The speed, processing power, of the computer used to crack a password doesn't make any difference. The process is not CPU dependent and is simply the input of a simple list of logical guesses. As mentioned in the article the main limitation is the speed with guesses can be made. The two main limitations are the speed of the connection and any limitation placed on how many attempts can be made in any set amount of time by the securing system. The basics are as relevant now as they were in 2007.

Like I said, IGNORING THE SYSTEM. You're talking about a specific program that is cracking a password file. Not to mention, a program like that requires access to the machine in the first place, which would probably make it a pointless endeavor to recover passwords, you already have access to the data.

We could go on all day about specific circumstances where this works, and that doesn't. In the end, it doesn't help at all because most people will tend to form the opinion that it doesn't matter and they will keep using weak passwords.

You want a specific example where a 6 character password will work? Try and crack 256 (try 128 for that matter) bit AES where the key was hashed from a 6 character password. Never going to happen.

In the end, if you want true data security, authentication to prevent access to the system is not the answer. Encryption is the only thing that will prevent access to your data, and even that depends on the implementation of the algorithm itself (plenty of examples of encryption software with holes).

You don't need access to the system, you can gather the password hash over the network.
And yes a 6 charcter is pretty eacy to crack, 8, 10, 12, etc take longer but not all that much longer.

This is true for online password attacks, and not true for offline password attacks. Many systems are vulnerable to offline password attacks.

There are offline password attacks that do not depend on prior access to the system. There have also been ways to use unprivileged access to obtain hashed passwords, which can lead to successful privilege escalation attacks.



That's where policy, enforcement, security education and token-based authentication can help. I have customers who use and enforce strong password policies. In many cases it took significant effort to implement due to end-user resistance.



Cracking AES is exceptionally difficult and expensive, and likely to be infeasible for some time to come. But we weren't talking about encryption keys, we were talking about account passwords. These are frequently stored as hashes. While there are no hash-reversal attacks that I'm aware of, there are some good attack modalities. These attacks work a lot better with six character passwords than they do with longer passwords of roughly equivalent complexity.



Encryption plays a critical part of information security in many systems. As you say, most successful attacks against encryption work because of weak implementation rather than weak encryption (WEP being a notable counterexample).

Unfortunately encryption by itself does not result in secure systems. While I'd put software and configuration vulnerabilities ahead of authentication issues, weak authentication continues to pose a significant threat to information security. Data secured by strong encryption but weak authentication can be quite vulnerable.