## Can a universe-sized computer crack an SMS-sized password?

A place to discuss the science of computers and programs, from algorithms to computability.

Formal proofs preferred.

Moderators: phlip, Moderators General, Prelates

queerismyfavouritecrayon
Posts: 10
Joined: Wed Aug 31, 2011 4:43 am UTC

### Can a universe-sized computer crack an SMS-sized password?

Hi, I'm new to cryptography so I don't trust my own calculations. I was hoping you folks could tell me if I'm off the mark.

The question is: if you turned the entire universe into a computer and devoted all of its resources to brute forcing an 160-character password consisting entirely of lower-case letters, would you succeed before your cosmic computer succumbed to entropy?

The hypothesis in question:

-Any computation that can be performed must be a "subroutine" in the overarching computation of the universe. Therefore, the computational capacity of the whole universe places a safe limit (though not an absolute, incontrovertible one) on brute force attacks.

-Seth Lloyd says that, so far, the universe has performed no more than 10^120 operations (http://arxiv.org/abs/quant-ph/0110141). I've also heard 10^123 operations so I'll use that figure just to make this estimate slightly more conservative.

-I'll assume one password guess-attempt in a brute force attack is 1 operation. (Could a guess conceivably be less than 1 operation?)

-According to Wikipedia (http://en.wikipedia.org/wiki/Future_of_an_expanding_universe#Dark_Era), when the universe is 10^100 years old, "Photons, neutrinos, electrons, and positrons will fly from place to place, hardly ever encountering each other." Presumably this makes any meaningful computation impossible, including a brute force attack.

-The way I interpret Seth Lloyd's paper (though it's confusing) is that the universe has so far performed no more than 10^123 operations in its 13.7 billion year history. For simplicity though, I'll assume that the universe is capable of 10^123 operations annually. (If I'm doing all these steps correctly, this significantly overattributes processing power to the universe.) Therefore I'll multiply 10^123 operations * 10^100 years to get 10^223 total operations throughout the course of the universe.

-An 160-letter password (the same size as a text message) using only lower case would have 26^160 combinations.

-According to Wikipedia (http://en.wikipedia.org/wiki/Password_strength#Entropy_as_a_measure_of_password_strength), "On average, an attacker will have to try half the possible passwords before finding the correct one." So we'll change that to (26^160 / 2).

-Since (26^160 / 2) - (10^223) yields a huge positive number (see the math: http://goo.gl/dhygG), I conclude that if you used all the computation power in the universe to try to crack this password, you would have a negligible chance of succeeding before the whole thing goes up in smoke (or, rather, Hawking radiation).

So, is this conclusion correct, or is there a mistake here?

Known flaws:

-Doesn't take into account quantum computation
-Assumes present-day heat death predictions are accurate
-Ignores possibility of a multiverse
-It's unrealistic to remember an 160-letter password unless it consists of words, in which case it would be subject to a much faster, dictionary attack

P.S. Sorry, it's my first post to the forum, I couldn't figure out how to make hyperlinks
Last edited by queerismyfavouritecrayon on Thu Sep 01, 2011 4:21 pm UTC, edited 1 time in total.

Yakk
Poster with most posts but no title.
Posts: 10879
Joined: Sat Jan 27, 2007 7:27 pm UTC
Location: E pur si muove

### Re: Can a universe-sized computer crack an SMS-sized passwor

Doesn't set off my "off by a lot"-meter.

There are also thermodynamic limits on computation based on temperature and energy that are useful. So you can work out similar problems on how much computation a type-2 civilization could do before its star ran out of fuel.
One of the painful things about our time is that those who feel certainty are stupid, and those with any imagination and understanding are filled with doubt and indecision - BR

Last edited by JHVH on Fri Oct 23, 4004 BCE 6:17 pm, edited 6 times in total.

Sagekilla
Posts: 382
Joined: Fri Aug 21, 2009 1:02 am UTC
Location: Long Island, NY

### Re: Can a universe-sized computer crack an SMS-sized passwor

By the raw numbers, the number of possible passwords (26^160) is equal to about 10^(226.396). Since you're assuming you can do 10^223 passwords, you'll only be able to try 0.04% of the possible passwords.
Equivalently, there's 1243.67 times as many passwords as you can check.
http://en.wikipedia.org/wiki/DSV_Alvin#Sinking wrote:Researchers found a cheese sandwich which exhibited no visible signs of decomposition, and was in fact eaten.

naschilling
Posts: 142
Joined: Wed Apr 06, 2011 2:52 pm UTC
Contact:

### Re: Can a universe-sized computer crack an SMS-sized passwor

I have to admit, this is one of the best questions, albiet most random, questions I've ever heard.

According to Tom's Hardware using a single modern computer with a few beefy graphics card, they can check around 1,000,000 (10^6) passwords per second. For a moment, let's try to crack that 160-character password with that. It should not surprise anyone that 10^226.4 passwords checked 10^6 passwords per second would need 10^220.4 seconds to crack it. For comparison, the CURRENT age of the universe is 10^18 seconds old, and the OP cites that the maximum age of the universe is 10^100 years, which is 10^107.5 seconds. It doesn't look like we'll make it.

Using the processing rate of 10^120 calculations so far that your cite, it would produce 10^102 calculations per second. Multiply by the maximum age of the universe (10^107.5 seconds) and you get 10^209.5 calculations, which is less than the 10^226.4 passwords that are possible.

Maybe if we built a better universe...
If you don't have walls, why would you need Windows?

MHD
Posts: 630
Joined: Fri Mar 20, 2009 8:21 pm UTC
Location: Denmark

### Re: Can a universe-sized computer crack an SMS-sized passwor

<Off topic post>

I must compliment the OP.
Keep doing this and you will go far

Also, welcome to XKCD.

</Off topic post>
EvanED wrote:be aware that when most people say "regular expression" they really mean "something that is almost, but not quite, entirely unlike a regular expression"

queerismyfavouritecrayon
Posts: 10
Joined: Wed Aug 31, 2011 4:43 am UTC

### Re: Can a universe-sized computer crack an SMS-sized passwor

Sagekilla wrote:Since you're assuming you can do 10^223 passwords, you'll only be able to try 0.04% of the possible passwords. Equivalently, there's 1243.67 times as many passwords as you can check.

Wow, you would actually have a lot higher chance of cracking it than I thought! To me a 1 in (1243.67 / 2) chance or even a 1 in 10,000 chance is not a "negligible" chance. See, I told you I didn't know anything about cryptography!

A few more problems:

Someone told me that when I subtracted "(26^160 / 2) - (10^223)", I should have divided them (but coincidentally I got the same result anyway? huh?)

They also pointed out that if you are using 256-bit encryption, an attacker would just go for the key (1.16*10^77 combinations) rather than the password (26^160 combinations). I guess this could be resolved by using a key with more than 26^160 combinations, but to my knowledge you can't really implement this today -- nor use a password over 64-characters.

I don't really understand the physics behind Seth Lloyd's paper. I especially didn't consider this: just because so far the universe has performed no more than 10^123 operations doesn't mean its computation capacity will remain static for the rest of time. This is a major problem with any conclusions you might want to draw!

naschilling wrote:It should not surprise anyone that 10^226.4 passwords checked 10^6 passwords per second would need 10^220.4 seconds to crack it.

Actually, you would only need half as long.

I started off on this cosmic computer thought experiment because I saw a flaw in the standard "this password would take a 100 years to crack" line of thinking. (I wanted to find a password that would be truly secure for 100 years.) Those calculations don't account for Moore's Law, which means that the cracking time gets cut in half every 2 years. In 20 years, your "100-years safe" password will be crackable in 36 days!

I started off with contemporary supercomputers and distributed computing systems, then tried to factor in how long a password would be secure as these computers got exponentially faster. I started with (extremely optimistic) estimates for Moore's Law running out of steam in 80 years (http://www.physorg.com/news174750105.html) or 600 years (http://arxiv.org/abs/astro-ph/0404510) but quickly realized this was inadequate. Moore's Law only accounts for the increase in the processing speed of X amount of computing hardware (e.g. a PC, a supercomputer, \$1000 worth of computing power, etc). If you only factor in Moore's Law, you are ignoring any possibility of the overall volume of computing increasing! You are not even considering that the world's population might increase, or that a higher proportion of the world's population might get computers. I think most people would agree: in the future, there will be more computers!

So, not only is the standard "this password would take X long to crack" woefully misguided, even if you factor Moore's Law into these calculations they still give you a false sense of security. Yakk, you were a lot more on the money by asking how many guess-attempts a Type II-civilization would be capable of. I didn't think of that, so I went after larger limits.

Yakk
Poster with most posts but no title.
Posts: 10879
Joined: Sat Jan 27, 2007 7:27 pm UTC
Location: E pur si muove

### Re: Can a universe-sized computer crack an SMS-sized passwor

You could also try using the future light-and-return-cone of your password, and factor in a cosmic inflation model. That'll give you a finite energy budget bound. You can use the increasingly chill CMB as a temperature limit. The amount of computation you can do may actually diverge, but it would be an interesting problem to work through.
One of the painful things about our time is that those who feel certainty are stupid, and those with any imagination and understanding are filled with doubt and indecision - BR

Last edited by JHVH on Fri Oct 23, 4004 BCE 6:17 pm, edited 6 times in total.

Thesh
Has the Brain Worms, In Case You Forgot.
Posts: 4475
Joined: Tue Jan 12, 2010 1:55 am UTC
Location: California, Southern USA

### Re: Can a universe-sized computer crack an SMS-sized passwor

queerismyfavouritecrayon wrote:Someone told me that when I subtracted "(26^160 / 2) - (10^223)", I should have divided them (but coincidentally I got the same result anyway? huh?)

If you got the same result, you made a mistake.

queerismyfavouritecrayon wrote:They also pointed out that if you are using 256-bit encryption, an attacker would just go for the key (1.16*10^77 combinations) rather than the password (26^160 combinations). I guess this could be resolved by using a key with more than 26^160 combinations, but to my knowledge you can't really implement this today -- nor use a password over 64-characters.

That's actually not a problem. You can use an algorithm like Threefish which allows block sizes and keys up to 1024 bits. For 26^160, a 768 bit key will be large enough. This algorithm is probably too new to rely on right now, but there are other options as well.

Another thing you can do is expand the password to a 1280 bit key using a hash algorithm and encrypt each block multiple times. Encrypting five times with five different 256 bit keys is equivalent to encrypting once with a 768 bit key (more precisely log_2( 2^768+2^512) bits) due to a meet in the middle attack. The meet in the middle attack requires known plain texts, and you brute force decrypting one half and encrypting the other half until you find a match. This is generally considered infeasible for key sizes this large due to the storage space required, but if we are talking universe sized computers...

Also, I don't know the physics of that paper, however in the past I thought about necessary key length in this way:

If all the mass in the universe was converted to computers with the mass of an electron, and each computer could test 10^20 keys per second (arbitrary, chosen because that's around the frequency that gamma rays start), then you need a 400 bit key so that you can't brute force it in less than the current age of the universe. Then expand that to 512 bits, just because it's a power of two and adds an extra security margin in case the algorithm has a weakness.
The lights in the sky keep calling my name. They're calling my name; I think they're coming for me.

mfb
Posts: 892
Joined: Thu Jan 08, 2009 7:48 pm UTC

### Re: Can a universe-sized computer crack an SMS-sized passwor

Seth Lloyd does a bit more than giving a number: He gets a formula to calculate the possible number of operations for all times. It is \#ops \approx \rho \,c^5 t^4 / \hbar. As we already know the value for the current age of 10^10 years, it is easy to scale it up to 10^100 years: \#ops \approx 10^{480}. More than enough for the sms-sized password. The important point here is that with increasing age, we have a larger volume (~t^3) to do calculations in.
To reach 26^160 = 10^226 calculations, we have to wait for about 10^26 times the current age of the universe, so ~10^36 years. Chances are good that even if protons are unstable, most of them will survive long enough to finish your computation with something baryonic. Any ideas how to use that theoretical computing power in a controlled way?
Searching for the lower bound for the proton lifetime, my browser suggested visiting the URL http://de.wikipedia.org/w/index.php?title=Proton&stable=1

Maybe it is possible to crack every (reasonable, e.g. storable on computers) password in polynominal* time if time loop logic works.
*checking a password of some TB size with appropriate encryption algorithms will take some time, too.

lightvector
Posts: 212
Joined: Tue Jun 17, 2008 11:04 pm UTC

### Re: Can a universe-sized computer crack an SMS-sized passwor

If the password cracking really can only be treated as a black box (that is, the only way is to literally just try each password), then this looks reasonable. Exponentiation is really really powerful.

But once you have a password with anywhere near this many bits, your primary weakness is not the lifetime of the universe, or a cosmic-sized computer, or any sort of exotic physical limits. Rather, the primary weakness is that someone will eventually discover an exploitable flaw in the underlying algorithm or system, allowing it to be cracked far more easily than brute forcing. If, for example, your password was hashed by ROT13, then you could have millions of letters, rather than just 160, and it still would not be secure.

Using a lot of bits or letters is easy. Establishing the security of the underlying cryptography is the hard part.

WarDaft
Posts: 1583
Joined: Thu Jul 30, 2009 3:16 pm UTC

### Re: Can a universe-sized computer crack an SMS-sized passwor

Maybe it is possible to crack every (reasonable, e.g. storable on computers) password in polynominal* time if time loop logic works.
*checking a password of some TB size with appropriate encryption algorithms will take some time, too.
Actually, with time loop logic, you can obtain any answer in time proportional to the length of the answer (because that's the minimum possible time to read the answer.) You just have to use time loop recursion.
All Shadow priest spells that deal Fire damage now appear green.
Big freaky cereal boxes of death.

mfb
Posts: 892
Joined: Thu Jan 08, 2009 7:48 pm UTC

### Re: Can a universe-sized computer crack an SMS-sized passwor

I think you still have to check if it is the correct password - otherwise you cannot determine what to send back in time.
Ok, a trickier version of that would split up the check in several cycles of the same slice in time (or somewhere in the past or the future). But then you need polynomial computing power or polynomial integrated computing time.

And finally, linear is just a special case of polynomial. If it is linear will depend on the algorithm (good: not linear?).

queerismyfavouritecrayon
Posts: 10
Joined: Wed Aug 31, 2011 4:43 am UTC

### Re: Can a universe-sized computer crack an SMS-sized passwor

mfb wrote:Seth Lloyd does a bit more than giving a number: He gets a formula to calculate the possible number of operations for all times. It is \#ops \approx \rho \,c^5 t^4 / \hbar. As we already know the value for the current age of 10^10 years, it is easy to scale it up to 10^100 years: \#ops \approx 10^{480}. More than enough for the sms-sized password. The important point here is that with increasing age, we have a larger volume (~t^3) to do calculations in.

Okay, I definitely missed that. Back to the drawing board.

WarDaft
Posts: 1583
Joined: Thu Jul 30, 2009 3:16 pm UTC

### Re: Can a universe-sized computer crack an SMS-sized passwor

mfb wrote:I think you still have to check if it is the correct password - otherwise you cannot determine what to send back in time.
Ok, a trickier version of that would split up the check in several cycles of the same slice in time (or somewhere in the past or the future). But then you need polynomial computing power or polynomial integrated computing time.

And finally, linear is just a special case of polynomial. If it is linear will depend on the algorithm (good: not linear?).

Yes, you have to check that the answer is correct before you send it back to complete the loop. But that doesn't mean you can't use it in the mean time. The time to obtain the answer is thus always linear in the size of the answer. Even if the question is halts(x).
All Shadow priest spells that deal Fire damage now appear green.
Big freaky cereal boxes of death.

mfb
Posts: 892
Joined: Thu Jan 08, 2009 7:48 pm UTC

### Re: Can a universe-sized computer crack an SMS-sized passwor

Well, with time machines, you can get the answer at any time - even before you get the problem. So in my opinion, the interesting quantity is the total amount of necessary calculations.

queerismyfavouritecrayon
Posts: 10
Joined: Wed Aug 31, 2011 4:43 am UTC

### Re: Can a universe-sized computer crack an SMS-sized passwor

Can anyone help me find a way to practically implement this? I was working on a toy version but ran into some immediate limits. TrueCrypt allows for a maximum of 64-character passwords. I generated a 2200-character password using pseudo-random and allegedly truly random data that I would like to use. Moreover, 2^256 < 10^480. I need something like a 2048-bit symmetric key.

Thesh
Has the Brain Worms, In Case You Forgot.
Posts: 4475
Joined: Tue Jan 12, 2010 1:55 am UTC
Location: California, Southern USA

### Re: Can a universe-sized computer crack an SMS-sized passwor

Well, if you do use a 2048 bit key, then you are going to run into a situation where it's much easier to brute force the key than the password. For your key generation, you can do something like this where + is concatenation:

Code: Select all

a = ""x = sha512(password)FOR i = 1 to 4   x = sha512(x + password)   a = a + xENDFOR
The lights in the sky keep calling my name. They're calling my name; I think they're coming for me.

queerismyfavouritecrayon
Posts: 10
Joined: Wed Aug 31, 2011 4:43 am UTC

### Re: Can a universe-sized computer crack an SMS-sized passwor

Why is the key easier to brute force than the password?

Thesh
Has the Brain Worms, In Case You Forgot.
Posts: 4475
Joined: Tue Jan 12, 2010 1:55 am UTC
Location: California, Southern USA

### Re: Can a universe-sized computer crack an SMS-sized passwor

http://www.wolframalpha.com/input/?i=lo ... %5E2200%29

That 2200 character password is equivalent to a 10341 bit key. That assumes all lower case characters as used in your example. It will be significantly more if you allow uppercase, numbers, and special characters.
The lights in the sky keep calling my name. They're calling my name; I think they're coming for me.

Goplat
Posts: 490
Joined: Sun Mar 04, 2007 11:41 pm UTC

### Re: Can a universe-sized computer crack an SMS-sized passwor

queerismyfavouritecrayon wrote:Can anyone help me find a way to practically implement this?
When you're talking about making passwords strong enough to resist someone who can "turn the entire universe into a computer", practicality has already been thrown out the window. Anyone who has the resources to break even a 20-letter password by brute force (let alone 160-letter) will also have access to much easier means of getting whatever information you want to keep secret:

queerismyfavouritecrayon
Posts: 10
Joined: Wed Aug 31, 2011 4:43 am UTC

### Re: Can a universe-sized computer crack an SMS-sized passwor

True Goplat, but if it's relatively easy to implement a standard that is theoretically secured by physical limits, why not do it? Why keep incrementally upgrading encryption strength as Moore's Law goes along?

undecim
Posts: 289
Joined: Tue Jan 19, 2010 7:09 pm UTC
Contact:

### Re: Can a universe-sized computer crack an SMS-sized passwor

queerismyfavouritecrayon wrote:True Goplat, but if it's relatively easy to implement a standard that is theoretically secured by physical limits, why not do it? Why keep incrementally upgrading encryption strength as Moore's Law goes along?

You're assuming a few things:

1) That encryption is only broken by brute force
2) That a single operation of the universe corresponds to a single operation of conventional computers (think quantum computers)
Blue, blue, blue

Thesh
Has the Brain Worms, In Case You Forgot.
Posts: 4475
Joined: Tue Jan 12, 2010 1:55 am UTC
Location: California, Southern USA

### Re: Can a universe-sized computer crack an SMS-sized passwor

queerismyfavouritecrayon wrote:True Goplat, but if it's relatively easy to implement a standard that is theoretically secured by physical limits, why not do it? Why keep incrementally upgrading encryption strength as Moore's Law goes along?

Moore's law isn't our problem right now. Upgrading algorithms doesn't just mean increasing key length, it means providing protection from new cryptanalysis. 128 bit keys are more than sufficient to protect us from Moore's law for the foreseeable future in terms of brute force. For example, this is distributed.net's page for trying to brute force a 72 bit key in distributed.net:

http://stats.distributed.net/projects.php?project_id=8

3204 days so far, and they've searched less than 2% of the key space. Now, a 128 bit key has 2^56 times as many keys. So it will take you 72 quadrillion, 57 trillion, 594 billion, 37 million, 927 thousand and 936 times as long to brute force. Algorithms with 256 bit keys are common as well, so key length is definitely not a concern right now.

So how are algorithms broken? By finding weaknesses in the algorithm that allows you to recover the key or find an alternate algorithm to decrypt the ciphertext. This is what cryptographers are focused on preventing now, and this is far more important than key length. Now, it's easy to make an algorithm that is resistant to cryptanalysis, but the problem comes in that we not only need to be resistant to cryptanalysis, we also need the algorithm to be efficient. For example, you can easily take an algorithm and double the number of rounds, but in doing so you cut the throughput in half.

Now, even though you can't brute force a 128 bit key, there can still be advantages to going to a 256 bit key. If a flaw is found in the algorithm that allows key recovery, there is a good chance that it will take significantly longer to recover larger keys (but this is not always the case). For example, if an attack allowed a 128 bit key to be broken in 2^38 operations, the same algorithm with a 256 bit key might take 2^100 operations to complete. Also, if it's a known plaintext attack against a particular algorithm, when using a 128 bit key it might require a 2^20 known plaintexts to break while if you are using it with a 256 bit key it might require 2^48 known plaintexts.

Currently Twofish is a very fast algorithm in which there are no known breaks on more than 6 rounds (the full version as 16 rounds), so unless some major advancements are made in cryptanalysis the only way to break it is through a brute force.
The lights in the sky keep calling my name. They're calling my name; I think they're coming for me.

queerismyfavouritecrayon
Posts: 10
Joined: Wed Aug 31, 2011 4:43 am UTC

### Re: Can a universe-sized computer crack an SMS-sized passwor

undecim: yeah, granted, brute force is not the only way to crack encryption keys or passwords. there are other forms of vulnerability we need to worry about, but why not at least get brute force defense right? In terms of passwords: at some point in my lifetime a 20-character alphanumericsymbolic password may be crackable in about 90 minutes. your second point ties into this: it is especially imprudent to use the minimal encryption you think you can get away with in your era because quantum computing might come along sooner than expected nullify all your security.

the first thing quantum computing would do would be to cut the keyspace it needed to search for your key/password in half. news articles often use the buzzphrase "a quantum computer could do more calculations in an instant than there are atoms in the universe". if we interpret this perhaps too literally as 10^80 calculations per nanosecond, and account for the keyspace being halved, we can begin to do a sketch calculation for what would be strong enough to withstand a quantum brute force attack. let's suppose that a quantum computer is in fact a universe of 10^80 processors that are each 1 billion times faster than all of the world's current top 500 classical supercomputers combined (i.e. each processor can do 60 quadrillion calculations per nanosecond). so a quantum computer, we are assuming, can do 10^80 * 10^80 * 60 quadrillion calculations per nanosecond. let's assume we have a supercomputing grid of quantum computers where each atom in the universe is a quantum computer. so our grid has 10^80 computers. our grid is capable of less than 10^374 calculations before Heat Death (see calculations, and feel free to point out errors: http://bit.ly/oZvqih). a 250-character alphanumericsymbolic password would have a negligible chance of yielding to that brute force attack (http://bit.ly/o2i43R). 4096-bit key, suffused with sufficient entropy (e.g. air turbulence recorded from microphone, mouse movement, atmospheric white noise) would also be safe (http://bit.ly/oUFZm8).

(EXTREME SCENARIO IF YOU'RE NOT CONVINCED: Now, every operation in each of the processors is a Seth-Lloyd-universe going from Big Bang to Heat Death: http://bit.ly/nJNUTv. A 600-char password would do: http://bit.ly/r8ArU8. You'd need to double your key again, to 8192 bits.)

Maybe this wouldn't be the best thing, though, because in a case of extortion you would have no way of meeting your extorter's demands or proving you didn't have the password anymore...

Thesh
Has the Brain Worms, In Case You Forgot.
Posts: 4475
Joined: Tue Jan 12, 2010 1:55 am UTC
Location: California, Southern USA

### Re: Can a universe-sized computer crack an SMS-sized passwor

Well, if you are going to do all that, why not just use a infinite improbability computer? No matter what your key length, I can describe a computer that can break it. As a more realistic (but still completely unrealistic) way to think of it is this: if you convert the mass of the observable universe to supercomputers with the mass of a neutrino (the lightest known massful particle) and they can all test one key for every unit of Planck time (theoretically smallest unit of time measurable), a 512 bit key is sufficient to protect against brute force over the age of the universe. With Grover's algorithm you might be able make a 512 bit key effectively a 256 bit key, and then a 1024 bit key is still sufficient over the age of the universe, but none of this matters in reality because computers of the speed I described will not happen ever.
The lights in the sky keep calling my name. They're calling my name; I think they're coming for me.

lojbrent
Posts: 1
Joined: Sat Dec 03, 2011 12:13 am UTC

### Re: Can a universe-sized computer crack an SMS-sized passwor

at some point in my lifetime a 20-character alphanumericsymbolic password may be crackable in about 90 minutes.

Any clue how long that thing takes now on a standard computer. I was trying to crack a password on a Zip archive once. I had brute force app running about 30 sessions on a machine, one with 2 characters, one with 3, one with 4 and so on. That ran for 6 days I think without a single hit.

wumpus
Posts: 440
Joined: Thu Feb 21, 2008 12:16 am UTC

### Re: Can a universe-sized computer crack an SMS-sized passwor

lojbrent wrote:
at some point in my lifetime a 20-character alphanumericsymbolic password may be crackable in about 90 minutes.

Any clue how long that thing takes now on a standard computer. I was trying to crack a password on a Zip archive once. I had brute force app running about 30 sessions on a machine, one with 2 characters, one with 3, one with 4 and so on. That ran for 6 days I think without a single hit.

A 20 char password (assuming 32 possible characters) is 100 bits (120 if 64 possible characters).
This is roughly twice the size of DES. In 2008 the time to break DES on ideal hardware (RIVYERA) was one day (no idea if enough RIVYERA machines have shipped to break in 90 minutes, but assume that is close enough).
If it took 40 years to go from first chips to 56 bits, assuming Moore's law (note, there was a specific revision slowing it down in 1990, and it keeps getting more expensive to obey Moore's law) it will take another 40 years to brute force 112 bits.

It is essentially impossible to brute force anything approaching 56 bits on a PC (less sure about a GPU, but still very, very slow). Best best is on some sort of distributed system or botnet.

WarDaft
Posts: 1583
Joined: Thu Jul 30, 2009 3:16 pm UTC

### Re: Can a universe-sized computer crack an SMS-sized passwor

Graphics cards have been in the multi-teraflops range for a while now, so less than a day for sure.
All Shadow priest spells that deal Fire damage now appear green.
Big freaky cereal boxes of death.

wumpus
Posts: 440
Joined: Thu Feb 21, 2008 12:16 am UTC

### Re: Can a universe-sized computer crack an SMS-sized passwor

Stop worrying about brute force. Just stop it. Also cryptanalysis is also an unreasonable thing to worry about. Key theft and plain text theft is how cryptography is broken (nobody has liked to http://xkcd.com/538/ yet? for shame). 128 bits is enough for the next 50 years. 256 is enough for less "universal" computers (ones that assume that each electron in the universe stores one bit). When you hit public key crypto, all bets are off (they tend to work on solving a "known hard problem" where the "known hard problem" isn't exactly O(e^x). Higher order "elliptical" curve cryptography might fix this).

If you are new to cryptography, try heading over to http://www.schneier.com/ (oddly enough, it was that site that introduced me to xkcd). The first thing you need to know about cryptography, is that the whole point is to create a security system to protect a secret. There are a thousand ways to get at that secret, and brute forcing is the absolute hardest one. Not only that, if the key is big enough that you have to write it on a post it (or put it on a USB stick), it becomes as easy to lose as the proverbial "tippy top secret laptop left on a train". Your ubuntu loaded computer is an insecure joke next to brute force attacks; try using SELinux, openbsd stripped down to nothing but email, and only using it for secure communication (and don't trust the machine more than the safe it is kept in). PS. Don't forget the tinfoil (seriously, there is a reason the NSA requires such things to be put in a Faraday cage, although it is likely a cover to make people assume that they lost their data through some sort of high-tech system, not that they hired a nerdy IT type who fell like a ton of bricks for this really hot spy...).

The easiest method is to break into the location of one of the communicators and look for a handy postit. Few people can handily memorize 8000 bits* of entropy (there are 35 people listed who have memorized more than 2409 digits of pi, an equal feat. For 256 bits, the number is 77 or following the xkcd example 17 arbitrary words).

An adversary with an infintely powerful computer is likely to be able to mount a Tempest attack (determine the state of your computer via EMI emitted) much, much, easier than brute forcing. I would also assume that such a computer would be of immense help in performing cryptanalysis on whatever algorithm you are using. I would also assume that the google machines know enough about me (or anyone who surfs the net) to create a "knowable password space" that is quite possible to quickly exhaust (even worse, they could break into groups of "possible password sets" that allow greater parallelization to break the passwords of anybody believed to use passwords in that set).

Key management is also an issue. How in the world did you send your 8000 bit keys to everyone you want to securely communicate with? It is far easier to intercept them than any attempt at brute force.

As mentioned above, even using an oversized key is going to be an issue. I would assume you have to simply run each password through known cryptographic algorithm until you had used up all the bits in the password. I also have to point out that this is a place where you are going backwards. If a much smaller password can not be bruteforced (or otherwise guessed), it can be expanded to a much larger key.

As Thresh pointed out, cryptography can be more easily broken by cryptanalysis than by brute force (and by various means of key theft and plaintext theft far more easily than cryptanalysis). Creating a large key out of a hash of a password might be of some value as the attacker has at least the chance of determining the key from cryptanalysis. No idea if I'll have time to work on such an idea.

Finally, if you are still certain you want oversized keys, go google key leakage (might take a few more keywords) and find out how trying to hide a large secret (even inside of your computers registers) might be harder than trying to hide a smaller (say a 256 bit key) secret. Since brute forcing each is equivilantly difficult (i.e. both are impossible), this makes the 256 bit key *more* secure if it never has to cross back and forth from memory (of course this leave unanswered (how it the world is the key not cached?).

wumpus
Posts: 440
Joined: Thu Feb 21, 2008 12:16 am UTC

### Re: Can a universe-sized computer crack an SMS-sized passwor

WarDaft wrote:Graphics cards have been in the multi-teraflops range for a while now, so less than a day for sure.

http://mytechencounters.wordpress.com/2 ... phic-card/

This was a year ago (unlisted GPU) and he was getting 8 characters in 18 hours. I'm sure that a 7979 (or two) should be able to get ~50-64 bits in under a day by now. Also new releases of the software here:
http://www.golubev.com/hashgpu.htm

WarDaft
Posts: 1583
Joined: Thu Jul 30, 2009 3:16 pm UTC

### Re: Can a universe-sized computer crack an SMS-sized passwor

He says 5770, so yeah, a 7979 or 6990 (I don't know which is best, tomshardware says a 6990 is better than a 7970 though) should be able to rip those values apart.

And that's using no intelligent strategy at all. A distributed GPU computation project could easily make a rainbow table that leaves 14 or 15 character passwords useless.
All Shadow priest spells that deal Fire damage now appear green.
Big freaky cereal boxes of death.

korona
Posts: 438
Joined: Sun Jul 04, 2010 8:40 pm UTC

### Re: Can a universe-sized computer crack an SMS-sized passwor

A rainbow table for 14 character passwords (~70 bit key strength) has more than 10^20 entries even if you assume that the password consists only of lower case letters.

WarDaft
Posts: 1583
Joined: Thu Jul 30, 2009 3:16 pm UTC

### Re: Can a universe-sized computer crack an SMS-sized passwor

You can trade off entries with acceleration in order to gain fewer characters but maintain a usable table size. A 10 gb database could make the search about a billion times faster, and thus make passwords up to 5 characters longer as easy to crack.
All Shadow priest spells that deal Fire damage now appear green.
Big freaky cereal boxes of death.

korona
Posts: 438
Joined: Sun Jul 04, 2010 8:40 pm UTC

### Re: Can a universe-sized computer crack an SMS-sized passwor

I doubt that there is a way to reduce the table size from 745'058'059'696 GB to 10 GB in a way such that you get any reasonable performance advantage over brute forcing; assuming a key length of 64 bit (which is pretty low) and only lower case letters.

WarDaft
Posts: 1583
Joined: Thu Jul 30, 2009 3:16 pm UTC

### Re: Can a universe-sized computer crack an SMS-sized passwor

However many entries you have in your rainbow table, you get that much of a speedup in your search. A billion evenly spaced entries is a billion fold speedup, but you still have to actually do all the work once.
All Shadow priest spells that deal Fire damage now appear green.
Big freaky cereal boxes of death.

Thesh
Has the Brain Worms, In Case You Forgot.
Posts: 4475
Joined: Tue Jan 12, 2010 1:55 am UTC
Location: California, Southern USA

### Re: Can a universe-sized computer crack an SMS-sized passwor

You aren't going to store every single password anyway. All you need to do is get a dictionary and hash individual words, combinations of words, and permutations (e.g. append numbers, capitalize, replace o with O, etc.). That takes care of most, of them.

Of course, all you need to do to protect against rainbow tables is use a 128-bit salt, and then you can easily make your passwords require 100ms to hash, making dictionary/brute force attacks take significantly longer. If all web programmers knew/cared enough to do this and implemented a reasonable password policy, the internet would be a safer place.

Also, on the topic of GPUs, I wouldn't imagine they would show a huge advantage, as most hashes are simple integer operations.
The lights in the sky keep calling my name. They're calling my name; I think they're coming for me.

WarDaft
Posts: 1583
Joined: Thu Jul 30, 2009 3:16 pm UTC

### Re: Can a universe-sized computer crack an SMS-sized passwor

They're massively parallel, and can also do integer operations. Actually, these days, they're made to do all kinds of operations, because games are getting more demanding and the graphics card being able to do more than floating point operations is getting better and better.

The example above shows a 1000 fold improvement over just the CPU. It's not the most tightly controlled test, but that's about 15 years as far as Moore's law is concerned.
All Shadow priest spells that deal Fire damage now appear green.
Big freaky cereal boxes of death.

### Who is online

Users browsing this forum: No registered users and 7 guests