Date: 03 Mar 2000 07:53:15 -0800
From: EKR <ekr@rtfm.com>
To: Kuzak <kuzak@kuzak.net>
Cc: freebsd-stable@FreeBSD.ORG
Subject: Re: Password Length
Message-ID: <kjvh34caok.fsf@romeo.rtfm.com>
In-Reply-To: Kuzak's message of "Fri, 03 Mar 2000 00:08:40 -0800"
References: <38BF10BF.86D1EA83@duwde.com.br> <Pine.BSF.4.10.10003021939150.15588-100000@tetron02.tetronsoftware.com> <38BF10BF.86D1EA83@duwde.com.br> <200003030819.e238Jjp32583@alpha.dgweb.com>
Kuzak <kuzak@kuzak.net> writes:

> Well don't forget that a password of length 8 that
> is case sensitive and allows for special characters
> offers something like ~73! permutations which is
> damn near close to number of atoms estimated to
> be in the universe.. It should be more than adequate
> to simply require your users to not use all one case
> or just alphanumeric passwords.. just make them
> include at least one special character..

This isn't even close to correct. Passwords are ASCII, so the total number of 8-byte 8^8=2^64. It should be obvious by inspection that 8^8 << 73!

Incidentally, the number of atoms in a glass of water is on the order of 10^25 >> 8^8.

Moreover, Unix crypt() only uses the low order 7 bits. This is required because DES (the underlying algorithm) takes a 56 bit key.

It's possible (though time consuming) to exhaustively search the space of all passwords. It's known to be possible to exhaustively search DES. DES keys have been exhaustively searched in distributed software systems in 41 days. crypt() iterates the algorithm 25 times to add some security, but this places an upper bound of 2000 days on the process. DES keys have been cracked in hardware in 22 hours. However, crypt() contains some countermeasures designed to make hardware implementations less efficient. However, I'd expect that a hardware crypt() cracker could be built that would do the job in < 3 months.

Moreover, all this assumes that the keys are really selected from a 56-bit space. It's almost impossible to make them do so, which is why Crack is so effective.

-Ekr

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message
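The search-space arithmetic the reply is arguing about, worked through as an added example (this is not code from the thread or from FreeBSD). It takes the 73-symbol alphabet the original poster mentions and the 41-day distributed DES search and 25 crypt() iterations from the reply as its inputs, and the character-set sizes are constructed for illustration; the point it makes is the defender's one: the character set a policy allows, not the 56-bit DES key, is usually what bounds the work of an exhaustive search.

```python
from math import factorial, log2

# Constructed alphabet sizes for common password policies (assumption: the
# poster's "73" is letters, digits and a handful of specials).
CHARSETS = {
    "lowercase only": 26,
    "alphanumeric, case-sensitive": 62,
    "letters + digits + specials (73)": 73,
    "printable 7-bit ASCII": 95,
    "any 7-bit ASCII byte": 128,
}

SECONDS_PER_DAY = 86400


def keyspace(alphabet_size: int, length: int = 8) -> int:
    """Number of distinct passwords of exactly `length` symbols: size**length, not size!."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int = 8) -> float:
    """Bits of entropy when every password in the keyspace is equally likely."""
    return length * log2(alphabet_size)


def crypt_key_bits(length: int = 8) -> int:
    """Traditional crypt(3) keeps 7 bits of each of at most 8 bytes: a 56-bit DES key."""
    return min(length, 8) * 7


def effective_bits(alphabet_size: int, length: int = 8) -> float:
    """Whichever is smaller bounds an exhaustive search: the policy's space or the 56-bit key."""
    return min(entropy_bits(alphabet_size, length), crypt_key_bits(length))


def des_keys_per_second(days_for_full_search: float) -> float:
    """Key rate implied by covering all 2**56 DES keys in the given number of days."""
    return 2 ** 56 / (days_for_full_search * SECONDS_PER_DAY)


def search_days(space: float, keys_per_second: float, iterations: int = 25) -> float:
    """Worst-case days to try every candidate when each costs `iterations` DES operations."""
    return space * iterations / keys_per_second / SECONDS_PER_DAY


def report(length: int = 8, des_days: float = 41.0) -> dict:
    """Effective bits and worst-case crypt() search time per policy at the 41-day DES rate."""
    rate = des_keys_per_second(des_days)
    out = {}
    for name, size in CHARSETS.items():
        bits = effective_bits(size, length)
        out[name] = (round(bits, 1), round(search_days(2 ** bits, rate), 1))
    return out


if __name__ == "__main__":
    # The poster's 73! versus the real 73**8: factorial overstates the space by many orders.
    print("73! has", len(str(factorial(73))), "digits; 73**8 has", len(str(keyspace(73))))
    for name, (bits, days) in report().items():
        print(f"{name:34s} {bits:5.1f} bits  ~{days:8.1f} days worst case")
```

Running it shows that even the 73-symbol policy yields about 49.5 bits for an 8-character password, comfortably inside the 56-bit DES key, so raising the alphabet (or the length, which crypt() truncates at 8) is what moves the cost, and a dictionary-biased choice of password moves it the other way.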