Time Analysis of WPA brute-forcing

[Barry]

Hi, Virchanza.

Can you make some calculations for me please.

From 8 to 15 characters consisting of numbers, lower and uppercase letters.

How many passwords creates this combination and how much GB do i need?

Also not very important but it would be also good to know the required time to brute force all these combinations.

Thnaks.

BTW some time ago i tried to create a wordlist from 8 to 15 with just numbers. At 10 chars, the dictionary became 100 GB and i run out of space

I believe it's in the exebyte range. There's a thread around here with the supporting math, I'm just too lazy to spoon feed it.

[Thorn]

Hi, Virchanza.

Can you make some calculations for me please.

From 8 to 15 characters consisting of numbers, lower and uppercase letters.

How many passwords creates this combination and how much GB do i need?

Also not very important but it would be also good to know the required time to brute force all these combinations.

Thnaks.

BTW some time ago i tried to create a wordlist from 8 to 15 with just numbers. At 10 chars, the dictionary became 100 GB and i run out of space

That math isn't that hard, as it's basic arithmetic. Anyone who graduated grammar school should have the 'math skills' for this. It's called multiplication.

The basic formula is number of possible characters (alphanumeric) raised to the power of the number of characters. With digits, lower and upper-case letters, there are 62 possible variations for every character

So in the case of 15-character length passwords, that's 62 ^ 15 (62 raised to the 15th power) or 768909704948766668552634368 bytes, or about 768909704948766.6 TB. Of course, since you'll not be using 62 ^ 7 (3521614606208 bytes or about 3.5 TB), you'll save a little bit of space.

Do let us know how you do with that.

As far as the time, a 10MB password file takes about 30 minutes for one SSID on a 2GHz machine.

Therefore:
100MB = 300 minutes (5 hours)
1,000MB (1GB) = 3,000 minutes (50 hours)
10,000MB (10GB) = 30,000 minutes (500 hours)
100,000MB (100GB) = 300,000 minutes (5,000 hours or 29.76 weeks, or 7.44 months )
1,000,000MB (1,000GB or 1TB) = 3,000,000 (50,000 hours, or 74.4 months, or 5.7 years)

Based on that, you should have a brute force answer in 4,382,785 billion years in a worse case scenario. Of course, statistically, you might get lucky and get it in half that time.

[streaker69]

Based on that, you should have a brute force answer in 4,382,785 billion years in a worse case scenario. Of course, statistically, you might get lucky and get it in half that time.

They might want to start now, since the world is going to end 12/21/2012.

[Virchanza]

Can you make some calculations for me please.

From 8 to 15 characters consisting of numbers, lower and uppercase letters.

26 lowercase characters, 26 uppercase characters, and 10 digits. That comes to 62 different characters.

How many passwords creates this combination and how much GB do i need?

The amount of passwords is calcuable as follows:

Code:

62^8 + 62^9 + 62^10 + 62^11 + 62^12 + 62^13 + 62^14 + 62^15

Also not very important but it would be also good to know the required time to brute force all these combinations.

I'm gonna be generous and say that you can crack at 1 million keys per second. I'm using the following C code to do the calculations:

Code:

#include <stdio.h>
#include <gmp.h>

void CalcAmountPasswords(mpz_t total,unsigned min,
                                     unsigned const max,
                                     unsigned const radix)
{
    mpz_t temp; mpz_init(temp);

    mpz_set_ui(total,0);

    for ( ; min <= max; ++min)
    {
        mpz_ui_pow_ui(temp,radix,min);
        mpz_add(total,total,temp);
    }

    mpz_clear(temp);
}

int main(void)
{
    char buf[1024];

    mpz_t total; mpz_init(total);

    CalcAmountPasswords(total,8,15,62);
    mpz_get_str(buf,10,total);
    printf("Total amount of keys = %s\n\n",buf);

    mpz_cdiv_q_ui(total,total,1000000lu);
    mpz_get_str(buf,10,total);
    printf("Cracking at 1000000 k/s, so that's %s seconds\n\n",buf);

    mpz_cdiv_q_ui(total,total,60ul * 60 * 24 * 365);
    mpz_get_str(buf,10,total);
    printf("In years, that's %s years\n\n",buf);

    mpz_clear(total);

    return 0;
}

And here's the output I get:

Code:

Total amount of keys = 781514782079070739510782720

Cracking at 1000000 k/s, so that's 781514782079070739511 seconds

In years, that's 24781671171965 years

So we're talking 24 trillion years. The universe is estimated to be at most 14 billion years old.

As for storing a dictionary file, well you'd need to pipe the output of a generator into the input of a cracker, otherwise you'll need a hard disk the size of Jupiter.

[killadaninja]

24 trillion years
well lets hope Erik Tews hurrys up

[imported_vvpalin]

As i said none of you take Moors law into consideration.

24 trillion years will be 23.44 billion years in as little as 15 years

Hell if the current trend keeps up we will have petabyte drives by 2016

And when have any of you unless you walk around with tinfoil hats ever used a password over 20 characters?

[Virchanza]

Not to boast or anything, but one of my e-mail passwords is 24 characters long, and it contains "non-words", or words you wouldn't find in an English dictionary.

[Barry]

As i said none of you take Moors law into consideration.

24 trillion years will be 23.44 billion years in as little as 15 years

Hell if the current trend keeps up we will have petabyte drives by 2016

And when have any of you unless you walk around with tinfoil hats ever used a password over 20 characters?

Mine is the maximum length that was randomly generated by a web site. Putting it into the laptops isn't so bad, but typing it into my phone and iPod was a bitch!

I'm sure in a few years they'll have made a better encryption method anyway. So really this will do until then.

[cool_recep]

Thanks everybody for your efforts.

I am really convinced that this is impossible

I will wait for the GT300 series since they say that it will have MIMP technology which enables those cards to process more threads at a time.

[thorin]

I like it!

These calcs are just as fun as pointing out to people their lack of understanding around generating and storing dictionary files (which we all know I love to do ).

And when have any of you unless you walk around with tinfoil hats ever used a password over 20 characters?

My WPA2 key is 63 characters (though I don't have it memorized) does that count?