Focus on Microsoft
TGP Password Strength Checker online Jul 13 2010 05:08AM
Thor (Hammer of God) (thor hammerofgod com) (3 replies)
RE: TGP Password Strength Checker online Jul 15 2010 11:01AM
Keith Langmead (keith vpwsys net) (1 replies)
RE: TGP Password Strength Checker online Jul 16 2010 12:21AM
Thor (Hammer of God) (thor hammerofgod com)
Re: TGP Password Strength Checker online Jul 14 2010 08:53AM
Alexander Klimov (alserkli inbox ru) (1 replies)
RE: TGP Password Strength Checker online Jul 16 2010 01:32AM
Murda (murdamcloud bigpond com) (1 replies)
RE: TGP Password Strength Checker online Jul 16 2010 05:40PM
Wayne Anderson (wfrazee wynweb net) (1 replies)
RE: TGP Password Strength Checker online Jul 17 2010 02:22AM
Thor (Hammer of God) TGP (tgp hammerofgod com)
+ Serban to merge thread:

I actually thought about that when I was first coding up the tool: Given that we already have Class A - F (10,000 - 1,000,000,000 passwords per second respectively) I just decided to go with the worst case scenario for the user. We really can't qualify exactly WHO is going to be attacking our passwords (passphrases) so I think it just makes sense to approach it from a more tactical standpoint. While it may not be the most practical assumption, planning for a group of supercomputers working in conjunction to crack your encrypted data and interacting with policy as if that is the least common denominator (even though it's not) seemed the best way to go.

I can certainly add categories to the algorithm, but I don't really know how valuable that would be. Using Class F as the base (though the highest classification) will always yield a tangible, measurable time value irrespective of technology advances. At some point we'll be at Class Q, but then we'll just add a few more zeros to the calculation if/when it becomes feasible.

I'm more than happy to provide a drop-down box, but I really don't see the "end-of-the-day" value.

t

>-----Original Message-----
>From: listbounce (at) securityfocus (dot) com [mailto:listbounce (at) securityfocus (dot) com]
>On Behalf Of Wayne Anderson
>Sent: Friday, July 16, 2010 10:40 AM
>To: 'Murda'; focus-ms (at) securityfocus (dot) com
>Subject: RE: TGP Password Strength Checker online
>
>I would love to see some basic option to configure what your assumption is
>for compute resources to apply.
>
>Maybe a drop box with a couple of presets predicated on example
>configurations. E.g. a choice of "A modern desktop", "A modern multi-proc
>server", "A modern single HPC Server", "a distributed 10-server array", and
>[insert one of the top 10 from the current list of supercomputers here,
>preferably one government owned]
>
>I think the password strength tool is almost as useful (when mature) as the
>rest of the offering.
>
>-W
>
>-----Original Message-----
>From: listbounce (at) securityfocus (dot) com [mailto:listbounce (at) securityfocus (dot) com]
>On Behalf Of Murda
>Sent: Thursday, July 15, 2010 7:33 PM
>To: focus-ms (at) securityfocus (dot) com
>Subject: RE: TGP Password Strength Checker online
>
>I like the idea behind the tool, somewhat, but I don't know how exact it can
>be. I think Alexander's reasoning below has some strength behind it. Is it
>something like trying to predict when a random number might come up? Keep
>rolling an n-faced die for long enough and sometimes your number may come
>up near the 'beginning' or near the 'end'. Who can say? Obviously, that all
>depends on how the program is actually implemented to brute force. Is it
>purely sequential?
>Which also makes me wonder, what is the 'seconds to crack' based on? A
>single machine? An array of distributed machines etc.?
>I think you can give some 'good' idea of how strong the passphrase is but
>maybe not as exact as you hope. I could be wrong (and often am).
>
>-----Original Message-----
>From: listbounce (at) securityfocus (dot) com [mailto:listbounce (at) securityfocus (dot) com]
>On Behalf Of Alexander Klimov
>Sent: Wednesday, July 14, 2010 6:54 PM
>To: focus-ms (at) securityfocus (dot) com
>Subject: Re: TGP Password Strength Checker online
>
>On Tue, 13 Jul 2010, Thor (Hammer of God) wrote:
>> However, what IS different is that you can actually get an idea of
>> exactly how many iterations it will take to crack both a particular
>> password specifically and the keyspace it "lives" in, apply that to
>> actual TIME required to crack it. I like that part, and have found it
>> to be valuable, so here it is in case you do as well.
>
>An incorrect precise number is worse than no number at all: if you assure the user
>that it takes 129,052,722,140 iterations to guess the password "password", or
>2,322,220,814,264,750,000 to guess "qwerty123456", it only misleads. Real
>attackers start guessing not from "a", but in most-probable-first order.
>What this order is depends on the traits of the mark: the first password to try
>can as well be "password", "qwerty123456", or "salasana".
>
>--
>Regards,
>ASK
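Both points made in this exchange in working code, as an added example that is not part of the thread or of the TGP tool: the Class A through F guess rates are the ones Thor states, while the character-class sizes, the tiny ordered wordlist and all function names are assumptions of mine. It sizes the keyspace a password "lives" in, converts an exhaustive search of that keyspace into seconds at each class rate, and places the same password in a most-probable-first list to show how far the two figures diverge.

```python
# Added example, not code from the thread or from the TGP tool.
# Keyspace-based time to crack at the Class A..F rates, beside the position of the
# same password in a most-probable-first list (Alexander's objection).
from typing import Optional

# Passwords per second for Class A..F: 10,000 up to 1,000,000,000, a factor of 10 per class.
GUESS_RATES = {cls: 10_000 * 10 ** i for i, cls in enumerate("ABCDEF")}

# Character classes and their sizes (assumed); a password's alphabet is the union of
# every class it touches, which is how a keyspace checker typically sizes it.
CHAR_CLASSES = (
    (set("abcdefghijklmnopqrstuvwxyz"), 26),
    (set("ABCDEFGHIJKLMNOPQRSTUVWXYZ"), 26),
    (set("0123456789"), 10),
    (set(" !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"), 33),
)

# Constructed stand-in for a real most-probable-first wordlist (hypothetical ordering).
COMMON_FIRST = ["password", "123456", "qwerty123456", "letmein", "salasana"]


def keyspace(password: str) -> int:
    """Count strings of the same length over the alphabet the password actually uses."""
    alphabet = sum(size for chars, size in CHAR_CLASSES if any(c in chars for c in password))
    return alphabet ** len(password)


def brute_force_seconds(password: str, cls: str = "F") -> float:
    """Worst case: every string in the keyspace is tried at the given class rate."""
    return keyspace(password) / GUESS_RATES[cls]


def ordered_guess_position(password: str) -> Optional[int]:
    """1-based position in the most-probable-first list, or None if the list never reaches it."""
    return COMMON_FIRST.index(password) + 1 if password in COMMON_FIRST else None


def strength_report(password: str) -> dict:
    """Keyspace figure beside the ordered-guess figure so the gap between them is visible."""
    return {
        "keyspace": keyspace(password),
        "brute_force_seconds": {c: brute_force_seconds(password, c) for c in GUESS_RATES},
        # A listed password falls on this guess number whatever the keyspace says.
        "ordered_guesses": ordered_guess_position(password),
    }


if __name__ == "__main__":
    for pw in ("password", "qwerty123456", "Tr0ub4dor&3"):
        r = strength_report(pw)
        print(f"{pw:14} keyspace={r['keyspace']:.3e} "
              f"classF={r['brute_force_seconds']['F']:.3e}s ordered={r['ordered_guesses']}")
```

Run as a script it prints one line per constructed sample; "password" sits at 26^8 in keyspace terms but at guess number 1 in the ordered list.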

Re: TGP Password Strength Checker online Jul 13 2010 08:52PM
Ansgar Wiechers (bugtraq planetcobalt net) (2 replies)
RE: TGP Password Strength Checker online Jul 15 2010 04:48PM
Tom Walsh - lists (mailinglist expresshosting net)
RE: TGP Password Strength Checker online Jul 15 2010 04:12PM
Thor (Hammer of God) (thor hammerofgod com)
Copyright 2010, SecurityFocus