# How Many Permutations Make a Password Effectively Impossible to Brute Force Calculate?

#### Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

•  Subject
• Author
• Posted on
If you construct a password from smallcase letters, you effectively have 24
permutations per character.   If you construct a password from uppercase and
lowercase and add in 10 number digits, you increase that to 58 permutations
per character in the password.     That ends up making a big difference in
the number of permutations needed to guess a password of - for example - 14
digits (i.e., 24^14 versus 58^14).

How many permutations effectively make it impossible - with modern
computers - to brute force calculate a password?

--
W

## Re: How Many Permutations Make a Password Effectively Impossible to Brute Force Calculate?

On 3/13/2011 5:27 PM, W wrote:

24?

## Re: How Many Permutations Make a Password Effectively Impossible to Brute Force Calculate?

24

26 in English alphabet sorry.

--
W

## Re: How Many Permutations Make a Password Effectively Impossible to Brute Force Calculate?

Wrong word. That is not "permutations", that is "choices" A permutation
is a rearrangement of a given string. You are not rearranging some given
set but are selecting out of an alphabet (26 characters) for each
position.

## Re: How Many Permutations Make a Password Effectively Impossible to Brute Force Calculate?

Depends on how long you are willing to spend.

## Re: How Many Permutations Make a Password Effectively Impossible to Brute Force Calculate?

24
and
permutations
in
14

I don't think that's quite correct.      At a certain number of
permutations, even 10K computers couldn't brute force the password in 10
years, working 24x7.

I'm trying to objectify this.   So "depends" isn't a useful answer.

--
W

## Re: How Many Permutations Make a Password Effectively Impossible to Brute Force Calculate?

I am not a cryptologist, but I think an exact answer would require exact
values for "modern computers", both in terms of quantity and performance.
Does the attacker have access to a couple of PCs, to a botnet grid or to
the combined supercomputer capacity of several Western governments?

You are probably familiar with the results e.g. distributed.net has
achieved.

--
Thor Kottelin
http://www.anta.net /

## Re: How Many Permutations Make a Password Effectively Impossible to Brute Force Calculate?

The attacker has 10K Intel 3GHz quad core computers.

No I am not.

--
W

## Re: How Many Permutations Make a Password Effectively Impossible to Brute Force Calculate?

But they might be if you spend 10000000 years.

## Re: How Many Permutations Make a Password Effectively Impossible to Brute Force Calculate?

First, you have to learn basic concepts.  English has unique 26 letters,
using upper/lower and digits gives 62 possibilities.  Add in punctuation
symbols, and you have a minimum of 94 possibilities (assuming you limit
things to the 7-bit ASCII set).

Next, you have to define 'how long' constitutes 'effectively make it
impossible'.

To 'brute force' a password means to repeatedly try various possibilities
until one succeeds.

HOW LONG does it take to try -one- password and determine success/failure,
for the system you are trying to break into?

Take the time period you have defined as 'effectively impossible', divide
by the time it takes to do _one_ possibility.  Now, _double_ that number;
that is the number of 'possibilities' you need to have for possible
passwords.  Assuming you only have _one_ machine to try cracking with.
Scale up the 'possibilities' required, by the total number of machines
available.

"A numerical answer is left as an exercise for the student."

hints:

Putting together distributed networks consisting of a quantity of machines
that requires a 6 (or 7) digit number to express is relatively trivial
in today's world.

A high-end commodity PC is probably able to to a million+ password
calculations per second.  Without considering purpose-built hardware, which
has performance several orders of magnitude higher.

Add another 5 orders of magnitude to account for seconds in a day.

Effectively impossible is "how many" days?

## Re: How Many Permutations Make a Password Effectively Impossible to Brute Force Calculate?

No, that is a bad overestimate of the number of password attempts per
second, by at least 1000 or more likely even more.
The password algorithm is not simply a single MD5 or des. It is
deliberately designed to slow things down.

## Re: How Many Permutations Make a Password Effectively Impossible to Brute Force Calculate?

[...]

People seem to forget that each trial password must be verified to
password hashes, you need to attempt authentication to verify each
password.  That's always the slowest step.  As well, millions of
authentications will likely be noticed!

--
-Gary Mills-        -Unix Group-        -Computer and Network Services-