Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[Jookia]

If it were words, a dictionary attack would work great.

Also, I stopped math at grade 5 and even then I didn't know the basic multiplication and subtrcation.

[G-Flex]

There seems to be an assumption that the brute force script has to get through every possible password combination before finding the right one.

I wasn't assuming this in my calculations. I was trying to find a number of tries necessary for you to have a 50% chance of finding it. Obviously, yeah, you can get it before then, but you can't count on it.


However, my probabilities for finding it WERE a little on the low side, due to something I just realized: They assume that you're trying random passwords each time, which you're not, since you aren't going to try the same password more than once. I forgot to account for that, and it might make a significant difference.

[The Scout]

Any other methods?

[G-Flex]

Why do you need other methods? I linked you to a tool that can recover the password for you in what is probably a very small amount of time.

[kcwong]

We were having this conversation on /g/ last night. Some script kiddie wanted to break a 20 character long password that contained only letters (uppercase and lowercase) and thought he was hot shit using 60 computers at once to do the cracking. The math worked out to be it'd take him the region of a couple billion years to get it. Using just one computer would mean he'd have to calculate past the heat death of the universe.

With a realistic setup he won't be able to crack even a 5 characters long alphabetic password.

Password retry count. Fail to authenticate a few times, and the account is blocked.

Windows/Active Directory can be configured not to block account (to minimize admin efforts), and instead introduces a time delay when you fail to authenticate several times in a row. The delay will grow faster and faster as you keep trying.

[Shades]

In this case he has access to the system though so it can be done much much faster. For example Philippe Oechslin recently used hashed lookup tables on a single machine and was processing over 300 billion attempts a second.

Which means a 14 character random password takes around 5.3 seconds. (This was windows XP password hashes, not sure how different vista or windows 7 ones are, also it ignores the fact you can just elevate your privileges programmaticly too)

Technically this is a dictionary attack not a brute force, but the dictionary contains the hash for every password in the search space. (Just like if you search on google with an md5 or sha1 hash for your password it'll tell you what the original word was and a reason people should learn to use salts)

[Blacken]

But salting is hard!

[SHAD0Wdump]

But salting is hard!

Heres a hint, don't turn the shaker upside down. Instead turn it on it's side.

[Shades]

But salting is hard!

I assume your joking? But I don't get it  This might be because I've not had sleep this week and my b brain isn't working well.

[Blacken]

But salting is hard!

I assume your joking? But I don't get it  This might be because I've not had sleep this week and my b brain isn't working well.

I'm currently working on un-screwing some dumbass's web code. That was his reason for not following anything remotely close to modern best practices.

[RandomNumberGenerator]

How are you guys getting the probability of these figures? I'm no math student, so I can't figure it out myself (I've been trying 26*25*24*23 like I learned in Grade 11, the last year I ever touched math, but that's tedious and leaves me to flounder a lot. Also, it's incorrect).

I think it's 26*26*26*26*26 [...] for a password that's all uppercase letters, then 52*52*52*52*52 [...] for upper and lowercase... add in numbers and characters makes it even more complex.

[Ninteen45]

...assuming that all passwords on the internet are ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ.

[Virex]

You're right, but to calculate the chance you're looking for you've probably got to use a recursive formula and devising one is making my headcrab hurt right now. I';ll probably attempt to give you a meaningfull awnser tommorow

[G-Flex]

How are you guys getting the probability of these figures? I'm no math student, so I can't figure it out myself (I've been trying 26*25*24*23 like I learned in Grade 11, the last year I ever touched math, but that's tedious and leaves me to flounder a lot. Also, it's incorrect).

I think it's 26*26*26*26*26 [...] for a password that's all uppercase letters, then 52*52*52*52*52 [...] for upper and lowercase... add in numbers and characters makes it even more complex.

That's for the number of possibilities, yes (n^m, where n is the number of characters in the set you're choosing from and m is the amount of characters that compose the string.. same as with numbers or anything else, really), but not for the probability of getting it right within a certain number of tries.

Imagine you're trying to pick a certain card out of a deck. There are 52 possibilities. The first time you pick, you have a 1/52 chance of getting it right (and 51/52 of getting it right). The second time you pick, you've already limited a possibility, so now you're picking from a pool of the 51 left over, so you have a 1/51 chance of getting it right that time (50/51 of getting it wrong).

So, your chance of getting it wrong after seven tries is:
(51/52)*(50/51)*(49/50)*(48/49)*(47/48)*(46/47)*(45/46)

The same logic applies to cracking a password, unless you're clueless enough to attempt the same password twice (a mistake I accidentally made in my original math, since I was assuming you were trying random passwords each time.. which is because, because you're not; you're eliminating the ones you've already tried).

You could represent the above using a product series to make it look nicer, but you get the point.


If you just want to know how long it would take to have a 50% chance of getting it right, that's easier, since intuitively it's obvious (and happens to be correct) that if you try half of the possibilities, you have 50% chance of getting it right by the time you've tried that many. Of course, there's also a chance you'll get it right long before then, or long after; that 50% chance isn't the chance that you'll get it right on the exact try when you've exhausted half the possibilities, just the chance that you'll have gotten it right by that time.

[Soadreqm]

I have another method!

1) Install Linux. You don't really have to install it, just run it off a live CD or something.
2) Back up all relevant game files, and everything else you don't want to permanently lose. An external hard drive would be good here, but you can make do with USB memory sticks or blank CDs if that's all you have.
3) Reinstall Windows. Define new password. Write the fucking password down on a slip of paper so you don't forget it again.
4) Put all the backed-up stuff back.
5) Of course, your registry's borked now.
6) Let that be a lesson to you.

Actually, does repair-installing windows or whatever let you reset the admin password? I forget. If yes, you can skip steps 1) and 2). The point is that breaking the password is not necessary since the files aren't actually encrypted or anything.