
List:       kde-devel
Subject:    Re: IBM Applies for Password Manager Patent
From:       Michael Pyne <pynm0001 () comcast ! net>
Date:       2003-11-15 5:20:24

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thursday 13 November 2003 15:51, Jason Keirstead wrote:
> On November 13, 2003 5:38 pm, George Staikos wrote:
> >   You think that kwallet is easier to brute force than /etc/shadow and
> > the 8  character unix passwords?
> How is he going to read /etc/shadow when he can't log in?

If he's brute forcing a password, he doesn't need /etc/shadow, he needs only 
to try to log in until the system accepts him.  Of course, a good system would 
block his IP and inform an admin after a few failed attempts, but the point 
is that he really doesn't NEED /etc/shadow for a brute-force attack.  A 
simple dictionary attack will suffice, and is likely to finish about a 
trillion years or so before brute forcing Blowfish. :)

The difference is in the sample space of the keys.  Assuming 256-bit Blowfish, 
there will be around 2^256 different keys available to choose from, which 
means, on average, 2^255 attempts using brute force.  It may even be possible 
to reduce that to 2^254, but I think even that is many orders of magnitude 
greater than the number of different passwords which can be stored in 
/etc/shadow.

 - Michael Pyne
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/tbekqjQYp5Omm0oRAvjoAJ4gnPi6V4Pg4Ul1krm7BLyZUAgk2ACfcGPA
YgleSoBQj+MoObO6PPGZuFQ=
=SpQK
-----END PGP SIGNATURE-----
 