The way L0phtcrack works is: a simple dictionary attack, followed by an appended dictionary attack (appending 1, 2, 3, etc. to the ends of words); it follows this with a brute force attack that is extremely fast. It can crack a 9 digit password with alpha, numeric, and symbols in less than 4 days on a fast computer (the password tested was "1Dethmch^"). Tested on a 1 GHz AMD with 500 megs of RAM.
----- Original Message -----
From: "Srakkt-Hriarh" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, June 26, 2002 1:37 PM
Subject: Re: Fwd: L0phtcrack3 Metrics

> On Friday 21 June 2002 08:07 pm, [EMAIL PROTECTED] wrote:
> > > It is worthwhile to note that as a brute-force cracking tool, LC3 is
> > > going through all the possible password permutations within the
> > > searchspace regardless of case of the letters therein. Indeed, if the
> > > attacker can limit the searchspace to all passwords containing only
> > > lowercase alphanumerics,
> >
> > This actually surprises me. I would expect that most attackers would try a
> > dictionary and simple permutation scan first, and I would have expected
> > that most brute-force cracking tools would start with the 'easy' scans
> > (lower case only, lower case and numbers, mixed case and numbers) before
> > attempting the 500-times harder scan through every possible character.
> > Either my numbers are wrong, your understanding of l0phtcrack is wrong, or
> > the guys at l0pht are stupid! I have to look into this!!
>
> In this case, it would seem that the second assertion is the accurate one.
>
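An added example, not part of either message and not L0phtcrack's code: a password-policy check that reports which of the three stages described in the reply above (dictionary, appended dictionary, brute force) would first reach a candidate password, with the size of the search space up to that point in bits. The wordlist, the function names, the case-insensitive dictionary match and the 95-character printable-ASCII alphabet are assumptions; it models only the guess order, not the hash format or the guess rate.

```python
import math
import re

# Constructed sample wordlist; a real audit would load the site's own list.
WORDLIST = {"password", "dragon", "letmein", "summer"}

# Character classes and their sizes. 33 = printable ASCII symbols plus space,
# so all four classes together give the 95 printable ASCII characters.
CLASSES = [
    (re.compile(r"[a-z]"), 26),
    (re.compile(r"[A-Z]"), 26),
    (re.compile(r"[0-9]"), 10),
    (re.compile(r"[^a-zA-Z0-9]"), 33),
]


def charset_size(password):
    """Size of the smallest class-based alphabet that covers the password."""
    return sum(size for pattern, size in CLASSES if pattern.search(password))


def search_space(password):
    """Number of candidates of exactly this length over that alphabet."""
    return charset_size(password) ** len(password)


def audit(password):
    """Return (stage, bits) for the earliest stage that reaches the password."""
    lowered = password.lower()  # assumption: dictionary match ignores case
    if lowered in WORDLIST:
        return ("dictionary", math.log2(len(WORDLIST)))
    # Appended dictionary: a wordlist entry followed by one or more digits.
    stem = lowered.rstrip("0123456789")
    if stem != lowered and stem in WORDLIST:
        suffixes = 10 ** (len(lowered) - len(stem))
        return ("appended-dictionary", math.log2(len(WORDLIST) * suffixes))
    # Otherwise only exhaustive search over the covering alphabet finds it.
    return ("brute-force", math.log2(search_space(password)))


if __name__ == "__main__":
    for candidate in ("dragon", "Summer2002", "1Dethmch^"):
        stage, bits = audit(candidate)
        print(f"{candidate!r}: {stage}, about {bits:.1f} bits")
```
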