Originally Posted by Boyboyd
Doesn't problem difficulty increase exponentially with each character? Or did I just hallucinate that?
The exponent is based on the length of the password. If there are 100 possible characters (26 uppercase, 26 lowercase, 10 numerals, and ~28 specials), then there are 100 possible answers to a one-digit password. A two-digit password would have 100^2 combinations, or ten thousand possible answers. A four-digit password would have 100^4, or 100 million possible combinations.
If it takes 7 hours to crack a 7-digit password, a 10-digit password should take (7 * [100^(10-7)] = ) seven million hours -- just over 799 years. And a 16-digit password would take almost 800 quadrillion years -- roughly 57,000 times the current age of the universe.
Originally Posted by EvanPitts
Of course, this is more easily solved by some low-tech practices - like slowing down the process of entering a password, and chucking the connection if a password is entered incorrectly three times in a row. If a system allows thousands or tens of thousands of attempts per second, multiplied by hundreds or thousands of connection points - brute force attempts are entirely capable of breaking even the strongest passwords. This, however, is not really breaking or cracking, but rather, using every possible random combination until one works.
Three attempts in a second, then a five-second pause, would do great damage to those that attempt brute force entries - even the fanciest, multiple GPU with the nastiest code would yield defeat unless it was spectacularly lucky to strike gold.
I don't think any human will ever need three connection attempts in a second. You could slow those attempts down to once every 2-3 seconds and no legitimate user would notice.
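An added example, not part of any post in this thread: a minimal login throttle implementing the "three attempts, then a five second pause" rule discussed above, with a simulation of how many guesses it actually lets through. The class and function names and the account name "alice" are assumptions made for illustration; counters are keyed by account rather than by connection, so attempts arriving over many connections share the same budget.

```python
import time

class LoginThrottle:
    """Per-account limiter: `burst` failed logins in a row trigger a `pause`-second block."""

    def __init__(self, burst=3, pause=5, clock=time.monotonic):
        self.burst, self.pause, self.clock = burst, pause, clock
        self.failures = {}       # account -> consecutive failed attempts
        self.blocked_until = {}  # account -> clock value at which the block ends

    def allowed(self, account):
        return self.clock() >= self.blocked_until.get(account, 0)

    def record(self, account, success):
        if success:
            self.failures.pop(account, None)  # a good login resets the counter
            return
        count = self.failures.get(account, 0) + 1
        if count >= self.burst:
            self.blocked_until[account] = self.clock() + self.pause
            count = 0
        self.failures[account] = count

def keyspace(alphabet_size, length):
    """Number of possible passwords: alphabet_size ** length."""
    return alphabet_size ** length

def checked_guesses(seconds, offered_per_second, burst=3, pause=5):
    """Offer wrong guesses at a fixed rate; return how many the server actually checks."""
    now = [0]  # simulated clock, in whole seconds
    throttle = LoginThrottle(burst, pause, clock=lambda: now[0])
    checked = 0
    for second in range(seconds):
        now[0] = second
        for _ in range(offered_per_second):
            if throttle.allowed("alice"):  # constructed account name
                throttle.record("alice", success=False)
                checked += 1
    return checked

def years_to_exhaust(alphabet_size, length, guesses_per_second):
    """Worst-case time to try every password at the given effective rate."""
    return keyspace(alphabet_size, length) / guesses_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    rate = checked_guesses(60, 10_000) / 60  # effective guesses per second
    print(f"effective rate: {rate} guesses/s")
    print(f"4 characters, 100 symbols: {years_to_exhaust(100, 4, rate):.1f} years")
```

However many guesses per second are offered, the throttle caps the checked rate at 3 per 5 seconds, which is what stretches even a four-character keyspace to years.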