========
Newsgroups: alt.security.pgp
Subject: Password Cracking
From: youwish@aol.com (youwish)
Date: Sat, 27 Jan 1996 11:15:25 GMT

The most vulnerable part of any encryption method is the user's password. Horror stories abound of people using their names or birthdays or five-letter words to protect their valuable data.

Some statistics on how many combos are created by different length passwords using different character sets:

6 digit password: upper case and lower case letters : 19.7 billion
6 digit password: upper/lower case + numbers : 56.8 billion
6 digit password: all possible ASCII char : 281 trillion
10 digit pw: upper/lower case letters : 141 trillion
10 digit pw: upper/lower + numbers : 839,299 trillion
10 digit pw: all possible ASCII char : 1 trillion trillion

These all look like very large numbers, but consider that a cheesy program to crack passwords on zip files can search 180,000 combos/sec, and you will see that a 10 digit password with letters and numbers should be about minimum. Expect that anyone who is serious about getting your data will have the ability to search at least 100 million possible passwords per sec. At that rate, cracking a ten digit password using any of the 256 ASCII characters will take about 300 million years, by which time your data should be unimportant.

No plain English or foreign words, whether they are spelled backwards or have weird capitalisations. There are cracking programs that easily get around that.

Here are some examples of good passwords...

D@F3dzsuCK
1>:(Bit3zz

Bad passwords:

joe
vampire
11675
erIpMav
kiJgh
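
Added example (not part of the original post): a password acceptance check built from the post's own rules, namely at least 10 characters, mixed-case letters plus digits as the smallest character set, and no dictionary words even when reversed or oddly capitalised. The word list is a constructed sample, the function names are hypothetical, and the 100 million guesses/sec rate and the 256-character set are the post's figures.

```python
import string

# Constructed sample word list (assumption); a real check loads a full dictionary.
WORDLIST = {"joe", "vampire", "password", "secret"}
GUESSES_PER_SEC = 100_000_000      # attacker search rate quoted in the post
MIN_LENGTH = 10                    # minimum length recommended in the post
MIN_CHARSET = 62                   # upper + lower + digits, the post's minimum
SECONDS_PER_YEAR = 365 * 24 * 3600

def charset_size(password):
    """Alphabet size implied by the character classes the password uses."""
    if any(c not in string.ascii_letters + string.digits for c in password):
        return 256                 # the post's "all possible ASCII char" figure
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    return size

def is_dictionary_variant(password):
    """True if the password is a listed word, ignoring case and direction."""
    folded = password.lower()
    return folded in WORDLIST or folded[::-1] in WORDLIST

def years_to_exhaust(password):
    """Worst-case years to try every string of this length and alphabet."""
    keyspace = charset_size(password) ** len(password)
    return keyspace / GUESSES_PER_SEC / SECONDS_PER_YEAR

def check(password):
    """Return the reasons to reject; an empty list means acceptable."""
    reasons = []
    if is_dictionary_variant(password):
        reasons.append("dictionary word or variant")
    if len(password) < MIN_LENGTH:
        reasons.append("too short")
    if charset_size(password) < MIN_CHARSET:
        reasons.append("character set too small")
    return reasons

if __name__ == "__main__":
    # The good and bad examples listed in the post.
    for pw in ["D@F3dzsuCK", "1>:(Bit3zz", "joe", "vampire", "11675", "erIpMav", "kiJgh"]:
        print("%-12s %-55s %.3g years" % (pw, check(pw) or "ok", years_to_exhaust(pw)))
```

The exhaustive-search estimate is only an upper bound on attacker effort: a word-list hit such as erIpMav falls in far fewer guesses, which is why the dictionary check is a separate rejection reason.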