Brute forcing a 7 digit, mixed case, alphanumeric password, with special characters takes a little more than 33 days.
Simply adding 1 character to the end increases the time to brute force to almost 7 years.
If you knew the password formula, you could skip every possible password of 7 characters or fewer, which would save you 33 days of brute forcing.
But you'd still be looking at almost 7 years to brute force the 8 character password space.
(I used Generic Salted SHA-1 on this page for the time estimates, but of course they'll vary in the real world based on access to hardware: http://calc.opensecurityresearch.com)
It's also worth mentioning that brute forcing is only practical when trying to extract passwords from their hashed form. The latency of the Internet makes brute forcing a login form directly impractical.
Not even. Just the fact that it might take a couple hundred milliseconds for the round trip per password is enough to make running through every possible 8 character password take an unreasonably large amount of time.
There are 1,127,875,251,287,708 possible 8 character passwords. On average, you'll need to try 50% of them before getting the right one. That means you'll need to try 563,937,625,643,854 passwords.
So even if each guess only took 5 milliseconds, it'd require on average 2,819,688,128,219,270 milliseconds or 89,411.72 years to brute force the password.
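As an added illustration of the arithmetic in the comments above (not code posted by anyone in the thread), this computes the keyspace, the share of candidates a known minimum length lets you skip, and the expected time at an online versus an offline guess rate. The 95-character alphabet and the guess rates are assumptions, so the figures differ from those quoted.

```python
# Assumed alphabet: 26 lower, 26 upper, 10 digits, 33 printable ASCII symbols.
CHARSET_SIZE = 26 + 26 + 10 + 33  # 95

SECONDS_PER_YEAR = 365.25 * 86400


def keyspace(length: int, alphabet: int = CHARSET_SIZE) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet ** length


def cumulative_keyspace(max_length: int, min_length: int = 1,
                        alphabet: int = CHARSET_SIZE) -> int:
    """Candidates of every length from min_length to max_length inclusive."""
    return sum(keyspace(n, alphabet) for n in range(min_length, max_length + 1))


def fraction_skipped(max_length: int, alphabet: int = CHARSET_SIZE) -> float:
    """Share of the 1..max_length space removed by knowing the password
    is exactly max_length long (the 'skip 7 and shorter' point above).
    Because each extra character multiplies the space by the alphabet
    size, the shorter lengths together are only about 1/alphabet of it."""
    total = cumulative_keyspace(max_length, 1, alphabet)
    return 1 - keyspace(max_length, alphabet) / total


def expected_years(candidates: int, guesses_per_second: float) -> float:
    """Average time to hit the right password: on average half the
    space must be tried at the given sustained guess rate."""
    return candidates / 2 / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    space8 = keyspace(8)
    print(f"8-char keyspace: {space8:,}")
    print(f"growth from 7 to 8 chars: x{space8 // keyspace(7)}")
    print(f"skipped by knowing length is 8: {fraction_skipped(8):.2%}")
    # Assumed online rate: one guess per 5 ms round trip = 200/s.
    print(f"online (200/s): {expected_years(space8, 200):,.0f} years")
    # Assumed offline rate against fast hashes: 1e10 guesses/s.
    print(f"offline (1e10/s): {expected_years(space8, 1e10) * 365.25:.1f} days")
```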
I dunno - it's pretty clear to anyone who's taken a security class, I think.
Attackers don't get in by cycling through and brute forcing a given user's uncommon password. The search space is still infeasible even with the minor additional restrictions.
Attackers do get in by cycling through users and finding one with a common password ("password1", etc.). Adding these restrictions reduces the likelihood of one of these being found because each user tends to have their own way of following the restrictions. Password entropy overall is increased leading to a safer system.
Now obviously, having too many restrictions can cause passwords to end up on post-it notes near monitors so it is a balance. But "reducing the search space" is definitely not a valid criticism of these restrictions.
Does it? I mean, does it eliminate so many possibilities that it would actually matter to a brute force attempt to crack a password (given how many passwords/second can be attempted)?
47
u/Sander071 Mar 08 '16
This actually makes brute forcing easier since a whole lot of combinations can be eliminated straight away.