Re: SQL audit

From: Yong Huang <>
Date: Wed, 23 Dec 2009 09:19:19 -0800 (PST)
Message-ID: <>

> A minimum length limit. I think 8 is fairly common.

I did some research on *ethical* password retrieval (or really, cracking, if you don't mind the tone of the word). See

An 8-alphanumeric case-insensitive password can be retrieved on a single PC in about a month in the worst case. Here's the relevant part:

  • What are some ballpark figures for the time to guess longer passwords?

As you saw, it took the 2.6 GHz machine about 50 seconds to reach "test1" in a 5-char brute force crack. The Perl program is written in a way to provide strings in alphabetic order. So if the password were "zz999", it would definitely take longer, perhaps a little over 1 minute. If you add another alphanumeric character to guess a 6-char password, you add one more layer of for-loop. Since the complete alphanumeric character set is 36 characters, a rough estimate of runtime is 40 minutes. To guess a 7-char password, it's 40 x 36 = 1440 min or 24 hours. To guess an 8-char password, it's 36 days. All these assume that the execution is on one computer only, the first 2 chars are letters, the remaining are alphanumeric, and the password is very "unlucky" to use letters close to the end of the alphabet and digits close to 9. That is, these time estimates are the worst case scenarios. On the other hand, the password may be extremely "lucky" to be found within the first few seconds.

Yong Huang

Received on Wed Dec 23 2009 - 11:19:19 CST

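The estimates in the message above can be reproduced from the one measurement it gives. The following is an added example, not the Perl program from the original post: it models the same keyspace (first two characters letters, the rest alphanumeric, candidates enumerated in alphabetic order), ranks a password in that order, derives the guess rate from "test1" being reached after 50 seconds, and from that computes worst-case times for 5- to 8-character passwords. The assumption that digits sort after letters (a-z, then 0-9) is mine; the post only says "alphabetic order" and that passwords ending in high letters and 9s are the unlucky ones.

```python
# Added example (not from the original post). Worst-case brute-force time
# estimates for the keyspace described in the message: positions 1-2 are
# letters, positions 3+ are alphanumeric, enumerated in alphabetic order.
# Assumed ordering: a-z before 0-9 (consistent with "zz999" being the last
# 5-char candidate). The 50 s to reach "test1" is the post's measurement.

LETTERS = "abcdefghijklmnopqrstuvwxyz"
ALNUM = LETTERS + "0123456789"  # assumption: letters first, then digits


def radices(length):
    """Alphabet used at each position: letters for the first two, alnum after."""
    return [LETTERS if i < 2 else ALNUM for i in range(length)]


def keyspace(length):
    """Number of candidates of the given length."""
    n = 1
    for alpha in radices(length):
        n *= len(alpha)
    return n


def rank(password):
    """0-based position of `password` in enumeration order (mixed-radix number)."""
    r = 0
    for ch, alpha in zip(password, radices(len(password))):
        # alpha.index raises ValueError for a character outside the keyspace,
        # which is the right failure mode: such a password is never reached.
        r = r * len(alpha) + alpha.index(ch)
    return r


def unrank(r, length):
    """Inverse of rank(): the candidate at 0-based position r (resume a run here)."""
    chars = []
    for alpha in reversed(radices(length)):
        r, digit = divmod(r, len(alpha))
        chars.append(alpha[digit])
    return "".join(reversed(chars))


def rate_from_measurement(password, seconds):
    """Guesses per second implied by reaching `password` after `seconds`."""
    return (rank(password) + 1) / seconds


def worst_case_seconds(length, guesses_per_second):
    """Time to exhaust the whole keyspace of the given length."""
    return keyspace(length) / guesses_per_second


def estimate_table(password="test1", seconds=50.0, lengths=range(5, 9)):
    """Worst-case seconds per password length, calibrated on one measurement."""
    rps = rate_from_measurement(password, seconds)
    return {n: worst_case_seconds(n, rps) for n in lengths}


if __name__ == "__main__":
    rps = rate_from_measurement("test1", 50.0)
    print(f"'test1' is candidate #{rank('test1') + 1:,} -> {rps:,.0f} guesses/s")
    print(f"last 5-char candidate: {unrank(keyspace(5) - 1, 5)}")
    for n, secs in estimate_table().items():
        print(f"{n}-char worst case: {secs / 3600:9.1f} h = {secs / 86400:6.2f} days")
```

Calibrated this way the figures land where the post puts them: a little over a minute for 5 characters, about 40 minutes for 6, about a day for 7 and about 36 days for 8. The useful part beyond the arithmetic is rank()/unrank(): the time to find a specific password is its rank divided by the rate, not the keyspace size, which is why the post distinguishes "lucky" from "unlucky" passwords, and unrank() lets a run be resumed or split across machines by position.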