Question
Assume an attacker is using a processor capable of executing 100 million instructions per second and has designed an algorithm to test passwords that requires 10 instructions.
Assume that the attacker has correctly guessed an ID and plans to carry out a brute force attack against all possible passwords to try to get into the account for that ID.
How long would you tell the account user to make her/his password, using a combination of alphabetic characters and numbers, to ensure that it is reasonably safe for 3 months?
Back up your answer with calculations of the time to crack a password of the recommended length.
Explanation / Answer
It takes 10 instructions to test passwords.
Processor speed: 100 million instructions per second.
3 months = 90 days x 24 x 60 x 60 = 7776000 seconds.
Total number of attempts possible in 3 months = 77760000000000 (because it is executing at 100 million instructions per second)
Every possible character can have 62 combinations (i.e., 26 lowercase letters + 26 uppercase letters + digits 0 to 9)
So the possible attempts for passwords of different lengths:
62^3 = 238328 (for 3 characters)
62^6 = 56800235584 (for 6 characters), which is < 77760000000000
62^7 < 77760000000000 (so it won't work for 7 characters/numbers either)
62^8 = 218340105584896 (for 8 characters), which is > 77760000000000
So the password should be a minimum of 8 characters, as it can stay protected for at least 3 months, and later the user can change it again.
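The calculation in the answer above, as an added Python example that is not part of the original answer. It goes beyond the answer by also reporting the average-case search time and the case where the attacker tries every shorter length first. The function names are hypothetical, and 3 months is taken as 90 days as in the answer.

```python
# Added example: brute-force time estimate from the question's figures.
INSTR_PER_SEC = 100_000_000         # processor speed given in the question
INSTR_PER_GUESS = 10                # cost of one password test, from the question
ALPHABET = 62                       # 26 lower + 26 upper + 10 digits, as in the answer
WINDOW_SECONDS = 90 * 24 * 60 * 60  # 3 months taken as 90 days, as in the answer


def guess_budget(seconds=WINDOW_SECONDS, ips=INSTR_PER_SEC, per_guess=INSTR_PER_GUESS):
    """Number of passwords the attacker can test in the given time."""
    return (ips // per_guess) * seconds


def keyspace(length, alphabet=ALPHABET, include_shorter=False):
    """Candidates of exactly `length`, or of every length from 1 to `length`."""
    if include_shorter:
        return sum(alphabet ** k for k in range(1, length + 1))
    return alphabet ** length


def min_length(budget, alphabet=ALPHABET, include_shorter=False, average_case=False):
    """Shortest length whose search cost exceeds the attacker's budget.

    average_case=True assumes the password is found after half the keyspace.
    """
    length = 1
    while True:
        cost = keyspace(length, alphabet, include_shorter)
        if average_case:
            cost //= 2
        if cost > budget:
            return length
        length += 1


def days_to_search(length, alphabet=ALPHABET, average_case=False,
                   ips=INSTR_PER_SEC, per_guess=INSTR_PER_GUESS):
    """Days needed to search the exact-length keyspace (or half of it)."""
    guesses = keyspace(length, alphabet)
    if average_case:
        guesses /= 2
    return guesses / (ips / per_guess) / 86_400


if __name__ == "__main__":
    budget = guess_budget()
    print(f"guesses possible in 90 days: {budget}")
    print(f"minimum length: {min_length(budget)}")
    for n in (6, 7, 8, 9):
        print(f"{n} chars: full search {days_to_search(n):10.2f} days, "
              f"average {days_to_search(n, average_case=True):10.2f} days")
```

At 8 characters the average-case search takes about 126 days, so the margin over the 90-day window is narrow.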