[Discuss] On "Simple" Brute Forcing Passwords Not Being Simple

Kent Borg kentborg at borg.org
Sat Feb 25 14:05:23 EST 2017


A hint at the sort of things that the secretive TLAs must have put a hell of a lot of thought into:


  Using Ordered Markov Chains and User Information to Speed Up Password Cracking https://t.co/rNk6BR1Yaa

  https://twitter.com/newsycombinator/status/835520068700221441


Once a passphrase gets slightly long the naïve search space gets impossibly large, even if the passphrase isn't inherently very good. ("May the force be with you.") But with some careful thought more likely passwords can be tried sooner than others. 

Go ahead. Fantasize spending a few million dollars on GPU cracking gear. (Now you are invincible!) But do the math on how big the search space is to find a 20-character passphrase. 

Once you try to do the math you'll notice the very description "20-characters" suddenly becomes pretty vague. Reasonable people won't agree on how many digits are in the answer, let alone a precise value. But one thing should be clear: It is a really big number.

You can't try all the combinations. Spend billions, and you still can't. No one can. You have to prioritize…

Very interesting problem. A lot of fun to think about.

-kb
-- 
Sent from my Turing machine.
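As an added example (not Kent's code, and not from the paper linked above) of the two calculations the post gestures at: the naive keyspace size for a 20-character passphrase, and an order-1 character Markov estimate of how early a candidate like "May the force be with you." would be reached once guesses are ordered by likelihood. The corpus, alphabet size and guess rate are constructed placeholders standing in for a real leaked-password list and real GPU hardware.

```python
import math
import string
from collections import Counter

# Constructed stand-in for a leaked-password corpus (placeholder, not real data).
CORPUS = [
    "may the force be with you", "may the force be with you.",
    "password123", "letmein", "the quick brown fox", "force of nature",
    "be with you always", "iloveyou", "starwars1977", "with the force",
]
ALPHABET = string.ascii_lowercase + string.digits + string.punctuation + " "
START, END = "\x02", "\x03"   # sentinel symbols for start and end of a candidate


def naive_keyspace_bits(length, alphabet_size):
    """Bits of search space if every character were uniform and independent."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits, guesses_per_second=1e12):
    """Years to try every combination of a `bits`-sized space at a fixed rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 86400)


class CharMarkov:
    """Order-1 character Markov model with additive smoothing. -log2 P(text)
    approximates how deep into a likelihood-ordered guess list `text` sits."""

    def __init__(self, alpha=0.1):
        self.alpha = alpha
        self.trans = Counter()                  # (prev, cur) -> count
        self.ctx = Counter()                    # prev -> count
        self.vocab_size = len(set(ALPHABET) | {END})

    def train(self, texts):
        for t in texts:
            prev = START
            for c in t.lower() + END:
                self.trans[(prev, c)] += 1
                self.ctx[prev] += 1
                prev = c

    def guess_bits(self, text):
        """-log2 P(text): lower means the model would reach it sooner."""
        bits, prev = 0.0, START
        for c in text.lower() + END:
            denom = self.ctx[prev] + self.alpha * self.vocab_size
            bits -= math.log2((self.trans[(prev, c)] + self.alpha) / denom)
            prev = c
        return bits


def compare(model, candidate):
    """Return (naive bits, Markov-estimated bits) for one candidate passphrase."""
    return naive_keyspace_bits(len(candidate), len(ALPHABET)), model.guess_bits(candidate)
```

A phrase that appears in (or resembles) the corpus scores far fewer Markov bits than its naive length suggests, while a random string of the same length stays close to the naive figure.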

