On Sun, 2004-07-18 at 18:24, Kevin Jenkins wrote:
> I was thinking of this last night. It seems like a way you can beat any
> password based security measure. Please tell me if I'm wrong.
>
> s2c: Encryption data (nonce, public key, whatever).
> c2s: Hash containing the password.
>
> I have a packetsniffer on a router in between them.
>
> I don't try to break the hash. Instead, I run whatever algo the client was
> using to generate the hash using every possible password until our hashes
> match. Short of using an algo that takes several minutes to generate a
> single hash, I can run through all reasonable passwords pretty quick. If I
> assume the passwords are alpha-numeric then I can do it even faster.
>
> So it seems like a packetsniffer can beat any security measure. Am I wrong?

This is exactly the reason why you shouldn't pick a password made up of
words from the dictionary, and you should always use a password of a
decent length, and you shouldn't use the same password for many
different things.

Still, an 8 character alphanumeric password has 36^8 combinations to look
up, that's 2821109907456 different combinations. I don't know how many
you could work through per second, but at 10000 per second you're
talking about 9 years to crack one password. You'd better hope that it's
not just someone's password to check on the webcam of their pet.

(OK, I've ignored some odd effects, like the fact that you don't need to
search the entire password space to find the password, if you used some
clever algorithm you might be able to practically guarantee finding the
password searching only half of the space - that's still 4.5 years
though)

By contrast, a purely alphabetical password of only 6 characters would
be found in about 9 hours if you could search 10000 passwords per second
- isn't that a staggering thought? Use numbers and 2 extra characters,
change the time to crack your password from 9 hours to 9 years.
Ever wondered why you often protect your ssh keys with an entire pass
phrase, punctuation and all?

---------------------
To unsubscribe go to http://gameprogrammer.com/mailinglist.html
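Added example, not part of the original message: the nonce-plus-hash exchange from the thread, with the keyspace arithmetic above and a measurement of what one offline guess costs when the response is a single hash versus a stretched one. SHA-256, PBKDF2, the 20000 iteration count and all function names are assumptions chosen for illustration; the thread names no algorithm.

```python
import hashlib
import hmac
import os
import time

def keyspace(alphabet_size, length):
    """Candidate passwords of exactly `length` characters."""
    return alphabet_size ** length

def seconds_to_exhaust(alphabet_size, length, guesses_per_second):
    """Worst-case time to try every candidate at a given rate."""
    return keyspace(alphabet_size, length) / guesses_per_second

def fast_response(password, nonce):
    """c2s message as in the thread: one hash over nonce and password (SHA-256 assumed)."""
    return hashlib.sha256(nonce + password.encode()).digest()

def stretched_response(password, nonce, iterations=20000):
    """Same exchange, but every response costs `iterations` HMAC rounds."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), nonce, iterations)

def server_verify(respond, stored_password, nonce, response):
    """Server recomputes the expected response and compares in constant time."""
    return hmac.compare_digest(respond(stored_password, nonce), response)

def cost_per_guess(respond, nonce, trials=20):
    """Measured seconds per response, i.e. the price of one offline guess."""
    start = time.perf_counter()
    for i in range(trials):
        respond("candidate%d" % i, nonce)
    return (time.perf_counter() - start) / trials

if __name__ == "__main__":
    nonce = os.urandom(16)  # constructed s2c challenge
    year = 365 * 24 * 3600
    for name, respond in (("single SHA-256", fast_response),
                          ("PBKDF2 x20000", stretched_response)):
        cost = cost_per_guess(respond, nonce)
        for label, size, length in (("a-z, 6 chars", 26, 6), ("a-z0-9, 8 chars", 36, 8)):
            years = seconds_to_exhaust(size, length, 1 / cost) / year
            print("%-15s %-16s %.3g years to exhaust" % (name, label, years))
```

The per-guess cost is paid once by a legitimate client per login but once per candidate by anyone replaying a sniffed exchange, so raising it scales every exhaust time by the same factor.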