Clarification of "Make Passwords Secure with the Crypto API" article


Michael Howard
01-15-2001, 08:54 PM
an article in VBPJ http://www.vbpj.com/upload/free/features/vbpj/2001/01jan01/da0101/da0101.asp

makes the following incorrect assertion:

"If a fast PC could try 1,000 encryptions per second (not an unreasonable
number given the math involved), it would take an average of about 17.5 years
to find the key"

the problem is this assumes that a user's key is evenly distributed across
the 128-bit keyspace, which is incorrect. most users have passwords comprised
only of a-zA-Z0-9 and some punctuation, the key size is not spread evenly
across the 128-bit keyspace, and as an attacker I would not check all values
between 0 and 2^128, rather I would check this much, much smaller keyspace.

Eli Allen
01-15-2001, 09:48 PM
What about the salt value added on to the alphanumeric string?
--
Eli Allen
eallen@bcpl.net

"Michael Howard" <mikehow@micosoft.com> wrote in message
news:3a639bd8$1@news.devx.com...
>
> an article in VBPJ
> http://www.vbpj.com/upload/free/features/vbpj/2001/01jan01/da0101/da0101.asp
>
> makes the following incorrect assertion:
>
> "If a fast PC could try 1,000 encryptions per second (not an unreasonable
> number given the math involved), it would take an average of about 17.5 years
> to find the key"
>
> the problem is this assumes that a user's key is evenly distributed across
> the 128-bit keyspace, which is incorrect. most users have passwords comprised
> only of a-zA-Z0-9 and some punctuation, the key size is not spread evenly
> across the 128-bit keyspace, and as an attacker I would not check all values
> between 0 and 2^128, rather I would check this much, much smaller keyspace.

Michael Howard
01-16-2001, 05:25 PM
a salt would certainly help

"Eli Allen" <eallen@bcpl.net> wrote:
>What about the salt value added on to the alphanumeric string?
>--
>Eli Allen
>eallen@bcpl.net
>
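To put numbers on both points raised in the thread (the password-derived keyspace against the nominal 128 bits, and what a salt does and does not buy), here is an added example that is not part of the original posts or of the VBPJ article. It uses PBKDF2-HMAC-SHA256 as a stand-in for the article's CryptoAPI key derivation (an assumption), and takes the 1,000 guesses per second rate from the article's own figure.

```python
import hashlib
import math
import os

SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Bits of keyspace for a password of `length` characters drawn from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def expected_years(bits: float, guesses_per_second: float) -> float:
    """Average exhaustive-search time: half the keyspace at the given guess rate."""
    return (2.0 ** bits / 2) / guesses_per_second / SECONDS_PER_YEAR


def derive_key(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 stands in for the article's CryptoAPI derivation (assumption);
    # the keyspace argument does not depend on which derivation is used.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000, dklen=16)


def same_password_same_key(password: str, salted: bool) -> bool:
    """True when two users who chose the same password end up with the same 128-bit key.

    Unsalted, they always do, so one precomputed password->key table works against every
    user. With a per-user random salt the keys differ, so the table must be rebuilt per
    salt. The salt does not enlarge the space an attacker searches for a single user;
    the password's alphabet and length still set that."""
    salts = (os.urandom(16), os.urandom(16)) if salted else (b"", b"")
    return derive_key(password, salts[0]) == derive_key(password, salts[1])


if __name__ == "__main__":
    rate = 1_000  # guesses per second, the article's figure
    for label, bits in (("uniform 128-bit key", 128),
                        ("8 chars of a-zA-Z0-9", keyspace_bits(62, 8)),
                        ("8 chars incl. punctuation (94 symbols)", keyspace_bits(94, 8))):
        print(f"{label:42s} {bits:6.1f} bits  ~{expected_years(bits, rate):.3g} years")
    print("unsalted, same password -> same key:", same_password_same_key("Passw0rd!", False))
    print("salted,   same password -> same key:", same_password_same_key("Passw0rd!", True))
```

At 1,000 guesses per second the 17.5-year figure falls out for a 40-bit keyspace, not a 128-bit one; the 8-character alphanumeric space is dozens of orders of magnitude smaller than 2^128.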