Question

Given the following password generator:
● |Σ| = 94 (the printable characters on a US keyboard)
● |k| = 7
● Assume that the password generated is a random arrangement of k characters from Σ

a) What is the entropy of a password generated by this system (show your work)?
b) Assume an attacker has the hash and seed for a password generated by this system. The attacker also has a computer that can generate 10¹⁰ hashes per second. How long (in seconds,
hours, days, or years) will it take the attacker to find the password?

Answer 1

Generating a password with same characters is bit easy to crack, whereas generating a password containing alphabets, digits and symbols makes it difficult to crack it.

_________________________________________________________________________

a) Entropy of a password defines how much difficult it is to predict and crack the password.

    Here's the formula to calculate the Entropy,

• Entropy (E) =|K| * log₂(), where |K| is the length of the password and is the number of printable characters in the US keyboard.
• We have |K| = 7 and = 94
• Number of available characters ^ length of the password, gives the total possible combination of the password.
• ^|K| = 94^7
• 94^7 = 64,847,759,419,264 possible combinations of the password.
• Entropy (E) = 7 * log₂(94)
• log₂(94) = 6.554588852
• Let's round off the value to one decimal place, therefore log₂(94) = 6.5
• 6.5 is the value of entropy per character
• Now, Entropy (E) = 7 * 6.5 , where 7 is the length of the password
• Entropy (E) = 45.5

_________________________________________________________________________

b) Hashing is a technique used to shorten the length of a data, it is similar to encryption but it is a one way encryption.

• Hashing the password creates a new random string for that password, which can be used to store it in a memory.
• If we create a username and password to signup into a system/website. a hash for our password will be created and it will be stored in the memory. Our actual password will not be stored in the memory.
• Next time if we enter the password to login to a system, the system generates a hash for the password we have entered and the system checks the newly generated hash with the already stored hash in its memory.
• If both the hashes successfully matches, then we gain access to the system, else we have to try again.
• Hashing a password ensures the safety of the password, even if a attacker gets the hash, it is nearly difficult to get back the

Calculation the time taken to crack the password:

• Number of available characters ^ length of the password, gives the total possible combination of the password.
• 94^7 = 64,847,759,419,264 possible combinations of the password.
• The attacker has to hash all these 64,847,759,419,264 possible combinations of the password to match with the hash value he already have with him.
• He adds the seed to each possible combination of the password to get the hash.
• The seed is a 'salt' which is added to the actual password to create the hash value.
• As he can generate 10¹⁰ hashes per second, and we there is 64,847,759,419,264 combination of hashes to check with, it roughly takes long years.
• 10¹⁰ = 10000000000
• 10000000000 x 60(seconds) = 600000000000 generated hashes per minute
• 600000000000 x 60(minutes) = 36,000,000,000,000 generated hashes per hour
• 64,847,759,419,264 / 36,000,000,000,000 = 1 hr 48 minutes
• It takes 1 hr and 48 minutes to find the password.

_________________________________________________________________________

We were unable to transcribe this image

We were unable to transcribe this image

We were unable to transcribe this image

We were unable to transcribe this image

We were unable to transcribe this image

We were unable to transcribe this image

We were unable to transcribe this image

We were unable to transcribe this image

We were unable to transcribe this image

We were unable to transcribe this image