How Many Permutations Make a Password Effectively Impossible to Brute Force Calculate?
If you construct a password from smallcase letters, you effectively have 24
permutations per character. If you construct a password from uppercase and
lowercase and add in 10 number digits, you increase that to 58 permutations
per character in the password. That ends up making a big difference in
the number of permutations needed to guess a password of - for example - 14
digits (i.e., 24^14 versus 58^14).
How many permutations effectively make it impossible - with modern
computers - to brute force calculate a password?
Re: How Many Permutations Make a Password Effectively Impossible to Brute Force Calculate?
On 2011-03-14, W <persistentone@spamarrest.com> wrote:
> If you construct a password from smallcase letters, you effectively have 24
> permutations per character. If you construct a password from uppercase and
> lowercase and add in 10 number digits, you increase that to 58 permutations
> per character in the password. That ends up making a big difference in
> the number of permutations needed to guess a password of - for example - 14
> digits (i.e., 24^14 versus 58^14).
>
> How many permutations effectively make it impossible - with modern
> computers - to brute force calculate a password?
>
>
Re: How Many Permutations Make a Password Effectively Impossible to Brute Force Calculate?
"1PW" <1PW@INVALID.net> wrote in message
news:iljpie$ba7$1@news.eternal-september.org...
> On 3/13/2011 5:27 PM, W wrote:
> > If you construct a password from smallcase letters, you effectively have 24
> > permutations per character.
>
> 24?
Re: How Many Permutations Make a Password Effectively Impossible to Brute Force Calculate?
"unruh" <unruh@wormhole.physics.ubc.ca> wrote in message
news:slrninrdkt.obc.unruh@wormhole.physics.ubc.ca. ..
> On 2011-03-14, W <persistentone@spamarrest.com> wrote:
> > If you construct a password from smallcase letters, you effectively have 24
> > permutations per character. If you construct a password from uppercase and
> > lowercase and add in 10 number digits, you increase that to 58 permutations
> > per character in the password. That ends up making a big difference in
> > the number of permutations needed to guess a password of - for example - 14
> > digits (i.e., 24^14 versus 58^14).
> >
> > How many permutations effectively make it impossible - with modern
> > computers - to brute force calculate a password?
>
> Depends on how long you are willing to spend.
I don't think that's quite correct. At a certain number of
permutations, even 10K computers couldn't brute force the password in 10
years, working 24x7.
I'm trying to objectify this. So "depends" isn't a useful answer.
Re: How Many Permutations Make a Password Effectively Impossible to Brute Force Calculate?
"W" <persistentone@spamarrest.com> wrote in message
news:LK-dneGt469cKuLQnZ2dnUVZ_q4AAAAA@giganews.com...
> "unruh" <unruh@wormhole.physics.ubc.ca> wrote in message
> news:slrninrdkt.obc.unruh@wormhole.physics.ubc.ca. ..
>> On 2011-03-14, W <persistentone@spamarrest.com> wrote:
>> > If you construct a password from smallcase letters, you effectively have 24
>> > permutations per character. If you construct a password from uppercase and
>> > lowercase and add in 10 number digits, you increase that to 58 permutations
>> > per character in the password.
>> > How many permutations effectively make it impossible - with modern
>> > computers - to brute force calculate a password?
>>
>> Depends on how long you are willing to spend.
>
> I don't think that's quite correct. At a certain number of
> permutations, even 10K computers couldn't brute force the password in 10
> years, working 24x7.
>
> I'm trying to objectify this. So "depends" isn't a useful answer.
I am not a cryptologist, but I think an exact answer would require exact
values for "modern computers", both in terms of quantity and performance.
Does the attacker have access to a couple of PCs, to a botnet grid or to
the combined supercomputer capacity of several Western governments?
You are probably familiar with the results e.g. distributed.net has
achieved.
Re: How Many Permutations Make a Password Effectively Impossible to Brute Force Calculate?
On 2011-03-15, W <persistentone@spamarrest.com> wrote:
> "1PW" <1PW@INVALID.net> wrote in message
> news:iljpie$ba7$1@news.eternal-september.org...
>> On 3/13/2011 5:27 PM, W wrote:
>> > If you construct a password from smallcase letters, you effectively have 24
>> > permutations per character.
Wrong word. That is not "permutations", that is "choices". A permutation
is a rearrangement of a given string. You are not rearranging some given
set but are selecting out of an alphabet (26 characters) for each
position.
Re: How Many Permutations Make a Password Effectively Impossible to Brute Force Calculate?
On 2011-03-15, W <persistentone@spamarrest.com> wrote:
> "unruh" <unruh@wormhole.physics.ubc.ca> wrote in message
> news:slrninrdkt.obc.unruh@wormhole.physics.ubc.ca. ..
>> On 2011-03-14, W <persistentone@spamarrest.com> wrote:
>> > If you construct a password from smallcase letters, you effectively have 24
>> > permutations per character. If you construct a password from uppercase and
>> > lowercase and add in 10 number digits, you increase that to 58 permutations
>> > per character in the password. That ends up making a big difference in
>> > the number of permutations needed to guess a password of - for example - 14
>> > digits (i.e., 24^14 versus 58^14).
>> >
>> > How many permutations effectively make it impossible - with modern
>> > computers - to brute force calculate a password?
>>
>> Depends on how long you are willing to spend.
>
> I don't think that's quite correct. At a certain number of
> permutations, even 10K computers couldn't brute force the password in 10
> years, working 24x7.
But they might be if you spend 10000000 years.
>
> I'm trying to objectify this. So "depends" isn't a useful answer.
>
Re: How Many Permutations Make a Password Effectively Impossible to Brute Force Calculate?
"Thor Kottelin" <thor@anta.net> wrote in message
news:R6Pfp.23289$mX5.19556@uutiset.elisa.fi...
> "W" <persistentone@spamarrest.com> wrote in message
> news:LK-dneGt469cKuLQnZ2dnUVZ_q4AAAAA@giganews.com...
> > "unruh" <unruh@wormhole.physics.ubc.ca> wrote in message
> > news:slrninrdkt.obc.unruh@wormhole.physics.ubc.ca. ..
> >> On 2011-03-14, W <persistentone@spamarrest.com> wrote:
> >> > If you construct a password from smallcase letters, you effectively have 24
> >> > permutations per character. If you construct a password from uppercase and
> >> > lowercase and add in 10 number digits, you increase that to 58 permutations
> >> > per character in the password.
>
> >> > How many permutations effectively make it impossible - with modern
> >> > computers - to brute force calculate a password?
> >>
> >> Depends on how long you are willing to spend.
> >
> > I don't think that's quite correct. At a certain number of
> > permutations, even 10K computers couldn't brute force the password in 10
> > years, working 24x7.
> >
> > I'm trying to objectify this. So "depends" isn't a useful answer.
>
> I am not a cryptologist, but I think an exact answer would require exact
> values for "modern computers", both in terms of quantity and performance.
> Does the attacker have access to a couple of PCs, to a botnet grid or to
> the combined supercomputer capacity of several Western governments?
The attacker has 10K Intel 3GHz quad core computers.
> You are probably familiar with the results e.g. distributed.net has
> achieved.
Re: How Many Permutations Make a Password Effectively Impossible to Brute Force Calculate?
In article <msmdnauWH7xB_eDQnZ2dnUVZ_gadnZ2d@giganews.com>,
W <persistentone@spamarrest.com> wrote:
>If you construct a password from smallcase letters, you effectively have 24
>permutations per character. If you construct a password from uppercase and
>lowercase and add in 10 number digits, you increase that to 58 permutations
>per character in the password. That ends up making a big difference in
>the number of permutations needed to guess a password of - for example - 14
>digits (i.e., 24^14 versus 58^14).
>
>How many permutations effectively make it impossible - with modern
>computers - to brute force calculate a password?
First, you have to learn basic concepts. English has 26 unique letters,
using upper/lower and digits gives 62 possibilities. Add in punctuation
symbols, and you have a minimum of 94 possibilities (assuming you limit
things to the 7-bit ASCII set).
Next, you have to define 'how long' constitutes 'effectively make it
impossible'.
To 'brute force' a password means to repeatedly try various possibilities
until one succeeds.
HOW LONG does it take to try -one- password and determine success/failure,
for the system you are trying to break into?
Take the time period you have defined as 'effectively impossible', divide
by the time it takes to do _one_ possibility. Now, _double_ that number;
that is the number of 'possibilities' you need to have for possible
passwords. Assuming you only have _one_ machine to try cracking with.
Scale up the 'possibilities' required, by the total number of machines
available.
"A numerical answer is left as an exercise for the student."
hints:
Putting together distributed networks consisting of a quantity of machines
that requires a 6 (or 7) digit number to express is relatively trivial
in today's world.
A high-end commodity PC is probably able to do a million+ password
calculations per second. Without considering purpose-built hardware, which
has performance several orders of magnitude higher.
Add another 5 orders of magnitude to account for seconds in a day.
Re: How Many Permutations Make a Password Effectively Impossible to Brute Force Calculate?
On 2011-12-05, Robert Bonomi <bonomi@host122.r-bonomi.com> wrote:
> In article <msmdnauWH7xB_eDQnZ2dnUVZ_gadnZ2d@giganews.com>,
> W <persistentone@spamarrest.com> wrote:
>>If you construct a password from smallcase letters, you effectively have 24
>>permutations per character. If you construct a password from uppercase and
>>lowercase and add in 10 number digits, you increase that to 58 permutations
>>per character in the password. That ends up making a big difference in
>>the number of permutations needed to guess a password of - for example - 14
>>digits (i.e., 24^14 versus 58^14).
>>
>>How many permutations effectively make it impossible - with modern
>>computers - to brute force calculate a password?
>
> First, you have to learn basic concepts. English has 26 unique letters,
> using upper/lower and digits gives 62 possibilities. Add in punctuation
> symbols, and you have a minimum of 94 possibilities (assuming you limit
> things to the 7-bit ASCII set).
>
> Next, you have to define 'how long' constitutes 'effectively make it
> impossible'.
>
> To 'brute force' a password means to repeatedly try various possibilities
> until one succeeds.
>
> HOW LONG does it take to try -one- password and determine success/failure,
> for the system you are trying to break into?
>
> Take the time period you have defined as 'effectively impossible', divide
> by the time it takes to do _one_ possibility. Now, _double_ that number;
> that is the number of 'possibilities' you need to have for possible
> passwords. Assuming you only have _one_ machine to try cracking with.
> Scale up the 'possibilities' required, by the total number of machines
> available.
>
> "A numerical answer is left as an exercise for the student."
>
> hints:
>
> Putting together distributed networks consisting of a quantity of machines
> that requires a 6 (or 7) digit number to express is relatively trivial
> in today's world.
>
> A high-end commodity PC is probably able to do a million+ password
> calculations per second. Without considering purpose-built hardware, which
> has performance several orders of magnitude higher.
No, that is a bad overestimate of the number of password attempts per
second, by at least 1000 or more likely even more.
The password algorithm is not simply a single MD5 or DES. It is
deliberately designed to slow things down.
>
> Add another 5 orders of magnitude to account for seconds in a day.
>
> Effectively impossible is "how many" days?
Re: How Many Permutations Make a Password Effectively Impossible to Brute Force Calculate?
In <6W7Dq.10311$XA2.6260@newsfe06.iad> unruh <unruh@invalid.ca> writes:
>On 2011-12-05, Robert Bonomi <bonomi@host122.r-bonomi.com> wrote:
>> In article <msmdnauWH7xB_eDQnZ2dnUVZ_gadnZ2d@giganews.com>,
>> W <persistentone@spamarrest.com> wrote:
>>>If you construct a password from smallcase letters, you effectively have 24
>>>permutations per character. If you construct a password from uppercase and
>>>lowercase and add in 10 number digits, you increase that to 58 permutations
>>>per character in the password. That ends up making a big difference in
>>>the number of permutations needed to guess a password of - for example - 14
>>>digits (i.e., 24^14 versus 58^14).
>>>
>>>How many permutations effectively make it impossible - with modern
>>>computers - to brute force calculate a password?
>>
[...]
>> A high-end commodity PC is probably able to do a million+ password
>> calculations per second. Without considering purpose-built hardware, which
>> has performance several orders of magnitude higher.
>No, that is a bad overestimate of the number of password attempts per
>second, by at least 1000 or more likely even more.
>The password algorithm is not simply a single MD5 or DES. It is
>deliberately designed to slow things down.
People seem to forget that each trial password must be verified to
determine if it's correct. Unless you also have access to the
password hashes, you need to attempt authentication to verify each
password. That's always the slowest step. As well, millions of
authentications will likely be noticed!
--
-Gary Mills- -Unix Group- -Computer and Network Services-
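
Added example, not part of any post in the thread: the sizing rule from Robert Bonomi's post (time budget divided by time per guess, doubled, scaled by machine count) applied to W's scenario of 10K machines for 10 years, once at Bonomi's "million+" guesses per second and once at the 1000x slower rate unruh argues for. The function names, the 365-day year, and the assumptions of a uniformly random password and an offline attack on a captured hash are mine.

```python
SECONDS_PER_YEAR = 365 * 24 * 3600  # assumption: 365-day year

def required_keyspace(years, guesses_per_sec, machines):
    """Bonomi's rule: guesses possible in the time budget, doubled.

    Doubling is needed because a search finds the password, on average,
    after covering half of the keyspace.
    """
    return 2 * years * SECONDS_PER_YEAR * guesses_per_sec * machines

def min_length(alphabet_size, keyspace):
    """Smallest n with alphabet_size**n >= keyspace (exact integer math)."""
    n, total = 0, 1
    while total < keyspace:
        total *= alphabet_size
        n += 1
    return n

def min_lengths(years, guesses_per_sec, machines, alphabets=(26, 62, 94)):
    """Minimum random-password length per alphabet size from the thread:
    26 = lowercase, 62 = upper/lower/digits, 94 = printable 7-bit ASCII."""
    need = required_keyspace(years, guesses_per_sec, machines)
    return {a: min_length(a, need) for a in alphabets}

def expected_years(alphabet_size, length, guesses_per_sec, machines):
    """Average time to hit one random password (half the keyspace)."""
    half = alphabet_size ** length / 2
    return half / (guesses_per_sec * machines) / SECONDS_PER_YEAR

if __name__ == "__main__":
    # Constructed scenarios: W's 10K machines and 10 years, with the two
    # per-machine rates argued over in the thread. Only offline guessing is
    # modelled; online guessing against a login service is far slower.
    scenarios = {
        "fast hash, 1e6 guesses/s per machine": 1_000_000,
        "slow hash, 1e3 guesses/s per machine": 1_000,
    }
    for label, rate in scenarios.items():
        print(label)
        print("  keyspace needed:", required_keyspace(10, rate, 10_000))
        for alphabet, length in min_lengths(10, rate, 10_000).items():
            print(f"  {alphabet:>2}-symbol alphabet: {length} characters")
    print("26^14 average crack time (fast hash): "
          f"{expected_years(26, 14, 1_000_000, 10_000):.0f} years")
```

The lengths hold only for passwords chosen uniformly at random; a human-chosen password drawn from words or patterns has a much smaller effective keyspace than alphabet_size**length.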