I would say 2 things, to be confirmed by some expert:

1) In systems like NT4, only the 8 first digits are encrypted, the rest of
the password is stored in the clear. In your case "VX.97tf" is then much
more secure than "theusgot" (68^7 compared to (8digits words number) + (7digits
word number + 68) + (6digits word number * 2 digits word number) + (6
digits word number * 68^2)...)

(note that the number of solutions using brute force is easy to calculate,
but not the one in dictionary-based attacks, especially when the number of
digits is known, and especially if some semantic rules are used)

More simply one can suppose that "theusgot" can be guessed more easily by a
cracker soft than "VX.97tf", don't you think so?

2) If the number of encrypted digits is more than 8, obviously the strength
of your password has something ("something", not "everything"!) to do
with its length. So in your case, you should compare the strength of
"theusgotbeatbygermany" to "kjdASFD234$&%$#sfsCS>".


To summarize:
there are rules that you forgot in how to measure the strength of the
password (for example the length of it, how many characters are encrypted,
and others I don't know),

and

when you compare 2 things, take the same rules to compare them (I can
guarantee you that the password "theusgotbeatbygermany" is more secure than
the randomly generated password ";". I just forgot the length has its
importance)

my 2 cents, not explaining the whole thing, but bringing some ideas...

seb




                                                                                       
                                                
Chris Berry <compjma@hotmail.com>
To: [EMAIL PROTECTED]
cc:
Subject: Password Strength II
2002/06/28 08:48
                                                
                                                                                       
                                                
                                                                                       
                                                






I've gotten quite a few responses saying no because the passwords I asked
about previously (theusgotbeatbygermany vs. VX.97tf) had dictionary words
in it, which is what I've always told my users in the past, however I was
doing some math and it makes it look different, maybe someone here can
point out my error.

In a brute force attack the longer password will always be better, we're
all agreed on that, however hackers are smarter than that and will try
dictionary and hybrid attacks first.  So this is what I think the odds are
approximately:

VX.97tf has to be brute forced so 68^7=6x10^12 certainly a big number and
good to go in my book.

theusgotbeatbygermany doesn't have to be brute forced, and is susceptible
to a dictionary attack so instead of letters the possibility is based on
individual words which is 6, the LC4 program standard dictionary has 29000
entries (approximately) so we're looking at 29000^6=5x10^26 A BIGGER
NUMBER!  (not to mention making it impossible to store in an LM hash)

Am I missing something?
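
The comparison discussed in this thread, as an added example that is not part of either message: it scores a password under both attack models (per-character brute force and word-by-word dictionary combination) and takes the cheaper one for the attacker. The 68-symbol alphabet and 29000-word dictionary size are the thread's figures; the word list and function names are constructed for illustration.

```python
import math

ALPHABET = 68      # symbols per position, figure used in the thread
DICT_SIZE = 29000  # approximate dictionary size quoted in the thread

# Constructed mini word list standing in for the cracking dictionary.
WORDS = {"the", "us", "got", "beat", "by", "germany", "he", "at", "man"}

def min_words(pw, words=WORDS):
    """Fewest dictionary words that concatenate to pw, or None if none do."""
    best = [0] + [None] * len(pw)   # best[i] = fewest words covering pw[:i]
    for end in range(1, len(pw) + 1):
        for start in range(end):
            if best[start] is not None and pw[start:end] in words:
                cand = best[start] + 1
                if best[end] is None or cand < best[end]:
                    best[end] = cand
    return best[len(pw)]

def brute_force_bits(pw):
    """log2 of the per-character search space, ALPHABET ** len(pw)."""
    return len(pw) * math.log2(ALPHABET)

def dictionary_bits(pw):
    """log2 of DICT_SIZE ** n for an n-word split; None if not all words."""
    n = min_words(pw.lower())
    return None if n is None else n * math.log2(DICT_SIZE)

def effective_bits(pw):
    """Search space under whichever model is cheaper for the attacker."""
    brute = brute_force_bits(pw)
    words = dictionary_bits(pw)
    return brute if words is None else min(brute, words)

if __name__ == "__main__":
    for pw in ("VX.97tf", "theusgot", "theusgotbeatbygermany", "germany"):
        print(f"{pw:24s} words={min_words(pw.lower())} "
              f"bits={effective_bits(pw):.1f}")
```

Bits are log2 of the guess count, so 68^7 is about 42.6 bits and 29000^6 about 88.9 bits; the model ignores hash truncation and smarter word ordering.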



