From kde-devel Sat Nov 15 05:20:24 2003
From: Michael Pyne
Date: Sat, 15 Nov 2003 05:20:24 +0000
To: kde-devel
Subject: Re: IBM Applies for Password Manager Patent
X-MARC-Message: https://marc.info/?l=kde-devel&m=106887381107446

On Thursday 13 November 2003 15:51, Jason Keirstead wrote:
> On November 13, 2003 5:38 pm, George Staikos wrote:
> > You think that kwallet is easier to brute force than /etc/shadow and
> > the 8 character unix passwords?
> How is he going to read /etc/shadow when he can't log in?

If he's brute forcing a password, he doesn't need /etc/shadow, he needs only
to try to log in until the system accepts him. Of course, a good system would
block his IP and inform an admin after a few failed attempts, but the point is
that he really doesn't NEED /etc/shadow for a brute-force attack. A simple
dictionary attack will suffice, and is likely to finish about a trillion years
or so before brute forcing Blowfish. :)

The difference is in the sample space of the keys. Assuming 256-bit Blowfish,
there will be around 2^256 different keys available to choose from, which
means, on average, 2^255 attempts using brute force. It may even be possible
to reduce that to 2^254, but I think even that is many orders of magnitude
greater than the number of different passwords which can be stored in
/etc/shadow.

- Michael Pyne