Sampo A Syreeni wrote:
> 
> On Thu, 31 Aug 2000, Tom Vogt wrote:
> 
> >> would put it at about 26^3200, which is on the order of 2^12000. Go
> >> ahead, I await your method of brute forcing that.
> >
> >yes, but would you TYPE 3200 characters every morning to log in?
> 
> Besides, it is quite likely that such long passwords would actually be taken
> from known texts. It is relatively easy to track what texts a given
> adversary is likely to have read, obtain them in electronic form and run a
> brute force based on that. That would usually bring us far below
> O(2^12000).

You're right, the work level would be far below 2^12000. Maybe, by
careful research on your target's reading habits, you could get the
work level down to 2^2000. (I'm pulling the number out of my ass, but
it suffices for this level of discussion.)

I used to work for a full-text indexing company. (So I can argue from
a position of authority, and you can't dispute anything I say. ;-) )
The problem of indexing and matching text is not a hard problem in the
mathematical sense, but it quickly becomes computationally gruesome.
Yes, Moore's law continues to work on processors, and storage space is
dropping in price even faster than are MFLOPs, but there's still an
awful lot of text out there which _could_ be memorized and used as a
pass phrase. And the simple expedient of replacing an ell with a one
would trash the usefulness of your text database.

For myself, I often use as pass phrases memorized phrases from
literature. Which ones? Well, I read four languages, and I do the
number/letter and symbol/letter substitutions, so I feel secure even
revealing that clue.

-- 
Steve Furlong, Computer Condottiere     Have GNU, will travel
   518-374-4720     [EMAIL PROTECTED]

