jam wrote:

Daniel talks about 'brute forcing' a password:
say [EMAIL PROTECTED]&*()_/?] and 6-char passwords

6**70 umm 70 * log (2) and 10**8 brute forces / sec

that's 10 to the power 60 secs! Sorry, the universe went flat.

Or collapsed to a singularity.

As Bruce Schneier points out here:

http://www.schneier.com/blog/archives/2007/01/choosing_secure.html

most passwords are much more limited in variety than the 6**70
in your estimate.

That article discusses offline password cracking, but many of the
points he raises apply to online password cracking.

 * a surprising number of admins leave the password unchanged as
   installed out of the box

 * there are passwords out there that are simply 'password'

And,

  "When attacking programs with deliberately slow ramp-ups, it's
   important to make every guess count. A simple six-character
   lowercase exhaustive character attack, "aaaaaa" through "zzzzzz,"
   has more than 308 million combinations. And it's generally
   unproductive, because the program spends most of its time
   testing improbable passwords like "pqzrwj."

   According to Eric Thompson of AccessData, a typical password
   consists of a root plus an appendage. A root isn't necessarily
   a dictionary word, but it's something pronounceable. An appendage
   is either a suffix (90 percent of the time) or a prefix (10 percent
   of the time).

   So the first attack PRTK performs is to test a dictionary of about
   1,000 common passwords, things like "letmein," "password," "123456"
   and so on. Then it tests them each with about 100 common suffix
   appendages: "1," "4u," "69," "abc," "!" and so on. Believe it or not,
   it recovers about 24 percent of all passwords with these 100,000
   combinations."

I am running a server that was getting heaps of password cracking
attempts on SSH port 22. Since changing the port, the attempts
have stopped.


cheers
rickw



--
________________________________________________________________
Rick Welykochy || Praxis Services || Internet Driving Instructor

The user's going to pick dancing pigs over security every time.
     -- Bruce Schneier
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
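The root-plus-appendage search that the quoted article describes, as an added example that is not part of the original post or of PRTK: it generates guesses in the order Schneier gives (bare roots, then root+suffix for the 90% case, then prefix+root), runs them against a constructed unsalted SHA-256 digest, and puts numbers on the keyspaces discussed above (26^6 lowercase exhaustive, 70^6 at 10^8 guesses/s, and a 100,000-entry list at the one-guess-per-second pace an SSH daemon with a slow ramp-up allows). The root and appendage lists are small constructed stand-ins for the ~1,000 roots and ~100 appendages the article mentions; the victim hash is constructed for the demo.

```python
import hashlib

# Constructed stand-ins for the ~1,000 common roots and ~100 appendages
# the quoted article describes (not PRTK's real lists).
COMMON_ROOTS = ["password", "letmein", "123456", "qwerty", "welcome", "admin"]
COMMON_APPENDAGES = ["1", "4u", "69", "abc", "!", "123", "2007"]


def seconds_to_exhaust(keyspace, guesses_per_second):
    """Worst-case seconds to try every candidate in a keyspace at a fixed rate."""
    return keyspace / guesses_per_second


def root_appendage_candidates(roots, appendages):
    """Yield guesses in the order the article describes: bare roots first,
    then root+suffix (the 90% case), then prefix+root (the 10% case)."""
    for root in roots:
        yield root
    for root in roots:
        for app in appendages:
            yield root + app
    for root in roots:
        for app in appendages:
            yield app + root


def candidate_count(roots, appendages):
    """Size of the list root_appendage_candidates() produces."""
    return len(roots) * (1 + 2 * len(appendages))


def crack(target_digest, candidates):
    """Hash each candidate (unsalted SHA-256, a stand-in for whatever the
    target stores) and return (password, attempts); (None, attempts) on miss."""
    attempts = 0
    for guess in candidates:
        attempts += 1
        if hashlib.sha256(guess.encode()).hexdigest() == target_digest:
            return guess, attempts
    return None, attempts


# Constructed victim: a root ("letmein") plus a common suffix ("1").
VICTIM_DIGEST = hashlib.sha256(b"letmein1").hexdigest()

if __name__ == "__main__":
    print("26^6 lowercase exhaustive:", 26 ** 6)
    print("70^6 at 1e8 guesses/s:", seconds_to_exhaust(70 ** 6, 1e8), "s")
    print("root+appendage list size:", candidate_count(COMMON_ROOTS, COMMON_APPENDAGES))
    print("100,000 guesses at 1/s (online, slow ramp-up):",
          seconds_to_exhaust(100_000, 1) / 3600, "h")
    print(crack(VICTIM_DIGEST,
                root_appendage_candidates(COMMON_ROOTS, COMMON_APPENDAGES)))
```

With the constructed lists the victim falls on the 14th guess out of 90, whereas an exhaustive lowercase search has 308,915,776 combinations to wade through; against a rate-limited online service the ordering of the list, not the raw speed, is what decides whether the attack finishes.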
