undefined | Better HN

0 pointsmlyle4y ago0 comments

In passwordle, the input is a 14 character password made up of letters, numbers, and punctuation, chosen with some bias. There's less than 92 bits of entropy (the bias shaves off a few bits of effective entropy but I'm too lazy to calculate it).

That is-- out of the range of current brute force, but if it were just a few characters shorter, it could be attacked with this oracle technique no problem.

0 comments

selestify4y ago

How would the oracle technique help at all? Like the other commenter said, they could just give you the hash upfront, and you'd still be stuck with bruteforcing the entire space of characters.

mlyleOP4y ago

> How would the oracle technique help at all?

If they give you the hash upfront (or this oracle), you can test passwords offline without using up a limited number of guesses. It may be very computationally expensive to brute force the space, but the information is there.

If they don't, you get 10 guesses, and you have effectively no chance of guessing the password.

selestify4y ago

Ah, I see what you mean. Yes, if you don't even have the entire hash, you're kind of out of luck.

> It may be very computationally expensive to brute force the space, but the information is there.

If the password is long enough, it will take longer than the heat death of the universe to brute force the space. So in practice, brute forcing secure passwords might as well be impossible.

1 more reply

j / k navigate · click thread line to collapse

0 pointsmlyle4y ago0 comments

That is-- out of the range of current brute force, but if it were just a few characters shorter, it could be attacked with this oracle technique no problem.

0 comments

selestify4y ago

How would the oracle technique help at all? Like the other commenter said, they could just give you the hash upfront, and you'd still be stuck with bruteforcing the entire space of characters.

mlyleOP4y ago

> How would the oracle technique help at all?

If they don't, you get 10 guesses, and you have effectively no chance of guessing the password.

selestify4y ago

Ah, I see what you mean. Yes, if you don't even have the entire hash, you're kind of out of luck.

> It may be very computationally expensive to brute force the space, but the information is there.

If the password is long enough, it will take longer than the heat death of the universe to brute force the space. So in practice, brute forcing secure passwords might as well be impossible.

1 more reply

j / k navigate · click thread line to collapse