From: Peter MacDonald (pmacdona@sanjuan)
Date: 01/15/93


From: pmacdona@sanjuan (Peter MacDonald)
Subject: Re: Weird group problems under .99.3
Date: Sat, 16 Jan 1993 03:45:33 GMT

In article <1993Jan15.154829.13871@crd.ge.com> davidsen@crd.ge.com (bill davidsen) writes:
>In article <1j4jflINNa72@matt.ksu.ksu.edu>, probreak@matt.ksu.ksu.edu (James Michael Chacon) writes:
>
>| Obviously you've never seen crack. This program runs password guesses quickly
>| through the crypt code to generate encrypted passwords. Then it compares
>| them against the given guess.
>|
>| This can be done across multiple machines simultaneously to generate millions
>| of guesses quickly.
>
>Which is only useful on poorly chosen (in a dictionary) passwords.
>Assuming a reasonable password, you would have to try all possible
>combinations, which is still pretty impractical for a private
>individual.
>
>With 96 printing characters, and 8 character passwords, you have about
>10^15.8 possible values, and that assumes no control characters (they're
>legal) and only 8 characters (some versions allow more).
>
>Now assume that you can check 10 million possibilities per sec, with no
>breakdowns, etc, then in 22.8 years you could brute force break all
>passwords. Of course by then the passwords will have changed, so you
>better put the results in a BIG database as you go, and did I mention
>that there is a "salt" used in the process which means you actually have
>to do 64 times more work?
>
>A well chosen password is still pretty safe from even a determined
>brute force attack. That doesn't mean that you can break the algorithm,
>just that brute force still isn't practical beyond the hundred million
>or so dictionary words with obvious perturbations.
>

This is the problem: there is no hard definition of a "well chosen password".
Password crackers can always eliminate most of the search field because
most people won't choose well.

>Of course modern systems have gone to shadow passwords, so there's less
>chance of having even a peek at the encrypted password, and that means
>you have to run at the speed of the system being cracked.
>
>--
>bill davidsen, GE Corp. R&D Center; Box 8; Schenectady NY 12345
> Keyboard controller has been disabled, press F1 to continue.
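
The gap the thread argues about, between a password derived from a dictionary word and one that forces an exhaustive search, can be shown with a small password-screening check. This is an added example, not part of the original posts; the wordlist, the perturbation rules and the function names are assumptions, and the rate and search-space figures are the ones quoted in the thread.

```python
import string

# Constructed sample wordlist; a real checker would load a full dictionary.
WORDLIST = {"password", "linux", "dragon", "secret", "wizard"}

# Obvious perturbations undone before lookup (assumed rule set): look-alike
# characters, and digits or punctuation stuck on either end of a word.
LOOKALIKES = str.maketrans("0134578@$!", "oieastbasi")
AFFIX_CHARS = string.digits + string.punctuation

# Figures quoted in the thread above.
GUESSES_PER_SEC = 10_000_000      # "10 million possibilities per sec"
DICTIONARY_SPACE = 100_000_000    # "hundred million or so dictionary words"
FULL_SPACE = 96 ** 8              # 96 printing characters, 8 positions


def is_dictionary_derived(password):
    """True if the password reduces to a wordlist entry."""
    base = password.lower()
    forms = set()
    for form in (base, base.strip(AFFIX_CHARS)):
        for variant in (form, form.translate(LOOKALIKES)):
            forms.update((variant, variant[::-1]))  # also try it reversed
    return not forms.isdisjoint(WORDLIST)


def worst_case_seconds(password):
    """Time to exhaust the space that has to be searched for this password.

    Assumes a password that is not dictionary-derived is 8 characters drawn
    from all 96 printing characters.
    """
    space = DICTIONARY_SPACE if is_dictionary_derived(password) else FULL_SPACE
    return space / GUESSES_PER_SEC


def screen(password):
    """Accept or reject a proposed password, with the reason."""
    if is_dictionary_derived(password):
        return False, "dictionary word with obvious perturbation"
    return True, "not derived from the wordlist"


if __name__ == "__main__":
    for pw in ("Dr4g0n99", "drowssap", "$ecret", "k7#Qv2!m"):  # constructed
        ok, reason = screen(pw)
        years = worst_case_seconds(pw) / (365.25 * 24 * 3600)
        print(f"{pw:10} accept={ok!s:5} {reason}; worst case {years:.2g} years")
```

A check like this belongs at password-change time, so that a choice falling inside the dictionary space is refused before it is ever stored.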