If that were brute force the only thing that would matter would be length. The character complication of the password is irrelevant to its strength against brute force.
e:
Every single one of you is ignoring the first five words of this reply and it's fucking annoying. The context is brute force, any other method is irrelevant as any other method is not brute force.
If that were brute force the only thing that would matter would be length. The character complication of the password is irrelevant to its strength against brute force.
Wrong. The extra class of characters adds more combinations. For example, an 8 character password of just lowercase letters = 26^8. Add in uppercase and you get 52^8. It's the difference between 5 seconds and 22 minutes per the chart.
None of what you stated makes any difference to what I said.
Yes it adds more complication, but it adds more complication to every length password. So to get to 123456789 you would have to test every 8 length password combination with this new class of characters.
The literal ONLY thing that matters with respect to brute force is password length. That's it.
None of what you stated makes any difference to what I said.
You're fucking retarded. I gave you basic math that matches the chart that shows it is using brute force to come up with the numbers. You were wrong. That is all.
One does not brute force everything one character after the other. First you do a dictionary attack. Then a number attack, then a lowercase letter attack. With some stepping to vary approaches as length increases.
Just add a second or so to each login attempt. This is already done by bcrypt, luks and probably most other sane systems that are also "timing attack" safe (research.kudelskisecurity.com).
This works for remote systems. Once you have local access, or the hashed database, all bets are off.
first you do these series of attacks that aren't brute force
Did you even read my post?
If that were brute force
Five words in and the context is set. "brute force".
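The keyspace arithmetic argued over in this thread, as an added example that is not part of any post: it derives the guess rate implied by the quoted "5 seconds" for 8 lowercase characters and applies it to other character classes and lengths. The class sizes beyond 26 and 52, the lengths 9 and 10, and all function names are assumptions made for the illustration.

```python
import math

# Character-class sizes. 26 and 52 are the figures used in the thread;
# the 62-character class is an assumption added for comparison.
CLASSES = {"lower": 26, "lower+upper": 52, "lower+upper+digits": 62}


def keyspace(charset_size: int, length: int) -> int:
    """Candidates of exactly `length` characters: charset_size ** length."""
    return charset_size ** length


def exhaustive_guesses(charset_size: int, max_length: int) -> int:
    """Candidates tried when every length from 1 to max_length is searched."""
    return sum(keyspace(charset_size, n) for n in range(1, max_length + 1))


def entropy_bits(charset_size: int, length: int) -> float:
    """log2 of the keyspace, valid for a uniformly random password."""
    return length * math.log2(charset_size)


def implied_rate(charset_size: int, length: int, seconds: float) -> float:
    """Guesses per second implied by a quoted time to exhaust one keyspace."""
    return keyspace(charset_size, length) / seconds


def seconds_to_exhaust(charset_size: int, length: int, rate: float) -> float:
    """Worst-case time to try every candidate of one length at `rate`."""
    return keyspace(charset_size, length) / rate


def table(rate: float, lengths=(8, 9, 10)):
    """Rows of (class name, length, entropy bits, worst-case seconds)."""
    return [
        (name, n, round(entropy_bits(size, n), 1), seconds_to_exhaust(size, n, rate))
        for name, size in CLASSES.items()
        for n in lengths
    ]


if __name__ == "__main__":
    # Rate implied by "5 seconds" for 8 lowercase characters.
    rate = implied_rate(26, 8, 5.0)
    for name, n, bits, secs in table(rate):
        print(f"{name:20} len={n:2} {bits:5.1f} bits {secs:16.0f} s")
```

At the implied rate, 52^8 takes 1280 seconds (about 21 minutes). One extra lowercase character multiplies the keyspace by 26, while doubling the character set at length 8 multiplies it by 2^8 = 256.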