Crypticide III(a): Number of passwords

Due to time constraints, I am going to have to split this week’s Crypticide posting into two parts – I have a lot going on at work, and this weekend likewise, so I will cut down to the meat of the matter and then dress it up with some finesse in the next few days.

As I implied in Crypticide I, my attempt to kill the Unix crypt() algorithm has been going on for over 13 years now. A few more weeks won’t make much difference.

So, consider the figure of roughly 6.7 quadrillion (6.7 × 10^15; not “6.7 trillion”, which understates it by three orders of magnitude) as computed here:


1+95^1+95^2+95^3+95^4+95^5+95^6+95^7+95^8 =
6,704,780,954,517,121 decimal =
17,d1f6,7717,3e81 hex =
10111,11010001,11110110,01110111,00010111,00111110,10000001 binary

…the number is 53 bits wide, so it occupies 7 bytes; it fits comfortably within a 64-bit word, leaving 11 bits spare (a full byte and then some) to play with for other encoding purposes.

Alas, that is the number of plaintext passwords of length zero to eight that we computed last week, on the assumption that they are built from the 95 printable characters of 7-bit ASCII (0x20, space, through 0x7E, tilde). As previously stated, I recognise that it is no longer a cast-iron certainty that people’s passwords are entirely composed of 7-bit ASCII, but it’s a pretty good assumption for a significant portion of the world’s computing userbase.

In short: it’s a good enough assumption that it can bite, painfully.

Now: let’s think around some of the implications of this math.

First, think of this in terms of storage requirements. In calculating how many passwords exist (roughly 6.7 × 10^15) we have also (excluding any metadata or per-entry delimiters) computed approximately how much storage is needed to create a dictionary that contains every possible password, at one byte per character:

95^0 = 1 (one, zero-length password; it contributes no bytes of content, so it drops out of the sum below, or special-case it)
95^1 = 95 (95, 1-char passwords, 95 bytes)
95^2 = 9025 (9025, 2-char passwords, (9025*2) bytes = 18050 bytes)

So, following that math:

((95^1)*1)+((95^2)*2)+((95^3)*3)+((95^4)*4)+((95^5)*5)+((95^6)*6)+((95^7)*7)+((95^8)*8)
53,566,920,179,174,020

which is this much storage:

53566920179174020 / (1024^4)
48,718

About 49,000 TiB, which is roughly 54 petabytes in the decimal units a storage vendor would quote, and that is before spending a delimiter byte on each of the 6.7 × 10^15 entries. That sounds like an awful lot, doesn’t it? Enough to be secure even in this day and age?

The thing is, you don’t need to do that. More later.

For those of you who want to experiment with the maths, I recommend use of the Unix arbitrary precision calculator /usr/bin/bc as available on most Unix flavours; I am writing this article on an Apple iBook and am using bc with its ibase and obase converters to produce most of the maths for this series of articles, and pasting the computation directly into the window, merely adding commas for clarity. Hopefully this should reduce the risk of typos, etc., going unspotted.
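The same sums as a script, added here as an example rather than taken from the original post: Python instead of bc, since its integers are also arbitrary precision and the file runs unmodified on any machine with Python 3. The constant and function names (PRINTABLE_ASCII, MAX_LEN, keyspace, storage_bytes and the rest) are the editor’s, not the author’s; the 95 and 8 are the article’s own assumptions. The functions generalise the two computations above to any alphabet size and maximum length, and add the checks a practitioner would want: the geometric-series closed form as a cross-check on the count, its bit width against a 64-bit word, integer TiB (as bc’s truncating division gives) next to decimal PB, and the cost of the newline a real wordlist pays per entry.

```python
# Added example, not the post's own code: the keyspace and storage sums from
# the article for any alphabet size and maximum length. The 95/8 constants
# below are the article's assumptions (printable 7-bit ASCII, crypt(3)'s
# eight significant characters); the function names are the editor's.

PRINTABLE_ASCII = 95  # printable 7-bit ASCII, 0x20 (space) .. 0x7E (~)
MAX_LEN = 8           # crypt(3) only looks at the first 8 characters


def keyspace(alphabet: int, max_len: int) -> int:
    """Number of distinct passwords of length 0..max_len over `alphabet` symbols.

    Computed as sum(alphabet**k for k in 0..max_len) and cross-checked against
    the closed form of the geometric series, (alphabet**(max_len+1) - 1) / (alphabet - 1).
    """
    total = sum(alphabet ** k for k in range(max_len + 1))
    if alphabet > 1 and total != (alphabet ** (max_len + 1) - 1) // (alphabet - 1):
        raise ArithmeticError("geometric-series cross-check failed")
    return total


def storage_bytes(alphabet: int, max_len: int, delimiter_bytes: int = 0) -> int:
    """Bytes needed to write every password out once, with no metadata.

    A k-character password costs k bytes (one byte per 7-bit ASCII character),
    so the zero-length password costs nothing. A real wordlist also needs a
    terminator per entry, e.g. delimiter_bytes=1 for a newline-separated file;
    the article's figure is the delimiter_bytes=0 case.
    """
    content = sum(k * alphabet ** k for k in range(1, max_len + 1))
    return content + delimiter_bytes * keyspace(alphabet, max_len)


def spare_bits(value: int, word_bits: int = 64) -> int:
    """High bits left unused when `value` is stored in a `word_bits`-wide word."""
    if value.bit_length() > word_bits:
        raise OverflowError(f"{value.bit_length()} bits do not fit in {word_bits}")
    return word_bits - value.bit_length()


def tebibytes(nbytes: int) -> int:
    """Whole TiB (1024**4 bytes), matching bc's truncating integer division."""
    return nbytes // 1024 ** 4


def petabytes(nbytes: int) -> float:
    """Decimal petabytes (10**15 bytes), the unit a storage vendor would quote."""
    return nbytes / 10 ** 15


if __name__ == "__main__":
    n = keyspace(PRINTABLE_ASCII, MAX_LEN)
    print(f"passwords:      {n:,} = {n:#x} ({n.bit_length()} bits, "
          f"{spare_bits(n)} spare in a 64-bit word)")
    packed = storage_bytes(PRINTABLE_ASCII, MAX_LEN)
    print(f"packed bytes:   {packed:,} = {tebibytes(packed):,} TiB "
          f"~ {petabytes(packed):.1f} PB")
    with_nl = storage_bytes(PRINTABLE_ASCII, MAX_LEN, delimiter_bytes=1)
    print(f"newline-separated wordlist: {with_nl:,} bytes "
          f"~ {petabytes(with_nl):.1f} PB")
    # The top term dominates: the 8-character passwords alone are about 99% of it.
    top = MAX_LEN * PRINTABLE_ASCII ** MAX_LEN
    print(f"8-char share:   {100 * top / packed:.1f}%")
```

Running it reproduces the two numbers in the post (6,704,780,954,517,121 passwords, 0x17d1f677173e81, 53 bits; 53,566,920,179,174,020 bytes, 48,718 TiB) and shows that the longest passwords account for almost all of the storage, which is why the 8-character term is the one that matters in any estimate like this.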

Crypticide Project RSS: [www.crypticide.com]
