..and that is why password length is more important than the keyspace (possible characters).
-Jeff

On Thu, Feb 10, 2011 at 4:32 PM, Kurt Buff <[email protected]> wrote:
> If you have the right rainbow tables.
>
> Rainbow tables get more expensive for each character you add to the
> length of the password/passphrase, for any given character set - on
> the close order of (x^y plus a tiny bit of overhead), where x is the
> number of characters in your character set, and y is the length of the
> password/passphrase.
>
> Kurt
>
> On Thu, Feb 10, 2011 at 13:22, Don Ely <[email protected]> wrote:
> > At roughly 3 characters per minute, you can extrapolate that out to 20
> > seconds per extra character.... :)
> >
> > On Thu, Feb 10, 2011 at 1:13 PM, Jonathan <[email protected]> wrote:
> >>
> >> And how many additional minutes does each additional character above 15
> >> add?
> >>
> >> Jonathan - Thumb typed from my HTC Droid Incredible (and yes, it really
> >> is) on the Verizon network.
> >>
> >> On Feb 10, 2011 4:09 PM, "Michael B. Smith" <[email protected]> wrote:
> >> > Anything under 15 characters I can crack in under 5 minutes.
> >> >
> >> > Anything.
> >> >
> >> > Regards,
> >> >
> >> > Michael B. Smith
> >> > Consultant and Exchange MVP
> >> > http://TheEssentialExchange.com
> >> >
> >> > From: MMF [mailto:[email protected]]
> >> > Sent: Thursday, February 10, 2011 4:05 PM
> >> > To: NT System Admin Issues
> >> > Subject: RE: IPhone attack reveals passwords in six minutes
> >> >
> >> > How about a nursery rhyme but use the first letter of each word.
> >> > Example: Hickory Dickery Dock The Mouse Ran Up The Clock would be:
> >> > hddtmrutc.
> >> >
> >> > Murray
> >> >
> >> > ________________________________
> >> > From: William Robbins [mailto:[email protected]]
> >> > Sent: Thursday, February 10, 2011 12:52 PM
> >> > To: NT System Admin Issues
> >> > Subject: Re: IPhone attack reveals passwords in six minutes
> >> >
> >> > +1 I use song lyrics also.
> >> >
> >> > - WJR
> >> >
> >> > On Thu, Feb 10, 2011 at 12:49, David Lum <[email protected]> wrote:
> >> > One method is to take acronyms from your favorite hobby and string them
> >> > together. Example: NetBEUI CPU is 45GHz 14Kbps
> >> > NetBEUICPUis45GHz14Kbps. 25 characters, upper and lower case and I'm
> >> > going to guess random enough. Surely acronyms are different when it comes
> >> > to a dictionary attack? Need to change it? Flip the order of the acronyms.
> >> >
> >> > Personally I use a passphrase with correct punctuation - it gives upper
> >> > case, lower case, and special character. These become frustrating when you
> >> > go to a website that gives you something dumb like 12 character maximum, in
> >> > which case use the hobby acronyms.
> >> >
> >> > My $0.02
> >> > Dave
> >> >
> >> > From: Don Ely [mailto:[email protected]]
> >> > Sent: Thursday, February 10, 2011 10:29 AM
> >> > To: NT System Admin Issues
> >> > Subject: Re: IPhone attack reveals passwords in six minutes
> >> >
> >> > I must not be human... Most of my high security accounts have passwords
> >> > of 20+ random characters and I have them memorized...
> >> >
> >> > On Thu, Feb 10, 2011 at 10:25 AM, Ben Scott <[email protected]> wrote:
> >> > On Thu, Feb 10, 2011 at 12:31 PM, Matthew W. Ross <[email protected]> wrote:
> >> >>> If data is encrypted with strong crypto, and that crypto's secret
> >> >>> key is not stored on the device, then that data can generally be
> >> >>> considered safe even if the device is stolen.
> >> >>>
> >> >>> In English, that means if the security depends on a strong password
> >> >>> the user must enter (and not on some magic the manufacturer has
> >> >>> "hidden" inside the device), the password-protected data is safe.
> >> >>
> >> >> ... Isn't that only partially true? I mean, if the encrypted data is
> >> >> stolen, isn't it reasonable to believe it can be cracked given enough
> >> >> time/cpu power?
> >> >
> >> > You're basically correct.
> >> >
> >> > Given good algorithms and implementations, the strength of your
> >> > security depends on the strength of the key. If the password is an
> >> > English word, then yah, it's going to be straightforward to crack in
> >> > minutes or hours with a dictionary attack. If it's a combination of
> >> > words and other characters, it's harder, but still within reason for
> >> > days, weeks, or months. Once you go to truly random characters, it's
> >> > dependent on the length. But even 10 characters might be crackable in
> >> > several years given commercially available technology. (I'm not up on
> >> > current predictions, so numbers may be off for times.)
> >> >
> >> > A truly random 256-bit symmetric key could theoretically be cracked
> >> > given enough time, but time to brute-force (given known technology) is
> >> > generally given in billions of years. It has been theorized that new
> >> > technology (especially "quantum computing") could drastically cut into
> >> > that, but it remains to be seen if such things are actually possible
> >> > or not.
> >> >
> >> > But 256 bits is a lot. Printable ASCII is roughly 96 characters.
> >> > That fits in roughly six and a half bits. So your passcode would need
> >> > to be around 40 characters long, and *completely* random (no words or
> >> > patterns), for it to be in that neighborhood. It's not realistic to
> >> > expect humans to do that.
> >> >
> >> > -- Ben
> >> >
> >> > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> >> > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
> >> >
> >> > ---
> >> > To manage subscriptions click here:
> >> > http://lyris.sunbelt-software.com/read/my_forums/
> >> > or send an email to
> >> > [email protected]
> >> > with the body: unsubscribe ntsysadmin
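Added example, not part of the original thread or written by any of its participants: a small calculator for the figures discussed above (Kurt's x^y keyspace, Ben's "roughly 96 characters / six and a half bits / around 40 characters" estimate, and the length-versus-character-set comparison). The function names are assumptions made for this example, and every figure is an upper bound that holds only when each character is chosen uniformly at random.

```python
import math
import string


def keyspace(charset_size, length):
    """Kurt's x^y: number of candidate passwords of exactly this length."""
    return charset_size ** length


def keyspace_bits(charset_size, length):
    """log2(x^y) = y * log2(x). Upper bound: assumes uniformly random characters."""
    return length * math.log2(charset_size)


def min_length_for_bits(target_bits, charset_size):
    """Shortest random password whose keyspace reaches target_bits."""
    return math.ceil(target_bits / math.log2(charset_size))


def observed_charset_size(password):
    """Size of the character set implied by the classes a password uses."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(len(cls) for cls in classes if any(c in cls for c in password))


def extra_chars_to_match_wider_set(small, large, length):
    """Extra characters from the small set needed to reach the keyspace
    of the large set at the given length."""
    target = keyspace_bits(large, length)
    return min_length_for_bits(target, small) - length


if __name__ == "__main__":
    # Ben's estimate: printable ASCII taken as roughly 96 characters.
    print("bits per character:", round(math.log2(96), 3))
    print("random chars for 256 bits:", min_length_for_bits(256, 96))

    # Murray's nursery-rhyme initials from the thread: lowercase only.
    # The bit count is an upper bound, since rhyme initials are not random.
    pw = "hddtmrutc"
    size = observed_charset_size(pw)
    print(pw, "charset", size, "keyspace", keyspace(size, len(pw)),
          "bits <=", round(keyspace_bits(size, len(pw)), 1))

    # Length versus character set: lowercase (26) against 96 at 9 characters.
    print("extra lowercase chars to match:",
          extra_chars_to_match_wider_set(26, 96, len(pw)))
```

Because each added character multiplies the keyspace by x, while widening the character set only raises the base, a few extra characters from a small set match a much larger set at the original length.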
