[dba-Tech] Check password strength

Arthur Fuller fuller.artful at gmail.com
Mon Jul 23 06:14:25 CDT 2012


Thanks for the links, Mark. As it happens, I regularly use 3 passwords, one
for everything related to finance, one for sites like TechRepublic, and one
for Citrix/SQL connections. All of them use mixed case + special symbols +
numerics, and are easily remembered.

I ran the most sensitive one (the fiscal one) through your first link and
obtained these results:

Search Space Depth (Alphabet): 26+10+33 = 69
Search Space Length (Characters): 10 characters
Exact Search Space Size (Count): 2,482,167,502,723,212,150
  (count of all possible passwords with this alphabet size and up to this
  password's length)
Search Space Size (as a power of 10): 2.48 x 10^18

Time Required to Exhaustively Search this Password's Space:

Online Attack Scenario
  (Assuming one thousand guesses per second): 7.89 hundred thousand centuries
Offline Fast Attack Scenario
  (Assuming one hundred billion guesses per second): 9.47 months
Massive Cracking Array Scenario
  (Assuming one hundred trillion guesses per second): 6.89 hours

I thought it was pretty good; now my opinion is backed by evidence.
Arthur

On Mon, Jul 23, 2012 at 4:32 AM, Mark Breen <marklbreen at gmail.com> wrote:

> Hi Arthur,
>
> thanks for the email, we need more linux posts here on dba-Tech.  After
> all,  it is the OS of the future  it is the OS of the present ;)
>
> There was another site posted here about a year ago and it allowed us to
> type in a password and it would tell us how long it would take to
> bruteforce that password.  They provided three metrics, Online Attack
> Scenario, Offline Fast Attack Scenario and a Massive Cracking Array
> Scenario.
>
> What the site really demonstrated was that the longer the password the
> better, complexity helped, but password length trumped complexity.
>
> Complex passwords almost always have to be stored in a secure tool, which
> itself must be password protected and managed securely.
>
> With that in mind, I have started to move towards simpler but longer
> passwords.  My assumption is they are too strong to be bruteforced or
> guessed, no dictionary attack is likely to find a match, and the user does
> not have to write them down.  My longer passwords also have one added
> benefit, they are easy to type in.
>
> samples of easy to remember, easy to type are
>
> accessdbmwmotorcycles
> sausagesandbicycles
> ilovetotravel
> arthurandraspberryaregreat
>
> You see that these are impossible to bruteforce, (according to the tool we
> played with last year).  Impossible to dictionary attack.  Easy to type,
> easy to remember.
>
>


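An added worked example (not part of either message, and not the calculator site's own code): it recomputes the search-space count quoted in the results above and applies the same arithmetic to one of the long lowercase samples. Function names and the 10-character sample password are constructed; the class sizes 26/26/10/33 assume printable ASCII.

```python
import string

# Character classes and the sizes used in the quoted results (26+10+33 = 69).
CLASSES = [
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation + " "), 33),  # 32 punctuation marks plus space
]

# Guesses per second for the three scenarios named in the thread.
RATES = {"online": 10**3, "offline_fast": 10**11, "massive_array": 10**14}


def alphabet_size(password):
    """Add up the size of every character class the password draws from."""
    chars = set(password)
    return sum(size for members, size in CLASSES if chars & members)


def search_space(alphabet, length):
    """Count every string over `alphabet` symbols of length 1 up to `length`."""
    return sum(alphabet ** n for n in range(1, length + 1))


def report(password):
    """Search-space size and seconds to exhaust it at each guess rate.

    This measures exhaustive search only; it does not model guessing
    built from words or reused passwords.
    """
    alphabet = alphabet_size(password)
    space = search_space(alphabet, len(password))
    seconds = {name: space / rate for name, rate in RATES.items()}
    return {"alphabet": alphabet, "length": len(password),
            "space": space, "seconds": seconds}


if __name__ == "__main__":
    # "c0rr3ct#h!" is a constructed stand-in with the same shape as the
    # password in the results (10 characters, alphabet of 69).
    for pw in ("c0rr3ct#h!", "sausagesandbicycles"):
        r = report(pw)
        hours = r["seconds"]["massive_array"] / 3600
        print(f"{pw}: alphabet={r['alphabet']} length={r['length']} "
              f"space={r['space']:,} massive_array_hours={hours:,.2f}")
```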