Question

Consider a system that uses a 32-bit unique salt where users have a 4-digit number as a password (e.g. 6813). Eve wants to crack the accounts of two users, Alice and Bob. Eve performs an online attack, and is able to guess 1 password per second, though there is no lockout after guessing too many times. In the worst case, in seconds, how long will it take Eve to crack both Alice's and Bob's accounts

Answer 1

5 hr. 33 min. 20 sec.

Step-by-step explanation:

Let P₁ be the number of possible passwords Alice can choose

Let P₂ be the number of possible passwords Bob can choose

In a 4 digit password, since the passwords are made up of 10 digits from 0 to 9, therefore the user can choose:

P₁ = 10⁴ = 10000

P₂ = 10⁴ = 10000

The total number of possible passwords combinations that both Alice and Bob can choose is therefore P₁ + P₂ = 10000 + 10000 = 20000.

If Eve performs an online attack and is able to guess 1 password per second.

Eve is therefore able to crack both Alice's and Bob's accounts in:

1 × 20000 = 20000 seconds

Converting 20000 seconds to hours, minutes and seconds will give 5 hr. 33 min. 20 sec.

Eve is able to crack both Alice's and Bob's accounts in 5 hr. 33 min. 20 sec.

Answer 2

18000 seconds or 300 minutes.

Step-by-step explanation:

In the example given in the question, it is stated that the system uses 32-bit unique salt which is equal to 4 bytes where every digit takes up 1 byte thus forming the 4 digit passwords.

Considering that the passwords are 4 digits, starting from 1000 and up to 9999, there are 9000 possible password combinations.

If Eve has to go through the whole range of possible password combinations and it takes her 1 second to guess 1 password. Then in the worst case scenario, it would take her 18000 seconds or 300 minutes to crack both accounts, assuming that it is possible for them to use the same passwords.

I hope this answer helps.