[Cryptography] Brute-force password crackers?

Jerry Leichter leichter at lrw.com
Sat Dec 25 08:10:30 EST 2021

> Could someone please explain the current strategies of brute-force password crackers these days?
> I presume that huge dictionaries of existing passwords, words, phrases, etc., + brute force alphabetic enumeration in order of probability?
Dictionaries, yes.  Seeded with passwords of whatever form that have appeared in previous leaks - which by now form a rather extensive list of culturally significant words, phrases, and so on.  Then algorithmic transformations applied to the dictionary entries - l33tspeak stuff.

It’s certainly possible these days to also do brute-force attacks - it’s been a while since I saw an estimate of the practical limits but they were quite high (all 8-character sequences of alphabetics in a few hours?) even a couple of years back.  Whether this is worth it is unclear - depends on what you’re trying to accomplish.  For attacks to find any passwords you can in a leaked list at low cost, the list-plus-algorthmic approach will likely find many hits.  If you’re trying to crack a particular user’s password and the “smarter” approach failed, you may have to fall back on brute force.  At this point, it’s likely not useful to worry about probabilities - the “probable” ones, as far as anyone can know, we’re already tried and filtering those out may cost more than simply trying them again.  You could presumably try to do the improbable ones - 20 random alternations of 0, 1, O, and l - last but the density of those is so low that I doubt the gain is worth it.

                                          -- Jerry

More information about the cryptography mailing list