how fast can they crack your password
lockdown.co.uk — An interesting article on the speed at which passwords can be cracked, comparing types of passwords.
- 3228 diggs
- Latka, on 10/12/2007, -8/+6 Sweet and scary!
- carguy84, on 10/12/2007, -2/+23 Remind me to change the combination on my luggage...
- foolfromhell, on 10/12/2007, -0/+3 Where is the program? I would like a shot at this...
What about, knowing the personality of the person, some idiot who has a website about UFOs might have a password like "Alien".
- ggko, on 10/12/2007, -0/+4 > Remind me to change the combination on my luggage...
Don't use 1-2-3-5, that's the next combination they'll try.
- FlyingLlama, on 10/12/2007, -5/+4 Trust me, the last password they'll ever think of using is "password".
- DrRo183, on 10/12/2007, -1/+2 No, the LAST password they'll think of is: idontknow
- StratusFear, on 10/12/2007, -0/+0 Agreed, very sweet, but very scary.
- trump, on 10/12/2007, -2/+6 Class A would take 692 years
Class F would take 60.5 hours
I now love my password
- p9s50W5k4GUD2c6, on 10/12/2007, -3/+33 But "love" is only four letters. That will be cracked in 46 seconds!
Yup - that's about right. Love cracks in 46 seconds.
Joking aside: good article, great analysis.
- hammydude, on 10/12/2007, -1/+50 Class A: 692 years
Class F: 60.5 hours
Finding years' worth of personal information by dumpster diving in 10 minutes: priceless
- Kazanoe, on 10/12/2007, -1/+3 I wish they gave some higher numbers. My password personally has 10 characters, and has a 'common symbol' in it, which they don't have written down.
Given the information that 6 characters takes 13 mins, and 8 characters takes 2004 hours, I'm going to assume mine would take several years to crack using a Class F
(assuming they didn't get my password within the first few million combinations)
- TeacherOfHeroes, on 10/12/2007, -0/+19 The way to figure it out is simple:
1.) Take the desired character set - say the 52-character one (UPPERS and lowers) - and put it to the power of the number of characters in your password - in my case, with a 19-character password, it's 52^19
2.) Pick your class of attack - class F (the fastest listed) can do 1,000,000,000 (1 trillion) attacks per second. Now divide the previous answer by this number - for me it's (52^19) / 1 000 000 000
This is the number of seconds it would take to crack your password.
3.) Divide your answer repeatedly by increments of time until you get it down to a nice manageable number:
/ 60 - minutes
/ 60 - hours
/ 24 - days
/ 365 - years
/ 1000 - repeat for thousand, million, billion years, etc...
Mine's 12.4 Quadrillion years :)
- squeevey, on 10/12/2007, -0/+5 You only wish that they used brute force to crack it.
Two words: RAINBOW CRACK
- Pas3n7, on 10/12/2007, -3/+2 Whoops, TeacherOfHeroes beat me to it.
- 0x0000ff, on 10/12/2007, -0/+2 edit: I need to type faster
@Kazanoe:
Your password would provide 66483263599150104576 combinations (96^10) -- which is 2108 years to calculate as a "class F"
(which doesn't really mean anything)
- jasqwerty, on 10/12/2007, -0/+1 Well yeah squeevey, but you fail to miss some important points...
1) Storage: Well, HDs are cheap, but putting enough of them together to crack a 12-length U/L alphas, nums, common chars is going to be interesting.
2) Indexing and proofing: How fast can you search your multi-yottabyte data set, and how well can you guarantee against bit rot? Constant CRC checking?
3) It'll take a few centuries to generate it in the first place, OOPS?!?!
- MasterDirk, on 10/12/2007, -0/+1 Mine isn't on the charts, but given that it's over 20 characters with non-English letters and not-on-a-normal-keyboard characters I'd guess it'd take a while ;-)
- brenthals, on 10/12/2007, -0/+1 Class F 83.5 days, dugg and blogged.
- tke248, on 10/12/2007, -1/+5 Just one more reason I use Alt-chars
http://digg.com/security/uncrackable_passwords
- ubergmr, on 10/12/2007, -2/+34 Looks like "asdf" isn't as secure as I thought
- chicken101, on 10/12/2007, -6/+4 I could instantly crack your password with a Pentium 100! Tehehe
- bradbeattie, on 10/12/2007, -3/+10 It's ubergmr@gmail.com, right? :P
- chicken101, on 10/12/2007, -2/+6 8 200 Billion 242 Days 24 Days 2½ Days 348 Mins 35 Mins 3½ Mins
I think I might change my password....
- 9mmCensor, on 10/12/2007, -1/+4 Unless they get lucky and find it real quick.
- bradbeattie, on 10/12/2007, -0/+8 Article summary: use passwords of more than 8 mixed characters (upper and lower case, numbers, punctuation) and change your password every month or so.
- ericsnels, on 10/12/2007, -0/+4 To change my password every month or so would mean I would have post-it notes all over my monitor reminding me what my password is. That's just crazy. (I did like the "Quadrillion Combinations" though)
- yahoofrom, on 10/12/2007, -0/+1 Changing passwords monthly AND using different passwords for each site... well then I don't see any other way to manage all those passwords other than having all the passwords written down on paper (of course in somewhat encrypted form, just in case).
Wait a minute, I think I found a cool way to manage passwords. Yes: writing everything down on paper in somehow encrypted form. A portable password manager!
- bathroomninja, on 10/12/2007, -3/+2 So here is a question. Most of my 12 passwords are at least 21 chars long (using caps, lower, special, numbers). How long would it take to break that?
- chicken101, on 10/12/2007, -2/+19 That must be a bitch to remember/type in.
- kacymartin, on 10/12/2007, -1/+2 96^21 will give you the number of possible combinations.
Then if you look at the bottom of the page it tells you each class and the number of passwords it can guess in a second, so you just divide your number of possibilities by the guesses per second to see how many seconds it will take to crack your pass. Then just divide by 60 to get it to minutes and so on to get it to a reasonable scale.
- mwebb1984, on 10/12/2007, -1/+1 Nice :) Mine aren't that strong yet. My digg password ties with my brokerage password at 14 cap/lower letters/numbers/other characters (but the digg one only has cap/lower letters and a number). That means my digg password would still take a Class F over 2 1/2 years to crack by brute force. Moral is: it's more likely for someone to hack your computer and drop a trojan than to crack it by brute force. (At least if you use that long of a "random" password -- ones with words or common placings of numbers, etc. would be much easier to crack using simple algorithms and dictionaries.)
- evilpig, on 10/12/2007, -4/+7 Ah, no capital letter in the title. AHHHH NOO!
- jczer68, on 10/12/2007, -0/+4 I don't see a need for all the various classes... They could've just used the values for "class D" and assumed this is what a password would typically be cracked with.
So for passwords that take years to crack, I guess you can save the cracking progress so you can upgrade your computer, then continue cracking the password.
- jestershinra, on 10/12/2007, -0/+2 The problem here is that these are maximum lengths--your password, at each level, would be cracked (by simple brute-force process of elimination) within the allotted time frame. Obviously, how exactly yours is determined depends on the precise order of the attacking software, but you could have a password that's listed here to take a trillion years be cracked in, say, one year--it just depends on how it's cracked.
- dpk87, on 10/12/2007, -4/+1 Class A: 238 years
Class F: 20 hours
I guess my password isn't half bad.
- 247365, on 10/12/2007, -0/+1 Quick question, do you guys use one password for most sites or change it?
- bioret, on 10/12/2007, -0/+1 I use 3 different passwords; sometimes I use one and sometimes I use another
- jczer68, on 10/12/2007, -0/+1 I would think it's a good idea to use different passwords for each site, in case the folks at one site decide to hack your account on other sites or something.
- cranium, on 10/12/2007, -1/+3 I use a different password for every site. Basically, I've got a mental hash that combines the domain name with my basic password, but not in an obvious way.
- mwebb1984, on 10/12/2007, -0/+2 You should use a wholly different password for each site, unless maybe a group of sites' accounts are very "unimportant." Unless you have very weak passwords, the biggest threats are that: 1) someone hacks your system and monitors it, thus obtaining passwords, or 2) one of the websites/service providers/etc. has a security breach and someone gains access to users' account info. You can escape 2) with little damage if each password is wholly different. (Of course, remember some sites will just send your passwords to your email... so if your email's hacked.....)
- spiffyman, on 10/12/2007, -0/+3 I have a series of passwords from very weak to very strong. I only use the strong ones on stuff I care about.
Strong passwords are a pain.
Also, why would I want to possibly expose a strong password by using it on my Yahoo email or message board?
- bsoric, on 10/12/2007, -0/+1 I have different passwords for things like:
Unencrypted Remote - Mostly websites like Digg that I log in to over the school wireless
Encrypted Remote - Things like email
Unencrypted Local - Games
Encrypted Local (Hashed) - Sign-ins for various computers I use.
- trash115, on 10/12/2007, -5/+0 This is cool stuff
Where can I find a program where I can try and crack my own password?
Any ideas anyone??
- breakneckridge, on 10/12/2007, -2/+13 The secret code is 1, 2, 3, 4
That's amazing! That's the same code I have on my luggage!
- hammydude, on 10/12/2007, -14/+2 SPACE BALLS!!!!!1!!!!1!42!!!FORTY-TWO!!!!1!!
- Flyngwalrus, on 10/12/2007, -8/+1 I'm off the scales. My passwords rule!
- Jibberish, on 10/12/2007, -12/+1 Yup
- Shizlak, on 10/12/2007, -1/+4 Uhh, how is this relevant to anything? Class F for 96 possible characters, for instance, will go through 85 million possible combinations "instantly". What password system allows you to put in 85 million passwords at once? How would you get the computer to interface with the password input box? Windows XP locks you out after 5 or so password attempts, then you have to reset. Gmail makes you put in a character recognition thingy. Also, you will always be at the mercy of the server's or computer's slowness.. So tell me again, what the hell kind of password are they talking about cracking?
- Jibberish, on 10/12/2007, -0/+3 You don't. You take the file that contains the "encrypted" password off of the target computer and run the PW cracking program on another computer against the "encrypted file". More or less.
You have to know which file on the target computer is the PW file though.
- Shizlak, on 10/12/2007, -1/+3 So someone would have to break into my house, and this does not apply to anything online. Gotcha.
Password cracking seems kind of trivial when people just ran off with your computer, TV, jewelry and all your other valuable possessions...
- acceler8, on 10/12/2007, -1/+1 It's a little less trivial when someone dumps the file from a computer at their place of business, cracks a password, elevates their privileges and walks away with a crapload of your personal information.
- Bhima, on 10/12/2007, -0/+3 Or they could recover all the passwords from users of a given website... like Digg, for example... I'm sure our Digg passwords are not stored in a very secure manner. Or look at the other choices... eBay, PayPal, online banking... etc. All a professional has to do is get the file with the password hashes.
Incidentally, if you read the article carefully you will see that it's fairly old, and that the data it uses is probably a little older. Moore's law has provided us with at least an order of magnitude speed increase. Coupled with the more advanced Time-Memory Trade-Off attacks, I think the whole table would fall to "Nearly Instant"... so given the password hashes of slashdot and digg you could have all of the passwords before lunch.
- Durinthal, on 10/12/2007, -0/+1 Going by that site, my most secure password would take about 1.3 * 10^27 years to break using the "class F" attack. The fact that I change it every 90 days doesn't help any either.
- toveling, on 10/12/2007, -0/+1 This is all highly dependent on what exactly is being cracked. Cracking a DES-encrypted file will go a lot faster than an AES-encrypted equivalent. And as was stated, this is all worst-case find times for brute forcing. If your password is AAAAAAAAA, it isn't going to take 600 years to crack. If your password is in a standard password dictionary (which can be very large - a 250mb plaintext file), it is very easy to crack.
- diecastbeatdown, on 10/12/2007, -0/+1 Also there are larger dictionaries out there and what are called rainbow tables. Basically 80% of the time a password will be contained in these, so after throwing the tables at it, if you don't get your password then do a brute-force. But if you're really concerned, of course you'll need to do one-time use passwords and get them over a secure channel for any remote access.
- evilpig, on 10/12/2007, -3/+1 On my main email account, I use a password that will take CLASS F more than 2 years to crack.
- hammydude, on 10/12/2007, -3/+4 Yeah f that, I'll just go dumpster diving :)
- kevogod, on 10/12/2007, -2/+2 @trump (meant to reply)
Your password became less secure by disclosing this information. I now know to only use a password of length 8, mixed case, and numbers.
- zoxed, on 10/12/2007, -1/+1 > Your password became less secure by disclosing this information. I now know to only use a password of length 8, mixed case, and numbers.
Unless he/she lied and it is actually 7 characters: then you will never get it!
- breakneckridge, on 10/12/2007, -0/+4 This doesn't take into account how quickly computers are getting faster. These are the lengths of time at present, but in ten years it will take much less time for the same password. What will we do for security then?
- Bhima, on 10/12/2007, -0/+2 If you look at the article closely you will see that it's a little old (Jan 2004) and the data used is a little older (Pentium 100). So just based on Moore's law we've surpassed this by at least an order of magnitude... Add to that new cracking methodologies like Time-Memory Trade-Offs and most of that table probably should just read "nearly instantaneous"
- natch, on 10/12/2007, -0/+1 An amazingly naive analysis for a security site. Doesn't take salt into account, for one thing; granted, salt isn't always part of the picture, but at least mention it. And giving an example like B33r&Mug without mentioning dictionary attacks might lull some readers into a false sense of security. Also the page should mention the old "sniff the IP traffic after requesting a poorly-coded web site to email the forgotten password" attack and other similar types of attacks.
- thepctech, on 10/12/2007, -1/+1 How long to crack my fingerprint reader?
- Shizlak, on 10/12/2007, -1/+2 15 mins to run to the store and buy Silly Putty?
- kevogod, on 10/12/2007, -0/+2 The amount of time required to crack your fingerprint reader would be dependent on how the comparison data is stored. It would be more reasonable to find a security hole in the fingerprint reader itself than going after the fingerprint "password".
- Mac2492, on 10/12/2007, -1/+7 With a hammer, about a second - why?
- jwigum, on 10/12/2007, -0/+1 Well... Does your scanner check to see if the finger is attached, or if you're conscious? Or if you've washed your hands before using it?
- xafan, on 10/12/2007, -5/+5 This list is retarded. It's completely theoretical. It's assuming that you have a password cracker written in ASM which is also its own bootable OS on a system where the RAM is instant. This is *also* assuming that your password is cleartext, which it would not be.
Call me when this list includes variables for network connections, encryption, OS drain, hardware drain and specific password cracker types.
And yes, you're also retarded for digging this.
- xafan, on 10/12/2007, -2/+1 Oh, and for those who think this list might be even slightly accurate: go download Brutus (a rather popular protocol cracker), set up a local server of some sort and try to crack it. I promise you cracking a 4-character password will not be "instant" even on a local connection.
- xswag, on 10/12/2007, -0/+7 Password selection rules
CORPORATE DIRECTIVE NUMBER 88-570471
In order to increase the security of all company computing facilities, and to avoid the possibility of unauthorized use of these facilities, new rules are being put into effect concerning the selection of passwords. All users of computing facilities are instructed to change their passwords to conform to these rules immediately.
RULES FOR THE SELECTION OF PASSWORDS:
1. A password must be at least six characters long, and must not contain two occurrences of a character in a row, or a sequence of two or more characters from the alphabet in forward or reverse order. Example: HGQQXP is an invalid password. GFEDCB is an invalid password.
2. A password may not contain two or more letters in the same position as any previous password. Example: If a previous password was GKPWTZ, then NRPWHS would be invalid because PW occurs in the same position in both passwords.
3. A password may not contain the name of a month or an abbreviation for a month. Example: MARCHBC is an invalid password. VWMARBC is an invalid password.
4. A password may not contain the numeric representation of a month. Therefore, a password containing any number except zero is invalid. Example: WKBH3LG is invalid because it contains the numeric representation for the month of March.
5. A password may not contain any words from any language. Thus, a password may not contain the letters A, or I, or sequences such as AT, ME, or TO because these are all words.
6. A password may not contain sequences of two or more characters which are adjacent to each other on a keyboard in a horizontal, vertical, or diagonal direction. Example: QWERTY is an invalid password. GHNLWT is an invalid password because G and H are horizontally adjacent to each other. HUKWVM is an invalid password because H and U are diagonally adjacent to each other.
7. A password may not contain the name of a person, place, or thing. Example: JOHNBOY is an invalid password.
Because of the complexity of the password selection rules, there is actually only one password which passes all the tests. To make the selection of this password simpler for the user, it will be distributed to all supervisors. All users are instructed to obtain this password from his or her supervisor and begin using it immediately.
Google
Password Jokes
I'm Feeling Lucky.
- cranium, on 10/12/2007, -1/+5 Phishing is still much easier than cracking.
- xswag, on 10/12/2007, -0/+1 That's a pretty cool article. I'm a freak when it comes to passwords. I have to use a password manager to store them all because I could never remember an 18+ alphanumeric special-char password. Especially with all the sites that ask for them now. It's a good practice and you can carry around a USB key with all of them encrypted on it.
I use Password Agent right now. If anyone has an alternative software title, let me know.
- pcgeek101, on 10/12/2007, -0/+4 http://keepass.sourceforge.net/
- Zeusandhera, on 10/12/2007, -0/+3 Does a brute force password attack start in any particular area? Like with 0's or a's and work to the end of the alphabet? If so, I want to change my password to zzzzzzzzzzzz
- paroxsitic, on 10/12/2007, -0/+4 It's my understanding that these are times if you knew the exact length of the password.
96^8 = 7.2 Quadrillion
It should be 7.2 Quadrillion plus the combos for 2, 3, 4, 5, 6, 7. If you were actually trying to brute-force a password and you have no idea of its length, it would first go through the 2 character, then 3, then 4, then 5..
But, for an example, the password cracker would start with 000000000 and go to 999999999 (based on 10 chars), whereas if someone's password was 6 characters long, the cracker wouldn't even attempt it. It should attempt 00-99 first, then 000-999, then 0000-9999, etc.
- svnft, on 10/12/2007, -1/+1 You beat me to it, I need to type faster.
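An added example (not from the Digg thread or the lockdown.co.uk article) that implements the procedure TeacherOfHeroes describes and paroxsitic's correction for an attacker who does not know the length: raise the character-set size to the password length, divide by the attack class's guesses per second, then divide down into readable units. The class A and F guess rates and the character-set sizes are the ones the commenters quote; everything else, including the unit formatting, is assumed.

```python
"""Brute-force crack-time estimate, following the procedure in the thread:
charset^length guesses, divided by the attack class's guesses per second,
then divided down into minutes, hours, days, years and multiples of years."""

# Guesses per second the commenters attribute to the slowest and fastest
# attack classes (class A: 10,000 per second; class F: 1,000,000,000).
CLASS_A = 10_000
CLASS_F = 1_000_000_000

# Character-set sizes used in the discussion.
LOWER = 26          # a-z ("love")
MIXED_CASE = 52     # a-z plus A-Z (TeacherOfHeroes' 52^19)
ALNUM_MIXED = 62    # plus digits (.Steven's 62^18)
PRINTABLE = 96      # plus common symbols (0x0000ff's 96^10)

SECONDS_PER_YEAR = 60 * 60 * 24 * 365   # 365-day year, as the thread divides


def combinations(charset: int, length: int, all_shorter: bool = False) -> int:
    """Key space for one exact length, or, with all_shorter=True, for every
    length from 1 up to `length`, which an attacker who does not know the
    length has to cover (paroxsitic's point). The geometric sum is only
    charset/(charset-1) times the top term, so for a 96-character set the
    shorter lengths add about 1%, which is why the total still rounds to
    the same figure."""
    if charset < 2 or length < 1:
        raise ValueError("charset must be >= 2 and length >= 1")
    if all_shorter:
        return sum(charset ** k for k in range(1, length + 1))
    return charset ** length


def worst_case_seconds(charset: int, length: int, guesses_per_second: int,
                       all_shorter: bool = False) -> float:
    """Seconds to exhaust the key space at the given guess rate. On average a
    password falls after about half of this, and a dictionary or precomputed
    table attack ignores the key space entirely, so this bounds brute force
    only."""
    return combinations(charset, length, all_shorter) / guesses_per_second


# Multiples of a year, largest first, for the last step of the procedure.
_YEAR_SCALES = (
    ("octillion", 1e27), ("septillion", 1e24), ("sextillion", 1e21),
    ("quintillion", 1e18), ("quadrillion", 1e15), ("trillion", 1e12),
    ("billion", 1e9), ("million", 1e6),
)


def _fmt(value: float) -> str:
    """Three significant figures below 1000, thousands separators above."""
    return f"{value:,.0f}" if value >= 1000 else f"{value:.3g}"


def human_time(seconds: float) -> str:
    """Divide by 60, 60, 24 and 365, then by powers of 1000, until the
    number is readable (step 3 in the thread)."""
    if seconds < 60:
        return f"{_fmt(seconds)} seconds"
    minutes = seconds / 60
    if minutes < 60:
        return f"{_fmt(minutes)} minutes"
    hours = minutes / 60
    if hours < 24:
        return f"{_fmt(hours)} hours"
    days = hours / 24
    if days < 365:
        return f"{_fmt(days)} days"
    years = seconds / SECONDS_PER_YEAR
    for name, scale in _YEAR_SCALES:
        if years >= scale:
            return f"{_fmt(years / scale)} {name} years"
    return f"{_fmt(years)} years"


def crack_time(charset: int, length: int, guesses_per_second: int,
               all_shorter: bool = False) -> str:
    """Human-readable worst-case brute-force time for one password shape."""
    return human_time(worst_case_seconds(charset, length, guesses_per_second,
                                         all_shorter))


if __name__ == "__main__":
    cases = (
        ("'love' (26^4) vs class A", LOWER, 4, CLASS_A, False),
        ("96^10 vs class F", PRINTABLE, 10, CLASS_F, False),
        ("52^19 vs class F", MIXED_CASE, 19, CLASS_F, False),
        ("96^8 vs class F, exact length", PRINTABLE, 8, CLASS_F, False),
        ("96^8 vs class F, lengths 1-8", PRINTABLE, 8, CLASS_F, True),
    )
    for label, cs, n, rate, shorter in cases:
        print(f"{label}: {crack_time(cs, n, rate, shorter)}")
```

The exact-length figures reproduce the ones commenters post (46 seconds for "love" at class A, 2108 years for 96^10 at class F, 83.5 days for 96^8), and the lengths-1-to-8 run shows how little the shorter lengths add.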
- sc0ticus, on 10/12/2007, -0/+2 This is theoretically correct, but it is a naive approach that is too linear; it wouldn't go from 0 to zzzzzzzzz. Password cracking (or deciphering in general) is not so cut and dry as this. There's a lot more art to it. I'm sure there are frequency statistics available for the most common length of a password, second one, etc... So start with six-letter combinations, then five-letter combinations, then seven, then whatever is fourth.
The second approach of going from 0-Z, etc... is also a bad approach; dictionary attacks use the common English words, variations such as 7 for T, 1 for L, etc...
Finally, as much information about the target would be gathered to try other guesses.
For more about cryptography in general, try the great book "The Code Book" by Simon Singh. It's a great introduction to a history of cryptography and the techniques from Caesar, the Enigma, to current day RSA/PGP.
- paroxsitic, on 10/12/2007, -0/+1 sc0ticus -
You are probably right. I know nothing about cracking passwords or the like; I just noticed there would be more than just the password's direct length combinations
- paroxsitic, on 10/12/2007, -1/+1 Accident
- yahoofrom, on 10/12/2007, -0/+1 But if you add 7.2 Quadrillion, 75 Trillion, 782 Billion, and blah blah, the sum is just 7.2 Quadrillion (according to physicists' way of calculation).
Well, physicists will not use the word Quadrillion though.
- svnft, on 10/12/2007, -0/+0 Maybe I'm looking at it wrong, but I think the numbers are flawed because it's assuming they would know how long the password is. If your password is 9, but they choose to start with 8 digit combinations it's going to take a lot longer. If your password is 12 and they started with 8...
- anagoge, on 10/12/2007, -3/+4 Dugg for the use of the word "sextillion".
- thegreypilgrim, on 10/12/2007, -2/+1 If you want a really strong password, head to GRC.com where Steve Gibson runs a password generator served over a secure connection...
https://www.grc.com/pass
A couple of his podcasts make very interesting listening on WEP/WPA and encryption in general.
- Buelldozer, on 10/12/2007, -0/+2 Am I the only person to notice that this article is over two years old AND most of its "speed" guesses are built around a Pentium 100?
- NeoNevermore, on 10/12/2007, -0/+1 Can anyone imagine a brute force attack for MD5 hashes with a class F attack?
- AhmedB, on 10/12/2007, -1/+2 Ok, secure password generator, 50 characters, and here's the output....
@9x!6s85@jC7!_7375NB5i6Xs!@Kl1xNZ9365Qb$gi9u3ffl!9
How long would it take me to learn it?!
- rayblasdel, on 10/12/2007, -0/+2 Ack, that just looks scary. I draw pictures on the keyboard.
- TimmyFranks, on 10/12/2007, -0/+1 The problem is that different types of storage mediums take different lengths of time to crack. NTLM doesn't take very long if you have a rainbow table with all the passwords already pregenerated.
- macaholic, on 10/12/2007, -0/+3 Class A = 302,603 years
Class F = 3 years
I'm not changing my password.
(Why is class F the best if in schools an F is failing?) Sorry, that didn't make much sense to me...
- .Steven, on 10/12/2007, -0/+2 ((((((62^18) / 76 600 000 000) / 60) / 60) / 24) / 365.25) / 1 000 = 7.580846 x 10^10
So... 7.580846E10 millenniums!!! (Using something faster than Distributed.net's Project Bovine RC5-64)
(And that is only my password for Digg!!! (Think more of around 256 chars (not bits but bytes) using the whole ASCII table)
- .Steven, on 10/12/2007, -0/+1 Oh.. yes I do have a very good memory.
- kevin2735, on 10/12/2007, -0/+2 Your password is only as strong as where you use it. Take a look at the Windows Registry, specifically the Protected Storage for Internet Explorer. I was able to access all of the passwords a user entered for accessing password-protected sites on the Internet. This ultimately allowed me access to highly encrypted files elsewhere on the hard drive. People are lazy and will use the same credentials for everything.
- H2Oloo, on 10/12/2007, -0/+3 That's why the safest place to save your passwords is via pen and paper ... and I guess that is even insecure if you lose it.
- karamba_kid, on 10/12/2007, -0/+1 Watch out for key-catchers and insecure protocols. I also really hate when I enter my password into an instant message conversation by accident and press send :-[
- yourowndisaster, on 10/12/2007, -0/+1 I love my linux root password...
20 19.9 Octillion 63 Quadrillion years 6.3 Quadrillion years 631 Trillion years 63.1 Trillion years 6.3 Trillion years 631 Billion years
- whalesalad, on 10/12/2007, -1/+1 Hah, I cracked my principal's password in a few hours. Most teachers took seconds.
- bman212121, on 10/12/2007, -0/+2 Unfortunately, this article is way off! It may hold true for a standard brute force, but it's nowhere near reality when using other types of attacks. Here is a good example. An article done by MS about the differences between Passwords and Passphrases goes into detail about how quickly a password can actually be cracked using other methods. http://www.microsoft.com/technet/community/columns/secmgmt/sm1004.mspx
Quote
For instance, assume the passwords are non-dictionary words using 8 characters with at least three of the four character types, and they expire in 70 days. For an attacker with no prior knowledge of any of those passwords to guess one of them before it expires would require the computer to have a network bandwidth of 53,000 T-3 (44.736 Mbps each). This is required just to send the authentication traffic required to try half of all the possible passwords (assuming each is equally likely).
A cracking attack against all possible 8-character passwords using the 76-character set will, based on that test rate, take 6 years. Of course, many of the passwords will be found in much less time, and any given password will statistically be found in half that time. If the passwords are only 7 characters cracking the full set will take only about 28 days.
/END Quote
This coming from 2004 as well. If you read on, parts 2 http://www.microsoft.com/technet/community/columns/secmgmt/sm1104.mspx
and 3 http://www.microsoft.com/technet/community/columns/secmgmt/sm1204.mspx
will give you a better idea of the actual randomness involved in passwords. A lot of passwords are not even close to random, like the b33r&MUG password, which could be represented as 3 parts, and only be as strong as a truly random 3 character password.
- crass, on 10/12/2007, -0/+0 @ Bman: "like the b33r&MUG password, which could be represented as 3 parts, and only be as strong as a truly random 3 character password."
Are you saying that English, l33t, or other languages' words could be considered to be single characters? If you take a look at the article, you'll see that the security of a given password length (3 in your case) increases exponentially with the number of possible characters in the sample set. How many of these "characters", which are composed of words, do you think would be tested by such an attack? I can assure you that there would be several hundred thousand, at least, using proper English language words only. This would yield 3 to the several-hundred-thousand as the number of possible combinations for your "3 character" password.
- anagami, on 07/02/2008, -1/+1 What about interrupting net connections for some seconds when someone may be trying to guess a password? Will it have to start all over? Will it make the password uncrackable?
- JulianTosh, on 10/12/2007, -0/+2 None of this matters, especially to a government agency intent on invading your privacy. Why brute-force crack your 64-character password when they can legally force your OS manufacturer to install a backdoor to reveal your keystrokes or monitor the RF coming off your keyboard from the black helicopter hovering over your house?
:|
- swereska, on 10/12/2007, -0/+1 Riiiiight, but a class A attack assumes 10,000 attempts per second. . .
Quite a few systems I've worked on will blindly lock a user out for between 3 and 360 min. after 3 incorrect attempts . . . say the average lockout is 30 min . . . an attack on a 2-digit number-only pw is now over 16 hours. And who the hell has a 2-digit numbers-only password? The combination below this box is 5 digits alphanumeric. Hell, the combination on my luggage has 3 digits . . . (and they go in order)
- thegreypilgrim, on 10/12/2007, -0/+3 True dat.
But some stuff can be brute-force attacked "off-line", so the attempts per second/minute/hour are irrelevant. Take any wireless network for example - sniff a few packets, take 'em away for analysis/key-attack. A weak key can be cracked easily - return to the network and you're in - with a single valid response to a password/key challenge. However, use a long random ASCII key, and your WPA encrypted network is as good as completely locked tight.
- lukas88, on 10/12/2007, -0/+1 3 1/2 minutes, nice!
Or anyone driving to my house with a good memory for street names = instant.
I know my password sucks, but anyone who wants to read my mail can. Or impersonate me on digg, not necessarily something out of my worst nightmare. Beats having to remember some hardass password every time.
- crass, on 10/12/2007, -0/+1 Please don't use online banking.
- Ignignokt01, on 10/12/2007, -0/+1 Woo, I'm safe, because the password I use for practically everything is jk0ulz0Rk (even my important stuff like my PayPal account!! They'll never get me!!!)
jk guys :P
- Ericular, on 10/12/2007, -0/+1 Just watch out for rainbow tables with certain types of hashes. If you've already used distributed computing to precompute all possible password-hash relationships beforehand, you can crack virtually any LM or NTLM password in relatively no time.
http://www.rainbowcrack.com
- jasqwerty, on 10/12/2007, -0/+1 He could have just given a simple formula.
Charset size^length / class speed -> (whatever time scale you want) -> answer