Page 1047 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
36 days
15 characters (13 lowercase letters, 1 uppercase, 1 number): About 1,753 years
As processors get better and cheaper, it will be easier for attackers to cluster more processors into a single system. This allows the systems to try more passwords per second, reducing the amount of time it takes to crack longer passwords.
With enough time, attackers can discover any hashed password using an offline brute-force attack. However, longer passwords result in sufficiently longer times, making it infeasible for attackers to crack them.
Birthday Attack
A birthday attack focuses on finding collisions. Its name comes from a statistical phenomenon known as the birthday paradox. The birthday paradox states that if there are 23 people in a room, there is a 50 percent chance that any two of them will have the same birthday. This is not the same year, but instead the same month and day, such as March 30.
With February 29 in a leap year, there are only 366 possible days in a year. With 367 people in a room, you have a 100 percent chance of getting at least two people with the same birthday. Reduce this to only 23 people in the room, and you still have a 50 percent chance that any two have the same birthday.
This is similar to finding any two passwords with the same hash. If a hashing function could only create 366 different hashes, then an attacker with a sample of only 23 hashes has a 50 percent chance of discovering two passwords that create the same hash. Hashing algorithms can create many more than 366 different hashes, but the point is that the birthday attack method doesn't need all possible hashes to see a match.
From another perspective, imagine that you are one of the people in