On 9/11/24 23:03, Chris Green wrote:
No, it's impossible to get back to the password from the 'scrambled'
string.  The **only** way to validate your password is to encrypt the
password you enter and then compare the result with the 'scrambled'
string.

In particular the only way to discover a password is to 'brute force'
it by trying zillions of possible passwords until one, when encrypted,
produces the required 'scrambled' string.
Well, in a fashion.  Given the size of disk drives all one needs to do is pre-compute all possible scrambles of strings up to a certain size.  I think the current estimate is that this has been done for all strings up to (maybe including) 8 characters long.

Then all you do is look up the scrambled value and see what string (or in some cases, set of strings) pre-computes to that value.

Which is why most sites now want a password of at least 8 characters.

More relevant to the original question is that it's even more
difficult to break encryption like the above when the 'password' that
you're trying to obtain is actually a large chunk of text.  Even if
you happen to know it's (say) 1000 characters long brute forcing it is
quite impossible.

The current number of printable characters is 95 per position.  So all possible 8 character strings is 95^8 -- about 6 PB. Not trivial but much better than brute forcing.  Which is why my minimum password length is way longer than that!

Recently ran into a bank that had a max length much shorter than my personal limit.  They are no longer in business -- I doubt my
complaint had much to do with their merger!

BTW, who remembers a 1000 character password anyway!  I know, use a password manager -- but then you have to trust that it is secure.
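
Added example (not part of the original message): a toy Python sketch of the precomputed-lookup idea discussed in this thread, and of how a per-password random salt with a slow key-derivation function makes such a table useless to whoever holds it. The 3-character lowercase alphabet, the function names and the iteration count are assumptions chosen to keep the run small.

```python
import hashlib
import hmac
import itertools
import os
import string

PRINTABLE = 95  # printable characters per position, the figure used in the thread

def keyspace(length, alphabet=PRINTABLE):
    """Number of candidate strings of exactly `length` characters."""
    return alphabet ** length

def unsalted(pw):
    """Fast, unsalted digest: the same password always yields the same value."""
    return hashlib.sha256(pw.encode()).hexdigest()

def build_table(alphabet, max_len):
    """Precompute digest -> string for every string up to max_len (toy scale)."""
    table = {}
    for n in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            s = "".join(chars)
            table[unsalted(s)] = s
    return table

def salted(pw, salt=None, iterations=100_000):
    """Per-password random salt plus a slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)

def verify(pw, salt, stored, iterations=100_000):
    """Validation still works the way the thread describes: recompute and compare."""
    return hmac.compare_digest(salted(pw, salt, iterations)[1], stored)

def demo():
    table = build_table(string.ascii_lowercase, 3)  # 26 + 676 + 17576 entries
    hit = table.get(unsalted("cat"))                # unsalted value: direct lookup
    salt, stored = salted("cat")                    # constructed sample password
    miss = table.get(stored.hex())                  # salted value: not in the table
    return len(table), hit, miss, verify("cat", salt, stored)

if __name__ == "__main__":
    for n in (8, 12, 16):
        print(f"{n} chars: {keyspace(n):.3e} candidate strings")
    print(demo())
```

Because the salt differs for every stored password, a table would have to be rebuilt per salt, which removes the advantage of precomputing it once.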