Sequences of passwords are tried against a system or password
repository in order to find a valid authentication. Examples include
running the program "crack" on a stolen password file, guessing passwords on
network routers and PBX switches, and using well-known maintenance passwords
to try to gain entry.
Complexity: Password guessing has been analyzed in painstaking detail by
many researchers. In general, the problem is as hard as guessing a string
from a language chosen by an imperfect random number generator [Cohen85].
The complexity of the attack depends on the statistical properties of the
generator. For most human languages there are about 1.2 bits of information
per symbol [Shannon49], so for an 8-symbol password we would expect about
9.8 bits of information and thus an average of about 500 guesses before
success. Similarly, at 2 attempts per user name (many systems use thresholds
of 3 bad guesses before reporting an anomaly) we would expect entry once
every 250 users. For 8-symbol passwords chosen uniformly and at random from
an alphabet of 100 symbols, 5 quadrillion guesses would be required on
average.
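The following is an added example, not code from the original paper: it carries the entropy arithmetic above through as functions, and shows why a per-account threshold of 3 bad guesses misses an attacker who spends 2 attempts per user name, by also counting distinct user names per source. The log format, field names and IP addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Average guesses before success for a password of `length` symbols drawn
# from a source with `bits_per_symbol` of entropy: on average half of the
# 2**H space is searched (the estimate used in the text above).
def expected_guesses(bits_per_symbol: float, length: int) -> float:
    entropy_bits = bits_per_symbol * length
    return 2 ** entropy_bits / 2

# Expected number of user names tried before one succeeds when the attacker
# spends a fixed `attempts_per_user` budget under the lockout threshold.
def expected_users_until_entry(bits_per_symbol, length, attempts_per_user):
    return expected_guesses(bits_per_symbol, length) / attempts_per_user

# Constructed auth-log sample (hypothetical format, not from the page):
# "<time> auth: FAIL user=<name> src=<ip>".
SAMPLE_LOG = """\
10:00:01 auth: FAIL user=alice src=203.0.113.7
10:00:02 auth: FAIL user=alice src=203.0.113.7
10:00:05 auth: FAIL user=bob src=203.0.113.7
10:00:06 auth: FAIL user=bob src=203.0.113.7
10:00:09 auth: FAIL user=carol src=203.0.113.7
10:00:10 auth: FAIL user=carol src=203.0.113.7
10:00:12 auth: FAIL user=dave src=198.51.100.4
10:00:13 auth: FAIL user=dave src=198.51.100.4
10:00:14 auth: FAIL user=dave src=198.51.100.4
"""

LINE_RE = re.compile(r"auth: FAIL user=(\S+) src=(\S+)")

# Two detections side by side: the classic per-account threshold (3 bad
# guesses) and a per-source count of distinct user names, which is what
# flags a source that stays at 2 attempts per account.
def detect(log_text, per_user_threshold=3, distinct_users_threshold=3):
    fails_per_user = defaultdict(int)
    users_per_src = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        user, src = m.groups()
        fails_per_user[user] += 1
        users_per_src[src].add(user)
    locked = sorted(u for u, n in fails_per_user.items() if n >= per_user_threshold)
    sprayers = sorted(s for s, us in users_per_src.items()
                      if len(us) >= distinct_users_threshold)
    return locked, sprayers
```

In the constructed sample, only "dave" trips the per-account threshold, while the source 203.0.113.7 never does and is caught only by the distinct-user-name count.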
fc@red.a.net