HowTo: The Brute Force Attack
Heh, we all know what this is, right?
This attack, also known as the last-resort attack, tries every possible password within a mask (alpha/numeric + capitals, special chars, etc.). In theory, a brute force attack will always be successful since the rules for acceptable passwords must be publicly known, but as the number of possible passwords increases (with the length of the password, much like your telephone code), the time to crack, or "brute-force to the last combination", becomes an ever longer operation. Also, as length increases, the time to crack follows a rather exponential curve. For instance, the difference between a 20 char alphanumeric encrypted password and a 6 char encrypted password could be 100 years, even on some supercomputers.
The method is unlikely to be as practical as the dictionary attack for many reasons.
A common current length recommendation is 8 or more randomly chosen characters, combining letters, numbers and special characters. Systems which limit passwords to numeric characters only, or upper case only, and so exclude possible password character choices, make these attacks a cinch. Using longer passwords in most cases renders the password impractical to crack (it would take so many years that the user may arguably no longer exist, or the password has been changed, or the machine simply no longer exists!). Generic brute-force search techniques can be used to speed up the computation. But the real threat is likely to come from smart brute-force techniques that exploit knowledge about how people tend to choose passwords. NIST SP 800-63 (2) provides further discussion of password quality and suggests, for example, that an 8-character user-chosen password may provide somewhere between 18 and 30 bits of entropy, depending on how it is chosen.
This number is far less than what is generally considered to be safe for an encryption key.
How small is too small thus depends partly on the attacker's ingenuity and resources (e.g. available time, computer power, etc.). Most commonly used hashes can be implemented using specialized hardware, allowing faster attacks. I spoke a bit about this in my MD5 Cracking HowTo, featured earlier this month of September.
The distinction between guessing, dictionary and brute force attacks is not strict. They are similar in that an attacker goes through a list of candidate passwords one by one; the list may be explicitly enumerated or implicitly defined, may or may not incorporate knowledge about the victim, and may or may not be linguistically derived (a real Oxford dictionary word).
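To put numbers on the keyspace argument above, here is an added example (not code from the original post) that compares the character-set restrictions the text mentions and shows how short the NIST 18 to 30 bit range is in practice. The guess rate of 10^9 per second and the 80-bit target are assumptions chosen for illustration, and all function names are hypothetical.

```python
import math

# Character-set sizes for the kinds of password policy the text mentions.
CHARSETS = {
    "digits only": 10,
    "upper case only": 26,
    "alphanumeric": 62,
    "printable ASCII": 94,   # letters, digits and special characters
}
SECONDS_PER_YEAR = 365.25 * 24 * 3600
ASSUMED_GUESSES_PER_SECOND = 1e9   # assumption, not a figure from the article
ASSUMED_TARGET_BITS = 80           # assumption: illustrative strength target

def keyspace(charset_size, min_len, max_len=None):
    """Number of candidate passwords of length min_len..max_len."""
    max_len = min_len if max_len is None else max_len
    return sum(charset_size ** n for n in range(min_len, max_len + 1))

def entropy_bits(candidates):
    """Entropy in bits when every candidate is equally likely."""
    return math.log2(candidates)

def years_to_exhaust(candidates, rate=ASSUMED_GUESSES_PER_SECOND):
    """Worst-case time to try every candidate at a fixed guess rate."""
    return candidates / rate / SECONDS_PER_YEAR

def min_length_for_bits(charset_size, target_bits=ASSUMED_TARGET_BITS):
    """Shortest randomly chosen password over this charset reaching target_bits."""
    return math.ceil(target_bits / math.log2(charset_size))

def report(length=8):
    """One row per policy: (name, bits, years to exhaust, length needed)."""
    rows = []
    for name, size in CHARSETS.items():
        space = keyspace(size, length)
        rows.append((name, round(entropy_bits(space), 1),
                     years_to_exhaust(space), min_length_for_bits(size)))
    return rows

if __name__ == "__main__":
    for name, bits, years, need in report():
        print(f"{name:16s} {bits:5.1f} bits {years:10.3g} years, "
              f"{need} chars for {ASSUMED_TARGET_BITS} bits")
    for bits in (18, 30):  # NIST range for user-chosen 8-char passwords
        secs = years_to_exhaust(2 ** bits) * SECONDS_PER_YEAR
        print(f"user-chosen, {bits} bits: about {secs:.3g} seconds")
```

Run with a different `length` or guess rate to see how a proposed password policy holds up; the gap between the random-choice rows and the user-chosen rows is the point of the NIST estimate.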
Azio’s Computer Log » What Is DES and 3DES? said,
October 19, 2006 @ 8:26 pm
[...] Best public cryptanalysis: DES is now considered insecure because a brute force attack is possible (see EFF DES cracker). As of 2004, the best analytical attack is linear cryptanalysis, which requires 2^43 known plaintexts and has a time complexity of 2^39–43 (Junod, 2001); under a chosen-plaintext assumption, the data complexity can be reduced by a factor of four (Knudsen and Mathiassen, 2000). [...]