Thursday, July 21, 2011

Re: [BLUG] How many of you run home servers?

On Thu, 2011-07-21 at 18:23 +0000, Mark Krenz wrote:

> Here is a summary to give you an idea of how large of numbers we are
> talking about:
>
> simple 5 character password combinations (a-z)
> 26^5 = 11881376 (0.01 seconds)
>
> full alphanumeric 5 character password (a-zA-Z0-9):
> 62^5 = 916132832 (0.9 seconds)
>
> complex alphanumeric 5 character password (above + all symbols)
> 94^5 = 7339040224 (7.3 seconds)
>
> 3 word passphrase drawing from 2000 word vocabulary
> 2000^3 = 8000000000 (8 seconds)
>
> simple 8 character password combinations (a-z)
> 26^8 = 208827064576 (208 seconds)
>
> 4 word passphrase drawing from 2000 word vocabulary
> 2000^4 = 16000000000000 (4.4 hours)
>
> full alphanumeric 8 character password (a-zA-Z0-9):
> 62^8 = 218340105584896 (2.5 days)
>
> complex alphanumeric 8 character password (above + all symbols)
> 94^8 = 6095689385410816 (70 days)
>
> 5 word passphrase drawing from 2000 word vocabulary
> 2000^5 = 32000000000000000 (1 year, 5 days)
>
> 5 word passphrase drawing from 5000 word vocabulary
> 5000^5 = 3125000000000000000 (99 years)
>
> The time shown in parens is the maximum time that it would take for a
> system capable of encrypting 1 billion passwords per second.
> Apparently, home desktop systems with high end GPUs have been built that
> can do this.
>
> Lesson learned from all this? Sentence based passphrases are much much
> stronger. The downside is that they are easier to accidentally say in your
> sleep.
>

The time needed to generate the encrypted keys is only important if you
already have the encrypted key and you want to reverse the password.

For scanning SSH hosts that isn't important. What is important is the
number of combinations for the password character set and the amount of
time that each wrong answer takes. If the SSH server (and basically
anything that uses pam_unix.so) waits 2 seconds after each wrong
attempt, the amount of time needed to guess the correct password becomes
huge.

For the worst case example above [a-z]{5} it would take 275 days to try
every combination. The [A-Za-z0-9]{5} one takes 58.1 years. The
shortest reasonable set/size (all symbols, 6 characters) would take 1801
years.

How many threads would an attacker have to use to make it worth it?

The biggest problem is social engineering, not password complexity. Too
many people share or write down their passwords. Or they use really
obviously bad passwords (the account name, 1234, "password", etc). The
bots hitting the ssh servers, at least from what I've seen, aren't doing
a brute force attack: they're trying to pick up low hanging fruit where
passwords of well known accounts were chosen stupidly.

Brian
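The two cost models in this thread (offline cracking at a fixed guess rate versus online guessing throttled by a per-failure delay, possibly spread across parallel connections) can be put in one small calculator. The following is an added example, not code from either poster; the 1 billion guesses/second offline rate and the 2 second failure delay come from the messages above, while the `threads_to_finish_within` helper and the choice of 365.25-day years are my own assumptions. Times are worst case (the whole keyspace is tried); the expected time to hit one password is about half.

```python
import math

GUESSES_PER_SECOND = 1_000_000_000   # offline rate quoted in the thread
FAIL_DELAY_SECONDS = 2.0             # assumed per-failure delay of the online service
SECONDS_PER_YEAR = 365.25 * 86400    # assumption: Julian year


def keyspace(alphabet_size, length):
    """Number of distinct passwords of `length` symbols drawn from `alphabet_size` choices."""
    return alphabet_size ** length


def offline_seconds(space, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every candidate when the attacker holds the hash."""
    return space / rate


def online_seconds(space, delay=FAIL_DELAY_SECONDS, threads=1):
    """Worst-case time when every wrong guess costs `delay` seconds, split over
    `threads` independent sessions that each serialise behind their own delay."""
    return space * delay / threads


def threads_to_finish_within(space, budget_seconds, delay=FAIL_DELAY_SECONDS):
    """Parallel sessions an attacker would need to exhaust `space` inside the budget
    (ignores the rate limit / lockout that would normally answer that question)."""
    return math.ceil(space * delay / budget_seconds)


def humanize(seconds):
    """Render a duration in the largest sensible unit."""
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.2f} seconds"


# Constructed set of policies, mirroring the ones discussed in the thread.
POLICIES = [
    ("[a-z]{5}", 26, 5),
    ("[a-zA-Z0-9]{5}", 62, 5),
    ("all printable ASCII {6}", 94, 6),
    ("[a-z]{8}", 26, 8),
    ("4 words / 2000-word list", 2000, 4),
    ("5 words / 5000-word list", 5000, 5),
]


def report(policies=POLICIES):
    """Return one row per policy: (name, keyspace, offline, online single-thread)."""
    rows = []
    for name, alphabet, length in policies:
        space = keyspace(alphabet, length)
        rows.append((name, space,
                     humanize(offline_seconds(space)),
                     humanize(online_seconds(space))))
    return rows


if __name__ == "__main__":
    print(f"{'policy':28} {'keyspace':>22} {'offline @1e9/s':>18} {'online, 2s delay':>18}")
    for name, space, off, on in report():
        print(f"{name:28} {space:>22,} {off:>18} {on:>18}")
    # Brian's question: how many parallel sessions to exhaust [a-zA-Z0-9]{5} in a day?
    print("threads to finish [a-zA-Z0-9]{5} online in 24h:",
          threads_to_finish_within(keyspace(62, 5), 86400))
```

The last line is the useful defender's number: the per-failure delay alone does not stop a distributed guesser, which is why fail2ban-style lockouts, key-only SSH, or limiting which accounts may log in over password matter more than the raw keyspace.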


_______________________________________________
BLUG mailing list
BLUG@linuxfan.com
http://mailman.cs.indiana.edu/mailman/listinfo/blug
