Nils Kassube kassube at gmx.net
Sat Aug 11 12:59:40 BST 2007

```Larry Hartman wrote:
> ok so lemme see if I understand it.....(15 letters x 2 for uppercase) +
> (10 numbers x 2 for special char) ^ (25 for length)/2
>
> 30+20 ^25/2
>
> 50^25/2 =
> 1,490,115,253,322,075,409,335,142,750,678,456,308,527,668.3990024431495
>1730712
>
> This is for a 25 char long password, using 15 letters of the alpha bet
> with uppercase, 10 numerals, and 10 spec chars
>
> Let us assume this is a completely random password....

Yes, that is the average number of guesses necessary to find the password
(if I counted your digits correctly -- it should be 1.49 * 10^42). In
general a longer password is better than a bigger set of valid charcters.

> Now let me ask the question again.....what exists out there that can
> (guestimate) would it take to crack such a complex beast given good PC
> hardware?
>
> Would this PCWIN or John the Ripper software that others mentioned be
> capable of doing it?  Also curious about hardware requirements to do
> this efficiently.....lets say I don't want to be waiting for weeks to
> do one file. I want to have an idea of the effort involved to crack

If it is a random password, you can only guess it by trying every possible
combination of valid characters, i.e. brute force. That is what password
cracking programs do.

Let's assume you need 100 machine instructions to check a single password
(I suppose you need more). With a machine that can execute one
instruction per clock cycle and 1GHz clock frequency that would be 10
million tries per second. You can scale that number linearly for faster
and / or more machines. With your numbers that would be 1.49 * 10^35
seconds or 4.7 * 10^27 years, which is far more time than from the Big
Bang until today (about 12 * 10^9 years). So, if there is no big error in
my calculations, it is probably impossible to find a 25 character
password with our present technology only by brute force attacks.

However, the password cracker programs mentioned generally are successful
because virtually nobody uses a password of 25 random letters. Do the
math again with a password of only 5 characters and the result is very
different.

> A comparison can be made to file safes.....good ones are rated to take
> 4-5 hours of work with special tools to break into them.

The calculation above applies to file safes as well, if it is for brute
force attacks only. But there is another possible approach. You can find
faults in the encryption algorithm. If the algorithm is weak, it may be
much easier to decrypt the contents of the file save or anything else
which is encrypted.

Nils

```