I'm still trying to find time between work and life to continue with personal projects, but by the time I get home I generally just want to veg. So my apologies for the lapse in posting. Tonight, however, I decided to build a Sequential Brute Force application for cracking passwords. Yes, yes, it all sounds very nefarious, but I only did it for fun and to test some benchmarks on my P.C.
For those unfamiliar, a Sequential Brute Force program basically iterates through every possible non-special character combination until it finds a match. Kind of like trying every combination of a Master Lock (I know you've tried this too!), but instead of dealing with just 0-9, which is a nice small range, passwords can generally be a-z and 0-9 giving us 35 possible characters. With longer passwords this is a less than ideal approach. For instance a 6 character password has 1,838,265,625 possible keys. Considering most security systems require at least 6-8 characters as the minimum, that value could be much, much higher. My computer took 31 minutes and 8 seconds to crack a 6 character password, while only 53 seconds for a 5 character password, and only 2 seconds for a 4 character password. A better solution would be to skip all possible 1 to 5 length combinations since they are very unlikely and just focus on the heavy end.
A more human approach to this problem would be to predict likely combinations. Social studies show that most people use passwords that are real words but with numerical characters tagged on the head or tail. Meaning a dictionary database with numerical variations might provide for faster results than testing each individual character, but it is hit or miss. It can only provide a set of 'common' keys. Brute force is the more thorough, but also more time intensive.
Both of these methods can be rendered useless by putting a maximum number on the amount of attempts allowed within a specific time before being locked out.
