password security
Cory Kempf
cory at gloom.UUCP
Wed Dec 21 05:24:28 AEST 1988
In article <4420 at xenna.Encore.COM> bzs at Encore.COM (Barry Shein) writes:
>
>Given a 100 character character set and 8 characters in a password
>the search space is 100^8 which is:
>
> 10,000,000,000,000,000
Except for one little problem... I don't think that the average
secretary is capable of remembering a password like 'z&B_= ^W4'
If she is given the chance to select a password for herself (I am
using the female form 'cause the secretary here is female), she
is most likely going to choose one that can be found in either a
dictionary or a list of names. (For that matter, so will a lot
of people who 'know better'). As has been shown, the search
space is considerably reduced... to the point that on a machine
with 20 users, the chances of finding a valid password are fairly
good. By increasing the number of significant characters, the
chances of an easily guessed password drop.
>Currently even fast DES implementations on fast processors can't seem
>to hit 1,000 encryptions per second although it's probably possible,
>let's allow 20,000 encryptions per second, a brute force search would
>now take:
> 500,000,000,000
>500 billion seconds or almost 16,000 years. Even improving *that* by a
>factor of 1,000 (ie. 20,000,000 encryptions per second) wouldn't leave
>much hope for the cracker (16 continuous machine-years.)
I wonder... with Thinking Machine's offer to allow people on the
internet to access a Connection Machine, has anyone tried to write
an algm. for brute force password testing for such a machine? (ie
with 64k processors, each at 1000 encryptions a second it is down
to about 3 mos. -- unfortunately, I don't know enough about the
connection machine and DES to know how reasonable this is... (mean
time 'till success would be around 1.5 months -- shorter if the search
is set up with a bit of forethought (ie start with unshifted keys, then
shifted, then control, etc.)
Besides, it would make me feel better if someone who managed to
watch me key in a password (I try to avoid this) had to catch
more than 8 characters...
+C
--
Cory (...your bravest dreams, your worst nightmare...) Kempf
UUCP: encore.com!gloom!cory
"...it's a mistake in the making." -KT
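The arithmetic argued over in this thread, worked as an added example (this is not code from the post, the quoted article, or the mailing list). It reproduces the quoted 100^8 search space and the 20,000 and 20,000,000 encryptions-per-second figures, then adds the two points the reply makes: a parallel machine divides the wall-clock time by its processor count, and a user-chosen password that comes from a word list collapses the search to that list. The 25,000-word list, the 30% weak-password fraction and the 20-user machine are constructed inputs for illustration, not measurements.

```python
"""Password search-space and brute-force cost estimates (added example)."""
from math import log2

SECONDS_PER_YEAR = 365 * 24 * 3600  # 31,536,000 s; leap days ignored


def search_space(charset_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters
    drawn from a character set of `charset_size` symbols."""
    return charset_size ** length


def worst_case_seconds(space: int, rate_per_proc: float,
                       processors: int = 1) -> float:
    """Seconds to exhaust `space` guesses at `rate_per_proc` trial
    encryptions per second on each of `processors` processors."""
    return space / (rate_per_proc * processors)


def expected_seconds(space: int, rate_per_proc: float,
                     processors: int = 1) -> float:
    """Mean time to a hit when the true password is equally likely to sit
    anywhere in the enumeration order: half the exhaustive time."""
    return worst_case_seconds(space, rate_per_proc, processors) / 2


def years(seconds: float) -> float:
    return seconds / SECONDS_PER_YEAR


def effective_bits(space: int) -> float:
    """Entropy-equivalent size of a search space, in bits."""
    return log2(space)


def probability_any_user_cracked(fraction_weak: float, users: int) -> float:
    """Chance that at least one of `users` accounts falls to a word-list
    search, if each user independently picks a list word with probability
    `fraction_weak`. (Constructed model: independence is an assumption.)"""
    return 1.0 - (1.0 - fraction_weak) ** users


if __name__ == "__main__":
    # The quoted article's figures: 100-symbol alphabet, 8 characters.
    full = search_space(100, 8)
    print(f"full space: {full:,} ({effective_bits(full):.1f} bits)")
    for rate in (20_000, 20_000_000):
        print(f"  {rate:>12,}/s  exhaustive: {years(worst_case_seconds(full, rate)):,.0f} y"
              f"  mean: {years(expected_seconds(full, rate)):,.0f} y")

    # The reply's point: the space shrinks to whatever list the user chose from.
    word_list = 25_000  # constructed list size, not a real dictionary count
    print(f"word list of {word_list:,}: {effective_bits(word_list):.1f} bits,"
          f" exhausted in {worst_case_seconds(word_list, 20_000):.2f} s at 20,000/s")
    print(f"P(at least 1 of 20 users is on the list | 30% weak) ="
          f" {probability_any_user_cracked(0.30, 20):.4f}")
```

The `processors` argument models the parallel-machine case generically: wall-clock time scales as 1/N for N independent processors, and the exhaustive and mean figures both scale the same way, so the comparison between a full character-set search and a word-list search does not change with hardware, only the absolute times do.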