Question

Suppose that Bob’s first, cheaply built online business webserver allowed cyber attackers to attempt 1000 passwords per second, but its authentication system makes the user wait 2 seconds after each 5 attempts. Calculate the amount of time required for the attacker to guarantee revealing a password of four digits. Each digit can be 0 through 9

Answer 1

Since the range of 4 digit password is from 0000 to 9999. So there are 10000 possible passwords.

So to guarantee revealing the correct password, total 10000 attempts are required in worst case.

Now as per question, although webserver allowed cyber attackers to attempt 1000 password per second, so to attempt 10000 password, just 10000/1000 = 10 seconds is required.

But after every 5 attempt there is delay of 2 seconds.

So, out of 10000 attempts, total number of chunks of 5 attempts = 10000/5 = 2000 chunks.

Since one chunk of 5 attempts cause delay of 2 seconds, so 2000 chunks of 5 attempts will cause delay = 2000*5 = 10000 seconds

So, total amount of time required = time to attempt 10000 passwords + delay associated with 2000 chunks of 5 attempts each = 10000 + 10 = 10010 seconds.

Please comment for any clarification.