Cracking Passwords
Suppose that a hacker has stolen a company’s SQLite database, inside of which is a table with hashes of users’ passwords, including your own.
And suppose that each password has been hashed with generate_password_hash
and can be checked against a non-hashed password with check_password_hash
, as in Problem Set 9.
-
(3 points.) Suppose that your password (foolishly!) happens to be an English word and that the hacker knows that. Assuming the hacker has a dictionary of English words, as from Problem Set 5, the hacker could try to “crack” (i.e., figure out) your password by writing a program that iterates over that dictionary, comparing each word therein against the stolen hash of your password, using
check_password_hash
until it returnsTrue
. Assuming there are n English words in the dictionary, what’s the running time of the adversary’s algorithm, using big-O notation? In no more than three sentences, why? -
(4 points.) Suppose that your password happens to be an English word to which you’ve concatenated an additional ASCII character, so that your password is no longer an English word, and that the hacker knows that but still has access to that same dictionary. In no more than three sentences and/or pseudocode, how would the hacker’s algorithm need to change, and what would be its new running time, using big-O notation? In no more than three sentences, why?
-
(4 points.) Suppose that your password happens to be two English words (separated by a space) and that the hacker knows that. In no more than three sentences and/or pseudocode, how would the hacker’s algorithm need to change, and what would be its new running time, using big-O notation? In no more than three sentences, why?
-
(3 points.) Suppose that your password happens to be a random sequence of n decimal digits and that the hacker knows that. Using big-O notation, what would be the running time of an algorithm that tries to crack that password of yours via “brute force,” by trying all possible sequences? In no more than three sentences, why?