Reply to post:

Father of Unix Ken Thompson checkmated: Old eight-char password is finally cracked

dajames Silver badge

My ISP assigns passwords - with no option to make your own strings. They use a random combination of about six short-ish words. How effective is a brute force approach for guessing those?

Is this RFC2289? That, as written, uses six words from a dictionary of 2048 to represent six groups of 11 bits that encode a 64-bit number (with a bit of juggling to get 66 bits from 64).

If so, there are 2^66 possible different combinations of words, of which only 2^64 are actually used.

RFC2289 is quite old, now. It describes using MD4, MD5, or SHA-1 digest algorithms in a password generation function. Given the general weakness of passwords I would think that RFC2289 with SHA-1 would still be regarded as better than a user-chosen password, but one could update the algorithm to use a better hash function -- but then one would probably want to use more than 64 bits of the digest output, and so would end up with more than six words in the password.
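The bit layout described in the comment above, as an added example that is not part of the original post: a 64-bit value plus a 2-bit checksum packed into six 11-bit groups, with an estimate of the resulting guessing space. It emits dictionary indices (0 to 2047) rather than words because the RFC 2289 word list is not reproduced here; the function names are illustrative, and the checksum follows my reading of RFC 2289 (sum of the 32 two-bit pairs, low two bits kept).

```python
import math

WORD_BITS = 11   # a 2048-word dictionary carries 11 bits per word
NUM_WORDS = 6    # 6 * 11 = 66 bits: 64 bits of key + 2 checksum bits


def checksum2(key: int) -> int:
    """Sum the 32 two-bit pairs of the 64-bit key and keep the low 2 bits."""
    return sum((key >> shift) & 0b11 for shift in range(0, 64, 2)) & 0b11


def encode_indices(key: int) -> list[int]:
    """Map a 64-bit key to six dictionary indices, most significant first."""
    if not 0 <= key < 1 << 64:
        raise ValueError("key must fit in 64 bits")
    value = (key << 2) | checksum2(key)          # 66-bit value
    mask = (1 << WORD_BITS) - 1
    return [(value >> (WORD_BITS * i)) & mask
            for i in reversed(range(NUM_WORDS))]


def decode_indices(indices: list[int]) -> int:
    """Recover the key, rejecting sequences whose checksum bits do not match."""
    if len(indices) != NUM_WORDS or any(not 0 <= i < 1 << WORD_BITS for i in indices):
        raise ValueError("expected six indices in the range 0..2047")
    value = 0
    for idx in indices:
        value = (value << WORD_BITS) | idx
    key, check = value >> 2, value & 0b11
    if checksum2(key) != check:
        raise ValueError("checksum mismatch")
    return key


def guessing_bits(dictionary_size: int, words: int, checksum_bits: int = 0) -> float:
    """Bits of search space for uniformly random words, minus redundant bits."""
    return words * math.log2(dictionary_size) - checksum_bits


if __name__ == "__main__":
    sample_key = 0x0123456789ABCDEF              # constructed sample value
    idx = encode_indices(sample_key)
    print("indices:", idx, "round trip ok:", decode_indices(idx) == sample_key)
    print("search space:", guessing_bits(2048, NUM_WORDS, checksum_bits=2), "bits")
```

This only measures the size of the space when the words are chosen uniformly at random; a scheme that picks words any other way has less.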


Biting the hand that feeds IT © 1998–2019