Chris Berry wrote:
>
> Assume Windows 2000 NTLMv2
>
> A fairly common answer for a good password would be something like
>
> JX.27vf
>
> I'm curious about something like this though
>
> thisisalongpassword
>
> Or
>
> theusgotbeatbygermany
>
> Are these bad passwords, and if so why?
Once we fix a maximum password length and the kinds of characters allowed in such passwords then there are only so many of these kinds of passwords. Call this the password space. If all the passwords are equally likely and the password space has n elements, then choosing a password of this type at random, we only expect a 1 in n chance of success. When n, the password space, is large this probability quickly gets small. When n is very large, it will even take fast computers a long time to test enough cases to get a reasonable chance of success.

If we have passwords of length 2 using only lower case letters from the English alphabet then the password space is 26*26 or 676. While on one guess 1/676 isn't a great probability, it is easy for even a human to check all 676 cases. Now suppose that almost all humans that use length 2 passwords only choose vowels. Then the chance of random guessing is 1 in 25 (aeiou*2), which is much better.

This analogy scales for passwords of length 19. Now if we use just alphanumeric characters (upper case and lower case) we get ([a-z]+[A-Z]+[0-9])**19 = 62**19, which is 11361668153983839080134359106715648, which is a lot of cases to check, and a very low probability of success on a random guess.

However, when I implement my password cracker, I expect that very few human beings are able to memorize a random string of 19 alphanumeric characters. So I am going to search for phrases and expressions that are easy to remember, that I can find in movie or book titles and so on. If you look at "crack" programs and see how they operate, with dictionaries and so on, you will see how this works.

To summarize this brief argument. In so far as the password thisisalongpassword has 19 letters, it is a strong password. But as a 19 length password, it is weak in some sense. Check out discussions of cryptographic key length for more detail in this vein.

Chris
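The gap between a password's nominal space and the space a dictionary-aware search has to cover, as a password-policy check. This is an added example, not part of the original message; the wordlist is constructed and the 10,000-word dictionary size is an assumption.

```python
import math

# Constructed sample wordlist; a real policy check would load a large
# dictionary of common words, names and titles.
WORDS = {"this", "is", "a", "long", "password",
         "the", "us", "got", "beat", "by", "germany"}
ASSUMED_DICT_SIZE = 10_000  # assumption: words come from a 10,000-word list


def charset_size(pw):
    """Alphabet size implied by the character classes present in pw."""
    classes = [(str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
               (lambda c: not c.isalnum(), 33)]  # 33 printable ASCII symbols
    return sum(n for test, n in classes if any(test(c) for c in pw))


def segment(pw, words=WORDS):
    """Fewest dictionary words that concatenate to pw, or None if impossible."""
    best = [None] * (len(pw) + 1)  # best[i] = shortest split of pw[:i]
    best[0] = []
    for end in range(1, len(pw) + 1):
        for start in range(end):
            piece = pw[start:end].lower()
            if best[start] is not None and piece in words:
                cand = best[start] + [piece]
                if best[end] is None or len(cand) < len(best[end]):
                    best[end] = cand
    return best[len(pw)]


def estimate_bits(pw):
    """Return (nominal_bits, effective_bits).

    nominal   = log2(alphabet ** length), every string equally likely
    effective = log2(dict_size ** word_count) when pw is a run of dictionary
                words; phrase structure would lower it further (not modelled).
    """
    nominal = len(pw) * math.log2(charset_size(pw))
    parts = segment(pw)
    if parts is None:
        return nominal, nominal
    return nominal, min(nominal, len(parts) * math.log2(ASSUMED_DICT_SIZE))


if __name__ == "__main__":
    for pw in ("JX.27vf", "thisisalongpassword", "theusgotbeatbygermany"):
        nominal, effective = estimate_bits(pw)
        print(f"{pw:24} nominal={nominal:6.1f} bits  effective={effective:6.1f} bits")
```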
