Programming and Scripting :: C question



I don't think 4 chars of anything is very strong, though I'll have to look up what quenya is, or ask some Scandinavian friends!

Even that Perl one-liner will get through the full lower case 4-char password space in no time.

You probably know that each char of pw length increases the brute force crack time exponentially.

Even with humongous computing resources, brute force is likely to be a waste of time on good long random passwords from a wide space of chars including %!@#/\| .,  etc.  You start measuring crack times in aeons.  The weakness is usually in the relative non-randomness of the passphrase (recognizable words etc) or the encryption implementation itself.

It's 4 words, not 4 chars. It's 30 chars total.

BTW, Quenya is Tolkien's high elvish. It's spoken in the movies too. That's a fun part too, as the subtitles say different things than the actors ;)

Quote
My password consists of 4 lowercase words of English, Finnish and Quenya.


Ah! Then that's a different problem.  I don't think any cracker in their right mind is going to try to brute force a 30-char passphrase.  Instead, they'll do a dictionary-based attack using the three nominated languages, perhaps first trying to narrow the search space using word frequencies.  But I'm not an expert.

I'm sure the answer to your Perl questions is yes but I have to eat now.

:D

Sure, go have a meal.

Wordlists, well, since I'm pretty much the only one using Quenya in a password, I highly doubt anyone has put a wordlist up for it. And then there's the fact both Finnish and Quenya are suffix-based, i.e. a word's meaning is modified by modifying the word, instead of prepositions like in English. So there are countless variations of a single word.
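
The comparison these posts are circling, as an added example that is not part of anyone's post: a Perl sketch that sizes a character-by-character search over a-z plus ä and ö against a four-word search. The 100,000-word list and the 50 forms per word are assumptions, and the guess rate is taken from the 2-character test ("about 1 second") reported further down the thread.

```perl
# Added example: sizes of the search spaces discussed in this thread.
use strict;
use warnings;
use utf8;    # "ä" and "ö" are single characters; save this file as UTF-8

my @set = ( "ä", "ö", "a" .. "z" );    # 28 symbols, as in the script posted below
my %idx; @idx{@set} = 0 .. $#set;

sub log2 { return log( $_[0] ) / log(2) }

# Candidates tried up to and including $pw when enumerating every shorter
# string first, then strings of the same length in @set order.
sub guesses_until {
    my ($pw) = @_;
    my $k    = @set;
    my @c    = split //, $pw;
    my ( $shorter, $pos ) = ( 0, 0 );
    $shorter += $k**$_ for 1 .. $#c;
    for my $ch (@c) {
        die "character not in set\n" unless exists $idx{$ch};
        $pos = $pos * $k + $idx{$ch};
    }
    return $shorter + $pos + 1;
}

# log2 of the number of strings of length 1..$len over $k symbols:
# sum k^i = k^len * k/(k-1) * (1 - k^-len), kept in logs to avoid overflow.
sub bits_charset {
    my ( $k, $len ) = @_;
    return $len * log2($k) + log2( $k / ( $k - 1 ) ) + log2( 1 - $k**( -$len ) );
}

# log2 of the candidates for $n words, each one of $words base words in $forms forms.
sub bits_words { my ( $n, $words, $forms ) = @_; return $n * log2( $words * $forms ) }

# log10 of the years needed to try 2**$bits candidates at $rate guesses per second.
sub log10_years {
    my ( $bits, $rate ) = @_;
    return ( $bits * log(2) - log( $rate * 365.25 * 86400 ) ) / log(10);
}

my $rate = guesses_until("at");    # "at" was found in about 1 second
printf "'at' is guess %d, so about %d guesses/s\n", $rate, $rate;
my $cb = bits_charset( scalar @set, 30 );
printf "30 chars: %.1f bits, 10^%.0f years\n", $cb, log10_years( $cb, $rate );
for my $forms ( 1, 50 ) {    # assumed inflected forms per word
    my $wb = bits_words( 4, 100_000, $forms );    # assumed 100,000 base words
    printf "4 words x %d forms: %.1f bits, 10^%.0f years\n", $forms, $wb, log10_years( $wb, $rate );
}
```
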

I have my doubts about this being a practical test for hardness at least in this particular universe and not for a passphrase built from words  - nonetheless, this should work in principle with those Finnish chars in the set.

Here I'm testing it on a blowfish encrypted file 'encryptedfile' with a simple 2-char  passphrase "at", which it brute force cracked in about 1 second.

Change the openssl command string to suit your rsa key cracking issue.

Code Sample

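#!/usr/bin/perl
# curagacrack.pl
use strict;
use warnings;

my $n = 30; # max len of passphrase

my @set = ( "ä", "ö", "a" .. "z" ); # ranges and lists to permute
my @chars; # current candidate, one element of @set per position

sub create_perm {

   my($cur,$max)=@_;

   if($cur>=$max){
       # Join the per-position elements so a multi-byte "ä" or "ö" stays
       # intact (a one-byte substr() replacement would split it).
       my $result = join '', @chars[0 .. $max-1];
       # print "$result\n";
       # Own process group, so the shell's "kill 0" below also stops this script.
       setpgrp (0,0);
       # Try the candidate; accept it if the decrypted output looks like ASCII text.
       system("echo $result | 2>/dev/null /opt/tor/local/bin/openssl bf -pass stdin -d -in encryptedfile -out out.txt && file -b out.txt | grep -q '^ASCII text' && echo -n 'Found passphrase: ' && echo $result && kill 0");
       return;
   }

   for(@set){
       $chars[$cur]=$_;
       create_perm($cur+1,$max);
   }
}

# Try every length from 1 up to $n
for my $j (1 .. $n){
   create_perm(0,$j);
}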


That will run the openssl command on each loop iteration (slow) and exit rudely when it is successful.  For a 30 char passphrase this may not be within the lifetime of this universe; you might like to prove the concept on a short passphrase.

I found the permutation code on another board and adapted.  There is other code on the perlmonks board which is probably more efficient.

It would be quicker to directly compare against the known password string also.

This doesn't filter out aaa etc.  Close the shell to kill it off, I didn't put a signal trap in.

(Revision for me since if I don't do a little Perl every few months it starts to look like Finnish to me ;=) ):
