On Tue, Apr 26, Aaron Toponce wrote:
> On Tue, Apr 26, 2011 at 10:49:36AM -0600, Eric Wald wrote:
>> Over 25,000 reasonable straight-line passwords; double that to include
>> spirals. Certainly within range for a dictionary attack, but it would
>> take long enough that I could re-print the card, print a new card, and
>> change all of my most important passwords before you're likely to have
>> cracked even one account.
>
> No, not by a long shot. Because the length of your password could be
> infinite, this makes the number of possibilities infinite, even in one
> direction. But even using limited length, say 20, you still have billions
> upon billions of combinations based on starting location, and direction
> traveled. No dictionary attack is feasible with this card.
Perhaps my math is faulty, but I'm having a hard time finding billions of possible passwords unless you're willing to accept 500-character passwords with loads of repetition. I'm counting 29 columns, 8 rows, 8 straight-line directions, and 8 spiral directions. I could see using the 8 hippogonal directions, too, but that's a stretch. For length, I'm assuming that anything below 8 characters is ridiculously short for someone security-conscious enough to use such a card, and 30 characters (wrapping back to the starting column) is a reasonable upper limit. That gives me 29*8 = 232 starting positions, 8+8+8 = 24 directions, and len [8..30] = 23 lengths, for 128,064 potential passwords. That's just barely larger than my /usr/share/dict/words dictionary.

My 25,000 figure above was assuming only 8 directions, and 13 or 14 reasonable password lengths, which should take care of the most likely usage scenarios; a cracker could very easily attempt those first, before expanding to the hundred thousand less-likely candidates, much less the shorter, longer, or crazy-path candidates.

On the other hand, I can accept the "billions upon billions" figure for the crazy-path idea. If the direction of the path is allowed to change for each character, then that gives you 1.5 billion 8-character passwords even if the direction always has to be orthogonal and away from the previous character. 14 characters gets you to a trillion passwords; 157 quadrillion if you include diagonals. Granted, these figures allow overlapping paths and wrapping around the edges, which would be less likely in a real use case; far more likely is that someone takes a password in one direction for a while, switching once or twice before finishing. At the extreme case, one could claim over a decillion passwords by allowing any character after any other, but that assumes that each of the 232 characters is unique.
- Eric

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
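A worked keyspace estimate for the card discussed in this thread, added here as an illustration and not code posted by either participant. It assumes a 29x8 card of random letters and digits (constructed, not a real printed card), straight-line readings that wrap at the edges, and takes the direction and length counts as parameters so the closed forms can be compared against an actual enumeration:

```python
"""Keyspace estimate for a 29x8 password card (constructed example)."""
import itertools
import math
import random
import string

COLS, ROWS = 29, 8
CELLS = COLS * ROWS                                   # 232 starting positions
# The 8 straight-line directions: horizontal, vertical and diagonal.
DIRECTIONS = [(dc, dr) for dc in (-1, 0, 1) for dr in (-1, 0, 1) if (dc, dr) != (0, 0)]


def make_card(seed=1):
    """A random 29x8 card of letters and digits standing in for a printed one."""
    rng = random.Random(seed)
    alphabet = string.ascii_letters + string.digits
    return [[rng.choice(alphabet) for _ in range(COLS)] for _ in range(ROWS)]


def straight_line_candidates(card, lengths=range(8, 31)):
    """Every straight-line reading: any start cell, any of the 8 directions,
    any length in `lengths`, wrapping at the edges as the thread assumes."""
    found = set()
    for r, c in itertools.product(range(ROWS), range(COLS)):
        for dc, dr in DIRECTIONS:
            for n in lengths:
                found.add("".join(card[(r + i * dr) % ROWS][(c + i * dc) % COLS]
                                  for i in range(n)))
    return found


def straight_line_count(directions, lengths):
    """Closed form for the same enumeration: start cells x directions x lengths.
    24 directions (8 straight + 8 spiral + 8 hippogonal) and 23 lengths give 128,064."""
    return CELLS * directions * lengths


def turning_path_count(length, first_choices=4, later_choices=3):
    """Paths that may change direction at every character. Defaults model
    orthogonal moves that never step back onto the previous cell (4, then 3)."""
    return CELLS * first_choices * later_choices ** (length - 2)


def entropy_bits(count):
    """Guessing entropy of a candidate drawn uniformly from a keyspace of `count`."""
    return math.log2(count)


if __name__ == "__main__":
    card = make_card()
    print(f"distinct straight-line readings: {len(straight_line_candidates(card))}")
    total = straight_line_count(24, 23)
    print(f"24 dirs x 23 lengths: {total} (~{entropy_bits(total):.1f} bits)")
    print(f"8-char turning paths: {turning_path_count(8)}")
```

The enumeration confirms that on a random card every (start, direction, length) triple yields a distinct string, so the product formula is the right estimate; a card with repeated cells would only shrink it.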
