The PKZip manual has a handy little table to explain password "hacking" time
for a brute force attack on their encryption key method of protecting a ZIP
file, at the rate of 10,000 keys attempted per second. This does not take
into account the expected value, dividing by two per Gavin and Wirt, and
would be pretty tricky to pull off on a console. Of course, for MPE, case
does not matter, so starting with the 26*36^(chars-1) calculation, what I came
up with is in the last column, provided for comparison's sake to the others
at the difficult rate of 10,000 attempts per second. I found it interesting
to compare just 26 chars with MPE standards of allowing numerics after the
first char. Good argument for long passwords with at least one
non-alphanumeric. I wonder if a future version of SECURITY/3000 (or even
MPE or HP Security Monitor) will allow longer passwords than eight chars?

key   26 chars    96 chars        256 chars            26*36^(chars-1)
len   (a-z)       (typable)       (all ASCII)          (MPE construct)
  3   2 secs      1 min           27 min               3.37 secs
  4   1 min       2.35 hrs        4 days               2.02 min
  5   19 min      9 days          3 yrs                1.21 hrs
  6   8.6 hrs     2 yrs           891 yrs              43.67 hrs
  7   9 days      238 yrs         2,283 Cs             65.51 days
  8   241 days    228 Cs          584,546 Cs           6.46 yrs
  9   17 yrs      21,945 Cs       149,643,989 Cs       2.33 Cs
 10   447 yrs     2,106,744 Cs    38,308,861,211 Cs    83.73 Cs
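
The arithmetic behind the table, as an added example (not part of the original post or the PKZip manual): it computes the full-search time for each character set at 10,000 guesses per second, and the expected time (half the keyspace) that the post notes the table leaves out. The function names, the 365-day year and the rule for choosing a unit are assumptions of this example, so a cell may print in a different unit than the table uses.

```python
RATE = 10_000  # guesses per second, the rate the post uses

# (choices for the first character, choices for each later character)
SCHEMES = {
    "a-z": (26, 26),
    "typable": (96, 96),
    "all ASCII": (256, 256),
    "MPE": (26, 36),  # letter first, then letters or digits, case ignored
}

# Assumption: 365-day years; "Cs" means centuries, as in the post's table.
UNITS = [("Cs", 100 * 365 * 86400), ("yrs", 365 * 86400),
         ("days", 86400), ("hrs", 3600), ("min", 60)]


def keyspace(length, first, rest):
    """Count passwords of exactly `length` characters."""
    return first * rest ** (length - 1)


def seconds_to_search(length, scheme, average=False):
    """Seconds to try every key, or half of them when average=True."""
    first, rest = SCHEMES[scheme]
    secs = keyspace(length, first, rest) / RATE
    return secs / 2 if average else secs


def humanize(secs):
    """Render seconds in the largest unit that gives a value of at least 1."""
    for name, size in UNITS:
        if secs >= size:
            return f"{secs / size:,.2f} {name}"
    return f"{secs:.2f} secs"


def table(lengths=range(3, 11), average=False):
    """One row per key length: (length, a-z, typable, all ASCII, MPE)."""
    return [(n, *(humanize(seconds_to_search(n, s, average)) for s in SCHEMES))
            for n in lengths]


if __name__ == "__main__":
    for label, avg in (("full search", False), ("expected (half)", True)):
        print(label)
        for row in table(average=avg):
            print("  {:>2}  {:>14}  {:>18}  {:>24}  {:>12}".format(*row))
```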