Re: SQL audit

  • From: Yong Huang <yong321@xxxxxxxxx>
  • To: jkstill@xxxxxxxxx
  • Date: Wed, 23 Dec 2009 09:19:19 -0800 (PST)

> A minimum length limit.  I think 8 is fairly common.

I did some research on *ethical* password retrieval (or really, cracking, 
if you don't mind the tone of the word). See
http://yong321.freeshell.org/oranotes/PasswordRetrieval.txt

An 8-alphanumeric case-insensitive password can be retrieved on a single 
PC in about a month in the worst case. Here's the relevant part:

* What are some ballpark figures for the time to guess longer passwords?

As you saw, it took the 2.6 GHz machine about 50 seconds to reach "test1" 
in a 5-char word brute force crack. The Perl program is written in a way 
to provide strings in alphabetic order. So if the password were "zz999", 
it would definitely take longer, perhaps a little over 1 minute. If you 
add another alphanumeric character to guess a 6-char password, you add 
one more layer of for-loop. Since the complete alphanumeric character set is 
36 characters, a rough estimate of runtime is 40 minutes. To guess a 
7-char password, it's 40 x 36 = 1440 min or 24 hours. To guess an 8-char 
password, it's 36 days. All these assume that the execution is on one 
computer only, the first 2 chars are letters, the remaining are 
alphanumeric, the password is very "unlucky" to use letters close to the 
end of the alphabet and digits close to 9. That is, these time estimates 
are the worst case scenarios. On the other hand, the password may be 
extremely "lucky" to be found within the first few seconds.

Yong Huang
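The worst-case arithmetic above, as an added Python illustration (not part of Yong's post or his notes) for anyone sizing a minimum-length rule: it derives the guess rate from the 50-second "test1" measurement and extrapolates to longer passwords. The enumeration order (first two positions a-z, later positions a-z then 0-9, tried alphabetically) is an assumption, since the post does not state the Perl loop order.

```python
# Added example (not from the original post): reproduce the worst-case
# search-time estimate from the message, to help size a minimum-length rule.
# Assumption (the post does not state the loop order): positions 1-2 draw
# from a-z, later positions from a-z then 0-9, enumerated in that order,
# case-insensitive.
import string

LETTERS = string.ascii_lowercase                 # 26 symbols, first two positions
ALNUM = string.ascii_lowercase + string.digits   # 36 symbols, remaining positions


def alphabet_for(position: int) -> str:
    """Character set tried at a given 0-based position."""
    return LETTERS if position < 2 else ALNUM


def keyspace(length: int) -> int:
    """Number of candidates of the given length under the assumptions."""
    n = 1
    for pos in range(length):
        n *= len(alphabet_for(pos))
    return n


def rank(candidate: str) -> int:
    """1-based position of `candidate` in the alphabetic enumeration."""
    r = 0
    for pos, ch in enumerate(candidate):
        alphabet = alphabet_for(pos)
        r = r * len(alphabet) + alphabet.index(ch)
    return r + 1


def guesses_per_second(measured_candidate: str, measured_seconds: float) -> float:
    """Throughput implied by the time taken to reach a known candidate."""
    return rank(measured_candidate) / measured_seconds


def worst_case_seconds(length: int, measured_candidate: str, measured_seconds: float) -> float:
    """Time to exhaust every candidate of `length` at the measured throughput."""
    return keyspace(length) / guesses_per_second(measured_candidate, measured_seconds)


if __name__ == "__main__":
    # The post's measurement: "test1" reached after about 50 s on a 2.6 GHz PC.
    for length in range(5, 9):
        secs = worst_case_seconds(length, "test1", 50)
        print(f"{length} chars: {secs:,.0f} s = {secs / 3600:.1f} h = {secs / 86400:.1f} days")
```

With the 50-second measurement this gives roughly 68 s, 41 min, 24 h and 37 days for 5 to 8 characters, matching the figures in the post.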

--
//www.freelists.org/webpage/oracle-l