How long does it take to crack an 8 digit password?

webmal

I normally use a random 8 digit password comprising letters (mixed case) and numbers. If a cracker was using a modern PC (P4 3.4GHz with 1 GB RAM), how time-consuming is a brute force attack on my password?

I best assume that my 8 digit password is secure. Thank you.

Webmal
 

TuxDave

Originally posted by: webmal
I normally use a random 8 digit password comprising letters (mixed case) and numbers. If a cracker was using a modern PC (P4 3.4GHz with 1 GB RAM), how time-consuming is a brute force attack on my password?

I best assume that my 8 digit password is secure. Thank you.

Webmal

What type of digits are allowed... all 255 possible ascii?
 

webmal

Originally posted by: TuxDave
What type of digits are allowed... all 255 possible ascii?


I'm not sure what you mean. FYI I use http://www.winguides.com/security/password.php to generate random passwords. Password length is 8 char and I check the "Include Letters" (e.g. abcdef), "Include Mixed Case" (e.g. AbcDEf) and "Include Numbers" option.

Webmal

 

MalikChen

That would be 26 letters lower, plus 26 letters upper, plus 10 numbers = 62 chars

62^8 = 218340105584896 possible combinations

It really depends on what you are cracking. Zip password crackers can try 4.5 million/sec, Excel crackers are about 230,000/sec. From what I've seen, OS crackers can only go about 2k/sec. I might be wrong, so someone correct me.

However, other kinds of password crackers just replace your password with something else. If someone has physical access to your machine, it won't matter how strong your password is. They can just boot into a CD-os, and replace your password hash with one that matches a simple one like "abcde."

Also, the easiest way to make a brute force crack hard is to have your passwd start with a letter at the lower half of the alphabet, because most start at "A" and go down. Because if your passwd is AAAAAAAA, it doesn't matter that it has to spend fifty years cracking if it can get it right on the first try.
 

Cattlegod

That means you have 62 combinations per character instead of 256.


so we need to know how many clock cycles it takes to guess a password.


use this formula

(x*62^8)/(6.8*10^9) where x = number of cycles for 1 guess. That should give you the total average time it takes to crack the password in seconds. I think I did the equation correctly, if anyone can correct it, feel free.
 

webmal

Let's say I'm using WinZip to password protect my files, can somebody give me an estimate on the duration?

I just want to check if my random 8 char password is adequate. Thank you.

Webmal
 

cquark

Originally posted by: webmal
Let's say I'm using WinZip to password protect my files, can somebody give me an estimate on the duration?

I just want to check if my random 8 char password is adequate. Thank you.

Webmal

Using Xieve, which checks 1.5 billion zip passwords/min, it would take 101 days to brute force crack your password. However, WinZip has a variety of encryption options, some of which can be broken in under an hour, and others of which, like AES, would take far longer to brute force.

I'd start an attack at www.lostpassword.com or by doing a google search on "password recovery."
 

webmal

My password takes 101 days to crack...that sounds reasonable. BTW, WinZip v9.0 has AES encryption.

Webmal


EDIT due to cquark's edit (above).

 

cquark

Originally posted by: webmal
Holy cr*p, only 40 hours! I think I need a stronger password. Thanks.

Webmal

Sorry, I misread their spec as per-second, when it was per-minute. I corrected my above post to 101 days.

However, there are better methods than brute force, as there are implementation issues with WinZip's AES encryption, discussed in detail at
http://www.cs.ucsd.edu/users/t...pers/WinZip/winzip.pdf

Someone would have to be pretty smart to carry out many of those attacks, but it only takes one smart person to figure it out and add it to the next version of their WinZip-cracking software to make your encryption insecure.
 

cquark

Originally posted by: webmal
Originally posted by: cquark

...issues with WinZip's AES encryption, discussed in detail at
http://www.cs.ucsd.edu/users/t...pers/WinZip/winzip.pdf
I believe the recent WinZip 9.0 SR-1 has fixed these issues. Please correct me if I'm wrong.

Webmal

I'm not sure if it has or not. While I'm interested in encryption and security, I live in a Linux/UNIX world, so I don't use WinZip much myself. They're rather vague in their release note except for mentioning unrelated buffer overflow issues several times
http://www.winzip.com/wz90sr1.htm
However, after reading the paper, I think they'd have to break compatibility of encrypted archive formats to fix some of the security flaws.
 

eigen

Originally posted by: webmal
My password takes 101 days to crack...that sounds reasonable. BTW, WinZip v9.0 has AES encryption.

Webmal


EDIT due to cquark's edit (above).

Be aware, boys and girls, of big words like AES. While AES is a sound crypto algorithm, it may not be implemented properly. I have read some bad things about how AES was used in WinZip. I will try and find the link.

Edit: The link was right above me.
 

Gamingphreek

Well if his takes that long how long would mine take.

It is 13 characters long with upper case lower case, numbers and symbols.

My dad has worked for the government for a few years and one of the training courses he went to (working towards MCSE) they told the students to write down a password and they'll see how long it takes their computer to find it out. They found that the one thing that really screws them up is asterisks.

Mine would take a while I assume? But how long... how secure is my good ol PC.

-Kevin
 

eigen

Originally posted by: Gamingphreek
Well if his takes that long how long would mine take.

It is 13 characters long with upper case lower case, numbers and symbols.

My dad has worked for the government for a few years and one of the training courses he went to (working towards MCSE) they told the students to write down a password and they'll see how long it takes their computer to find it out. They found that the one thing that really screws them up is asterisks.

Mine would take a while I assume? But how long... how secure is my good ol PC.

-Kevin

The equation is above...but you could always test it.
In Windows use Cain.
In Linux go with John the Ripper.

What will happen is you will get bored after a few weeks and just quit. I have never been patient enough to crack a password. Lots of easier ways in.
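
The arithmetic discussed in the posts above (keyspace, the guess rates quoted for each tool, and the effect of where a password sits in a sequential search), worked through as an added example that is not part of any post. The enumeration order (A-Z, a-z, 0-9) and the 95-symbol alphabet for the 13-character case are assumptions; the rates are the ones quoted in the thread.

```python
import string

# Assumed enumeration order for the position check; real tools vary.
ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits  # 62 symbols
SECONDS_PER_DAY = 86_400

# Guess rates quoted in the thread, converted to guesses per second.
RATES = {
    "zip cracker, 4.5 million/sec": 4.5e6,
    "Excel cracker, 230,000/sec": 230_000.0,
    "OS cracker, 2k/sec": 2_000.0,
    "Xieve, 1.5 billion/min": 1.5e9 / 60,
}

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of exactly this length."""
    return alphabet_size ** length

def days_to_search(candidates: float, guesses_per_sec: float) -> float:
    """Days needed to try the given number of candidates at a fixed rate."""
    return candidates / guesses_per_sec / SECONDS_PER_DAY

def position(password: str, alphabet: str = ALPHABET) -> int:
    """1-based index of password when same-length candidates are tried in alphabet order."""
    index = 0
    for ch in password:
        index = index * len(alphabet) + alphabet.index(ch)
    return index + 1

def estimate(alphabet_size: int, length: int) -> dict:
    """Per tool: (worst-case days, expected days) for a uniformly random password."""
    total = keyspace(alphabet_size, length)
    return {name: (days_to_search(total, rate), days_to_search(total / 2, rate))
            for name, rate in RATES.items()}

if __name__ == "__main__":
    cases = [("8 chars from a-z, A-Z, 0-9", 62, 8),
             ("13 chars from 95 printable ASCII (assumed)", 95, 13)]
    for label, size, length in cases:
        print(label)
        for name, (worst, expected) in estimate(size, length).items():
            print(f"  {name:30s} worst {worst:.3g} days, expected {expected:.3g} days")
    # A sequential search hits a password when it reaches its position,
    # so only a randomly chosen password gets the "expected" figure.
    for pw in ("AAAAAAAA", "zzzzzzzz"):
        print(pw, f"is {position(pw) / keyspace(62, 8):.1%} of the way through")
```
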
 

numb

In most cases, even being able to obtain the hash is a pretty good sign of a weak password.
 

willfreund

If it's 12345678 it's easy. If it's through a web hacker, a program, it would take days, maybe a month. If it's on your computer, or you can physically attach a decoder to it, it might take days still, but it's a bit faster.
 

eigen

Originally posted by: numb
In most cases, even being able to obtain the hash is a pretty good sign of a weak password.

I don't find this to be a reasonable answer. While I do agree that obtaining the hash is a sign of weak security (in Linux, to access the hash you have to already have root privileges), I don't see how having the hash of the pass makes it weak. The point of a hash is that it is non-invertible (at least ideally). I could give the whole world my hash and expect it to be secure forever if the hash function was cryptographically sound.
 

eigen

Originally posted by: numb
It's a matter of security policy.

I understand that, I even said that in my post...but possession of the hash in no way weakens the password. That's the point: it is one-way.
 

MalikChen

The only time having a hash weakens a password is when there are collisions. It's why many people are using SHA-1 instead of MD5. Also, if someone has write-access to the hash file, they can re-write the hash file so that they know what collides.
 

Shalmanese

The point is if you have the hash, you can attempt cracking on your own machine which gives you a speed boost as well as being less conspicuous. Many sysadmins will notice a user hammering away at the login server 1000 times a minute and there are trivial ways to disable remote password cracking like gradually increasing the delay between each login. If you have the hash, you can throw as much computer power as you like since it's a very parallel algorithm and you can turn a password that requires 3 months to crack into one that takes 3 minutes.
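
A sketch of the "gradually increasing the delay between each login" defence mentioned in the post above, as an added example that is not part of the post. The class name, the account name and the policy values (3 free attempts, delay doubling from 1 second up to a 15-minute cap) are hypothetical; the 1000 attempts a minute and the 2k/sec offline rate are figures quoted in the thread.

```python
class LoginThrottle:
    """Per-account escalating delay after failed logins (hypothetical policy values)."""

    def __init__(self, free_attempts=3, base_delay=1.0, max_delay=900.0):
        self.free_attempts = free_attempts
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.failures = {}       # account -> consecutive failed logins
        self.locked_until = {}   # account -> time before which attempts are rejected

    def delay_for(self, failures):
        """Seconds an account stays locked after this many consecutive failures."""
        if failures < self.free_attempts:
            return 0.0
        return min(self.base_delay * 2 ** (failures - self.free_attempts), self.max_delay)

    def attempt(self, account, password_ok, now):
        """Return 'throttled' (password not even checked), 'ok' or 'failed'."""
        if now < self.locked_until.get(account, 0.0):
            return "throttled"
        if password_ok:
            self.failures.pop(account, None)
            self.locked_until.pop(account, None)
            return "ok"
        count = self.failures.get(account, 0) + 1
        self.failures[account] = count
        self.locked_until[account] = now + self.delay_for(count)
        return "failed"


def guesses_checked(per_minute, window_seconds, throttle=None):
    """Count wrong guesses the server actually evaluates from a client sending at a fixed rate."""
    throttle = throttle or LoginThrottle()
    sent = int(window_seconds * per_minute / 60)
    results = (throttle.attempt("alice", False, i * 60.0 / per_minute) for i in range(sent))
    return sum(1 for r in results if r == "failed")


if __name__ == "__main__":
    day = 86_400
    online = guesses_checked(per_minute=1000, window_seconds=day)
    offline = 2_000 * day  # slowest offline rate quoted in the thread (2k/sec)
    print(f"online, throttled: {online} guesses checked in a day")
    print(f"offline, 2k/sec:   {offline:,} guesses in a day")
```

The throttle only exists on the login path; once the hash is copied off the machine, none of these delays apply to the guessing.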
 

eigen

Originally posted by: Shalmanese
The point is if you have the hash, you can attempt cracking on your own machine which gives you a speed boost as well as being less conspicuous. Many sysadmins will notice a user hammering away at the login server 1000 times a minute and there are trivial ways to disable remote password cracking like gradually increasing the delay between each login. If you have the hash, you can throw as much computer power as you like since it's a very parallel algorithm and you can turn a password that requires 3 months to crack into one that takes 3 minutes.

I call shens on the 3mins...But I know what you mean. Access to the hash is bad but it does not weaken the hash.
 
Ahem.

For those not willing to read it all, the following five passwords:

N73k_a7()TUBoK
PrFa$=ptRcb^__
z %G)r*EW&2nk#
cjST$=W0U*-5CH
(zw= ijV$i*vEX

were cracked in a total of 177.81 seconds.

Oh, my bad. Did I just ruin your sense of security?

- M4H