On Wed, 2004-10-27 at 20:17, Lew Bloch wrote:
> "Rodolfo J. Paiz" suggested:
> > Even when I do use passwords (and assuming the 8-char "standard"), I
> > always have at least one upper- and lower-case letter, one number, and
> > one special char. So that's actually 94^8 = 6,095,689,385,410,816 or
> > about 6.1 x 10^15.
> >
> > If I did my quick figures right, they'd have to exceed 1.93 million
> > attempts per second to be statistically likely to crack my box in less
> > than 100 years. Not bloody likely, and still very secure. <grin>
>
> That's assuming that all characters from all character sets are equally
> likely in every position in the password. In fact, human-generated
> passwords tend to have fewer punctuation and digit characters than the
> statistical likelihood. Exploiting this and similar facts would speed
> up the attack considerably.
>
> Some cracking will use techniques that have a high(er) probability of
> hitting the correct value than simplistic brute-force methods. Basing
> your security estimate on defense against brute force only is probably
> not optimal if you have anything significant to protect.
>
> If the only attacks you get are from script kiddies, then your odds are
> better.

Just wondering if I am missing something here. It may take a long time
to go through _all_ combinations, but all the cracker wants is the
_correct_ password. This might be on the first try, but not likely the
last.

Regards
Chris
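
The arithmetic discussed in this thread, as an added example that is not part of any poster's message: it checks the 94^8 figure and the 1.93 million guesses per second rate, counts how many 8-character passwords actually satisfy an "at least one of each class" rule, and gives the expected duration of a uniform search, which on average ends after half the keyspace. The 26/26/10/32 split of the 94 printable ASCII characters and the 365.25-day year are assumptions.

```python
from itertools import combinations

# Assumption: the 94 printable ASCII characters (no space) split into these classes.
CLASSES = {"upper": 26, "lower": 26, "digit": 10, "special": 32}
SECONDS_PER_YEAR = 365.25 * 24 * 3600  # assumption: Julian year


def keyspace(length, alphabet=sum(CLASSES.values())):
    """All strings of `length` over the alphabet, every character equally likely."""
    return alphabet ** length


def keyspace_all_classes(length, class_sizes=tuple(CLASSES.values())):
    """Strings that contain at least one character from every class.

    Inclusion-exclusion: subtract strings missing one class, add back those
    missing two, and so on. A composition rule removes candidates, so this
    is always smaller than the unconstrained keyspace.
    """
    total = sum(class_sizes)
    count = 0
    for k in range(len(class_sizes) + 1):
        for excluded in combinations(class_sizes, k):
            count += (-1) ** k * (total - sum(excluded)) ** length
    return count


def rate_needed(space, years, probability=1.0):
    """Guesses per second for a uniform search to succeed within `years`
    with the given probability (1.0 means the whole space is exhausted)."""
    return probability * space / (years * SECONDS_PER_YEAR)


def expected_years(space, rate):
    """Mean duration of a uniform search: (N + 1) / 2 guesses on average."""
    return (space + 1) / 2 / rate / SECONDS_PER_YEAR


if __name__ == "__main__":
    full = keyspace(8)
    ruled = keyspace_all_classes(8)
    print(f"94^8                      = {full:,}")
    print(f"with one of each class    = {ruled:,} ({ruled / full:.1%} of 94^8)")
    print(f"rate to exhaust in 100 y  = {rate_needed(full, 100):,.0f}/s")
    print(f"rate for 50% in 100 y     = {rate_needed(full, 100, 0.5):,.0f}/s")
    print(f"mean years at 1.93e6/s    = {expected_years(full, 1.93e6):.1f}")
```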