
You are an *incompetent* bad guy
The competent ones have dictionaries of a few thousand likely passwords that they try on every login first. These will crack a significant fraction of accounts if there is no strong password policy, and running through them can be done reasonably fast.

Now suppose that there are 10 characters in the password, which could be upper case, lower case, or numbers. 62 possibilities. That is 62**10 possible combinations or 8.39299e17. Suppose that you are trying combinations at the rate of 1 billion per second. (You aren't, your CPU doesn't go nearly that fast.) Then it will only take you 8.39299e8 seconds to run through the possibilities. So after 13 years of hard work, the odds are still against you succeeding. Too bad the password was changed on you 12 years and 11 months ago!

Only incompetent bad guys use brute force on this problem unless the set of possible passwords is very limited.

Cheers,
Ben
I have come to believe that idealism without discipline is a quick road to disaster, while discipline without idealism is pointless. -- Aaron Ward (my brother)
Granted...
...I'm *not* a bad guy. I'm not a security guy, either. But still, requiring "2 UC chars, 2 lc chars, and a byte of punctuation" reduces the number of possible permutations of passwords quite a bit.
-YendorMike

"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
- Benjamin Franklin, 1759 Historical Review of Pennsylvania
Disagree
You are assuming that I am limiting the possible characters in a password given my scheme above. I submit that without the requirement of characters beyond lowercase letters, users will almost universally use *only* lowercase letters.

So, mathematically speaking you are correct. In the real world of messy humans I think my scheme will, practically speaking, expand the number of possible passwords.
-----------------------------------------
"In this world of sin and sorrow there is always something to be thankful for. As for me, I rejoice that I am not a Republican."
-- H. L. Mencken

Support our troops, Impeach Bush.
D. D. Richards
But not enough to be even remotely useful
I have come to believe that idealism without discipline is a quick road to disaster, while discipline without idealism is pointless. -- Aaron Ward (my brother)
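
Added example (not part of any post in this thread): the keyspace sizes the posts above argue about, computed for 10-character passwords at the 1 billion guesses per second rate used in the first post. The 94-character alphabet with 32 punctuation marks, and the reading of "2 UC chars, 2 lc chars, and a byte of punctuation" as per-class minimums, are assumptions.

```python
# Character-class sizes (assumption: printable ASCII with 32 punctuation marks).
UPPER, LOWER, DIGIT, PUNCT = 26, 26, 10, 32
RATE = 1e9                      # guesses per second, as in the first post
YEAR = 365.25 * 24 * 3600       # seconds per year


def count_compliant(length, min_upper=2, min_lower=2, min_punct=1):
    """Count passwords of `length` that meet the per-class minimums.

    Dynamic programming over positions. The state is how many characters of
    each required class have been seen so far, capped at the minimum, since
    "more than enough" counts the same as "enough".
    """
    states = {(0, 0, 0): 1}
    for _ in range(length):
        nxt = {}
        for (u, l, p), ways in states.items():
            for key, size in (
                ((min(u + 1, min_upper), l, p), UPPER),
                ((u, min(l + 1, min_lower), p), LOWER),
                ((u, l, min(p + 1, min_punct)), PUNCT),
                ((u, l, p), DIGIT),   # digits never advance a requirement
            ):
                nxt[key] = nxt.get(key, 0) + ways * size
        states = nxt
    return states.get((min_upper, min_lower, min_punct), 0)


def years_to_exhaust(keyspace, rate=RATE):
    """Years needed to try every candidate once at `rate` guesses/second."""
    return keyspace / rate / YEAR


def keyspaces(length=10):
    """Keyspace size for each scenario raised in the thread."""
    return {
        "lowercase only (26)": LOWER ** length,
        "letters + digits (62)": (UPPER + LOWER + DIGIT) ** length,
        "all 94, no rules": (UPPER + LOWER + DIGIT + PUNCT) ** length,
        "all 94, 2 UC + 2 lc + 1 punct": count_compliant(length),
    }


if __name__ == "__main__":
    for name, n in keyspaces().items():
        print(f"{name:32s} {n:.5e} {years_to_exhaust(n):16.2f} years")
```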