#1
Bunion
You 'crack' them by encoding them (MD5 or SHA-1 these days) and comparing the resulting ciphertext with the stored one. This is the same way that the logon process verifies that you entered the correct password.
__________________
I refuse to belong to any organization that would have me as a member. ~ Groucho Marx
#2
F*ck Cancer!
My guess is that he did not crack this one...
__________________
Need Beads? Need Five Finger Bags? 2 of 3 Requirements for use of the CA Rolodex: 100 posts/ 60 day membership/ participation in trade (trader rating). New members can be added at any time.
#3
Life, Liberty, Happiness
Join Date: Feb 2010
First Name: Marc
Location: Splitting time between Dayton, NJ and Needmore, PA
Posts: 360
Trading: (0)
So true. Great job markem!
__________________
Marc Fear is the dark room in which negatives are developed. - Anon.
#4
What's this button do?
It's just a joke.
Hey Mark, that formula doesn't seem to take into account that after each guess the pool of guesses gets smaller, thereby increasing your chance of a lucky guess each time. Not that it would matter on a 52 character password.
#5
Bunion
Quote:
The value of (50**52) is the list of all passwords within that space (technically one could argue that it is 50**53 but that's not as important in this case). This value represents the 'closure' or fully enumerated list of possible combinations within the space from 1 character up to 50 character passwords including all possible combinations. Once again, the crypto math is a little bit more than this, but this approximation is close enough for hand grenades and atom bombs.
__________________
I refuse to belong to any organization that would have me as a member. ~ Groucho Marx
#6
Bunion
Okay, students, we've looked at the brute force method, now let's look at a slight improvement on that approach.
The English language has 1,025,110 words, more or less. This means that for Anderson's formula, the value of 'N' just got really small.
Anderson’s Formula
P >= TG/N
P – Probability of guessing a password
T – Time
G – No. of guesses in a time period
N – No. of possible passwords
So going back to our example of the likelihood of cracking a password in less than a year, we have:
P >= ((3.1536*10**7)*50000)/(52**50) // old calculation with very large denominator
P >= ((3.1536*10**7)*50000)/(1025110**9) // new calculation with very small denominator
P >= 1.54*10**(-3) which is 1.54%
This looks ominous because by making a very small change to the search algorithm, the chances of cracking the password with no other information than that the password consists of English language words leaves us with a dramatic increase in the probability to break the password. If we know that the password is a list of names (people and place) then it comes down far faster. We can easily approach 100% chance of success just by learning a bit more about the person we wish to crack. One trivial modification is to only check words with the first letter capitalized, which changes (1025110**9) to ~(505022**9).
For example, here is a list of towns that I have lived in since I was 21 as a password:
ButteSaltLakeCityRedmondKentBellevueBeaverton
Heck, I could also toss in a zip code or two. However, a local sysadmin, who may have access to my resume in the HR database, would know to make these place names a priority (along with names of references, relatives, etc).
__________________
I refuse to belong to any organization that would have me as a member. ~ Groucho Marx
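The formula from post #6 turned around for password sizing, as an added example that is not part of any poster's message: for the thread's T (one year) and G (50,000 guesses per second), it finds the smallest number of characters or words that keeps the bound T*G/N under a target. The function names and the 1-in-a-million target are assumptions, and the result only holds when every symbol is picked uniformly at random, which is the caveat the post ends on.

```python
import math

SECONDS_PER_YEAR = 3.1536e7   # T from the post: one year in seconds
GUESSES_PER_SECOND = 50_000   # G from the post

def log10_space(symbols, length):
    """log10 of N = symbols ** length, kept in log space so a huge N never overflows."""
    return length * math.log10(symbols)

def log10_bound(log10_n, t=SECONDS_PER_YEAR, g=GUESSES_PER_SECOND):
    """log10 of the bound T*G/N, capped at 0 because a probability cannot exceed 1."""
    return min(0.0, math.log10(t) + math.log10(g) - log10_n)

def min_length(symbols, target_log10_p, t=SECONDS_PER_YEAR, g=GUESSES_PER_SECOND):
    """Smallest count of symbols (characters or words) whose bound is <= the target.

    Assumes each symbol is chosen uniformly at random and independently; words
    picked from personal history (towns, relatives) shrink N far below this.
    """
    if symbols < 2:
        raise ValueError("need at least two symbols to choose from")
    if target_log10_p >= 0:
        raise ValueError("target probability must be below 1")
    length = 1
    while log10_bound(log10_space(symbols, length), t, g) > target_log10_p:
        length += 1
    return length

# Symbol-set sizes taken from the thread; the labels are illustrative.
SPACES = {
    "random letters (52)": 52,
    "English words (1,025,110)": 1_025_110,
    "capitalized words (~505,022)": 505_022,
}

if __name__ == "__main__":
    target = -6.0  # assumed target: log10 of a 1-in-a-million bound over one year
    for name, symbols in SPACES.items():
        n = min_length(symbols, target)
        print(f"{name}: at least {n} independently chosen symbols")
```
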