Hey Keith - great find, thanks. This one was interesting. As one can imagine, calculating the precise number of iterations to hit a specific password is not exactly easy, particularly given the different "base" character sets that I try to programmatically qualify. As such, I have to carve out different base strings to index in order to find the particular index of any particular character in any particular string. Your passphrase was recognized as base 36, meaning a-z lowercase and 0-9. However, it was indexing based on a base string of a-z, A-Z, and 0-9 as if it was a base 62 instead of base 36. As such, if it were base 62, that number would be correct, though it was comparing to a base 36 for the total keyspace.
I've added logic now to explicitly carve out base string indexes for each individual base group (10, 26, 36, 62, 72, and 96). It now behaves much better and aligns the "this password" base with the "keyspace" base as it should. The implementation in TGP operated the same way, and I've changed that as well, so thank you very much for your feedback. I've received some other really cool feedback from the community regarding features which will be implemented shortly. Thanks again.

t

>-----Original Message-----
>From: Keith Langmead [mailto:[email protected]]
>Sent: Thursday, July 15, 2010 4:01 AM
>To: Thor (Hammer of God); [email protected]
>Subject: RE: TGP Password Strength Checker online
>
>Hi Thor,
>
>Thanks for posting that, it definitely looks like a tool that will come in
>handy.
>That said, unless I'm missing something obvious I think you might have the
>labels for the results the wrong way around, since when checking a random
>password it will apparently take longer to crack my password than to crack
>the entire keyspace!
>
>Password Used : 53dsfkzabwvg (not a real one obviously)
>Iterations this password: 7,839,264,032,113,450,000
>Years to crack this password: 248.58
>Iterations for entire keyspace: 4,873,763,662,273,660,000
>Years to crack entire keyspace: 154.55
>
>Keith
>
>-----Original Message-----
>From: [email protected] [mailto:[email protected]]
>On Behalf Of Thor (Hammer of God)
>Sent: 13 July 2010 06:08
>To: [email protected]
>Subject: TGP Password Strength Checker online
>
>I've been thinking about standing up the Password Strength Checker tool in
>TGP online, so here it is:
>
>https://www.hammerofgod.com/passwordcheck.aspx
>
>For those not familiar with it, I wanted to come up with a better way of
>classifying what a "strong" password was (and wasn't). Admins can have
>"complex" password requirements, but they don't equate to any quantifiable
>strength of a password/phrase. Like with any math-based tool that attempts
>to do the thinking for a person, there are certain assumptions one must make
>about base keyspace derived from a password's characters, and this is no
>different. However, what IS different is that you can actually get an idea
>of exactly how many iterations it will take to crack both a particular
>password specifically and the keyspace it "lives" in, apply that to actual
>TIME required to crack it. I like that part, and have found it to be
>valuable, so here it is in case you do as well. The full skinny on what I'm
>doing here can be found at http://www.hammerofgod.com/tgp.aspx#password .
>
>Timothy "Thor" Mullen
>Hammer of God
>[email protected]
>www.hammerofgod.com
>
>
>
>--
>E-Mail sent using Agility Mail - www.agilitymail.co.uk
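
The base mismatch discussed in this thread, as an added Python example that is not part of the original messages and is not TGP's code. The scoring formula, the a-z-then-0-9 order of the base 36 string, and the rate of one billion guesses per second over a 365-day year are assumptions, chosen because they reproduce the figures Keith quoted.

```python
import string

# Base strings. The a-z, A-Z, 0-9 order comes from the reply in this thread;
# the order inside BASE36 (a-z then 0-9) is an assumption.
BASE62 = string.ascii_lowercase + string.ascii_uppercase + string.digits
BASE36 = string.ascii_lowercase + string.digits

GUESSES_PER_SECOND = 10**9           # assumed; inferred from the quoted years
SECONDS_PER_YEAR = 365 * 24 * 3600   # assumed 365-day year


def keyspace(base: int, length: int) -> int:
    """Every candidate of length 1..length over an alphabet of `base` symbols."""
    return sum(base ** k for k in range(1, length + 1))


def iterations(password: str, index_string: str, base: int) -> int:
    """Rank of `password` when candidates are tried shortest first, then in
    index_string order (digit values are 1-based positions in index_string)."""
    rank = 0
    for ch in password:
        rank = rank * base + index_string.index(ch) + 1
    return rank


def years(count: int) -> float:
    return count / GUESSES_PER_SECOND / SECONDS_PER_YEAR


def check(password: str) -> dict:
    base = 36  # this sketch covers only the lowercase-plus-digits group
    if any(ch not in BASE36 for ch in password):
        raise ValueError("password is outside the base 36 group")
    return {
        "keyspace": keyspace(base, len(password)),
        # Bug as described: base 36 arithmetic, but indexes from the base 62 string.
        "mismatched": iterations(password, BASE62, base),
        # Fix as described: index string and keyspace use the same base group.
        "aligned": iterations(password, BASE36, base),
    }


if __name__ == "__main__":
    for name, value in check("53dsfkzabwvg").items():
        print(f"{name:>10}: {value:,} iterations, {years(value):.2f} years")
```

With the index string aligned to the base, the last candidate of a given length ranks exactly at the keyspace total, so a single password can never exceed it.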
