“You may enter any of ~128 characters as part of a possible password. That gives you the “one in a million” chance of guessing a 3-character password as you suggested. Thing is, most people (given the choice) will only use lowercase letters ... a search space of just 17,576 combinations, which means (in your 1 day halt after 10 bad guesses example) an average of 2.4 years to find the right key, vs your touted 300 years.”
That would be a really stupid security system and the guy that designed it should be fired on the spot.
Obviously anyone in cybersecurity can do that calculation a priori. So if he’s designing a password security system, why would he limit it to 3 characters, and why not force the user to use more than just lower case letters?
If I was designing that system I would only allow passwords of say 8 or more characters and they had to include at least one upper case, one lower case, numbers and special characters. And if you guess wrong x times in a row you get blocked for a certain amount of time.
You can make that system for all practical purposes inviolate even by the fastest supercomputer. (Most secure sites today force you to do just that.) (A system that would let you have 10 tries before blocking you for 10 minutes would require way more than the age of the universe to break it.)
Now you can reduce the “search space” by spying and surreptitiously stealing the password, which is basically what that story you referenced is mostly about.
It’s more a story on espionage than the breaking of a code.
Now take your response and apply it, as it does, to an encryption system based on a poorly designed “random number generator”. The results are the same, albeit more subtle.
To wit: you made my point.