"Dylan Semler" <dylan.semler@xxxxxxxxx> writes:

> However, if you use an 8-digit password with capital and lowercase
> letters, numbers, and symbols, there are 8^( 26*2 + 10*2 + 20 ) = 8^92 =
> 1.21e83 possible passwords. Since ssh waits about a second after each
> incorrect password and there have been only 3.32e17 seconds in the history
> of the universe, it seems strictly /impossible/ for a password to be
> guessed. So the risk must not be from password-bots. What is the risk
> then?

This calculation is correct only if the letters and numbers are truly
chosen with uniform distribution. In practice people tend to choose mostly
from the easy-to-type letters. The result is a password that is composed
of mostly easy-to-type letters with perhaps one or two uppers, numerics or
punctuation. The search space for that is quite a bit smaller than the
full 92^8 of your example. My gut feel is that it would be well below 26^8
because even of the lower case, many are chosen with the same probability.

Personally I don't believe folks should be using passwords for anything
but local logins. For ssh a 1k-bit RSA key is going to be a fair bit
stronger and one doesn't have to worry about foolish users that pick
their wife's name or pet's name as the password.

-wolfgang
-- 
Wolfgang S. Rupprecht                 http://www.wsrcc.com/wolfgang/