     
  13. Warlockz

    Warlockz Registered Member

    Joined:
    Oct 30, 2008
    Posts:
    642
    And today's Technology isn't going to advance and Encryption is bulletproof o_O LMAO "Instead of relying on today's theory's one should be ready for tomorrows Facts"

    cool app tho rookcifer, Windows users may want to try PasswordG which is an awesome portable free password generator!

    Keyfiles are a plus
     
    Last edited: Sep 30, 2010
  14. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,422
    Location:
    New Mexico, USA
    Seventy to 140 character passwordo_Oo_Oo_O My question is, how does someone remember such a thing?

    I use a 20 character password, upper and lower case letters, numbers and symbols - which I can usually remember. Sometimes I mix something up and have to try again, and again.

    Finally, if a good 12 or 20 character password takes 'x' number of years to break, isn't that enough. In 99.99% of cases, who is going to continue to try and crack something for several or 5 yrs? I can't even envision a govt working for more than a year to access secure files - unless you're Al Quaeda. Any secure information is usually out of date and irrelevant after several, maybe 5 yrs.
     
  15. Justin Troutman

    Justin Troutman Cryptography Expert

    Joined:
    Dec 23, 2007
    Posts:
    226
    Location:
    North Carolina, USA / Minas Gerais, BR
    Do you find this easily manageable? Key management is perhaps the toughest of cryptographic challenges, and a policy like that doesn't make it any easier.

    Out of curiosity, would you mind sharing what you use?

    What I've found with several of these password strength detectors is that one shouldn't expect them to take into account the contextual information that can be gathered about a person to aid with guessing their passwords. In other words, actual words, or groups of words, may yield seemingly secure results, but are rather easy to predict.

    For instance, I know a lot of fellow Duke fans, who are rather savvy when it comes to the social Internet, but not so much when it comes to the technology behind it. Some of them think Mike Krzyzewski is the 13th disciple, and undoubtedly use his namesake to secure their miscellany. "coachmikekrzyzewski," let's say.

    At TGP's alleged 3,345,228,630.34 years to crack, you'd think they'd be right, but I can't really hold TGP responsible for not realizing the information leaked by that grouping of symbols, when it merely analyzes those symbols independently. All in all, it's nice to have tools that try to gauge this, as long as we understand their limitations.
     
  16. TheMozart

    TheMozart Former Poster

    Joined:
    Jan 6, 2010
    Posts:
    1,486
    I noticed that redcell is too chicken to take up my challenge and break my 12 character password, because his 70+ password recommendation is based on fanaticism , nothing more. :thumbd:

    My challenge is for anyone. And even if you had access to government agency systems and can run multiple PC's trying to brute force attack my 12 character rar encrypted file, you would still need more years to crack it and you and I will be long gone and dead by the time the systems crack it.

    Anyone up for the challenge?
     
  17. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Comments on my Post # 7 if you please ;)
     
  18. Justin Troutman

    Justin Troutman Cryptography Expert

    Joined:
    Dec 23, 2007
    Posts:
    226
    Location:
    North Carolina, USA / Minas Gerais, BR
    Let's just say I'm quite ready for basketball season. ;)
     
  19. TheMozart

    TheMozart Former Poster

    Joined:
    Jan 6, 2010
    Posts:
    1,486
    Nobody willing to crack my rar, 12 character encrypted file?

    I thought it was not good to have 12 characters for a password, so why is nobody wanting to take the challenge?
     
  20. Warlockz

    Warlockz Registered Member

    Joined:
    Oct 30, 2008
    Posts:
    642
    Because nobody cares dude. One time I challenged people here to crack a 7zip encrypted file because 7zip uses AES 256, I used to think it was the ish, all they said was it proves nothing, then after 7zipin encrypten loads of files to save disk space I went to un7zip the suckers only to find out half the data had been corrupted in many of the files I got 80% maby and the rest would say wrong password in the error report, Ill never use 7crap again, ill stick with winrar.

    To make a long argument short, you shouldn't have to Challenge people to prove your encryption software if you truly trust it.
     
    Last edited: Oct 1, 2010
  21. TheMozart

    TheMozart Former Poster

    Joined:
    Jan 6, 2010
    Posts:
    1,486
    Some people obviously do care because they are using 70+ character passwords which is a joke and built on ignorance and hysteria.

    I can encrypt an RAR file using 256bit key + 12 character password and nobody on Earth can crack it until we are all long gone and dead.
     
  22. Warlockz

    Warlockz Registered Member

    Joined:
    Oct 30, 2008
    Posts:
    642
    I think that whatever makes them comfortable makes them comfortable, not you, and why would you tell someone to weaken their password? The fact of the matter is If somebody really wants your passwords their going to try to install some sort of Keylogger on your machine.
     
  23. Warlockz

    Warlockz Registered Member

    Joined:
    Oct 30, 2008
    Posts:
    642
    Thats what the Feds did in many of their cases, and yes they got access to their Targets Encrypted files:cool: Not tryin to be an x, but it seems like your Trolling

     
  24. TheMozart

    TheMozart Former Poster

    Joined:
    Jan 6, 2010
    Posts:
    1,486
    Very serious. Willing to try to break my encrypted file? It only has 12 character password which many people seem to claim will not suffice.

    Ready for the challenge or you too chicken?
     
  25. TheMozart

    TheMozart Former Poster

    Joined:
    Jan 6, 2010
    Posts:
    1,486
    I am telling people to SHORTEN their passwords because anything above a 12 character non-dictionary password is overkill and built on fanaticism and hysteria and ignorance. Shortening a password from 70 to 12 will NOT weaken it at all, because nobody can crack it anyway.

    Shortening a password to 3 character and using a word such as cat, would weaken it, but not using a 12 character non-dictionary password, because a 12 character non-dictionary password is rock solid and nobody on Earth can crack it before you are long gone and dead. And the person(s) cracking it will be long gone and dead too, and their children too, before they can crack it.
     
Loading...
Thread Status:
Not open for further replies.