jam wrote:
Daniel talks about 'brute forcing' a password:
say [EMAIL PROTECTED]&*()_/?] and 6 chars passwords
6**70 umm 70 * log (2) and 10**8 brute forces / sec
thats 10 to the power 60 secs! Sorry the universe went flat.
Or collapsed to a singularity.
As Bruce Schneier points out here:
http://www.schneier.com/blog/archives/2007/01/choosing_secure.html
most passwords are much more limited in variety than the 6**70
in your estimate.
That article discusses offline password cracking, but many of the
points he raises apply to online password cracking.
* a surpiring number of admins leave the password unchanged as
installed out of the box
* there are passwords out there that are simply 'password'
And,
"When attacking programs with deliberately slow ramp-ups, it's
important to make every guess count. A simple six-character
lowercase exhaustive character attack, "aaaaaa" through "zzzzzz,"
has more than 308 million combinations. And it's generally
unproductive, because the program spends most of its time
testing improbable passwords like "pqzrwj."
According to Eric Thompson of AccessData, a typical password
consists of a root plus an appendage. A root isn't necessarily
a dictionary word, but it's something pronounceable. An appendage
is either a suffix (90 percent of the time) or a prefix (10 percent
of the time).
So the first attack PRTK performs is to test a dictionary of about
1,000 common passwords, things like "letmein," "password," "123456"
and so on. Then it tests them each with about 100 common suffix
appendages: "1," "4u," "69," "abc," "!" and so on. Believe it or not,
it recovers about 24 percent of all passwords with these 100,000
combinations."
I am running a server that was getting heaps of password cracking
attempts on SSH port 22. Since changing the port, the attempts
have stopped.
cheers
rickw
--
________________________________________________________________
Rick Welykochy || Praxis Services || Internet Driving Instructor
The user's going to pick dancing pigs over security every time.
-- Bruce Schneier
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
