running Linux on odd devices is SOOO COOL!

Kurt Granroth kurt+plug-discuss at granroth.com
Sun Nov 15 14:53:27 MST 2009


On 11/15/09 10:56 AM, Alex Dean wrote:
> Kurt : Is that "28 trillion hours" figure you cited the estimated time
> to try *all* 12 character passwords? If so, I think that's not the right
> metric. The search for a password stops once you've found the correct
> one, and you'd only try them all if the correct password is the very
> last one you tried. It'd be helpful to know something like "I'm able to
> attempt 95% of all 12 character passwords after 28 trillion hours". If
> the password is truly a random string of junk, it's perfectly possible
> (just phenomenally unlikely) that you'll guess it on the 1st try.

Any figures cited regarding brute force attacks are necessarily the 
worst case scenario.  That is, if you had to go through the entire 
solution set, how long would it take?

Obviously, any real attack would take some amount of time less than 
that.  You could even guess it completely by accident on the first try 
making the "28 trillion hours" estimate come out to "less than one 
second" for that password.

The reason that the upper figure is always quoted, though, is that is 
the only one that matters if you are going to try to brute force a 
password.  Since it *can* take that long, you must assume that it *will* 
take that long or else you are being foolishly optimistic.  The odds are 
solidly in favor of it taking very close to that amount of time.
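The two readings of a brute-force figure discussed in this thread (time to exhaust the keyspace versus time to have covered a given fraction of it), worked through as an added example that is not code from the thread. It assumes a 95-character printable ASCII alphabet and a constructed guess rate, and a small simulation shows how the time-to-find is distributed when the password is a uniformly random string.

```python
import itertools
import random

PRINTABLE_ASCII = 95  # assumption: the thread does not say which alphabet the figure used


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def worst_case_hours(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Time to try every candidate; this is the figure usually quoted."""
    return keyspace(alphabet_size, length) / guesses_per_second / 3600


def hours_to_coverage(alphabet_size: int, length: int,
                      guesses_per_second: float, coverage: float) -> float:
    """Time after which a fraction `coverage` of the keyspace has been tried.

    For a uniformly random password the chance it has been found by then is
    exactly `coverage`, so 0.5 gives the median and 0.95 the 95th percentile.
    """
    if not 0 < coverage <= 1:
        raise ValueError("coverage must be in (0, 1]")
    return coverage * worst_case_hours(alphabet_size, length, guesses_per_second)


def simulate_brute_force(alphabet: str, length: int, trials: int, seed: int = 1) -> dict:
    """Monte Carlo check on a toy keyspace: draw a random target, enumerate
    candidates in a fixed order, stop at the match, and record the fraction
    of the keyspace tried.  Returns the mean fraction and the share of trials
    that finished within 95% of the worst case."""
    rng = random.Random(seed)
    n = len(alphabet) ** length
    fractions = []
    for _ in range(trials):
        target = "".join(rng.choice(alphabet) for _ in range(length))
        guesses = 0
        for cand in itertools.product(alphabet, repeat=length):
            guesses += 1
            if "".join(cand) == target:
                break
        fractions.append(guesses / n)
    return {"mean_fraction": sum(fractions) / trials,
            "found_within_95pct": sum(f <= 0.95 for f in fractions) / trials}


if __name__ == "__main__":
    rate = 5.36e6  # constructed rate: roughly what makes 95^12 take 28 trillion hours
    print("worst case (h):", worst_case_hours(PRINTABLE_ASCII, 12, rate))
    print("95% coverage (h):", hours_to_coverage(PRINTABLE_ASCII, 12, rate, 0.95))
    print(simulate_brute_force("0123456789", 3, 2000))
```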
