Re: How Many Permutations Make a Password Effectively Impossible to Brute Force Calculate?

In <6W7Dq.10311$XA2.6260@newsfe06.iad> unruh <unruh@invalid.ca> writes:
>On 2011-12-05, Robert Bonomi <bonomi@host122.r-bonomi.com> wrote:
>> In article <msmdnauWH7xB_eDQnZ2dnUVZ_gadnZ2d@giganews.com>,
>> W <persistentone@spamarrest.com> wrote:
>>>If you construct a password from smallcase letters, you effectively have 24
>>>permutations per character. If you construct a password from uppercase and
>>>lowercase and add in 10 number digits, you increase that to 58 permutations
>>>per character in the password. That ends up making a big difference in
>>>the number of permutations needed to guess a password of - for example - 14
>>>digits (i.e., 24^14 versus 58^14).
>>>
>>>How many permutations effectively make it impossible - with modern
>>>computers - to brute force calculate a password?
>>
[...]
>> A high-end commodity PC is probably able to do a million+ password
>> calculations per second. Without considering purpose-built hardware, which
>> has performance several orders of magnitude higher.
>No, that is a bad overestimate of the number of password attempts per
>second, by at least 1000 or more likely even more.
>The password algorithm is not simply a single MD5 or DES. It is
>deliberately designed to slow things down.
People seem to forget that each trial password must be verified to
determine if it's correct. Unless you also have access to the
password hashes, you need to attempt authentication to verify each
password. That's always the slowest step. As well, millions of
authentications will likely be noticed!
--
-Gary Mills- -Unix Group- -Computer and Network Services-
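
Added example, not part of any post in this thread: a Python sketch that measures how many guesses per second one machine can verify against a single MD5 versus a deliberately slow KDF, then converts the thread's keyspaces (24 and 58 choices per character, 14 characters) into exhaustion times. The PBKDF2 work factor, the 10-per-second online rate and all function names are assumptions chosen for illustration.

```python
import hashlib
import os
import time

SECONDS_PER_YEAR = 365.25 * 24 * 3600
SALT = os.urandom(16)          # constructed sample salt
PBKDF2_ROUNDS = 100_000        # assumed work factor, not a figure from the thread

def fast_md5(candidate: bytes) -> bytes:
    """One unstretched hash per guess: the 'single MD5' case."""
    return hashlib.md5(SALT + candidate).digest()

def slow_kdf(candidate: bytes) -> bytes:
    """A deliberately slow verifier (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", candidate, SALT, PBKDF2_ROUNDS)

def guesses_per_second(verify, seconds: float = 0.2) -> float:
    """Measure how many candidates this machine can verify per second."""
    count = 0
    start = time.perf_counter()
    while time.perf_counter() - start < seconds:
        verify(b"candidate-%d" % count)
        count += 1
    return count / (time.perf_counter() - start)

def years_to_exhaust(alphabet: int, length: int, rate: float) -> float:
    """Time to try every password of this length at `rate` guesses/second."""
    return alphabet ** length / rate / SECONDS_PER_YEAR

def min_length(alphabet: int, rate: float, years: float) -> int:
    """Shortest length whose full keyspace takes at least `years` at `rate`."""
    target = rate * years * SECONDS_PER_YEAR
    length = 1
    while alphabet ** length < target:
        length += 1
    return length

if __name__ == "__main__":
    rates = {
        "single MD5 (measured)": guesses_per_second(fast_md5),
        "PBKDF2 100k rounds (measured)": guesses_per_second(slow_kdf),
        "online login, 10/s (assumed)": 10.0,
    }
    for label, rate in rates.items():
        for alphabet in (24, 58):   # per-character counts as given in the thread
            print(f"{label:32} alphabet={alphabet:2} rate={rate:12.1f}/s "
                  f"14 chars: {years_to_exhaust(alphabet, 14, rate):.3g} years, "
                  f"min length for 100 years: {min_length(alphabet, rate, 100)}")
```

The measured rates are for one CPU core in an interpreter, so they understate dedicated hardware; the ratio between the fast and slow verifier is the part that carries over.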