Calculate the timing of password-guessing attacks:
What will be an ideal response?
(a) If passwords are three uppercase alphabetic characters long, how much time would it take to determine a particular password, assuming that testing an individual password requires 5 seconds? How much time if testing requires 0.001 seconds?
(b) Argue for a particular amount of time as the starting point for “secure.” That is, suppose an attacker plans to use a brute-force attack to determine a password. For what value of x (the total amount of time to try as many passwords as necessary) would the attacker find this attack prohibitively long?
(c) If the cutoff between “insecure” and “secure” were x amount of time, how long would a secure password have to be? State and justify your assumptions regarding the character set from which the password is selected and the amount of time required to test a single password.
(d) 26 * 26 * 26 = 17,576 combinations. 17,576 * 5 seconds is 87,880 seconds, or a bit longer than 1 day. 17,576 * .001 seconds is 17.576 seconds, or less than 1 minute.
For access passwords (e.g., login information), the expected x must be greater than the frequency with which the password is changed. For accessing data (e.g., a password-protected file), the expected x must be greater than the anticipated useful lifetime of the data protected by the password.
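The arithmetic for part (a), extended to part (c), as an added example that is not part of the original answer. The 90-day change interval used as the cutoff x, the 95-character printable set, and the function names are assumptions chosen for illustration.

```python
from fractions import Fraction

UPPERCASE = 26         # character set from part (a)
PRINTABLE_ASCII = 95   # assumption: larger set, for comparison
X_90_DAYS = 90 * 86400 # assumption: cutoff x = a 90-day password change interval

def exhaust_seconds(charset_size, length, seconds_per_guess):
    """Worst-case time to test every password of exactly `length` characters."""
    # Fraction keeps 0.001 s exact, so near-boundary comparisons are reliable.
    return charset_size ** length * Fraction(str(seconds_per_guess))

def min_secure_length(charset_size, seconds_per_guess, x_seconds, average=False):
    """Smallest length whose brute-force time exceeds the cutoff x.

    average=False uses the full keyspace, as the answer above does;
    average=True assumes the password is found after half the keyspace.
    """
    if charset_size < 2 or Fraction(str(seconds_per_guess)) <= 0:
        raise ValueError("need at least 2 symbols and a positive test time")
    length = 1
    while True:
        t = exhaust_seconds(charset_size, length, seconds_per_guess)
        if average:
            t /= 2
        if t > x_seconds:
            return length
        length += 1

if __name__ == "__main__":
    # Part (a): 3 uppercase letters at 5 s and 0.001 s per test.
    for per_guess in (5, 0.001):
        secs = exhaust_seconds(UPPERCASE, 3, per_guess)
        print(f"(a) {per_guess} s/test: {float(secs):,.3f} s")
    # Part (c): minimum length for x = 90 days under different assumptions.
    for name, size in (("uppercase", UPPERCASE), ("printable", PRINTABLE_ASCII)):
        for per_guess in (5, 0.001):
            n = min_secure_length(size, per_guess, X_90_DAYS)
            print(f"(c) {name}, {per_guess} s/test: length >= {n}")
```
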