Focus on Microsoft
TGP Password Strength Checker online Jul 13 2010 05:08AM
Thor (Hammer of God) (thor hammerofgod com) (3 replies)
RE: TGP Password Strength Checker online Jul 15 2010 11:01AM
Keith Langmead (keith vpwsys net) (1 replies)
RE: TGP Password Strength Checker online Jul 16 2010 12:21AM
Thor (Hammer of God) (thor hammerofgod com)
Hey Keith - great find, thanks.

This one was interesting. As one can imagine, calculating the precise number of iterations to hit a specific password is not exactly easy, particularly given the different "base" character sets that I try to programmatically qualify.
As such, I have to carve out different base strings to index in order to find the particular index of any particular character in any particular string. Your passphrase was recognized as base 36, meaning a-z lowercase and 0-9. However, it was indexing based on a base string of a-z, A-Z, and 0-9 as if it was a base 62 instead of base 36. As such, if it were base 62, that number would be correct, though it was comparing to a base 36 for the total keyspace.

I've added logic now to explicitly carve out base string indexes for each individual base group (10, 26, 36, 62, 72, and 96). It now behaves much better and aligns the "this password" base with the "keyspace" base as it should.

The implementation in TGP operated the same way, and I've changed that as well, so thank you very much for your feedback. I've received some other really cool feedback from the community regarding features which will be implemented shortly.

Thanks again.
t

>-----Original Message-----
>From: Keith Langmead [mailto:keith (at) vpwsys (dot) net]
>Sent: Thursday, July 15, 2010 4:01 AM
>To: Thor (Hammer of God); focus-ms (at) securityfocus (dot) com
>Subject: RE: TGP Password Strength Checker online
>
>Hi Thor,
>
>Thanks for posting that, it definitely looks like a tool that will come in handy.
>That said, unless I'm missing something obvious I think you might have the
>labels for the results the wrong way around, since when checking a random
>password it will apparently take longer to crack my password than to crack the
>entire keyspace!
>
>Password Used : 53dsfkzabwvg (not a real one obviously)
>Iterations this password: 7,839,264,032,113,450,000
>Years to crack this password: 248.58
>Iterations for entire keyspace: 4,873,763,662,273,660,000
>Years to crack entire keyspace: 154.55
>
>Keith
>
>-----Original Message-----
>From: listbounce (at) securityfocus (dot) com [mailto:listbounce (at) securityfocus (dot) com]
>On Behalf Of Thor (Hammer of God)
>Sent: 13 July 2010 06:08
>To: focus-ms (at) securityfocus (dot) com
>Subject: TGP Password Strength Checker online
>
>I've been thinking about standing up the Password Strength Checker tool in
>TGP online, so here it is:
>
>https://www.hammerofgod.com/passwordcheck.aspx
>
>For those not familiar with it, I wanted to come up with a better way of
>classifying what a "strong" password was (and wasn't). Admins can have
>"complex" password requirements, but they don't equate to any quantifiable
>strength of a password/phrase. Like with any math-based tool that attempts
>to do the thinking for a person, there are certain assumptions one must make
>about base keyspace derived from a password's characters, and this is no
>different. However, what IS different is that you can actually get an idea of
>exactly how many iterations it will take to crack both a particular password
>specifically and the keyspace it "lives" in, and apply that to actual TIME required to
>crack it. I like that part, and have found it to be valuable, so here it is in case
>you do as well. The full skinny on what I'm doing here can be found at
>http://www.hammerofgod.com/tgp.aspx#password .
>
>Timothy "Thor" Mullen
>Hammer of God
>thor (at) hammerofgod (dot) com
>www.hammerofgod.com
>
>
>
>--
>E-Mail sent using Agility Mail - www.agilitymail.co.uk

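An added example (not from the thread and not TGP's code): a Python reconstruction of the base-string mismatch described in the reply above. It assumes candidates are tried shortest first, that characters are ordered a-z, A-Z, 0-9 inside each base string, and a rate of 10^9 guesses per second over a 365-day year; under those assumptions it reproduces the figures Keith quoted and shows the count falling below the keyspace once the index string matches the detected base.

```python
import string

# Assumed character order inside each base string (the post names the sets, not their order).
BASE36 = string.ascii_lowercase + string.digits
BASE62 = string.ascii_lowercase + string.ascii_uppercase + string.digits
# Guesses per 365-day year at 1e9 guesses/second (assumption inferred from the quoted figures).
RATE = 10**9 * 31_536_000


def keyspace(base: int, length: int) -> int:
    """Number of candidates of length 1..length over `base` characters."""
    return sum(base**k for k in range(1, length + 1))


def iterations(password: str, index_string: str, base: int) -> int:
    """1-based rank of `password` when candidates are tried shortest first,
    in index_string order. Only meaningful when len(index_string) == base."""
    total = 0
    for ch in password:
        total = total * base + index_string.index(ch) + 1
    return total


def report(password: str) -> dict:
    """Compare mismatched and matched indexing for a password detected as base 36."""
    space = keyspace(36, len(password))
    buggy = iterations(password, BASE62, 36)  # base-62 indexes, base-36 place values
    fixed = iterations(password, BASE36, 36)  # index string matches the detected base
    return {
        "keyspace": space,
        "buggy": buggy,
        "fixed": fixed,
        "keyspace_years": round(space / RATE, 2),
        "buggy_years": round(buggy / RATE, 2),
        "fixed_years": round(fixed / RATE, 2),
    }


if __name__ == "__main__":
    # Sample password taken from Keith's message in the thread.
    for name, value in report("53dsfkzabwvg").items():
        print(f"{name:>15}: {value:,}")
```

With the mismatched index string, the digits 5 and 3 get positions 58 and 56 in a system whose largest valid position is 36, which is why the password's count overshoots the keyspace total.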
Re: TGP Password Strength Checker online Jul 14 2010 08:53AM
Alexander Klimov (alserkli inbox ru) (1 replies)
RE: TGP Password Strength Checker online Jul 16 2010 01:32AM
Murda (murdamcloud bigpond com) (1 replies)
RE: TGP Password Strength Checker online Jul 16 2010 05:40PM
Wayne Anderson (wfrazee wynweb net) (1 replies)
RE: TGP Password Strength Checker online Jul 17 2010 02:22AM
Thor (Hammer of God) TGP (tgp hammerofgod com)
Re: TGP Password Strength Checker online Jul 13 2010 08:52PM
Ansgar Wiechers (bugtraq planetcobalt net) (2 replies)
RE: TGP Password Strength Checker online Jul 15 2010 04:48PM
Tom Walsh - lists (mailinglist expresshosting net)
RE: TGP Password Strength Checker online Jul 15 2010 04:12PM
Thor (Hammer of God) (thor hammerofgod com)


 

Copyright 2010, SecurityFocus