A dictionary attack to get "correcthorsebatterystaple" would consider about 200,000^4 combinations of words. How long would that take?
The answer is in the picture. It is not 200,000^4 combinations because those words are so common. If you look at his numbers, he is only claiming 11 bits of randomness per word, which means a dictionary of about 2000 words. 44 bits of randomness altogether. 550 years at 1000 guesses per second. In practice they can be a million times faster. It's only 5 hours at a billion guesses a second, and if they have a big cluster of GPUs or a botnet they could be hundreds of times faster than that.
Upshot is that 4 random words, 44 bits, isn't enough nowadays. It's better than Tr0ub4dor&3, but that's not saying much.
It would actually be more combinations than that because the hack doesn't know how many words to consider (e.g., 1 word or 9 words?)
That doesn't make as much difference as you might expect. Checking all one word passwords, then all two word, then all three word, doesn't take much longer than checking all three word passwords because there are 2000 times as many three word passwords as two word ones.
Previous Topic
Index
