How long would it take to crack an 8 digit password?

Would love to know what it is you're doing to need this though? :D

I need some figures for work.
I work in a Medico Legal department and daily we send out disks to Solicitors containing Medical Records and according to the chart it would take an average computer up to 57 years to find it.
I also send out password protected documents in email and for some reason 'the powers that be' think that it's safer sending in the post than in email :confused:
I will be printing out the Password Recovery Speeds page and planting it on a desk.

Thanks
 
Alternatively - the password has to be stored somewhere on the system, usually in an encrypted folder. If you break that encryption then you have the password. I don't know about Windows or other operating systems but on Linux it's usually either MD5 or SHA1. MD5 can be broken relatively easily, SHA is a lot harder.
That's not the password, that is its hash key. That's how many systems check your password, they don't store the password directly, they store its hash key. That implies it is possible to unlock the computer using another password, since the hash map is many to one, but it avoids security issues like someone using a tool to scan your drive for the explicit password. After all, you can't put all your passwords in an encrypted folder, how would the computer decrypt the folder to check if the password for decrypting the folder is right? :p

> I need some figures for work.
> I work in a Medico Legal department and daily we send out disks to Solicitors containing Medical Records and according to the chart it would take an average computer up to 57 years to find it.
Picking a good 'random' 8~10 character password is enough for such purposes I'd imagine. You have to consider what you're encrypting. Yes, in an ideal world we'd all use 50 digit gibberish as our passwords but we're stupid and lazy. Fortunately, at present, the amount of effort needed to break a password people can remember (8~10 characters) is too much bother for most purposes.

Your mates aren't going to spend ages running a cracking program just to read your Gmail, likewise the resources even for News of The World to try to crack thousands of people's encryptions for medical records or the like just to see if they hit something interesting are too much. If you've got specific reason to think someone will be very interested in some piece of information you have access to then up your password to 15~20 characters. That way, unless you're working on nuclear defence secrets and a sovereign state has reason to want the details, you're going to be okay. Besides, in those circumstances this happens :

[Image: security.png]


> I also send out password protected documents in email and for some reason 'the powers that be' think that it's safer sending in the post than in email :confused:
Email passes through a lot of servers, including outside the country and thus our jurisdiction. For something like someone's medical records it might be overly paranoid but anyone working in securities or defence would at the very least use some high level encryption on their emails. In my experience some companies prefer to post by courier encrypted hard drives which then have some weird formatting or file type which needs some additional information to open, even if you decrypt them.

Given the examples of people leaving DVDs of hundreds of thousands of tax details on trains, the fact some people are perhaps a touch overly paranoid is no bad thing.
 
Password protected documents? You mean the password protection that comes with Word for example? That really isn't safe - no-one would bother brute forcing those passwords as there are easier ways around them. Post i.e. recorded delivery is much safer (though even then I'd send encrypted media). If you want to use email to send confidential documents you should really be looking at government approved encryption software - there are probably legal requirements surrounding the level of encryption protection for this type of data.
 
> Password protected documents? You mean the password protection that comes with Word for example? That really isn't safe - no-one would bother brute forcing those passwords as there are easier ways around them. Post i.e. recorded delivery is much safer (though even then I'd send encrypted media). If you want to use email to send confidential documents you should really be looking at government approved encryption software - there are probably legal requirements surrounding the level of encryption protection for this type of data.

We always PDF and use the encryption with Adobe Professional.
We use a combination of numbers, uppercase, lowercase & symbols.
The disks automatically encrypt when written with a programme called Safeguard.
 
It really depends on the password source (what the password is used with). The log into windows password normally takes seconds to bypass no matter how long the password is. Older versions of office documents take very little time to bypass passwords.
 
> We always PDF and use the encryption with Adobe Professional.
> We use a combination of numbers, uppercase, lowercase & symbols.
> The disks automatically encrypt when written with a programme called Safeguard.

I'd definitely check that complies with the relevant security regulations for transmitting medical records. My gut feeling is that Adobe Professional password protection will be quite easy to crack.

Neither of the products you mention appears on the CESG approved list: http://www.cesg.gov.uk/products_services/iacs/caps/index.shtml - but then I don't know if it has to for medical records.
 
> Neither of the products you mention appears on the CESG approved list: http://www.cesg.gov.uk/products_services/iacs/caps/index.shtml - but then I don't know if it has to for medical records.

iirc only PGP and BeCrypt appear on that list as a software solution, however I have used Sophos (used to be Utimaco) Safeguard in government before with no issues.

Also used the Stonewood hardware encrypted drives which are pretty neat.
 
I don't understand how people are reaching the conclusions that they're reaching (timewise).
So a file encrypted using Adobe Professional will take the same amount of time it would to crack a file encrypted with TrueCrypt (AES/Twofish/Serpent encryption, RIPEMD-160 hash alg for instance), assuming they're using the same passphrase/number of chars?
Surely people need details of the method of encryption used by Adobe Professional?

I'm rocking 24 char pw's in TrueCrypt atm, and now I'm slightly worried lol. Not that I have much to hide, but I would at least like it to work.
 
> I don't understand how people are reaching the conclusions that they're reaching (timewise).
> So a file encrypted using Adobe Professional will take the same amount of time it would to crack a file encrypted with TrueCrypt (AES/Twofish/Serpent encryption, RIPEMD-160 hash alg for instance), assuming they're using the same passphrase/number of chars?
> Surely people need details of the method of encryption used by Adobe Professional?
>
> I'm rocking 24 char pw's in TrueCrypt atm, and now I'm slightly worried lol. Not that I have much to hide, but I would at least like it to work.

Bruteforcing a password of the same length, with the same character set, will always have the same theoretical maximum time.
 
This one is good too http://www.howsecureismypassword.net/

The password scheme where I work (have no problem disclosing this as none of you know where that is) is a word with capital then a symbol then the month/year (changes every month, obviously this is less secure vs somebody who knows the convention) but with a password such as Thinkpad@0711 or Cocacola!1337 you're looking at up to 300 million years to brute force with a desktop PC, that's more than acceptable imo.
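
Added example (not part of any post in this thread): the keyspace arithmetic behind the brute-force estimates discussed above, for a given length and character set, shown next to the much smaller search space once a convention like "word + symbol + MMYY" is known. The word-list size and guess rates are assumed illustrative values, not measurements of any product named in the thread.

```python
import string

# Character classes a blind brute-force search has to cover.
CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation]

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed guess rates (illustrative only): the real rate depends on how
# expensive each format makes a single password check.
ASSUMED_RATES = {"slow key derivation": 1e3, "fast unsalted hash": 1e9}


def charset_size(password):
    """Size of the union of character classes the password draws from."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))


def exhaustive_keyspace(charset, length):
    """Candidates of every length from 1 up to `length` over `charset` symbols."""
    return sum(charset ** n for n in range(1, length + 1))


def convention_keyspace(wordlist_size, symbols=len(string.punctuation), months=12):
    """Candidates for 'Capitalised word + symbol + MMYY' in a known year."""
    return wordlist_size * symbols * months


def worst_case_years(keyspace, guesses_per_second):
    """Time to try every candidate at a constant guess rate."""
    return keyspace / guesses_per_second / SECONDS_PER_YEAR


def compare(password, wordlist_size, rates):
    """Worst-case years per rate: (blind search, convention known)."""
    blind = exhaustive_keyspace(charset_size(password), len(password))
    known = convention_keyspace(wordlist_size)
    return {name: (worst_case_years(blind, rate), worst_case_years(known, rate))
            for name, rate in rates.items()}


if __name__ == "__main__":
    # Constructed input: a password quoted in the thread and an assumed
    # 100,000-word list.
    for name, (blind, known) in compare("Thinkpad@0711", 100_000, ASSUMED_RATES).items():
        print(f"{name}: blind {blind:.3g} years, convention known {known:.3g} years")
```

The blind-search figure depends only on length and character set for a fixed guess rate; the per-guess cost of the format and any knowledge of the pattern are what move the result.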
 