On Oct 30, 2011 11:29 AM, "William Allen Simpson" <william.allen.simpson@gmail.com> wrote:
On 10/26/11 9:13 AM, Neil Harris wrote:
Assuming the seven-character password given, "YH2MnDD", uses the
character set [A-Za-z0-9], there should be 62^7 ~= 3.5 x 10^12 possible such passwords.
I really wish folks would at least read a Wikipedia article before making such calculations. :-(
No, you've listed the number of combinations, not the entropy.
No, 40 bits of strength means 2**20 attempts on average. Same order of magnitude as WEP. You remember WEP, the security designed to be easily crackable?
https://secure.wikimedia.org/wikipedia/en/wiki/Wired_Equivalent_Privacy
In 2005, a group from the U.S. Federal Bureau of Investigation gave a demonstration where they cracked a WEP-protected network in 3 minutes using publicly available tools.
Or, maybe, perhaps, you might trust that a well-known long-time security professional is telling you the generated password is too weak. ;-)
If you are going to be so insulting, please at least try and be right... You could start by reading the articles you are telling other people to read.
For a random sequence of characters, the entropy is just the base-2 log of the number of combinations, so there is nothing wrong with just calculating the number of combinations. Converting to entropy just makes it easier to compare two passwords drawn from different character sets.
WEP is flawed because it encrypts different parts of the message using related keys, not because it is susceptible to a brute force attack on the password. It is completely irrelevant to our discussion.
To get the average number of attempts, you halve the number of combinations, you don't square root it. With 40 bits, the average is 2^39 attempts, not 2^20.
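
The arithmetic in the reply above, as an added example that is not part of the original message: it computes the keyspace and entropy of a uniformly random 7-character [A-Za-z0-9] password, then measures the mean number of guesses by exhaustive search over a small constructed keyspace. All function names and the toy alphabet "abcd" are assumptions made for illustration.

```python
import itertools
import math
import string

ALNUM = string.ascii_letters + string.digits  # [A-Za-z0-9], 62 symbols


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password: log2 of the keyspace."""
    return length * math.log2(alphabet_size)


def expected_guesses(n: int) -> float:
    """Mean guesses for exhaustive search when the target is uniform over n."""
    return (n + 1) / 2


def measured_mean_guesses(alphabet: str, length: int) -> float:
    """Search a small keyspace in a fixed order once per possible target
    and average the number of guesses needed to hit each one."""
    candidates = list(itertools.product(alphabet, repeat=length))
    total = 0
    for target in candidates:
        # Count guesses until the enumeration reaches this target.
        total += next(i for i, c in enumerate(candidates, start=1) if c == target)
    return total / len(candidates)


def length_for_bits(alphabet_size: int, bits: float) -> int:
    """Shortest length over another character set giving at least `bits`."""
    return math.ceil(bits / math.log2(alphabet_size))


if __name__ == "__main__":
    n = keyspace(len(ALNUM), 7)
    print(f"62^7 = {n} (~{n:.2e}), {entropy_bits(62, 7):.2f} bits")
    print(f"40 bits: mean guesses = 2^{math.log2(expected_guesses(2**40)):.2f}")
    toy = measured_mean_guesses("abcd", 3)  # constructed toy keyspace, 4^3 = 64
    print(f"keyspace 64: measured mean {toy}, sqrt(64) = {math.isqrt(64)}")
    same = length_for_bits(26, entropy_bits(62, 7))
    print(f"lowercase-only length matching 7 alphanumerics: {same}")
```

The last line uses entropy for the comparison the reply mentions: expressing both passwords in bits shows how long a password over a different character set must be to match.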