Posted 28 September 2010 - 05:01 PM
So my girlfriend and I were putting pen to paper trying to get our arms around this question after a recent unpleasant experience and watching a few Youtube videos on hacking (not that we expected to see the Masters at work there) and reading a few academic papers on the subject and we focused on the "brute force" method -- maybe this would provide some food for thought.
Most alarming was an expose on the helpful "lost password retriever program" marketed as the Lightning Hash Cracker, which claims to process 608,000,000 passwords/sec using graphics acceleration (they might have been talking about hashes but I'll assume they amount to the same thing since we're real newbies at this stuff -- and claims to be the most technologically advanced on the market today). So the math went something like this (she posted this in another forum but I thought it was fun and hopefully helpful here too).
The way we began to get our arms around that is to say there are (looking now) about 93 or so characters we can use on my keyboard right now, including the ~ thing and others like it. So, the formula for possible total # of permutations where order doesn't matter and repetition is allowed is simply N^x, where N is the pool to draw from and x is the number of characters in your password. On average you would divide the result by 2 (he has on average to get through 1/2 of the combinations before hitting paydirt), but let's say luck is on his side and he gets it in the first 25% of all tries, so let's divide by 4 instead. Then let's say he's part of a well-funded organized crime group and strings together 100 computers, so the 608 MM/second becomes 60.8 B/sec (I think that's right so far). A 6 character password under this scenario would take 3 seconds to crack. Unless this napkin is wrong, a 12 character password would take... anyone, anyone, Bueller, Bueller? -- 546 centuries! I'm probably overlooking something, but exponents can be pretty powerful, so please correct me if I'm wrong, especially on the hash business.
Incidentally, does anyone know of a reference of what registry keys are commonly targeted by hackers and should be protected? Also looking for a guide on configuring Comodo to configure outgoing communications to trap the trojan from calling home if anyone has one anywhere (think I'm doing okay on incomings). Cheers -- S
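The napkin math above, written out as a small script so anyone can re-run it with their own numbers. This is an added example, not something from the original post or from the Lightning Hash Cracker vendor. The figures it starts from are the ones in the post (93 typeable symbols, 608,000,000 guesses/sec per box, 100 boxes, success after 25% of the keyspace); the 365-day year, the comparison pools (digits, lowercase, alphanumeric) and the `hash_cost` knob are this example's own assumptions. The `hash_cost` parameter is there because of the "hash business" question: a rate quoted in hashes/sec equals a rate in passwords/sec only when one guess costs one fast hash, and a deliberately slow password hash multiplies the attacker's work per guess. The whole calculation also assumes a truly random password; a dictionary word with a digit on the end lives in a far smaller effective keyspace than N^x suggests.

```python
"""Brute-force napkin math from the forum post, generalised to any symbol
pool, password length, guess rate, "luck" fraction and hash cost.
Added example; not code from the original post."""

import string

GUESSES_PER_GPU_BOX = 608_000_000              # claim quoted in the post
CLUSTER_SIZE = 100                              # from the post
CLUSTER_RATE = GUESSES_PER_GPU_BOX * CLUSTER_SIZE   # 60.8 billion guesses/s
KEYBOARD_POOL = 93                              # the poster's count of typeable symbols
SECONDS_PER_YEAR = 365 * 86_400                 # assumption: 365-day year
SECONDS_PER_CENTURY = 100 * SECONDS_PER_YEAR


def keyspace(pool_size: int, length: int) -> int:
    """Number of distinct strings of `length` symbols drawn, with repetition,
    from a pool of `pool_size` symbols: pool_size ** length (the post's N^x)."""
    return pool_size ** length


def seconds_to_crack(pool_size: int, length: int, guesses_per_second: float,
                     fraction_searched: float = 0.25, hash_cost: float = 1) -> float:
    """Wall-clock seconds until the attacker's guess lands.

    fraction_searched: share of the keyspace tried before success. 0.5 is the
      average case; the post assumes a lucky 0.25 (divide by 4).
    hash_cost: assumption added here. How many times more expensive one guess
      is than the fast hash the benchmark rate was measured against. A slow,
      iterated password hash raises this well above 1.
    """
    effective_rate = guesses_per_second / hash_cost
    return keyspace(pool_size, length) * fraction_searched / effective_rate


def humanize(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    if seconds < 60:
        return f"{seconds:.1f} seconds"
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < 86_400:
        return f"{seconds / 3600:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86_400:.1f} days"
    if seconds < SECONDS_PER_CENTURY:
        return f"{seconds / SECONDS_PER_YEAR:.1f} years"
    return f"{seconds / SECONDS_PER_CENTURY:,.0f} centuries"


def estimate_table(lengths=range(6, 15), pools=None, hash_cost: float = 1):
    """Rows of (pool label, length, seconds) at the post's cluster rate, for
    a few assumed character pools so the effect of pool size is visible."""
    pools = pools or {
        "digits (10)": len(string.digits),
        "lowercase (26)": len(string.ascii_lowercase),
        "alnum (62)": len(string.ascii_letters + string.digits),
        "keyboard (93)": KEYBOARD_POOL,
    }
    rows = []
    for label, n in pools.items():
        for length in lengths:
            rows.append((label, length,
                         seconds_to_crack(n, length, CLUSTER_RATE, hash_cost=hash_cost)))
    return rows


if __name__ == "__main__":
    # Reproduce the post's two headline numbers.
    print("6 chars :", humanize(seconds_to_crack(KEYBOARD_POOL, 6, CLUSTER_RATE)))
    print("12 chars:", humanize(seconds_to_crack(KEYBOARD_POOL, 12, CLUSTER_RATE)))
    # Same 12 chars, but each guess assumed to cost 10,000 fast hashes.
    print("12 chars, slow hash:",
          humanize(seconds_to_crack(KEYBOARD_POOL, 12, CLUSTER_RATE, hash_cost=10_000)))
    print()
    for label, length, secs in estimate_table():
        print(f"{label:16} len {length:2d}: {humanize(secs)}")
```

Running it reproduces the post's 3 seconds (2.7 when not rounded) for 6 characters and 546 centuries for 12, and the table makes the other half of the story obvious: a 12-character password drawn from digits only falls in seconds at the same rate, so the pool size matters as much as the length. To check the average case instead of the lucky one, pass `fraction_searched=0.5`.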