by frosty » Tue Nov 06, 2012 11:57 am
I was thinking about this after thinking about the XKCD comic about password complexity of shorter "random" passwords with large charsets, vs the passphrase approach.
Obviously brute forcing a very long (say 14+ char) password even just lower alpha is a practical impossibility (at least right now), but that's obviously a pretty dumb way to attack that problem.
Could you take a standard dictionary attack and simply get it to try all possible combinations of common lower case words, a quick search says there's about 170,000 English words, so that would be a fairly good guess at dictionary size.
Assuming one of your words was <blank> an attack on passwords of length n words would search for all password combinations between 1 and n?
So to search where n=3 we'd also include all n=2, n=1 attempts as well?
170,000^3 = 4,913,000,000,000,000 permutations
If we make a wild assumption that overhead for the code to build the password list isn't a terribly big overhead for code execution time (especially if we dump our password list in very fast vRAM) and we assume a single GPU cracking at about 300M/sec for something like NTLM, that gives us an estimate of:
4,913,000,000,000,000 / 300,000,000
16,376,666 Seconds, about 190 days.
Not really feasible for someone with a single video card, but doable for distributed computing in fairly reasonable time frames, your 154B/sec rig from your blog would do that in about
4,913,000,000,000,000 / 154,000,000,000
31,902 seconds, about 9 hours!
So your admin password could be "reverse"+"systematic"+"encryption" (27 char) and that would be do-able. Although 4 words and above become practically infeasible again, so I guess it's a similar problem to passwords, without better (slower) encryption you need some minimum complexity from the user.