I know of one modest demonstration (Feb 2012, link) that claimed the power to make 400 billion guesses a second on a 25-GPU system. In that case, an 8-digit password would be blown in less than 6 hours, or sooner depending on the brute-force method. But that assumes the attacker has access to the file that stores the encrypted password. And frankly, that is easy to do if you have access to the computer itself. Even if you can't get to the HDD, the attacker would simply replace the keyboard with a computer that would send 'keystrokes' much faster than you could type. It might take longer, due to the speed of the USB connection, but human typing rate is not a good reference on this matter.

On the issue of characters used in a password, this is not quite as simple as most people state. What matters most is what the attacker expects to have to try, not what characters you chose. In other words, what matters most is what characters EVERYONE in the system uses, not just you. For example, a random sequence of 'X', 'Y' and 'Z' is just as hard to guess as a random sequence of all letters of the alphabet, as long as the attacker doesn't know you prefer X, Y, and Z. But if, despite the availability of 100 digits, it is known to the attacker that everyone is using only X, Y and Z, then the attacker can narrow down the brute-force attack and negate the benefit of the 100-digit security system. The principle of this is identical to that of the dictionary attack. This is why sysadmins might force everyone to use different character types, to make sure that a would-be intruder has to try all permutations.

This is not to say the specific characters used in a password don't affect the speed at which it is broken. That is, when someone says "an 8-digit password takes 10 years to break," that 10 years is the MAXIMUM time required. But the fact is that some passwords would be guessed much faster depending on the character selection and attack method. A more accurate statement would be, "it takes 10 years to test all combinations of 8-digit passwords." For example, if your password uses a 100-character alphanumeric system (e.g. 0-9, A-Z), and the brute-force attack uses sequential guesses, then a password starting with a '0' will be broken at least 100x faster than a password that starts with the LAST character in that sequence (let's call it 'Z'). But this is tricky to deal with since you can never know what order the attacker may use.
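To put numbers on the three points above (worst-case exhaustion time, where a given password falls in a sequential guess order, and how much the keyspace shrinks once an attacker knows which characters people actually use), here is a small added calculator; it is not code from the post, the 36-character 0-9/A-Z alphabet and the sample passwords are constructed for illustration, and the guess rate is the 400 billion/s figure quoted above.

```python
"""Password-policy arithmetic: the quoted "N years" is the time to try every
candidate of a given length; a specific password can fall much earlier."""

GUESSES_PER_SECOND = 400_000_000_000  # 25-GPU figure quoted in the post
ALNUM36 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"  # constructed example alphabet


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int,
                       rate: int = GUESSES_PER_SECOND) -> float:
    """Worst case ("MAXIMUM time"): every candidate of this length is tried."""
    return keyspace(alphabet_size, length) / rate


def sequential_rank(password: str, alphabet: str) -> int:
    """Guess number at which an odometer-style sequential brute force, walking
    the alphabet in order with the first character most significant, reaches
    `password` (counting only candidates of the same length)."""
    base = len(alphabet)
    rank = 0
    for ch in password:
        rank = rank * base + alphabet.index(ch)
    return rank + 1  # the password itself is the final guess


def seconds_to_reach(password: str, alphabet: str,
                     rate: int = GUESSES_PER_SECOND) -> float:
    """Time for the sequential attack to hit this particular password."""
    return sequential_rank(password, alphabet) / rate


def narrowed_keyspace(observed_passwords: list[str], length: int) -> int:
    """If the attacker has learned which characters users really pick (the
    'everyone uses only X, Y and Z' case), the search shrinks to that set."""
    in_use = set("".join(observed_passwords))
    return keyspace(len(in_use), length)


if __name__ == "__main__":
    # constructed examples: full 36-char space vs a user base that only uses XYZ
    print(f"exhaust 36^8 at 400G/s: {seconds_to_exhaust(36, 8):.1f} s")
    print(f"'00000000' reached at guess {sequential_rank('00000000', ALNUM36)}")
    print(f"'ZZZZZZZZ' reached at guess {sequential_rank('ZZZZZZZZ', ALNUM36)}")
    print(f"keyspace if everyone uses XYZ: {narrowed_keyspace(['XYZXYZXY', 'ZZXYYXZX'], 8)}")
```

The same functions show why the post's 6-hour figure holds: all 8-character passwords over the 95 printable ASCII characters exhaust in under 6 hours at that rate, while a 36-character alphanumeric space is gone in seconds.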