Passwords on ODF files

Nils Kassube kassube at gmx.net
Sat Aug 11 12:59:40 BST 2007


Larry Hartman wrote:
> ok so lemme see if I understand it.....(15 letters x 2 for uppercase) +
> (10 numbers x 2 for special char) ^ (25 for length)/2
>
> 30+20 ^25/2
>
> 50^25/2 =
> 1,490,115,253,322,075,409,335,142,750,678,456,308,527,668.39900244314951730712
>
> This is for a 25 char long password, using 15 letters of the alphabet
> with uppercase, 10 numerals, and 10 spec chars
>
> Let us assume this is a completely random password....

Yes, that is the average number of guesses necessary to find the password 
(if I counted your digits correctly -- it should be 1.49 * 10^42). In 
general a longer password is better than a bigger set of valid characters.

> Now let me ask the question again.....what exists out there that can
> crack this password....add this secondary question to it:  How long
> (guesstimate) would it take to crack such a complex beast given good PC
> hardware?
>
> Would this PCWIN or John the Ripper software that others mentioned be
> capable of doing it?  Also curious about hardware requirements to do
> this efficiently.....let's say I don't want to be waiting for weeks to
> do one file. I want to have an idea of the effort involved to crack
> just one password.

If it is a random password, you can only guess it by trying every possible 
combination of valid characters, i.e. brute force. That is what password 
cracking programs do.

Let's assume you need 100 machine instructions to check a single password 
(I suppose you need more). With a machine that can execute one 
instruction per clock cycle and 1GHz clock frequency that would be 10 
million tries per second. You can scale that number linearly for faster 
and / or more machines. With your numbers that would be 1.49 * 10^35 
seconds or 4.7 * 10^27 years, which is far more time than from the Big 
Bang until today (about 12 * 10^9 years). So, if there is no big error in 
my calculations, it is probably impossible to find a 25 character 
password with our present technology only by brute force attacks.

However, the password cracker programs mentioned generally are successful 
because virtually nobody uses a password of 25 random letters. Do the 
math again with a password of only 5 characters and the result is very 
different.

> A comparison can be made to file safes.....good ones are rated to take
> 4-5 hours of work with special tools to break into them.

The calculation above applies to file safes as well, if it is for brute 
force attacks only. But there is another possible approach. You can find 
faults in the encryption algorithm. If the algorithm is weak, it may be 
much easier to decrypt the contents of the file safe or anything else 
which is encrypted.


Nils
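
The estimate worked through in the reply above, as an added example that is not part of the original message: it uses the thread's figures (50 symbols, 25 or 5 characters, 10 million tries per second) and extends them to sizing a password length for a target crack time and to comparing a longer password against a bigger character set. The function names, the 365-day year and the 95-symbol comparison alphabet are assumptions made for this sketch.

```python
# Added example: brute-force cost of a uniformly random password.
from fractions import Fraction

SECONDS_PER_YEAR = 365 * 24 * 3600  # assumption: 365-day year


def average_guesses(alphabet_size, length):
    """Expected number of guesses: half of the keyspace."""
    return Fraction(alphabet_size ** length, 2)


def years_to_crack(alphabet_size, length, guesses_per_second):
    """Average exhaustive-search time in years at a fixed guessing rate."""
    seconds = average_guesses(alphabet_size, length) / guesses_per_second
    return seconds / SECONDS_PER_YEAR


def min_length(alphabet_size, guesses_per_second, target_years):
    """Shortest random password whose average crack time reaches target_years."""
    length = 1
    while years_to_crack(alphabet_size, length, guesses_per_second) < target_years:
        length += 1
    return length


def equivalent_length(alphabet_size, length, other_alphabet):
    """Characters needed from other_alphabet to match alphabet_size**length."""
    keyspace = alphabet_size ** length
    n = 1
    while other_alphabet ** n < keyspace:
        n += 1
    return n


if __name__ == "__main__":
    rate = 10**9 // 100  # 1 GHz at 100 instructions per try, as in the reply
    for n in (5, 8, 12, 25):
        years = years_to_crack(50, n, rate)
        seconds = float(years * SECONDS_PER_YEAR)
        print(f"50 symbols, length {n:2d}: {seconds:.3g} s = {float(years):.3g} years")
    # Length needed to hold out 100 years on average at this rate.
    print("length for 100 years:", min_length(50, rate, 100))
    # Nearly doubling the symbol set (50 -> 95) saves only a few characters.
    print("95-symbol length matching 50^25:", equivalent_length(50, 25, 95))
```
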



More information about the kubuntu-users mailing list