OK, you sold me. ;) Please see updated options and documentation at:
http://www.hammerofgod.com/passwordcheck.aspx

I give the classes of attack, but I don't have any real reference to what the classes represent, nor could I find any (well, I found one, but it didn't seem accurate). So, if you would like to come up with some analogous references (as in, what it takes to get 1,000,000,000 per second) then let me know and I'll post them.

t

>-----Original Message-----
>From: listbou...@securityfocus.com [mailto:listbou...@securityfocus.com]
>On Behalf Of Wayne Anderson
>Sent: Friday, July 16, 2010 9:28 PM
>To: Thor (Hammer of God) TGP; 'Murda'; focus-ms@securityfocus.com;
>'Serban Oprescu'
>Subject: RE: TGP Password Strength Checker online
>
>I think this brings up a slightly more important question.
>
>What are you trying to accomplish here?
>Who are you trying to reach with this?
>
>Please don't get me wrong. I like this application. It's free. It's
>straightforward for someone already familiar with PKI mechanisms and similar
>applications. It works as advertised at the moment.
>
>I think as the developer you have to think about whether you intend this to
>be yet another niche application choice for those of us already in the security
>profession (and assumedly familiar with other offerings in the
>space) OR if, as I see this application having the potential to do, making
>encryption more accessible for a lower-functional-capability user base.
>
>If the latter, then it brings up simplification of the UI (or at least a
>config choice to use a simple UI). And it also then brings up the point that I made. You
>know what class F is. I know what class F is. That lower-class-of-user
>doesn't understand what class F is, what it means, how likely it is an attacker would
>have access to a billion-permutations-per-second capable configuration to use
>as a brute force platform, etc.
>
>Yes, absolutely, it's words and graphics and
>window dressing, but I think this application has great potential for those
>interested in encryption but intimidated by the details of using real x509 PKI,
>etc, etc.
>
>The other point that I would make here is even if the choice you make is that
>you don't care about having the capability to make encryption more
>accessible. Even if you say "I put this out there because there is a community
>that might like to use this tool and I wanted to play with some ideas I had", it
>would be really useful for me to make the choice that I want to drop down to
>class E (an average desktop hacker) or step it up to greater and greater
>workload capability as the assumption for the capability of the opposition.
>
>It's your app, and I appreciate the work you have put in here. It's a great
>release and much appreciated. I would be very curious if you wanted to
>either directly or publicly comment on the intent question.
>
>-W
>
>
>-----Original Message-----
>From: Thor (Hammer of God) [mailto:t...@hammerofgod.com] On Behalf Of
>Thor (Hammer of God) TGP
>Sent: Friday, July 16, 2010 8:23 PM
>To: wfra...@wynweb.net; 'Murda'; focus-ms@securityfocus.com; Serban
>Oprescu
>Subject: RE: TGP Password Strength Checker online
>
>+ Serban to merge thread:
>
>I actually thought about that when I was first coding up the tool: Given that
>we already have Class A - F (10,000 - 1,000,000,000 passwords per second
>respectively) I just decided to go with the worst case scenario for the user.
>We really can't qualify exactly WHO is going to be attacking our passwords
>(passphrases) so I think it just makes sense to approach it from a
>more tactical standpoint. While it may not be the most practical
>assumption, planning for a group of supercomputers working in conjunction
>to crack your encrypted data and interacting with policy as if that is the
>least common denominator (even though it's not) seemed the best way to go.
>
>I can certainly add categories to the algorithm, but I don't really know how
>valuable that would be. Using Class F as the base (though the highest
>classification) will always yield a tangible, measurable time value
>irrespective of technology advances. At some point we'll be at Class Q, but then we'll just
>add a few more zeros to the calculation if/when it becomes feasible.
>
>I'm more than happy to provide a drop-down box, but I really don't see the
>"end-of-the-day" value.
>
>t
>
>>-----Original Message-----
>>From: listbou...@securityfocus.com
>>[mailto:listbou...@securityfocus.com]
>>On Behalf Of Wayne Anderson
>>Sent: Friday, July 16, 2010 10:40 AM
>>To: 'Murda'; focus-ms@securityfocus.com
>>Subject: RE: TGP Password Strength Checker online
>>
>>I would love to see some basic option to configure what your assumption
>>is for compute resources to apply.
>>
>>Maybe a drop box with a couple of presets predicated on example
>>configurations. E.g. a choice of "A modern desktop", "A modern
>>multi-proc server", "A modern single HPC Server", "a distributed
>>10-server array", and [insert one of the top 10 from the current list
>>of supercomputers here, preferably one government owned]
>>
>>I think the password strength tool is almost as useful (when mature) as
>>the rest of the offering.
>>
>>-W
>>
>>-----Original Message-----
>>From: listbou...@securityfocus.com
>>[mailto:listbou...@securityfocus.com]
>>On Behalf Of Murda
>>Sent: Thursday, July 15, 2010 7:33 PM
>>To: focus-ms@securityfocus.com
>>Subject: RE: TGP Password Strength Checker online
>>
>>I like the idea behind the tool, somewhat, but I don't know how exact
>>it can be. I think Alexander's reasoning below has some strength behind
>>it. Is it something like trying to predict when a random number might
>>come up? Keep rolling an n-faced die for long enough and sometimes your
>>number may come up near the 'beginning' or near the 'end'. Who can say?
>>Obviously, that all depends on how the program is actually implemented
>>to brute force. Is it purely sequential?
>>Which also makes me wonder, what is the 'seconds to crack' based on? A
>>single machine? An array of distributed machines etc?
>>I think you can give some 'good' idea of how strong the passphrase is
>>but maybe not as exact as you hope. I could be wrong (and often am).
>>
>>-----Original Message-----
>>From: listbou...@securityfocus.com
>>[mailto:listbou...@securityfocus.com]
>>On Behalf Of Alexander Klimov
>>Sent: Wednesday, July 14, 2010 6:54 PM
>>To: focus-ms@securityfocus.com
>>Subject: Re: TGP Password Strength Checker online
>>
>>On Tue, 13 Jul 2010, Thor (Hammer of God) wrote:
>>> However, what IS different is that you can actually get an idea of
>>> exactly how many iterations it will take to crack both a particular
>>> password specifically and the keyspace it "lives" in, apply that to
>>> actual TIME required to crack it. I like that part, and have found
>>> it to be valuable, so here it is in case you do as well.
>>
>>An incorrect precise number is worse than no number at all: if you
>>assure the user that it takes 129,052,722,140 iterations to guess password
>>"password", or
>>2,322,220,814,264,750,000 to guess "qwerty123456", it only misleads.
>>The real attackers start guessing not from "a", but in the
>>most-probable-first order.
>>What this order is depends on the traits of the mark: the first
>>password to try can as well be "password", "qwerty123456", or "salasana".
>>
>>--
>>Regards,
>>ASK
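An added illustration of the two guess counts argued over in this thread (example code, not the TGP tool's own). It assumes the tool's "iterations" figure is the one-indexed position of the password when a cracker enumerates every string over a fixed alphabet in order, shortest first; under that assumption, lowercase a-z reproduces the 129,052,722,140 quoted for "password" exactly, and the Class A-F rates from the thread turn it into seconds. The short most-probable-first wordlist is constructed here to show Alexander's point that the same password can be guess number one.

```python
# Added example, not the TGP tool's code. Models the thread's two ways of
# counting guesses. Assumption: the sequential count enumerates a fixed
# alphabet in order, lengths 1..len(password), one-indexed.
from typing import Dict, List

# Class A-F from the thread: 10,000 .. 1,000,000,000 guesses per second.
CLASS_RATES: Dict[str, int] = {c: 10 ** (4 + i) for i, c in enumerate("ABCDEF")}

LOWERCASE = "abcdefghijklmnopqrstuvwxyz"


def sequential_guess_index(password: str, alphabet: str = LOWERCASE) -> int:
    """One-indexed position of `password` when a cracker tries every string
    over `alphabet` in order: all length-1 strings, then length-2, and so on."""
    base = len(alphabet)
    n = len(password)
    # Every shorter string is tried before any string of this length.
    skipped = sum(base ** k for k in range(1, n))
    # Among length-n strings, the password sits at its base-`base` value.
    rank = 0
    for ch in password:
        rank = rank * base + alphabet.index(ch)
    return skipped + rank + 1


def seconds_to_crack(guesses: int) -> Dict[str, float]:
    """Worst-case time per class: the sequential guess count at each rate."""
    return {c: guesses / rate for c, rate in CLASS_RATES.items()}


# Constructed most-probable-first list (a real wordlist would be far longer).
COMMON_FIRST: List[str] = ["password", "123456", "qwerty123456", "salasana"]


def wordlist_guess_index(password: str, wordlist: List[str] = COMMON_FIRST) -> int:
    """Position if the attacker instead tries a wordlist in probability order;
    0 means the password is not on the list and the list gives no estimate."""
    return wordlist.index(password) + 1 if password in wordlist else 0


if __name__ == "__main__":
    pw = "password"
    seq = sequential_guess_index(pw)
    print(f"{pw}: sequential guess #{seq:,}")  # 129,052,722,140, as in the thread
    for cls, secs in seconds_to_crack(seq).items():
        print(f"  class {cls}: {secs:,.0f} s ({secs / 86400:,.1f} days)")
    print(f"{pw}: most-probable-first guess #{wordlist_guess_index(pw)}")
```

The gap between the two numbers for the same password is the reason a single "seconds to crack" figure is only a worst-case bound, not a prediction.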