Password cracking mathematics

Dooling37

Senior member
Jun 7, 2000
So I'm trying to make up a little presentation about password security (for no particular reason), and I've got two questions:

First, when I am calculating the total number of possible passwords given some parameters (e.g. -- 4 characters, alphabetic-only), would the formula be: password length to the number of possible characters' power (4^26 = 4503599627370496), or vice versa -- number of possible characters to the length power (26^4 = 456976). I'm thinking it would be the latter, but not sure. I wish I had paid closer attention in my probability and stats courses over the years.

Also, are there any figures available for how many possibilities are tried per second for a program like 'John the Ripper,' on a decent machine (e.g. -- 1.2GHz, 448MB SDRAM; I am assuming the program performance is machine-dependent). I just pulled a guess of 250 attempts per second out of nowhere, b/c I couldn't find any figures. I have no idea how realistic that is.

Thanks for your input.
 

Haircut

Platinum Member
Apr 23, 2000
It would be 26^4 for a 4 character key.

250 attempts per second is way too low, you will likely be getting hundreds of thousands of attempts per second on any modern computer, possibly more.
 

Dooling37

Senior member
Jun 7, 2000
Cool, that's what I thought...seems to make more sense.

I figured I might be low on the attempts per second, but I just have no concept -- guess I'll bump it up from 250, though. ; )

Thanks.
 

Ameesh

Lifer
Apr 3, 2001
26^4. On a 1GHz box with some efficient code you could do a hundred thousand checks a second.

A 4 character password is trivial to crack; that's why people say to have an 8 char alphanumeric password. It would take approximately 326 days at the previous rate of continuous cracking versus 4 seconds with a 4 character pass.
 

Dooling37

Senior member
Jun 7, 2000
Yeah, after plugging the different numbers in, I realized how extremely low I was on that estimate. Putting in 10,000 per second would take 45 seconds for the 4 character alpha, vs. 2014063.2 millennia for a 12 character alphanumeric and special character password.

I'll go with 100,000 per second, though -- that sounds even more realistic.
 

DaveSimmons

Elite Member
Aug 12, 2001
Don't forget the requirement of prohibiting use of English words (without forcing extra letters, etc.), since any good password-cracking software would combine brute force with an English dictionary. Also, if not blocked, many users will just repeat their username as the password.
 

her209

No Lifer
Oct 11, 2000
Now here's some more restraints:

Must contain at least one upper case and one lower case.
Adjacent letters cannot be the same.
A letter cannot be used more than twice.

:p
 

goog40

Diamond Member
Mar 16, 2000
I remember a long time ago I had a zip that had a password on it, and I tried some program to try to crack it by brute force. It was usually around 500,000 a second, and this was on a P233 MMX with a whopping 32MB of EDO RAM running Win95.
 

Dooling37

Senior member
Jun 7, 2000
Originally posted by: goog40
I remember a long time ago I had a zip that had a password on it, and I tried some program to try to crack it by brute force. It was usually around 500,000 a second, and this was on a P233 MMX with a whopping 32MB of EDO RAM running Win95.

Wow! :Q
That's unbelievable. I guess I will have to readjust my estimate upwards, again. haha

As for all of the other rules and restrictions, I'm not really trying to make a comprehensive, complete report or anything, so I will leave out the more complicated rules, but those were all good points. Especially about the upper and lower-case -- I completely disregarded that, which adds another 26 possible characters.

Thanks for the replies. ; )
 

Alphazero

Golden Member
May 9, 2002
You could try writing a short program with a timer to simulate generating and trying different passwords to calculate a more accurate estimate of how many you can try per second.
 

Dooling37

Senior member
Jun 7, 2000
Originally posted by: Alphazero
You could try writing a short program with a timer to simulate generating and trying different passwords to calculate a more accurate estimate of how many you can try per second.

Yes, I could -- if I had any programming ability, whatsoever. ; )
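The arithmetic the thread works through (charset size to the length power, worst-case time at a fixed guess rate, and the effect of her209's first two rules), plus the timer Alphazero suggested, as an added example that is not from any poster. It assumes a constant single-machine rate and uses SHA-256 as a stand-in for whatever hash a real checker computes; the 36-character alphanumeric set and 100,000 guesses/s are the figures Ameesh used.

```python
"""Keyspace and time-to-exhaust arithmetic for the figures in this thread (added example)."""
import hashlib
import itertools
import string
import time

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY

def keyspace(charset_size: int, length: int) -> int:
    """Distinct passwords: charset_size ** length (26**4 for 4 letters, not 4**26)."""
    return charset_size ** length

def mixed_case_keyspace(length: int) -> int:
    """Letters only, with at least one upper- and one lower-case letter.
    Inclusion-exclusion: all 52-letter strings minus the all-upper and all-lower ones."""
    return 52 ** length - 2 * 26 ** length

def mixed_case_no_adjacent_repeat_keyspace(length: int) -> int:
    """Mixed case as above, and no two adjacent letters equal (her209's first two rules)."""
    all_no_adjacent = 52 * 51 ** (length - 1)        # first letter free, then 51 choices
    single_case_no_adjacent = 26 * 25 ** (length - 1)
    return all_no_adjacent - 2 * single_case_no_adjacent

def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst case: every candidate tried once at a constant rate (assumption)."""
    return space / guesses_per_second

def human_duration(seconds: float) -> str:
    if seconds < SECONDS_PER_DAY:
        return f"{seconds:.1f} seconds"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_DAY:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:,.0f} years"

def measure_hash_rate(duration: float = 0.2) -> float:
    """Alphazero's suggestion: time a loop that generates and hashes candidates
    (SHA-256 here, an assumption) to estimate guesses per second on this machine."""
    candidates = itertools.product(string.ascii_lowercase, repeat=6)  # far more than we will use
    count, start = 0, time.perf_counter()
    while time.perf_counter() - start < duration:
        hashlib.sha256("".join(next(candidates)).encode()).digest()
        count += 1
    return count / (time.perf_counter() - start)

if __name__ == "__main__":
    for label, size, length in [("4 letters", 26, 4), ("8 alphanumerics", 36, 8)]:
        secs = seconds_to_exhaust(keyspace(size, length), 100_000)
        print(f"{label}: {keyspace(size, length):,} candidates, {human_duration(secs)} at 100k/s")
    print(f"measured rate here: {measure_hash_rate():,.0f} SHA-256 guesses/s")
```

The measured rate is for a pure-Python loop and one fast hash; a native cracker on the same box, or a slow password hash on the server side, moves that figure by orders of magnitude in either direction.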