I dont know much about cracking passwords but i know mathmatically brute forcing a password is gauranteed results. However, it can take years to get even the smallest of passwords with only one computer. My big question is this...Would it be possible to link a bunch of computers together over the internet to create a sort of huge, and really fast brute forcing machine. I know this may sound silly so keep in mind i am no expert. I just know if you have enough processing power it can be done very quickly.
Eager to hear anyone's thoughts on this
scott

anyone replying please keep in mind that: http://www.linuxquestions.org/linux/rules.html

Personnally I would say it also depends on how you configure your computer when it receives a wrong password. If you configure it so that each time a wrong password is entered you cannot enter a new one before a determined amount of time... it will take a long long time

That really isn't always true, it depends of the length of the encryption key and kind of encryption. Take DES for example which is an 56-bit encryption method from the early 70s, well it was first cracked in 1997 by distributed.net, the second time in 1998 in a little over 40 days, they needed 22 thousand connected computers for that.
Of course pc's now are a little faster but still, 40 days, just for an 56-bit symmetric encryption.

Now still lets say an 128-bit encryption (which is a normal length), for that you would need 40*2^72 days, that's a little over 530602975603330922887 years, with those same 22 thousand computers.

Btw. the fact that we have way more powerfull processors does not count, because processor speeds double every 18 months, which means that it will take us 72*18 months = 108 years until they are fast enough to crack the 128-bit code with the same amount of pc's. Besides, this is the easy encryption (symmetric), most encryption these days is done assymmetric and that is still a lot harder to crack.

elluva.

ok but if you were able to somehow connect over the internet and share the processing burden over all the comeputers. You could have an indefinite amount of computers linked into it. 22 thousand is a very low number. If it is even possible to do this and it got popular there would more than a million computers linked to it. It would break 128 bit encryption in minutes.

Actually, throwing 45 times as many computers (1 million vs 22 thousand) at the problem would seem like you could do it much faster - but if elluva's calculations are right, it'd still take 530602975603330922887 / 45 = 11791177235629576000 years.

If the computers nowadays would be 1000 times as fast as then (which is a huge overestimation) and you'd have 10 million computers working toghether, it would still take you 415568250492528778,805248 days, that's somewhat more then 1138543152034325 years .
Point I want to make is that no, you cannot simply break an 128-bit key in minutes by simple brute force. The problem is that the number of possible keys ascends exponentially, it doubles with each extra bit in the key. The fact that you can't keep this up in the real world with the number of computers that you connect makes it very hard to crack an encryption with simple brute force.

Of course I do believe that if you take a brute force method and you adapt it to handle the cracking more intelligently (if this is possible), it can be possible to get way better results, but that depends entirely on the encryption algorithm.

elluva.

indeed, we don't have exactly the same results, but the point remains.

btw. This is how I calculated it,

128 bits - 56 bits = 72 bits
=> 2^72 times as many possible keys

Now if 22.000 pc's calculated for 40 days (and they had luck with them, because they had only reached 47% or so of all the keys), then that same amount of pc's calculate 40*2^72 = (aterriblybignumberof)days. Then just divide by 365 and you have a good approximation of the number of years you'd have to spend.

Then if pc's are 1000 times as powerfull, divide the number by 1000, and if you have 10 000 000 pc's, multiply by ((22 000)/(10 000 000)), and you'll get the giant number i've got .

elluva.

why do you need to crack it anyway?

I think this person is asking out of curiosity

"Password cracking" refers to when you have the password hash and you are trying to find a password that produces that hash. Is that what you guys are talking about?