On Nov 15, 2009, at 10:40 AM, Kurt Granroth wrote:

> I feel pretty safe with a protocol that would require longer than the age
> of the universe to crack! I would NOT consider that broken :-)

I think this is a pretty sane approach to things. You have to think about likely vs. unlikely, not possible vs. impossible. The fact that any password can be guessed eventually isn't the point. You just have to make it inconvenient enough for an attacker that they give up and go somewhere else. Obviously that calculus is different when the payoff for your cracking efforts is 'taking down a power grid' or 'launching a missile', instead of 'free wireless access'.

To me, if it's likely to take a cracker multiple years of concerted effort to break my wireless network, that's plenty for me.

Kurt: Is that "28 trillion hours" figure you cited the estimated time to try *all* 12 character passwords? If so, I think that's not the right metric. The search for a password stops once you've found the correct one, and you'd only try them all if the correct password is the very last one you tried. It'd be helpful to know something like "I'm able to attempt 95% of all 12 character passwords after 28 trillion hours". If the password is truly a random string of junk, it's perfectly possible (just phenomenally unlikely) that you'll guess it on the 1st try.

Thanks for an interesting discussion.

alex