
Thread: Time to Crack Chart

  1. #11
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897
    Originally posted here by XTC46
    this was the point I was trying to make. The guess could be off by YEARS depending on the password. I mean if someone made their password ABCDEFG and the scanner did that combo right away bag, you're cracked in less than a second, but if they made it !AbCdEfG! it might take a while longer.
    Ok, I see where the misunderstanding lies. I’ll restate it:

    I would like to know the time to run through the entire key space. Or, put another way, about how long would it take (ball park) if the correct password was the VERY last one tried in a brute force attack.

  2. #12
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    XTC46 I am afraid that we both agree that Irongeek's quest is mission impossible?

    It is more of a complex math model than a few simple formulae?

    Anyway, as you have implied, if the answer is "somewhere between 10 seconds and 10,000 years"........is that information of any practical use or relevance?

    I guess that is one of the problems of probability and statistics when you have to take the whole population distribution into account

    And I still haven't won the bloody national lottery (maybe I shouldn't be using john the ripper)

  3. #13
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Are you including the extended ASCII in the keyspace? If you are then the keyspace gets HUGE and thus the cracking time multiplies linearly.

    This may help. There is an Excel Spreadsheet linked to in the top left corner that might help you get some estimations.

    [Edit]

    Nihil:

    You have to remember that the problem has a finite answer depending on the technology used. Obviously, every time a CPU gets faster the time comes down.

    But also, L0phtCrack and others employ some sneaky techniques like automatic "leetspeak" substitutions during dictionary attacks with the accompanying pre and post additions. That's a nice one because a lot of people choose a word like outcast, leetspeak it 0u+C4$+ and add a character to the front like ! making !0u+C4$+.... looks good... but the word is still outcast with leetspeak added in and the pre character.

    Yes, it extends the time for a full dictionary attack quite a bit... but then again a full dictionary attack only takes a day or so depending upon the dictionary and the computer used. You'd have that password in a week on a good computer with the "enhanced" dictionary attack.

    This is why I always use/recommend an extended ASCII character in passwords that you want to keep secure. Most of the password crackers aren't designed to attack the extended characters because it extends the time of crack so significantly. As a cracker I have to decide whether to attack the lower ASCII keyspace alone and see what I get or to attack the entire keyspace which extends my crack time phenomenally - BUT, if I spend the time on the lower keyspace and fail then I have to start all over... However, if I attack the entire keyspace I have to accept that I am automatically extending my crack time if it is a lower keyspace significantly.... The upshot is that by the time I crack it the user might have changed it.... But that's what encryption is all about....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  4. #14
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897
    Tiger Shark, something like John's -i:all, which I think is 95 characters. The formula is pretty easy if you know the approximate number of passwords tried per second:

    ((Number-of-characters-in-keyspace)^(Length-of-largest-key-tried))/(Approximate-number-of-passwords-tried-per-second)=(how-long-it-takes-in-secs)

    I'll take a look at the sheet.

    /edit:Again, whole keyspace, all possible passwords are tried as if only the last one is correct.

  5. #15
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi Tiger~,

    I appreciate what you are saying, dictionary attacks can be pretty sneaky, particularly if they have extended intelligence.

    /jk some members of AO would actually beat the system provided that it did not have fuzzy logic......their spelling would protect them jk/


    I think that Irongeek is interested in bruteforcing random/selected passwords though. I just tried my AO password on that tool................4,802 years? I would bet that the FBI/Secret Service/CIA could do it inside one hour with their rainbow tables (the IRS would do it in 30 seconds, but there again, they always were greedy buggers?)

    Irongeek, I see what you are saying about the theoretical calculation, but a lot can depend on where you start and how you progress? I still feel that there are a lot of subtle nuances involved here?

    Thanks for the link Tiger~ that was the sort of tool I was thinking of, but it is a different one to the one I saw before............which raises an issue?

    If I gave the same data to both tools, would I get the same answer...........I would have thought not, but more importantly, would there be a significant difference.

    If there is a significant difference, this would lend weight to XTC46 and my own suspicions that this is rather more complex than might seem at first sight?


  6. #16
    Senior Member
    Join Date
    Oct 2002
    Posts
    1,130
    Ha! Mine would take 2,503,316,488.71 days on one computer.

    That's about 6.8 million years.

    Even with the resources of the NSA, that's still pretty tough.

    Then again, by combining words to make phrases and not just letters to make words, it might be a lot simpler...
    Government is like fire - a handy servant, but a dangerous master - George Washington
    Government is not reason, it is not eloquence - it is force. - George Washington.

    Join the UnError community!

  7. #17
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897
    Ok, I used Cain and got some good (very) rough estimates of what I want:

    1.8Ghz P4 with 512MB of RAM
    1 account


    Code:
    Hash Type  Characters                  Length  Time
    LM         Alpha Numeric Single Case   1-7     10 hours
    LM         All Characters Single Case  1-7     35 hours
    NT         Alpha Numeric Single Case   1-7     6.2 hours
    NT         Alpha Numeric Single Case   1-14    55,000,000 years
    NT         All Characters Single Case  1-7     22 Days
    NT         All Characters Single Case  1-14    400,000,000,000 years

  8. #18
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    400,000,000,000 years
    And we change them every 30 days.

    Nice analysis Irongeek. Is it similar to your earlier formula?
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  9. #19
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897
    No, it's just what Cain estimates when you run it on Windows hashes. Hopefully it's in the ball park.

  10. #20
    Senior Member
    Join Date
    Jul 2004
    Posts
    469
    Some examples of password strengths:

    Password Type | Length | Possible combinations | Estimated Time to Crack
    Alpha (case insensitive) | 6 characters | 308,915,776 | Less than a minute
    Alpha (case sensitive) | 6 characters | 19,770,609,664 | 1 day
    Alpha (case sensitive) and numeric | 6 characters | 56,800,235,584 | 3 days
    Alpha (case sensitive), numeric and symbols | 6 characters | 606,355,001,344 | 5 weeks
    Alpha (case sensitive), numeric and symbols | 9 characters | 472,161,363,286,556,672 | 77 thousand years

    The estimates above are based on a rate of 100,000 attempts per second and assume that half of the key space must be searched. Notice how lengthening the password length has a dramatic effect on the size of the search space.
    I pulled this information out of the cccure.org's domain 1 of the CISSP. I don't have a link for it as I downloaded it as a doc a long time ago, but if anyone wants the doc it is up on their site somewhere. Not related to a specified app, but still relative info.
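
The full-keyspace formula from post #14 and the half-keyspace assumption from post #20, worked through in Python as an added example (not code posted by any thread participant). The charset sizes 26, 52, 62 and 92 are inferred from the combination counts in post #20, and reading Cain's "Alpha Numeric Single Case" as 36 symbols is an assumption.

```python
YEAR = 365.25 * 86_400  # seconds per Julian year

def keyspace(charset, max_len, min_len=1):
    """Count every candidate of length min_len..max_len over `charset` symbols."""
    return sum(charset ** n for n in range(min_len, max_len + 1))

def search_seconds(charset, max_len, rate, min_len=1, fraction=1.0):
    """Seconds to try `fraction` of the keyspace at `rate` guesses per second.

    fraction=1.0 is the worst case from post #14 (correct password tried last);
    fraction=0.5 is the half-keyspace average assumed by the table in post #20.
    """
    return keyspace(charset, max_len, min_len) * fraction / rate

def implied_rate(charset, max_len, seconds, min_len=1):
    """Back out the guesses per second behind a tool's full-keyspace estimate."""
    return keyspace(charset, max_len, min_len) / seconds

def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", YEAR), ("days", 86_400), ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"

# Charset sizes inferred from the combination counts in post #20 (fixed length).
TABLE = [("alpha, one case", 26, 6), ("alpha, both cases", 52, 6),
         ("alpha + numeric", 62, 6), ("alpha + numeric + symbols", 92, 6),
         ("alpha + numeric + symbols", 92, 9)]

def table_rows(rate=100_000, fraction=0.5):
    """Recompute post #20's rows: (label, length, combinations, seconds)."""
    return [(label, n, keyspace(c, n, n), search_seconds(c, n, rate, n, fraction))
            for label, c, n in TABLE]

def extrapolate_nt_alnum():
    """Take post #17's 'NT, Alpha Numeric Single Case, 1-7, 6.2 hours' figure
    (assumed to mean 36 symbols) and predict the 1-14 estimate in years."""
    rate = implied_rate(36, 7, 6.2 * 3600)
    return rate, search_seconds(36, 14, rate) / YEAR

if __name__ == "__main__":
    for label, n, combos, secs in table_rows():
        print(f"{label:28} len {n}: {combos:>27,}  {humanize(secs)}")
    rate, years = extrapolate_nt_alnum()
    print(f"implied rate {rate:,.0f}/s -> lengths 1-14 take {years:,.0f} years")
    print("95 symbols, lengths 1-8, same rate:", humanize(search_seconds(95, 8, rate)))
```

The last line uses the 95-character set mentioned in post #14; the rate it reuses is the one backed out of the 1.8 GHz P4 figure, so it scales with whatever hardware produced the original estimate.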
