Re: SQL audit

From: Dennis Yurichev <>
Date: Wed, 23 Dec 2009 21:11:05 +0200
Message-ID: <>

Hash: SHA1

Yong Huang wrote:

>> A minimum length limit.  I think 8 is fairly common.

> I did some research on *ethical* password retrieval (or really, cracking,
> if you don't mind the tone of the word). See
> An 8-alphanumeric case-insensitive password can be retrieved on a single
> PC in about a month in the worst case. Here's the relevant part:
> * What are some ballpark figures for the time to guess longer passwords?
> As you saw, it took the 2.6 GHz machine about 50 seconds to reach "test1"
> in a 5-char word brute force crack. The Perl program is written in a way
> to provide strings in alphabetic order. So if the password were "zz999",
> it would definitely take longer, perhaps a little over 1 minute. If you
> add another alphanumeric character to guess a 6-char password, you add
> one more layer of for-loop. Since the complete alphanumeric character is
> 36 characters, a rough estimate of runtime is 40 minutes. To guess a
> 7-char password, it's 40 x 36 = 1440 min or 24 hours. To guess an 8-char
> password, it's 36 days. All these assume that the execution is on one
> computer only, the first 2 chars are letters, the remaining are
> alphanumeric, the password is very "unlucky" to use letters close to the
> end of the alphabet and digits close to 9. That is, these time estimates
> are the worst case scenarios. On the other hand, the password may be
> extremely "lucky" to be found within the first few seconds.

Or 16 hours for all 8-symbol passwords on a special hardware:

iEYEARECAAYFAksya0kACgkQ1YPmFmJG++NRwwCgmg3p6rOpm9D1x0SIVOA0cojd MZcAnivav/Q3cQHprDnEIpjc7by8wM4Z

Received on Wed Dec 23 2009 - 13:11:05 CST

Original text of this message