FlyerTalk Forums - View Single Post - Password "security" ?
Old Jan 24, 2016 | 7:48 pm
  #46  
nkedel
Originally Posted by antichef
That helps, thanks ^

Since we are really talking about an offline brute force cracking, it presumably means that length and mixed character types are the only things that will take time and slow up the attacker? Hence my query about 20 letters, so that
!1234567890.Abcdefgh is a magnitude smaller than !1234567890.Abcdefghi
and therefore much less secure?

I am really trying to gauge how long it will hold back the attacker so that changes could be made if the hack became public!

In the end, people tend to follow particular patterns. The people who write cracking software take advantage of those -- it's not 100% brute force.

A lot depends on what they're trying to do; if the goal is to break as many passwords as possible out of a given file, they're going to go for the low-hanging fruit first -- in the worst case, if the idiots running the site didn't salt the hashes, they can just look at known hashes in the file (e.g. 286755fad04869ca523320acce0dc6a4 is the md5 hash of "password") and you've got probably the top 100 most common passwords just for looking them up.

Adding a letter always adds some entropy, but even there things are surprisingly predictable.
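The difference between unsalted and salted storage that the post describes, shown as an added example that is not part of the original post: a site operator's check of which stored hashes fall to a plain table lookup. The user names, the five-entry common-password list and the PBKDF2 parameters are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny stand-in for a "top N" common-password list.
COMMON = ["123456", "password", "qwerty", "letmein", "abc123"]

def md5_hex(pw: str) -> str:
    """Unsalted fast hash: the weak storage scheme the post describes."""
    return hashlib.md5(pw.encode()).hexdigest()

def salted_hash(pw: str, salt: bytes, rounds: int = 100_000) -> str:
    """Per-user salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, rounds).hex()

# Built once, and valid against every unsalted MD5 file anywhere.
LOOKUP = {md5_hex(p): p for p in COMMON}

def exposed_by_lookup(hashes: dict) -> dict:
    """Users whose stored hash appears verbatim in the precomputed table."""
    return {u: LOOKUP[h] for u, h in hashes.items() if h in LOOKUP}

def build_stores(users: dict):
    """Store the same accounts under both schemes for comparison."""
    unsalted = {u: md5_hex(p) for u, p in users.items()}
    salted = {}
    for u, p in users.items():
        salt = os.urandom(16)            # fresh random salt per account
        salted[u] = (salt, salted_hash(p, salt))
    return unsalted, salted

def verify(salted: dict, user: str, candidate: str) -> bool:
    """Login check against the salted store, in constant time."""
    salt, stored = salted[user]
    return hmac.compare_digest(stored, salted_hash(candidate, salt))

if __name__ == "__main__":
    users = {"alice": "password", "bob": "password",
             "carol": "!1234567890.Abcdefgh"}   # constructed accounts
    unsalted, salted = build_stores(users)
    print("unsalted, found by lookup:", exposed_by_lookup(unsalted))
    print("identical unsalted hashes:", unsalted["alice"] == unsalted["bob"])
    only_hashes = {u: h for u, (_, h) in salted.items()}
    print("salted, found by lookup:  ", exposed_by_lookup(only_hashes))
    print("identical salted hashes:  ", salted["alice"][1] == salted["bob"][1])
```

With salts, the shared table is useless and two users with the same password no longer share a hash, so each account has to be attacked separately at the KDF's cost per guess.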