Darren points to a great article over on Coding Horror (Jeff Atwood) about the folly of trying to brute-force attack keys. While I agree that this is true, especially for keys, I would like to point out that this is not true for relatively short passwords. For example, if someone gave me a SHA1 hashed password my laptop would probably be able to crack it in about three or four days (assuming a six character alphanumeric password, which lots of websites use these days). If I had a network of a thousand or so machines I could have the answer in about five minutes.

Mind you, I’d first have to get my hands on an unsalted password to commence the attack, which means I would have had to punch a hole through into someone's data centre to rip the password out of their database. It would normally be easier to mug someone to steal their credit card :P
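
The arithmetic behind those estimates, and what a per-user salt plus an iterated hash changes, as an added example that is not code from the original post. The guess rate, the PBKDF2 iteration count, the sample password and all function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import string

ALPHABET = string.ascii_letters + string.digits  # 62 alphanumeric symbols
ASSUMED_RATE = 190_000   # assumed SHA-1 guesses/second for one laptop (not from the post)
ITERATIONS = 100_000     # assumed PBKDF2 work factor for the salted scheme


def keyspace(length, alphabet_size=len(ALPHABET)):
    """Number of candidate passwords of exactly `length` characters."""
    return alphabet_size ** length


def worst_case_days(length, guesses_per_second, work_factor=1):
    """Days to try every candidate; `work_factor` scales the cost of one guess.
    Simplification: one PBKDF2 iteration is costed like one SHA-1 call."""
    return keyspace(length) * work_factor / guesses_per_second / 86_400


def unsalted_sha1(password):
    """The weak scheme from the post: same password, same hash, everywhere."""
    return hashlib.sha1(password.encode()).hexdigest()


def new_record(password, iterations=ITERATIONS):
    """Salted, iterated storage: a fresh random salt per user."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify(password, record):
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    print(f"6-char keyspace: {keyspace(6):,}")
    print(f"one laptop, SHA-1: {worst_case_days(6, ASSUMED_RATE):.1f} days")
    print(f"1000 machines, SHA-1: {worst_case_days(6, ASSUMED_RATE * 1000) * 1440:.1f} minutes")
    print(f"1000 machines, PBKDF2: {worst_case_days(6, ASSUMED_RATE * 1000, ITERATIONS):.0f} days")
    a, b = new_record("abc123"), new_record("abc123")  # constructed sample password
    print("unsalted hashes equal:", unsalted_sha1("abc123") == unsalted_sha1("abc123"))
    print("salted digests equal:", a[2] == b[2], "| verifies:", verify("abc123", a))
```

With the assumed rate, the unsalted SHA-1 figures land in the same range as the estimates above, while the iterated hash multiplies the cost of every guess and the salt forces that work to be repeated per account.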