BLU Discuss list archive
[Discuss] On "Simple" Brute Forcing Passwords Not Being Simple
- Subject: [Discuss] On "Simple" Brute Forcing Passwords Not Being Simple
- From: kentborg at borg.org (Kent Borg)
- Date: Sat, 25 Feb 2017 20:50:04 -0500
- In-reply-to: <9D740B9D-4797-406B-8578-2B30D8343497@borg.org>
- References: <9D740B9D-4797-406B-8578-2B30D8343497@borg.org>
On 02/25/2017 02:05 PM, Kent Borg wrote:
> Once you try to do the math you'll notice the very description "20-characters" suddenly becomes pretty vague. Reasonable people won't agree on how many digits are in the answer, let alone a precise value. But one thing should be clear: It is a really big number.
I can't resist: If one assumes a 20-character passphrase is limited to a
character set of just 64-characters, that's:
64^20 combinations,
which just so happens to be exactly:
2^120 combinations,
or:
1,329,227,995,784,915,872,903,807,060,280,344,576 combinations.
What if you check possibilities as fast as, say 9,192,631,770 per
second*? Arbitrary, fast, but plausible: we have computers with
single-cycle times of that order of magnitude. Very aggressive, but
plausible.
* The rate of the cesium transition that defines a second.
Assume you have a billion of these working in parallel.
How long would it take to try all those possibilities?
4,585,144,309 years. Roughly the age of the earth, to date. (That was
the numerological alignment that sent me to my keyboard. Forgive me.)
That's just 2^120. If you let me use the characters in this e-mail ("^"
or '-' or "~" or even " and ' and ? and . and , and - and ! and
God-forbid ?--?Ol?!) you might need to try a bigger character set. Maybe
you search 20-characters of a 93-character set.
That's ~2^131. A horrible, horrible, crazy, big number. And you still
won't find "May the Force be with you!", because it is too long.
No, brute forcing a passphrase of any length is impossible, unless you
get clever and prioritize your search. And more clever is more better.
Very subtle stuff.
The day-to-day passphrase I use on my password encryption data is crazy
big--only if you try to brute force it naïvely, yet unnervingly small if
you know its exact format (not telling). That's why I consider that
singly-encrypted file to be very sensitive, something I don't want
floating about, not without some extra layers of independent encryption
around it.
The difference between--on one hand--being able to brute-force my
password passphrase with $5K of hardware and--on the other hand--being
able to brute-force it with trillions of dollars precisely...never?
Being clever and subtle in how you prioritize your search.
A very big topic, something that has to account for "May the Force be
with you!" and "correct horse battery staple" and "One MILLION
dollars!", etc.*
* May a big corpus be with you.
-kb
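The arithmetic in the post, and the contrast it draws between naïve character-level brute force and a search that knows the passphrase's format, can be reproduced with a few functions. This is an added example, not code from the original message or from the BLU list; the 365-day year, the 93-symbol alphabet and the 20,000-word dictionary size are assumptions chosen to illustrate the point.

```python
from math import log2

# Guessing budget from the post: one guesser running at the cesium
# transition frequency, a billion of them in parallel.
GUESSES_PER_SECOND = 9_192_631_770
PARALLEL_UNITS = 1_000_000_000
SECONDS_PER_YEAR = 365 * 24 * 60 * 60  # assumed 365-day year


def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates when every position is drawn uniformly from alphabet_size symbols."""
    return alphabet_size ** length


def bits(candidates: int) -> float:
    """Search space expressed as a power of two (log2)."""
    return log2(candidates)


def years_to_exhaust(candidates: int,
                     rate: int = GUESSES_PER_SECOND,
                     parallel: int = PARALLEL_UNITS) -> float:
    """Wall-clock years to try every candidate at rate * parallel guesses/second."""
    return candidates / (rate * parallel) / SECONDS_PER_YEAR


def passphrase_models(phrase: str,
                      alphabet_size: int = 93,
                      dictionary_size: int = 20_000) -> dict:
    """Two estimates of the search space for the same phrase.

    'characters': brute force over every string of the same length drawn
                  from alphabet_size symbols (the naive model).
    'words':      an attacker who assumes the phrase is a sequence of
                  dictionary words and searches word-by-word (assumed
                  dictionary_size entries; whitespace-separated tokens).
    """
    char_space = keyspace(alphabet_size, len(phrase))
    word_space = dictionary_size ** len(phrase.split())
    return {"characters": char_space, "words": word_space}


if __name__ == "__main__":
    n = keyspace(64, 20)
    print(f"64^20 = {n:,} (2^{bits(n):.0f})")
    print(f"years to exhaust: {years_to_exhaust(n):,.0f}")
    print(f"93^20 is about 2^{bits(keyspace(93, 20)):.1f}")
    for phrase in ["May the Force be with you!", "correct horse battery staple"]:
        m = passphrase_models(phrase)
        print(f"{phrase!r}: characters 2^{bits(m['characters']):.0f}, "
              f"words 2^{bits(m['words']):.0f}")
```

Running it reproduces the 4.6-billion-year figure for 64^20 and shows the gap the post is pointing at: a 26-character phrase costs about 2^170 guesses as characters but only about 2^86 as six dictionary words, which is why the structure an attacker can assume matters far more than the raw length.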