Re: SQL audit

From: Dennis Yurichev <dennis_at_conus.info>
Date: Wed, 23 Dec 2009 21:11:05 +0200
Message-ID: <4B326B49.1030303_at_conus.info>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yong Huang wrote:
>> A minimum length limit.  I think 8 is fairly common.
>
> I did some research on *ethical* password retrieval (or really, cracking,
> if you don't mind the tone of the word). See
> http://yong321.freeshell.org/oranotes/PasswordRetrieval.txt
>
> An 8-alphanumeric case-insensitive password can be retrieved on a single
> PC in about a month in the worst case. Here's the relevant part:
>
> * What are some ballpark figures for the time to guess longer passwords?
>
> As you saw, it took the 2.6 GHz machine about 50 seconds to reach "test1"
> in a 5-char word brute force crack. The Perl program is written in a way
> to provide strings in alphabetic order. So if the password were "zz999",
> it would definitely take longer, perhaps a little over 1 minute. If you
> add another alphanumeric character to guess a 6-char password, you add
> one more layer of for-loop. Since the complete alphanumeric character is
> 36 characters, a rough estimate of runtime is 40 minutes. To guess a
> 7-char password, it's 40 x 36 = 1440 min or 24 hours. To guess an 8-char
> password, it's 36 days. All these assume that the execution is on one
> computer only, the first 2 chars are letters, the remaining are
> alphanumeric, the password is very "unlucky" to use letters close to the
> end of the alphabet and digits close to 9. That is, these time estimates
> are the worst case scenarios. On the other hand, the password may be
> extremely "lucky" to be found within the first few seconds.

Or 16 hours for all 8-symbol passwords on special hardware: http://conus.info/ops/

iEYEARECAAYFAksya0kACgkQ1YPmFmJG++NRwwCgmg3p6rOpm9D1x0SIVOA0cojd
MZcAnivav/Q3cQHprDnEIpjc7by8wM4Z
=d2yT
-----END PGP SIGNATURE-----
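The back-of-envelope arithmetic in Yong Huang's quoted note (search space is the product of the per-position alphabet sizes; each extra alphanumeric character multiplies the worst-case time by 36) generalises to any password policy. The following estimator is an added example, not code from either poster or from the linked notes. It assumes a guessing rate derived from the quoted observation that the 5-character space took about one minute on a 2.6 GHz machine, and it can also turn a claimed exhaust time (such as the 16 hours for all 8-symbol passwords mentioned above) into the guessing rate that claim implies. Alphabet sizes other than the 26/36 used in the note are assumptions chosen for comparison of policies.

```python
"""Password search-space and worst-case guessing-time estimator.

Added example for evaluating minimum-length / character-class policies.
It is not the original poster's Perl program; it only reproduces the
scaling argument from the quoted note and lets you plug in other policies.
"""

from functools import reduce
from operator import mul

# Per-position alphabet sizes (assumed values for comparison).
LETTERS = 26        # case-insensitive a-z, as in the quoted note
ALNUM = 36          # a-z plus 0-9, case-insensitive, as in the quoted note
MIXED_ALNUM = 62    # a-z, A-Z, 0-9
PRINTABLE = 95      # printable ASCII


def keyspace(alphabet_sizes):
    """Number of candidate strings when position i may take alphabet_sizes[i] values."""
    return reduce(mul, alphabet_sizes, 1)


def huang_policy(length):
    """Huang's assumption: first two positions are letters, the rest alphanumeric."""
    if length < 2:
        raise ValueError("policy needs at least two positions")
    return [LETTERS, LETTERS] + [ALNUM] * (length - 2)


# Assumed rate: the quoted note reports roughly 60 s to exhaust the 5-char space.
GUESSES_PER_SECOND = keyspace(huang_policy(5)) / 60.0


def worst_case_seconds(alphabet_sizes, rate=GUESSES_PER_SECOND):
    """Time to try every candidate in the space at `rate` guesses/second."""
    return keyspace(alphabet_sizes) / rate


def expected_seconds(alphabet_sizes, rate=GUESSES_PER_SECOND):
    """Average time to hit a uniformly chosen password: half the worst case."""
    return worst_case_seconds(alphabet_sizes, rate) / 2.0


def implied_rate(alphabet_sizes, seconds):
    """Guesses/second a cracker must sustain to exhaust the space in `seconds`."""
    return keyspace(alphabet_sizes) / float(seconds)


def days(seconds):
    return seconds / 86400.0


if __name__ == "__main__":
    print("worst case at %.0f guesses/s (single 2009-era PC):" % GUESSES_PER_SECOND)
    for n in (5, 6, 7, 8):
        print("  %d chars (Huang policy): %.1f days" % (n, days(worst_case_seconds(huang_policy(n)))))

    # What "all 8-symbol passwords in 16 hours" implies about the hardware.
    rate = implied_rate([ALNUM] * 8, 16 * 3600)
    print("16 h for 36^8 candidates implies %.2e guesses/s" % rate)

    # Same hardware against stronger policies (assumed alphabets).
    for label, policy in (("8 mixed-case alnum", [MIXED_ALNUM] * 8),
                          ("8 printable ASCII", [PRINTABLE] * 8),
                          ("12 lower-case alnum", [ALNUM] * 12)):
        print("  %s: %.1f days worst case" % (label, days(worst_case_seconds(policy, rate))))
```

The policy-level takeaway is that length beats character-class breadth: on the implied hardware, 12 case-insensitive alphanumerics take far longer to exhaust than 8 printable-ASCII characters, so a higher minimum length is a cheaper control than complexity rules.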

--
http://www.freelists.org/webpage/oracle-l
Received on Wed Dec 23 2009 - 13:11:05 CST