Most sites save/allow an 8 character password. Allowing alphanumerics and underscore, period and pound (_, ., #), that is 39^8, or 5,352,009,260,481 or about 5 trillion possible passwords. If you allow more than 8 characters, that number increases.

On Tue, 24 Jun 2003, Marco Tabini wrote:

> On Tue, 2003-06-24 at 09:36, JeRRy wrote:
> > Hi,
> >
> > Hmmm okay... So if the password was.
> >
> [snip]
>
> There are ways to avoid this. Typically, you can add a random token (or
> a salt) to the password before you calculate its checksum. This way, two
> users with the same password will have two different hashes.
>
> However, a brute-force approach as the one suggested is *not* quite as
> simple and powerful as it looks. Assuming that there are even just 62
> valid characters for the password (uppercase+lowercase+digits) to go
> over passwords as short as five characters you'd have to do 380,204,032
> iterations. Add one more digit and you're already up to 19,770,609,664.
> Sure, these are not insurmountable numbers, but they quickly add up with
> more and more characters (and I'm not even counting all the
> possibilities when it comes to making this more secure).
>
> Mt.
>
>
> --
> PHP Database Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>

---------------------------------------------------------------------------
Peter Beckman                                                  Internet Guy
beckman@purplecow.com                             http://www.purplecow.com/
---------------------------------------------------------------------------
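
The per-user salt described in the quoted message, as an added example that is not part of the original thread. The function names, the record layout, and the choice of PBKDF2-SHA256 with 100,000 iterations are assumptions of this example, not something either poster specified.

```php
<?php
// Added example: salted password storage. Names and parameters are hypothetical.
const ITERATIONS = 100000; // assumed work factor, slows each brute-force guess
const SALT_BYTES = 16;     // 128-bit random salt, unique per stored password

// Build the value to store in the database: "iterations$salt_hex$hash_hex".
function make_record(string $password): string
{
    $salt = random_bytes(SALT_BYTES); // fresh salt on every call
    $hash = hash_pbkdf2('sha256', $password, $salt, ITERATIONS, 0, true);
    return ITERATIONS . '$' . bin2hex($salt) . '$' . bin2hex($hash);
}

// Recompute the hash with the stored salt and compare in constant time.
function check_password(string $password, string $record): bool
{
    // Reject malformed records instead of feeding them to the hash function.
    $pattern = '/^([1-9]\d{0,6})\$([0-9a-f]{32})\$([0-9a-f]{64})$/';
    if (preg_match($pattern, $record, $m) !== 1) {
        return false;
    }
    $salt     = hex2bin($m[2]);
    $expected = hex2bin($m[3]);
    $actual   = hash_pbkdf2('sha256', $password, $salt, (int) $m[1], 0, true);
    return hash_equals($expected, $actual);
}

// Constructed sample data: two users who picked the same password.
$alice = make_record('s3cret_pw');
$bob   = make_record('s3cret_pw');

// Different salts give different stored values, so one cracked or
// precomputed hash does not reveal every account sharing that password.
var_dump($alice === $bob);                      // bool(false)
var_dump(check_password('s3cret_pw', $alice));  // bool(true)
var_dump(check_password('s3cret_pw', $bob));    // bool(true)
var_dump(check_password('wrong_pw', $alice));   // bool(false)
var_dump(check_password('s3cret_pw', 'junk'));  // bool(false)
```

In current PHP, `password_hash()` and `password_verify()` generate, store and check the salt for you, and are the simpler choice for new code.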