On Sun, 2009-11-15 at 13:22 -0700, Robert Holtzman wrote:
> I was just about to comment on this. You beat me to it. In all the
> different material I've read, everyone is fond of saying it would
> take of years to break a strong password.
>
> Statistically the odds of the first try being successful are not, as you
> pointed out, zero and increase with each combination. Granted, it would
> still take a hell of a long time but not the years
> people always claim.

On top of that, people don't take into account how exponential inventions reduce that time dramatically.

Okay, let's say it takes 300,000 years to crack a password. That's 1 system...running for 300,000 years. Now, use the SETI project with distributed computing and hide it inside of a "useful" application. Do you really think it will take long to get 1 million downloads? So, 1 million downloads...your distributed password cracking application is now deployed and people allowed it to connect and bypass all firewalls because, well, it was trusted. So, 1 million systems doing a 300,000 year task. What does that equate to? Now think of what would happen if you got 2 million, 4 million, and 8 million computers? In short time, you can crack that password in 1 hour.

NOW, what if you made a business out of cracking passwords for the bad guys? 24 passwords per day...selling at $3,000 a password...think about how good of a life you can have making $26,280,000 / year for writing a piece of software? Do you really think it will be hard to pay off a couple network administrators to mask your IP? Say you pay them 50k each and you need 20 of them...that's only $2mil you give up a year. You're still netting $24 mil. You do it for one year, you never work again.

Just think of the scenario...and remember, humans are the weakest link in the whole chain.

Oh, and the scary part...reduce that price per password to $300.00...you make less money, but you just increased your client base immensely. It's a scary thought.

BUT, ultimately, all this does is make people think "Then what good is it to fight? I'll just leave admin/admin as my router password. No use in trying to beat it."

---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss