Security Basics mailing list archives

Re: Suggested "safe" password length


From: Tomas Wolf <tomas () skip cz>
Date: Sun, 16 Nov 2003 00:53:30 -0700

Hello,

I would like to point out that sometimes it is not about the length only... It is about the character selection and the cipher used.

Let us see some theory about it. If I would have a password of one character I would have a choice from around ~100 ASCII characters (I don't remember the right count of legal password characters). To break this one I would have ~100 options of what character it could be. If I would restrict myself to numerics only, I would have only ten (10) legal, different choices (0-9); if we go with only alphabetical we have 26 different possibilities per character. By increasing the number of letters, one increases (theoretically) the possible combinations that "bruteforce" must go through. Let me note that any dictionary words actually decrease the strength of a password. But let's get back to the theory - so if we have only numerical values as a password we have 10^1 = 10; if we have a two-letter password with only numerical values we get 10^2 = 100 possible combinations; this must be divided by 2 to get the AVERAGE number of possibilities before the password cracker finds the right combination. Let's compare it to alphabetic only: one character is 26^1 = 26 possible values; two characters is 26^2 = 676 / 2 = 338 AVERAGE tries to get a two-letter, alphabetic-only password. So if we look at it from this point, a password like "12345678" has 10^8 = 100,000,000 possibilities, while "oH_nO" has a base of lower and upper case alphabetical letters (26+26) & also special characters (~30 characters). The sum of these will give us ~82 possible variants for one character... Therefore "oH_nO" is: 82^5 = 3,707,398,432 possible combinations...
So as one can see, length is not always the key :-)...

Another element that is brought to the game is the processing power of today's average computer... My 1.7 GHz machine can try ~1,500,000 combinations per second. That doesn't take much to get to 100,000,000 combinations of a numeric-only password.

Cracking algorithms play some role in cracking. Using the most probable in combination with the less probable, one can get the result early... If one uses some uncommon character as a starter, it might be discovered later (or earlier, if the algorithm gives :-) ). Distributed cracking also helps... If we would have a machine for each letter in the alphabet, then one would be able to distribute the task and break it down into manageable chunks... Each machine would be assigned which starting letter to start with; this way one can eliminate one power of the whole equation.

But that is a little off topic... Isn't it :-)

Anyway, I might have forgotten something... But I hope even this will be of some help...
Tomas

Ashish Sharma wrote:

Hi,
I wanted to have an idea about what should be the suggested range of
password lengths and if there is any upper bound.
I was told that there is a range up to which your password is encrypted
and beyond which the characters are futile. I work on a Linux environment
with MD5 encryption of passwords enabled.
TIA
Ashish
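The keyspace arithmetic in Tomas's reply above, as an added example that is not part of the original thread. It scores a password by the character classes it uses, computes the full keyspace, the average number of guesses (keyspace / 2, as in the post) and the average time at the 1,500,000 guesses per second figure quoted there. The class sizes are Tomas's estimates (10 digits, 26 lowercase, 26 uppercase, ~30 specials); the exact count of printable special characters is slightly higher, but the post's figure is kept so the results match the examples given ("12345678" and "oH_nO"). The function names and the entropy-in-bits output are additions of this example.

```python
import math

# Character-class sizes as estimated in the post (assumption: ~30 specials).
CLASS_SIZES = {"digit": 10, "lower": 26, "upper": 26, "special": 30}


def character_classes(password: str) -> set:
    """Return the set of character classes the password draws from."""
    used = set()
    for ch in password:
        if ch.isdigit():
            used.add("digit")
        elif ch.islower():
            used.add("lower")
        elif ch.isupper():
            used.add("upper")
        else:
            # Anything that is not a letter or digit counts as "special".
            used.add("special")
    return used


def alphabet_size(password: str) -> int:
    """Per-position alphabet an attacker must enumerate, given the classes used."""
    return sum(CLASS_SIZES[c] for c in character_classes(password))


def keyspace(password: str) -> int:
    """Total combinations: alphabet size raised to the password length."""
    return alphabet_size(password) ** len(password)


def average_guesses(password: str) -> float:
    """On average the right guess is found halfway through the keyspace."""
    return keyspace(password) / 2


def entropy_bits(password: str) -> float:
    """Same keyspace expressed in bits, the usual way of comparing strength."""
    return math.log2(keyspace(password))


def average_crack_seconds(password: str, guesses_per_second: int = 1_500_000) -> float:
    """Average wall-clock time at a fixed guess rate (default: the post's 1.5M/s)."""
    return average_guesses(password) / guesses_per_second


def report(password: str) -> dict:
    """Collect the figures for one password in a single dictionary."""
    return {
        "password": password,
        "classes": sorted(character_classes(password)),
        "alphabet": alphabet_size(password),
        "keyspace": keyspace(password),
        "average_guesses": average_guesses(password),
        "bits": round(entropy_bits(password), 1),
        "average_seconds": round(average_crack_seconds(password), 1),
    }


if __name__ == "__main__":
    # Constructed sample inputs: the two passwords compared in the post.
    for pw in ("12345678", "oH_nO"):
        print(report(pw))
```

Run as a script it prints the two reports; the eight-digit password yields a keyspace of 10^8 and roughly 33 seconds on average at the post's guess rate, while the five-character mixed-class password yields 82^5 and roughly 20 minutes. The bits column makes the comparison rate-independent: every extra bit doubles the average work, which is the cleanest way to weigh length against character-set size.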

---------------------------------------------------------------------------
Forum Systems PRESIDIO: PGP / XML GATEWAY APPLIANCE
The Presidio integrates PGP data encryption and XML Web Services security to simplify the management and deployment of PGP and reduce overall PGP costs by up to 80%. FREE WHITEPAPER & 30 Day Trial - http://www.securityfocus.com/sponsor/ForumSystems_security-basics_031027 ----------------------------------------------------------------------------