I would love to see some basic option to configure what your assumption is
for compute resources to apply.

Maybe a drop box with a couple of presets predicated on example
configurations.  E.g. a choice of "A modern desktop", "A modern multi-proc
server", "A modern single HPC Server", "a distributed 10-server array", and
[insert one of the top 10 from the current list of supercomputers here,
preferably one government owned]

I think the password strength tool is almost as useful (when mature) as the
rest of the offering.

-W

-----Original Message-----
From: [email protected] [mailto:[email protected]] On
Behalf Of Murda
Sent: Thursday, July 15, 2010 7:33 PM
To: [email protected]
Subject: RE: TGP Password Strength Checker online

I like the idea behind the tool, somewhat, but I don't know how exact it can
be. I think Alexander's reasoning below has some strength behind it. Is it
something like trying to predict when a random number might come up? Keep
rolling an n-faced die for long enough and sometimes your number may come up
near the 'beginning' or near the 'end'. Who can say? Obviously, that all
depends on how the program is actually implemented to brute force. Is it
purely sequential?
Which also makes me wonder, what is the 'seconds to crack' based on? A
single machine? An array of distributed machines etc?
I think you can give some 'good' idea of how strong the passphrase is but
maybe not as exact as you hope. I could be wrong (and often am).

-----Original Message-----
From: [email protected] [mailto:[email protected]] On
Behalf Of Alexander Klimov
Sent: Wednesday, July 14, 2010 6:54 PM
To: [email protected]
Subject: Re: TGP Password Strength Checker online

On Tue, 13 Jul 2010, Thor (Hammer of God) wrote:
> However, what IS different is that you can actually get an idea of 
> exactly how many iterations it will take to crack both a particular 
> password specifically and the keyspace it "lives" in, apply that to 
> actual TIME required to crack it.  I like that part, and have found it 
> to be valuable, so here it is in case you do as well.

An incorrect precise number is worse than no number at all: if you assure
the user that it takes 129,052,722,140 iterations to guess password "password",
or 2,322,220,814,264,750,000 to guess "qwerty123456", it only misleads. The
real attackers start guessing not from "a", but in the most-probable-first
order.
What this order is depends on the traits of the mark: the first password to
try can as well be "password", "qwerty123456", or "salasana".

--
Regards,
ASK
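
As an added illustration (example code written for this page, not TGP's code and not posted by anyone in the thread), the script below models the two ways of counting that the thread argues about: the sequential brute-force position a checker like TGP reports, and the guess number under a most-probable-first attack. The character-set ordering is an assumption (lowercase a-z, then digits); with lowercase only it reproduces the 129,052,722,140 figure for "password" quoted above, while the lowercase-plus-digits ordering lands close to, but not exactly on, the quoted figure for "qwerty123456", so the tool's real ordering for mixed classes is unknown. The wordlist and the guesses-per-second presets (the kind of menu W asks for) are constructed round numbers, not measurements.

```python
# Added example, not TGP's code: sequential brute-force position versus
# most-probable-first guess number, plus "seconds to crack" under presets.
import string

# Assumed charset order: lowercase a-z first, then digits 0-9.  Lowercase
# only reproduces the 129,052,722,140 figure for "password" from the thread.
LOWER = string.ascii_lowercase
DIGITS = string.digits


def infer_charset(password):
    """Smallest set of classes that covers every character of the password."""
    charset = ""
    if any(c in LOWER for c in password):
        charset += LOWER
    if any(c in DIGITS for c in password):
        charset += DIGITS
    if any(c not in LOWER + DIGITS for c in password):
        raise ValueError("example only handles lowercase letters and digits")
    return charset


def sequential_guess_number(password, charset=None):
    """1-based position of `password` when an attacker enumerates every
    string over `charset`, shortest length first and in charset order
    (a, b, ..., z, aa, ab, ...)."""
    charset = charset or infer_charset(password)
    n = len(charset)
    # Every string strictly shorter than the password is tried first.
    shorter = sum(n ** k for k in range(1, len(password)))
    # Within its own length the password is a mixed-radix number.
    value = 0
    for ch in password:
        value = value * n + charset.index(ch)
    return shorter + value + 1


# Constructed (hypothetical) most-probable-first list standing in for a
# leaked-password frequency list; real lists run to millions of entries.
PROBABLE_FIRST = ["123456", "password", "12345678", "qwerty",
                  "qwerty123456", "salasana"]


def probable_guess_number(password, wordlist=PROBABLE_FIRST):
    """Guess number under a most-probable-first attack, or None when the
    password is not on the list and the attacker has to fall back."""
    try:
        return wordlist.index(password) + 1
    except ValueError:
        return None


# Illustrative guess rates (hypothetical round numbers, not measurements)
# for the kind of compute preset menu suggested in the thread.
PRESET_GUESSES_PER_SECOND = {
    "modern desktop": 1e8,
    "multi-proc server": 1e9,
    "10-server array": 1e10,
}


def seconds_to_crack(guess_number, preset):
    """Time to reach guess_number at the preset's assumed rate."""
    return guess_number / PRESET_GUESSES_PER_SECOND[preset]


def report(password):
    """Side-by-side view of the sequential figure and the realistic one."""
    seq = sequential_guess_number(password)
    lines = [f"{password!r}: sequential guess #{seq:,}"]
    for preset in PRESET_GUESSES_PER_SECOND:
        lines.append(f"  {preset}: {seconds_to_crack(seq, preset):,.0f} s")
    lines.append(f"  most-probable-first guess #: {probable_guess_number(password)}")
    return "\n".join(lines)


if __name__ == "__main__":
    for pw in ("password", "qwerty123456", "salasana"):
        print(report(pw))
```

Run as-is, the report for "password" shows the 129-billion sequential figure (hours to days under the presets) next to guess #2 on the probable-first list, which is the gap Alexander is pointing at: the first number is exact for an attacker nobody runs, and the second depends entirely on which list the attacker starts from.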
