As you pointed out, a smart hacker will try the dictionary cracker first, so the VX.97tf password will be tried first with the dictionary, then brute force, so by your logic you should add both results to compare the password strengths.
At 11:48 PM 6/27/2002 +0000, Chris Berry wrote:
>I've gotten quite a few responses saying no because the passwords I asked
>about previously (theusgotbeatbygermany vs. VX.97tf) had dictionary words
>in it, which is what I've always told my users in the past, however I was
>doing some math and it makes it look different, maybe someone here can
>point out my error.
>
>In a brute force attack the longer password will always be better, we're
>all agreed on that, however hackers are smarter than that and will try
>dictionary and hybrid attacks first. So this is what I think the odds are
>approximately:
>
>VX.97tf has to be brute forced so 68^7=6x10^12 certainly a big number and
>good to go in my book.
>
>theusgotbeatbygermany doesn't have to be brute forced, and is susceptible
>to a dictionary attack so instead of letters the possibility is based on
>individual words which is 6, the LC4 program standard dictionary has 29000
>entries (approximately) so we're looking at 29000^6=5x10^26 A BIGGER
>NUMBER! (not to mention making it impossible to store in an LM hash)
>
>Am I missing something?
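
The comparison discussed in this thread, worked as an added example (not part of either message): a worst-case guess count for an attacker who runs a word-combination attack first and brute force second. Assumptions: `SAMPLE_WORDS` is a constructed stand-in for the dictionary, every word and character is treated as equally likely, and `max_words` (hypothetical) is how many words the attacker is willing to combine before giving up on the dictionary.

```python
DICT_SIZE = 29000  # approximate LC4 standard dictionary size quoted in the thread
CHARSET = 68       # character-set size behind the thread's 68^7 figure
# Constructed stand-in for the dictionary: only the words this example needs.
SAMPLE_WORDS = {"the", "us", "got", "beat", "by", "germany"}


def split_words(password, words):
    """Return the shortest split of password into dictionary words, or None."""
    best = [None] * (len(password) + 1)  # best[i] = shortest split of password[:i]
    best[0] = []
    for end in range(1, len(password) + 1):
        for start in range(end):
            if best[start] is not None and password[start:end] in words:
                candidate = best[start] + [password[start:end]]
                if best[end] is None or len(candidate) < len(best[end]):
                    best[end] = candidate
    return best[-1]


def exhaust(base, length):
    """Number of candidates of every length from 1 to `length` over `base` symbols."""
    return sum(base ** n for n in range(1, length + 1))


def worst_case_guesses(password, words, max_words):
    """Worst-case guesses: word combinations up to max_words, then brute force."""
    parts = split_words(password, words)
    if parts is not None and len(parts) <= max_words:
        # Found during the dictionary phase, at the latest when every
        # combination of len(parts) words has been tried.
        return exhaust(DICT_SIZE, len(parts))
    # Dictionary phase is run to completion and fails; its cost is added
    # to the brute-force cost over all lengths up to the password's.
    return exhaust(DICT_SIZE, max_words) + exhaust(CHARSET, len(password))


if __name__ == "__main__":
    for pw, k in (("VX.97tf", 1), ("VX.97tf", 6), ("theusgotbeatbygermany", 6)):
        print(f"{pw!r:26} max_words={k}: {worst_case_guesses(pw, SAMPLE_WORDS, k):.3e}")
```

The result depends heavily on `max_words`: the passphrase only falls in the dictionary phase if the attacker combines at least six words, and the random password's total includes whatever dictionary effort was spent before brute force began.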
