[gameprogrammer] Re: Algo to break any password?

  • From: Paul Smith <bob@xxxxxxxxxxxxxxx>
  • To: Game Programmer List <gameprogrammer@xxxxxxxxxxxxx>
  • Date: Sun, 18 Jul 2004 19:51:16 +0100

On Sun, 2004-07-18 at 18:24, Kevin Jenkins wrote:
> I was thinking of this last night.  It seems like a way you can beat any
> password based security measure.  Please tell me if I'm wrong.
> 
> s2c: Encryption data (nonce, public key, whatever).
> c2s: Hash containing the password.
> 
> I have a packetsniffer on a router in between them.
> 
> I don't try to break the hash.  Instead, I run whatever algo the client was
> using to generate the hash using every possible password until our hashes
> match.  Short of using an algo that takes several minutes to generate a
> single hash, I can run through all reasonable passwords pretty quick.  If I
> assume the passwords are alpha-numeric then I can do it even faster.
> 
> So it seems like a packetsniffer can beat any security measure.  Am I wrong?

This is exactly the reason why you shouldn't pick a password made up of
words from the dictionary, and you should always use a password of a
decent length, and you shouldn't use the same password for many
different things.

Still, an 8 character alphanumeric password has 36^8 combinations to look
up, that's 2821109907456 different combinations.  I don't know how many
you could work through per second, but at 10000 per second you're
talking about 9 years to crack one password.  You'd better hope that
it's not just someone's password to check on the webcam of their pet.

(OK, I've ignored some odd effects, like the fact that you don't need to
search the entire password space to find the password, if you used some
clever algorithm you might be able to practically guarantee finding the
password searching only half of the space - that's still 4.5 years
though)

By contrast, a purely alphabetical password of only 6 characters would
be found in about 9 hours if you could search 10000 passwords per second
- isn't that a staggering thought?  Use numbers and 2 extra characters,
change the time to crack your password from 9 hours to 9 years.

Ever wondered why you often protect your ssh keys with an entire pass
phrase, punctuation and all?

---------------------
To unsubscribe go to http://gameprogrammer.com/mailinglist.html
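The arithmetic in the reply above, worked through as an added example (not code from either poster): it sizes the keyspace of a fixed-length password, converts it into worst-case and average search time at an assumed guessing rate, and adds a `cost_factor` parameter to show how a deliberately slow hash (the "several minutes per hash" idea from the original question) scales the defender's margin. The 10000 guesses/second rate and the 365-day year are assumptions.

```python
"""Cost model for the offline guessing attack described in the thread."""

SECONDS_PER_HOUR = 3600
SECONDS_PER_YEAR = 365 * 24 * 3600  # assumption: 365-day year, no leap days


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols drawn from
    an alphabet of `alphabet_size` symbols (36 = a-z plus 0-9)."""
    return alphabet_size ** length


def seconds_to_exhaust(space: int, guesses_per_second: float,
                       cost_factor: int = 1) -> float:
    """Worst-case time to try every candidate.

    cost_factor models key stretching: if each hash is N times more
    expensive than a plain one, the attacker's effective rate drops by N."""
    return space * cost_factor / guesses_per_second


def expected_seconds(space: int, guesses_per_second: float,
                     cost_factor: int = 1) -> float:
    """Average time: the correct password turns up, on average, halfway
    through the search (the "half the space" remark in the reply)."""
    return seconds_to_exhaust(space, guesses_per_second, cost_factor) / 2


def summarize(alphabet_size: int, length: int, guesses_per_second: float,
              cost_factor: int = 1) -> dict:
    """Return keyspace and search times in convenient units."""
    space = keyspace(alphabet_size, length)
    worst = seconds_to_exhaust(space, guesses_per_second, cost_factor)
    return {
        "keyspace": space,
        "worst_hours": worst / SECONDS_PER_HOUR,
        "worst_years": worst / SECONDS_PER_YEAR,
        "expected_years": worst / 2 / SECONDS_PER_YEAR,
    }


if __name__ == "__main__":
    rate = 10_000  # assumed guesses per second
    cases = [("6 lowercase letters", 26, 6, 1),
             ("8 alphanumeric", 36, 8, 1),
             ("8 alphanumeric, hash 1000x slower", 36, 8, 1_000)]
    for label, alpha, n, cost in cases:
        s = summarize(alpha, n, rate, cost)
        print(f"{label}: {s['keyspace']:,} candidates, worst case "
              f"{s['worst_hours']:.1f} h = {s['worst_years']:.2f} years, "
              f"expected {s['expected_years']:.2f} years")
```

Note that `keyspace` counts passwords of exactly the given length; passwords of "up to" that length add only a small fraction more, so the order of magnitude is unchanged.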