From owner-freebsd-stable Fri Mar 3 7:51:57 2000
Delivered-To: freebsd-stable@freebsd.org
Received: from speedy.rtfm.com (speedy.rtfm.com [216.98.239.228]) by hub.freebsd.org (Postfix) with ESMTP id CF57737C0B8 for ; Fri, 3 Mar 2000 07:51:37 -0800 (PST) (envelope-from ekr@rtfm.com)
Received: from romeo.rtfm.com (romeo.rtfm.com [216.98.239.227]) by speedy.rtfm.com (8.9.1/8.6.4) with ESMTP id HAA25468; Fri, 3 Mar 2000 07:52:54 -0800 (PST)
Received: (ekr@localhost) by romeo.rtfm.com (8.9.3/8.6.4) id HAA36521; Fri, 3 Mar 2000 07:53:15 -0800 (PST)
To: Kuzak
Cc: freebsd-stable@FreeBSD.ORG
Subject: Re: Password Length
References: <38BF10BF.86D1EA83@duwde.com.br> <38BF10BF.86D1EA83@duwde.com.br> <200003030819.e238Jjp32583@alpha.dgweb.com>
From: EKR
Mime-Version: 1.0 (generated by tm-edit 7.108)
Content-Type: text/plain; charset=US-ASCII
Date: 03 Mar 2000 07:53:15 -0800
In-Reply-To: Kuzak's message of "Fri, 03 Mar 2000 00:08:40 -0800"
Message-ID:
Lines: 38
X-Mailer: Gnus v5.6.45/XEmacs 20.4 - "Emerald"
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Kuzak writes:
> Well don't forget that a password of length 8 that
> is case sensitive and allows for special characters
> offers something like ~73! permutations which is
> damn near close to number of atoms estimated to
> be in the universe.. It should be more than adequate
> to simply require your users to not use all one case
> or just alphanumeric passwords.. just make them
> include at least one special character..

This isn't even close to correct. Passwords are ASCII, so the total number of 8-byte passwords is 8^8=2^64. It should be obvious by inspection that 8^8 << 73! Incidentally, the number of atoms in a glass of water is on the order of 10^25 >> 8^8.

Moreover, Unix crypt() only uses the low order 7 bits. This is required because DES (the underlying algorithm) takes a 56 bit key. It's possible (though time consuming) to exhaustively search the space of all passwords.
It's known to be possible to exhaustively search DES. DES keys have been exhaustively searched in distributed software systems in 41 days. crypt() iterates the algorithm 25 times to add some security, but this places an upper bound of 2000 days on the process. DES keys have been cracked in hardware in 22 hours. However, crypt() contains some countermeasures designed to make hardware implementations less efficient. However, I'd expect that a hardware crypt() cracker could be built that would do the job in < 3 months.

Moreover, all this assumes that the keys are really selected from a 56-bit space. It's almost impossible to make them do so, which is why Crack is so effective.

-Ekr

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message
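As an added example that is not part of the original message, the calculation below estimates how much of a password policy's keyspace actually reaches traditional DES-based crypt(): it applies the 8-character / 7-bit truncation EKR describes and scales his 41-day full-DES figure by crypt()'s 25 iterations. The alphabet sizes for each policy class and the comparison against the 73! figure from the thread are my assumptions.

```python
import math

# Traditional DES crypt(3) keys only the first 8 characters and only the low
# 7 bits of each, so no policy can exceed a 56-bit key (as stated in the mail).
CRYPT_DES_MAX_CHARS = 8
CRYPT_DES_BITS_PER_CHAR = 7
CRYPT_DES_KEY_BITS = CRYPT_DES_MAX_CHARS * CRYPT_DES_BITS_PER_CHAR  # 56

# Alphabet sizes for common policy classes (constructed for this example).
ALPHABETS = {
    "lowercase only": 26,
    "alphanumeric": 62,
    "mixed case + digits + specials": 95,  # printable ASCII minus space
}


def policy_bits(alphabet_size, length):
    """Bits in a uniformly random password of this alphabet and length."""
    return length * math.log2(alphabet_size)


def effective_bits(alphabet_size, length):
    """Bits that survive crypt(): chars past 8 are ignored, 7 bits per char."""
    used_chars = min(length, CRYPT_DES_MAX_CHARS)
    per_char = min(math.log2(alphabet_size), CRYPT_DES_BITS_PER_CHAR)
    return used_chars * per_char


def search_days(bits, full_des_days=41, iterations=25):
    """Scale the 41-day software search of a full 56-bit DES key (figure from
    the mail) to a keyspace of `bits` bits, one crypt() call per candidate."""
    return full_des_days * iterations * 2 ** (bits - CRYPT_DES_KEY_BITS)


def factorial_claim_excess_bits(n=73):
    """How many bits the quoted n! estimate overshoots the real 56-bit ceiling."""
    return math.log2(math.factorial(n)) - CRYPT_DES_KEY_BITS


if __name__ == "__main__":
    for name, size in ALPHABETS.items():
        for length in (8, 12):
            bits = effective_bits(size, length)
            print(f"{name:32s} len={length:2d}  effective={bits:5.1f} bits"
                  f"  ~{search_days(bits):8.1f} days at the 41-day DES rate")
    print(f"73! overshoots the DES ceiling by {factorial_claim_excess_bits():.0f} bits")
```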