Crypticide III(a): Number of passwords

Due to time constraints, I am going to have to split this week’s
Crypticide posting into two parts - I have a lot going on at work, and
this weekend likewise, so I will cut down to the meat of the matter
and then dress it up with some finesse in the next few days.


As I implied in Crypticide I, my attempt to kill the Unix crypt()
algorithm has been going on for over 13 years now. A few more weeks
won’t make much difference.


So, consider the figure of “6.7 trillion” as computed here:

1+95^1+95^2+95^3+95^4+95^5+95^6+95^7+95^8 =
6,704,780,954,517,121 decimal =
17,d1f6,7717,3e81 hex =
10111,11010001,11110110,01110111,00010111,00111110,10000001 binary

…the number occupies 7 bytes; it fits comfortably within a 64 bit
word, leaving at least 8, if not 10 or 11 bits spare, to play with for
other encoding purposes.


Alas, that is the number of plaintext passwords that we computed last
week, on the assumption of using the 95 typeable keyboard characters
in standard ASCII. As previously stated, I recognise that it is no
longer a cast-iron certainty that people’s passwords are entirely
composed of 7-bit ASCII, but it’s a pretty good assumption for a
significant portion of the world’s computing userbase.


In short: it’s a good enough assumption that it can bite, painfully.


Now: let’s think around some of the implications of this math.


First, think of this in terms of storage requirements. In calculating
how many passwords exist (6.7 trillion) we have also (excluding
metadata) computed approximately how much storage is needed to create
a dictionary that contains every possible password:

95^0 = 1 (one, zero-length password; 1 byte, or specialcase it)
95^1 = 95 (95, 1-char passwords, 95 bytes)
95^2 = 9025 (9025, 2-char passwords, (9025*2) bytes = 18050 bytes)

So, following that math:

((95^1)*1)+((95^2)*2)+((95^3)*3)+((95^4)*4)+((95^5)*5)+((95^6)*6)+((95^7)*7)+((95^8)*8)
53,566,920,179,174,020

which is this much storage:

53566920179174020 / (1024^4)
48,718

About 49,000 Terabytes. That sounds like an awful lot, doesn’t it?
Enough to be secure even in this day and age?
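The two sums above (the count of all passwords of length 0 to 8 over 95 characters, and the bytes a dictionary holding every one of them would occupy) are easy to get subtly wrong by hand, so here is an added example, written for this edit and not part of the original post or of the Crypticide project, that recomputes them in Python with arbitrary-precision integers. The alphabet size and maximum length are parameters (95 and 8 are the post's assumptions), and the bit-width report reproduces the "7 bytes, 11 bits spare in a 64-bit word" observation rather than eyeballing the binary string.

```python
# Added example (not from the original post): recompute the Crypticide
# figures for passwords drawn from the 95 printable ASCII characters,
# lengths 0..8, and the storage a dictionary of all of them would need.
# Alphabet size and maximum length are parameters so the same arithmetic
# can be rerun for other assumptions (e.g. a 62-character alphabet).

TIB = 1024 ** 4  # bytes per tebibyte, the divisor used in the post


def keyspace_size(alphabet: int = 95, max_len: int = 8) -> int:
    """Distinct passwords of length 0..max_len: the sum of alphabet**k."""
    return sum(alphabet ** k for k in range(max_len + 1))


def dictionary_bytes(alphabet: int = 95, max_len: int = 8) -> int:
    """Bytes to store every password back to back with no separators or
    metadata: each of the alphabet**k passwords of length k costs k bytes."""
    return sum(k * alphabet ** k for k in range(1, max_len + 1))


def per_length_table(alphabet: int = 95, max_len: int = 8) -> list:
    """(length, count, bytes) rows, one per length, like the 95^0..95^2 lines."""
    return [(k, alphabet ** k, k * alphabet ** k) for k in range(max_len + 1)]


def encoding_report(n: int, word_bits: int = 64) -> dict:
    """How the count packs into a machine word: bits used, whole bytes
    needed, and the bits left over in a word_bits-wide word."""
    bits = n.bit_length()
    return {
        "decimal": f"{n:,}",
        "hex": f"{n:x}",
        "binary": f"{n:b}",
        "bits_used": bits,
        "bytes_needed": (bits + 7) // 8,
        "spare_bits": word_bits - bits,
    }


def storage_tib(nbytes: int) -> int:
    """Whole tebibytes, truncated the way bc truncates with scale=0."""
    return nbytes // TIB


if __name__ == "__main__":
    total = keyspace_size()
    rep = encoding_report(total)
    print(f"passwords (0..8 chars over 95 symbols): {rep['decimal']}")
    print(f"  hex {rep['hex']}  bits used {rep['bits_used']}  "
          f"bytes {rep['bytes_needed']}  spare bits {rep['spare_bits']}")
    for k, count, nbytes in per_length_table():
        print(f"  len {k}: {count:>22,} passwords, {nbytes:>22,} bytes")
    size = dictionary_bytes()
    print(f"dictionary size: {size:,} bytes = {storage_tib(size):,} TiB")
```

Running it prints the same 6,704,780,954,517,121 count, the hex value 17d1f677173e81 (53 bits, so 7 bytes with 11 bits of a 64-bit word to spare) and the 48,718 TiB dictionary size; changing the default arguments shows how quickly both figures move when the alphabet or length assumption changes.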


The thing is, you don’t need to do that. More later.


For those of you who want to experiment with the maths, I
recommend the Unix arbitrary precision calculator /usr/bin/bc,
as available on most Unix flavours; I am writing this article on an
Apple iBook and am using bc with its ibase and obase
converters to produce most of the maths for this series of articles,
pasting the computation directly into the window and merely adding
commas for clarity. Hopefully this reduces the risk of typos, etc.,
going unspotted.



Creative Commons License
This work is licensed under a Creative Commons License.