[wp-trac] [WordPress Trac] #31772: Browser unresponsive with long password
WordPress Trac
noreply at wordpress.org
Mon Mar 30 03:01:32 UTC 2015
#31772: Browser unresponsive with long password
--------------------------+--------------------------------------
Reporter: BevanR | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Users | Version: 3.7
Severity: normal | Resolution:
Keywords: has-patch | Focuses: javascript, performance
--------------------------+--------------------------------------
Comment (by BevanR):
If building a rainbow table for the purpose of hacking password data, one
would probably not build it from every possible character combination, but
from a dictionary of common password words. As a pessimistic example,
let's assume the following are true;
- The dictionary has only 1000 words.
- The first word is "0000", the default pin for many devices.
- The rainbow table is built from each of the 1000 words, then every
2-word combination of the 1000 words, then every 3 word combination, etc.
up to combinations of at least 8 words.
- The hacker has access to a botnet of a million devices.
- Each device makes an average of a billion comparisons per second.
- The rainbow table already exists.
- Data transfer time is negligible.
Therefore;
- The botnet can make 10^15^ comparisons per second.
- The index in the rainbow table of "0000" repeated 8 times (32
characters) would be a bit over 10^21^
(1000+10^2×3^+10^3×3^+10^4×3^+...10^7×3^).
- "0" repeated 32 times will be identified as the password after 10^6^
clock seconds—on the twelfth day.
Of course this is pessimistic. But I think it may still be realistic.
I am not saying that we should check passwords that are 32 characters
long. I just think we need to consider both optimistic and pessimistic
scenarios.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/31772#comment:13>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
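The estimate in the comment above, worked through as an added example (not part of the ticket and not WordPress code): it ranks a password within the enumeration the comment describes (all 1-word guesses, then all 2-word guesses, and so on) and converts that rank to botnet time. It generalizes to any password that splits into dictionary words. Only the 1000-word size, "0000" as the first word and the 10^15 comparisons per second come from the comment; the placeholder words `w001` to `w999` and all function names are constructed.

```javascript
const N = 1000n;                 // dictionary size, from the comment
const BOTNET_RATE = 10n ** 15n;  // 10^6 devices x 10^9 comparisons/s, from the comment

// Constructed dictionary: "0000" first (as in the comment), then placeholders.
function buildDictionary() {
  const index = new Map([["0000", 0n]]);
  for (let i = 1n; i < N; i++) index.set("w" + String(i).padStart(3, "0"), i);
  return index;
}

// Finds the split into dictionary words that is enumerated first:
// fewest words, then smallest base-N value of the word indices.
// Returns { words, value } or null when the password is not a word sequence.
function earliestSegmentation(password, index) {
  const best = new Array(password.length + 1).fill(null);
  best[0] = { words: 0, value: 0n };
  for (let end = 1; end <= password.length; end++) {
    for (let start = 0; start < end; start++) {
      const prev = best[start];
      const idx = index.get(password.slice(start, end));
      if (prev === null || idx === undefined) continue;
      const cand = { words: prev.words + 1, value: prev.value * N + idx };
      const cur = best[end];
      if (cur === null || cand.words < cur.words ||
          (cand.words === cur.words && cand.value < cur.value)) best[end] = cand;
    }
  }
  return best[password.length];
}

// 1-based position of the guess: every shorter word sequence comes first
// (N + N^2 + ... + N^(words-1)), then the offset inside its own length class.
function guessPosition(seg) {
  let shorter = 0n;
  for (let k = 1; k < seg.words; k++) shorter += N ** BigInt(k);
  return shorter + seg.value + 1n;
}

// Whole seconds (rounded up) and the calendar day on which the guess is reached.
function dayReached(position, rate = BOTNET_RATE) {
  const seconds = (position + rate - 1n) / rate;
  return { seconds, day: Number((seconds + 86399n) / 86400n) };
}
```

For "0" repeated 32 times this gives a position just over 10^21, about 10^6 seconds and day 12, which matches the figures in the comment.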