Well,

Firstly let me state that I have never actually tried it on long passwords as I don't do penetration testing for a living. I have used cracking tools in demonstrations/presentations regarding password security though. Not quite what you want, but I believe that the underlying principles are the same.

A lot of tools, you will have noticed, have a cut off of either 8 characters or 14. I believe because 8 used to be a sort of standard, and 14 was certainly the maximum for a Windows 9x environment.

Obviously if your tool or dictionary tables do not support a particular size, you are SOL.

With NT systems you can have 127 characters, which would take an unrealistic amount of time. I suspect that 17 would be unrealistic to bruteforce as well, although I have never personally tried it. Colleagues have reported that they gave up on long passwords due to the amount of time it took without a result.

Naturally a lot depends on the strength of the algorithm. I believe that if you use the weakest WiFi system, you are recommended to have a password of 20 characters?

I would suggest that you look into using the precomputed "rainbow tables" method. I have seen 14 character ones demonstrated and they are fast, but they are VERY LARGE like the straight keyboard was 60Gb, for 14 characters. I shudder to think what the full ASCII set and 127 characters would be

I am afraid that I cannot help much more than suggest that you look into the rainbow tables angle.

My approach is to keep an eye on what cracking tools are readily available and what their limits are. I would then deploy a mechanism to enforce a password policy that is beyond those limits.

//off topic

You will hear people say that long passwords aren't practical, as people just forget them or write them down, which produces local insecurity. People can generally remember 8 characters quite easily, and longer ones if they are broken down like telephone numbers, NATO IDENT numbers and the like.

My psychological take is that people can remember a sequence of actions far better than data........a bit like driving an automobile?

So, if you have a core "password", all you need to do is "pack" it with a sequence of easily remembered keystrokes. For example:

¬!"£$%^&*()_+#PaSsWoRd#=-0987654321`

is a 36 character pass with an 8 character core. The "packing" is the top row of the keyboard left to right with "shift" on, followed by the same row right to left with "shift" off.

I think that John and Cain would have quite some fun with that?

Just a thought



EDIT:

This link might be of interest:

http://www.lockdown.co.uk/?pg=combi&s=articles