[Cryptography] Brute-force password crackers?
jan at dusatko.org
Thu Dec 30 10:06:52 EST 2021
On 28. 12. 2021 at 0:07, Jerry Leichter wrote:
>> OK, we have databases of >10^6 passwords, so we can easily compute distributions for graphs, digraphs, trigraphs, etc.
>> So a 'random' password is potentially guessed more quickly than a 'non-random' password which utilizes these distributions for pessimizing guessability.
>> In particular, shouldn't password generators make sure that passwords utilize less-frequently used characters -- e.g., the 'long tail'? It should certainly reject the very rare cases of all digits, etc.
>> While these passwords may not be easy to type -- e.g., Unicode -- this may not make much difference with keepass-type programs.
>> Isn't that so?
> It really depends on what you're trying to do. If you need a human to be able to remember and type the password, those "long tail" passwords will be really tough.
> Once you assume the password will be saved by a program, not remembered by a human being, all this sort of stuff becomes irrelevant. I mentioned in a previous note that the Mac Keychain program will let you generate passwords. Safari will also suggest passwords for you, which will be saved to the Keychain and filled automatically. These are something like 25 random letters and digits. (I never bothered to count.)
> -- Jerry
Besides regular brute-force password cracking using vocabularies or
password databases and software like hashcat/prince, there are also
PassGAN tools based on AI. This is a kind of attack on human-generated
passwords, where the words and sentences used can be grabbed from social
networks, e-mails, blogs or other resources. All people use only a small
subset of the words available in a specific language. Thanks to those
limits, these tools can estimate the probabilities of such words and
possibly their combinations in passwords with quite an interesting score.
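
The n-gram estimate discussed in this thread, as an added example that is not part of the original posts: a character trigram model scores how predictable a candidate password is, which a generator or password-change form can use to reject human-looking choices. The corpus is a small constructed stand-in for a real password list, and the function names are hypothetical.

```python
import math
from collections import Counter, defaultdict

# Constructed sample corpus standing in for a leaked-password list (assumption).
CORPUS = ["password", "password1", "passw0rd", "letmein", "sunshine", "princess",
          "dragon", "monkey", "master", "welcome", "summer2021", "winter2021",
          "iloveyou", "football", "baseball", "superman", "michael", "jessica"]

START, END = "\x02", "\x03"   # markers for the beginning / end of a password
ALPHABET = 95 + 1             # printable ASCII plus END; assumes ASCII passwords

def train(words, order=2):
    """Count which character follows each `order`-character context."""
    counts = defaultdict(Counter)
    for w in words:
        s = START * order + w + END
        for i in range(order, len(s)):
            counts[s[i - order:i]][s[i]] += 1
    return counts

def guess_bits(pw, counts, order=2, alpha=0.01):
    """-log2 P(pw) under the model; add-alpha smoothing covers unseen n-grams."""
    s = START * order + pw + END
    bits = 0.0
    for i in range(order, len(s)):
        ctx = counts.get(s[i - order:i], Counter())
        p = (ctx[s[i]] + alpha) / (sum(ctx.values()) + alpha * ALPHABET)
        bits -= math.log2(p)
    return bits

def uniform_bits(pw):
    """Bits if every character were drawn uniformly from printable ASCII."""
    return len(pw) * math.log2(95)

MODEL = train(CORPUS)

if __name__ == "__main__":
    # Human-style passwords score far below their uniform estimate;
    # the random-looking one does not.
    for pw in ["password2021", "sunshine1", "q7#Vz!t2Lw@e"]:
        print(f"{pw:14s} model={guess_bits(pw, MODEL):6.1f} bits  "
              f"uniform={uniform_bits(pw):6.1f} bits")
```

The gap between the model score and the uniform estimate is the advantage a frequency-aware guesser has over plain brute force; a real check would train on a much larger list.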