in reply to Improve password solver

There are quite a few problems with your program/approach:

  1. 0-9, that isn't doing what you want.

  2. Next, you're doing way too much work.

     I modified your code a little to count the duplicates generated and on one example run I got this output:

         Guessing: Bk# Try # 288987
         Skipping *Ry - already attempt +ed
         Guessing: *Ry Try # 288988
         Skipping Try - already attempt +ed
         Guessing: @hY Try # 288991
         Skipping YrQ - already attempt +ed
         Guessing: YrQ Try # 288992
         Skipping WKM - already attempt +ed
         Guessing: WKM Try # 288993
         We found your password. It is pas! It took 213 seconds and 288994 tries (and 121500 duplicates).

     Your charset (taking the above faux pas into account) has 62 chars. For a 3-char password that gives just 238,328 possibilities. But you had to try 288,994 before you found it because you are generating duplicates.

  3. You will run out of space using a hash as a duplicates detection system.

     1. 3-chars * 62 := 238,328 possibilities.
     2. 4-chars * 62 := 14,776,336 possibilities. (That's already a big hash, but ... )
     3. 5-chars * 62 := 916,132,832 possibilities. (This one would require 32 Gigabytes ... )
     4. 6-chars * 62 := possibilities. (And this one would take 2 Terabytes!)

     You need to find another way to detect duplicates. And the easiest way to do that is to not generate them.

     Shuffling an array to create your passwords is highly inefficient, especially using a pure Perl shuffle.

Update: Besides, in the real world, the slow bit is not generating the possibilities--assuming you use sensible methods--it is testing each possibility. You obviously do not have the actual password to directly compare to (else you wouldn't need to do this:), so you have to inject the password into the application or remote interface (along with the account name or user id). That involves IO which means it will invariably take far longer than even the suckiest password generation algorithm.

Also, in the real world, any authentication mechanism that doesn't detect rapid and repeated failed login attempts should be justification for having the programmers ritually disembowelled in public with a rusty spoon! At the very least they should double the time before another attempt may be made to log in with each failure. And in this world, people being what they are, some relatively low limit on the number of consecutive failed attempts should lock out the password for human supervised verification and reset.


Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.
"Science is about questioning the status quo. Questioning authority".
In the absence of evidence, opinion is indistinguishable from prejudice.
RIP PCW
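The throttling the reply's update describes (doubling the wait after each consecutive failure, then locking the account for human reset) plus the keyspace arithmetic from the list above, as an added example in Python; this is not code from the thread, and the class, its method names and the injectable clock are assumptions for illustration.

```python
import time
from dataclasses import dataclass


def keyspace_size(charset_len: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` chars over a charset.

    With a 62-char alphabet and 3 chars this is 62**3 == 238,328, the figure
    the reply quotes; any generator that tries more than this is producing
    duplicates.
    """
    return charset_len ** length


@dataclass
class _AccountState:
    failures: int = 0          # consecutive failed attempts
    next_allowed: float = 0.0  # earliest time another attempt is accepted
    locked: bool = False       # needs human-supervised reset


class LoginThrottle:
    """Per-account back-off: wait doubles after every failure, lock after a limit.

    The password is not evaluated while the back-off is active, so an early
    retry learns nothing about whether its guess was right.
    """

    def __init__(self, base_delay: float = 1.0, max_failures: int = 5,
                 clock=time.monotonic):
        self.base_delay = base_delay
        self.max_failures = max_failures
        self.clock = clock           # injectable for deterministic tests
        self.state: dict[str, _AccountState] = {}

    def attempt(self, account: str, password_ok: bool) -> str:
        st = self.state.setdefault(account, _AccountState())
        now = self.clock()
        if st.locked:
            return "locked"
        if now < st.next_allowed:
            return "too_early"   # rejected before the credential is checked
        if password_ok:
            st.failures, st.next_allowed = 0, 0.0
            return "ok"
        st.failures += 1
        if st.failures >= self.max_failures:
            st.locked = True
            return "locked"
        # 1st failure waits base_delay, 2nd waits 2x, 3rd waits 4x, ...
        st.next_allowed = now + self.base_delay * 2 ** (st.failures - 1)
        return "denied"

    def reset(self, account: str) -> None:
        """Human-supervised unlock: clears the counter and the lock."""
        self.state.pop(account, None)
```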