Brute force attacks (was Re: !!!DANGER!!!! Acute security risk!
WAKE UP!!!!)
Rasjid Wilcox
rasjidw "at" openminddev.net
Thu Feb 26 02:32:00 2004
On Thursday 26 February 2004 05:18, Seak, Teng-Fong wrote:
> I knew. Well, actually, I saw. There's the "too many security failures"
> message. But I also saw that it would grant me a chance to input the password
> again. I'm not sure, is it about after 20 seconds? And if I programme a
> robot to hack in a slow manner, say one per 30 seconds, I'm 30 times slower
> to hack in. But it is still able to hack in. No?

Suppose that someone has a random 8 character password (not a dictionary
word), all in lower case.

There are 26^8 = 208,827,064,576 combinations.

If you only check one every 30 seconds, it will take:
104,413,532,288 minutes = 1,740,225,538 hours = 72,509,397 days = 198,519.9
years to check all of them.

So I'm feeling quite safe at this point.

The moral of course is not to use a dictionary word (or simple derivative like
flower28) as your password, since there are *far* fewer words than random
combinations of letters, and brute force attacks are much more likely to
succeed.

Cheers,
Rasjid.
--
Rasjid Wilcox
Canberra, Australia (UTC +11 hrs)
http://www.openminddev.net
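
Added example, not part of the original message: the same estimate as a small model a defender can use to size a login throttle, covering both the random 8-letter case above and a "flower28"-style word-plus-digits password. The names, the 100,000-word dictionary size and the burst/lockout values are assumptions chosen for illustration.

```python
from dataclasses import dataclass

SECONDS_PER_YEAR = 365.25 * 24 * 3600


@dataclass(frozen=True)
class Throttle:
    """Login throttle: `burst` guesses are allowed, then a `lockout_s` pause."""
    burst: int
    lockout_s: float
    guess_s: float = 0.0  # time a single guess itself takes

    def seconds_for(self, guesses: int) -> float:
        # A pause follows each full burst, except after the final guess.
        pauses = (guesses - 1) // self.burst if guesses > 0 else 0
        return guesses * self.guess_s + pauses * self.lockout_s


def random_keyspace(alphabet_size: int, length: int) -> int:
    """Number of passwords of `length` drawn uniformly from the alphabet."""
    return alphabet_size ** length


def word_plus_digits_keyspace(dictionary_words: int, digits: int) -> int:
    """Dictionary word followed by `digits` decimal digits (e.g. flower28)."""
    return dictionary_words * 10 ** digits


def years_to_exhaust(keyspace: int, throttle: Throttle) -> float:
    """Worst-case time to try every candidate; the average is half of this."""
    return throttle.seconds_for(keyspace) / SECONDS_PER_YEAR


if __name__ == "__main__":
    one_per_30s = Throttle(burst=1, lockout_s=30)  # the rate used in the post
    cases = {
        "random 8 lowercase": random_keyspace(26, 8),
        # Assumed dictionary size of 100,000 words (constructed value).
        "word + 2 digits": word_plus_digits_keyspace(100_000, 2),
    }
    for name, size in cases.items():
        years = years_to_exhaust(size, one_per_30s)
        print(f"{name:20s} {size:>16,d} candidates  {years:>12,.1f} years")
```

Under these assumptions the word-plus-digits keyspace is about 20,000 times smaller than the random one, so the same throttle gives a worst case of years rather than hundreds of thousands of years.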