Home page logo
/

basics logo Security Basics mailing list archives

Re: Suggested "safe" password length
From: Tomas Wolf <tomas () skip cz>
Date: Sun, 16 Nov 2003 00:53:30 -0700

Hello,

I would like to point out that sometimes it is not about the lenght only... It is about character selection and cipher used.

Let us see some theory about it. If I would have a password of one character I would have a choice from around ~100 ASCII characters (I don't remember the right count of legal password characters). To break this one I would have ~100 options of what character it could be. If I wold restrict myself to numerics only, I would have only ten (10) legal, different choices (0-9), if we go with only alphabetical we have 26 different posibilites per character. By increasing the number of letters, one increases (theoreticaly) the possible combinations that "bruteforce" must go through. Let me note, that any dictionary words actually decrease the strength of a password. But let's get back to the theory - so if we have only numerical values as a password we have 10^1 = 10; if we have two letter password with only numerical values we get 10^2 = 100 possible combinations this must be devided by 2 to get AVERAGE possibilities before the password cracker finds the right combination. Let's compare it to alphabetic only: one character is 26^1 = 26 possible values; two character is 26^2 = 676 / 2 = 338 AVERAGE tries to get two letter, alphabetic-only password. So if we look at it from this point password like "12345678" has 10^8 = 100,000,000 posibilities, while "oH_nO" has base of lower and upper case alphabetical letters (26+26) & also special character (~30 characters). Sum of these will give us ~ 82 possible variants for one character... Therefore "oH_nO" is: 82^5 = 3,707,398,432 possible combinations...
So as one can see, length is not always the key :-)...

Another element that is brought to the game is the processing power of todays average computer... My 1.7Ghz can try ~1,500,000 combination per second. That doesn't take much to get to 100,000,000 combinations of numeric-only password.

Cracking algorythms play some role in cracking. Using the most probable in combination with the less probable, one can get the result early... If one uses some uncommon character as a starter, it might be discovered later (or earlier if logarythm gives :-) ). Distributed cracking also helps... If we would have a machine for each letter in the alphabet, then one would be able to distribute the task and break it down into manageable chunks... Each machine would have assigned what starting letter to start with, this way one can eliminate one power of the whole equation.

 But that is a little off the topic... Isn't it :-)

Anyway, I might have forgoten something... But I hope even this will be of some help...
Tomas

Ashish Sharma wrote:

Hi,
I wanted to have an idea about what should be the suggested range of
password lengths and if there is any upper bound.
I was told that there is a range upto which your password is encrypted
and beyond which the characters are futile. I work on a linux environment
with md5 encryption of passwords enabled.
TIA
Ashish

---------------------------------------------------------------------------
Forum Systems PRESIDIO: PGP / XML GATEWAY APPLIANCE
The Presidio integrates PGP data encryption and XML Web Services security to simplify the management and deployment of PGP and reduce overall PGP costs by up to 80%. FREE WHITEPAPER & 30 Day Trial - http://www.securityfocus.com/sponsor/ForumSystems_security-basics_031027 ----------------------------------------------------------------------------






---------------------------------------------------------------------------
Forum Systems PRESIDIO: PGP / XML GATEWAY APPLIANCE
The Presidio integrates PGP data encryption and XML Web Services security to simplify the management and deployment of PGP and reduce overall PGP costs by up to 80%. FREE WHITEPAPER & 30 Day Trial - http://www.securityfocus.com/sponsor/ForumSystems_security-basics_031027 ----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]