Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I know you guys like to do these mathematical calculations that prove that it's impossible to crack this, but I think there should be a field that deals with the human aspect. I'm quite positive that most people will use very weak passwords, either from a dictionary, or from their personal details (birthday, son/daughter's name, etc). The above calculations apply to the best case scenario, but this is never the case.
FWIW, it's essentially irrelevant to consider the minimum length for purposes of calculating runtime. A better way to approach things is to include one more character than there really is as a sort of "null" byte (e.g., a 7-character password can be considered to be an 8-character password with one byte set to NULL).
Your value for 12-36, 94 character set is about 2^235.981. Using the 95 "character set" for length 36 (e.g., 95^36) is about 2^236.514. As you can see, it's pretty close. If you want to get really precise, use the original character set for the minimum length and the +1 for the remaining characters. For example, 94^12*95^(36-12) yields a value of 2^236.332. Of course, just using 94 characters for 36 places (94^36) yields 2^235.965.
The reality is that the largest term dwarfs the smaller terms by so much that it becomes the dominating factor. You can see that in the A-Y values you posted, each one increases by 2 digits, or an approximate factor of 100.
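A worked version of the keyspace arithmetic in the post above, added here as an example rather than code posted by anyone in the thread. It assumes a 94-symbol printable-ASCII character set and the 12 to 36 length policy under discussion, and it carries the three shortcuts (exact sum, the "null byte" shortcut, and the mixed form) through to bits so they can be compared. The guess rate in the last function is an assumed placeholder, not a measurement.

```python
# Added example, not from the thread: brute-force keyspace for a length
# policy and the shortcut approximations discussed in the post above.
from math import log2

PRINTABLE_ASCII = 94  # assumption: the 94 printable non-space ASCII symbols


def keyspace(charset_size: int, min_len: int, max_len: int) -> int:
    """Exact count of candidates an exhaustive search must cover:
    the sum of charset_size**n over every allowed length n."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def null_byte_approx(charset_size: int, max_len: int) -> int:
    """Shortcut: pad shorter passwords with a 'null' symbol, so every
    candidate is max_len long over charset_size + 1 symbols. Overcounts,
    because null may then appear anywhere, not only as trailing padding."""
    return (charset_size + 1) ** max_len


def mixed_approx(charset_size: int, min_len: int, max_len: int) -> int:
    """Tighter shortcut: the real charset for the guaranteed min_len
    positions, charset + 1 (null) for the optional ones."""
    return charset_size ** min_len * (charset_size + 1) ** (max_len - min_len)


def bits(n: int) -> float:
    """Express a keyspace as an equivalent key length in bits."""
    return log2(n)


def largest_term_share(charset_size: int, min_len: int, max_len: int) -> float:
    """Fraction of the exact keyspace contributed by max_len alone,
    which is why the shorter lengths barely move the total."""
    return charset_size ** max_len / keyspace(charset_size, min_len, max_len)


def seconds_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Worst-case time for a brute-force search at a constant rate.
    guesses_per_second is whatever the attacker's hardware manages; the
    figure used below is an assumed placeholder, not a measurement."""
    return candidates / guesses_per_second


if __name__ == "__main__":
    c, lo, hi = PRINTABLE_ASCII, 12, 36
    print(f"exact sum     2^{bits(keyspace(c, lo, hi)):.3f}")
    print(f"(c+1)^max     2^{bits(null_byte_approx(c, hi)):.3f}")
    print(f"mixed         2^{bits(mixed_approx(c, lo, hi)):.3f}")
    print(f"c^max         2^{bits(c ** hi):.3f}")
    print(f"share of max length: {largest_term_share(c, lo, hi):.4f}")
    rate = 1e12  # assumed: one trillion guesses per second
    years = seconds_to_exhaust(keyspace(c, lo, hi), rate) / (365.25 * 86400)
    print(f"years at 1e12 guesses/s: {years:.3e}")
```

Running it reproduces the four figures from the post (about 2^235.98, 2^236.51, 2^236.33 and 2^235.97) and shows that the longest length alone accounts for roughly 99% of the exact sum, so the choice of shortcut only matters in the second decimal place of the exponent.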
Thanks for the tips, Matir!
Quote: Originally Posted by H_TeXMeX_H
I know you guys like to do these mathematical calculations that prove that it's impossible to crack this, but I think there should be a field that deals with the human aspect. I'm quite positive that most people will use very weak passwords, either from a dictionary, or from their personal details (birthday, son/daughter's name, etc). The above calculations apply to the best case scenario, but this is never the case.
The formula I googled simply tells you the total possibilities for a password, given the character set and the policy's min/max length. This should not be interpreted as an attempt to prove/disprove how crackable/uncrackable a password is. Rather, it's a way to gauge how much work a brute force attack may need to do when it encounters a strong password. I do understand that unfortunately most human-generated weak passwords won't even need a brute force attack to get cracked, but the article linked in the OP isn't about dictionary or guessing attacks AFAICT.
As win32sux says, the article was about brute forcing.
If you want to look at the "randomness" (called entropy) of a given password, look at Shannon Entropy and the NIST 800-63 guidelines. For a user chosen password, the first character gives you 4 bits, characters 2-8 buy 2 bits each, 9-20 are 1.5 bpc (bits per character) and 21+ are only worth a single bit each. (These values assume the system doesn't enforce dictionary checking or composition rules.) A random ASCII password, by the way, is about 6.5-6.6 bpc. As you can see, humans choose poor passwords, myself included. I just like to make the password secure enough that people who aren't targeting me specifically will give up. (Excluding system passwords, root passwords, banking applications, etc.) But my password to, say, New York Times online, is, in comparison, pitifully weak.