The Flux
Passwords, Whys and Hows
I don’t think there is another subject with as much misinformation in all of Techdom. So I’m going to clear the air, dispel a few myths, make it easy for you to understand the whys and hows of password importance, and give you a tip on a new way of looking at password creation.
THE WHYS
Computer security has never been as important and as far reaching as it is right now. The truth is that hackers want your passwords for a variety of nefarious purposes. We’ve all been on websites or on office computers that require you to create “complex” passwords. This means that the password requires a combination of upper and lowercase letters, numbers, and special characters. Common logic suggests that combining all of these characters adds to the length of time it takes for various hacking programs to “guess” your password. This is true, but to a smaller extent than you might think. It is actually the password’s length that is the more important factor. Most websites and corporate environments require a minimum of eight characters. Some only six! So, how long should your password be?
Here is an example of what hackers could accomplish in an offline brute force attack scenario in a theoretical high performance computing environment (assuming 100 billion guesses per second).
Substituting one number for one special character did increase the character base and the number of possible passwords; however, adding length is far more effective at increasing the number of possible passwords. My example assumes that the hacker has access to a computing environment that can guess passwords at a rate of 100 billion per second. If this seems unreasonably high to you, consider reading these two articles.
Password cracking power of graphics cards
Home built computer that can attempt 33.1 Billion passwords per second
If, looking at the example above, 10 characters seems sufficient, consider that these estimates are based on what computers are currently capable of. What about next year, or five years from now? You want to make sure your password is future-proof.
THE HOWS
If you’ve read the two articles above you should now have an understanding that hackers can cheaply and easily build computers that can crack passwords at insanely high speeds. It may seem like the odds are stacked against us. So, how do we beat them at their own game? In order to beat the hackers you first have to start thinking like one. In order to think like one you first have to know the different methods hackers use and the likely order they will use them.
Social Engineering: One method of getting someone’s password is simply asking for it. This can be accomplished through a social engineering scheme in which users are tricked into providing their passwords. Many users will simply give up their password if the request is made in an innocent context. Some social engineering schemes may provide the hacker with enough personal information to effectively guess your password. Also, many people freely give their passwords to friends, family and colleagues, who are in turn also subject to this kind of attack. Your best defense against this kind of attack is to use common sense. Do not share your passwords with anyone for any reason.
Guessing: Another common method of accessing a password is by guessing. Most people choose passwords that are easy to remember, and the easiest ones to remember are those related to you as a person. Passwords that include your name, your spouse’s name, birthday, graduation date, and addresses are very common. You may unintentionally divulge this information as part of a social engineering scheme or in an online forum. The best defense against this type of attack is to create a password that is completely unrelated to you as a person.
Dictionary Attack: This type of attack does exactly what its name implies. Using software, it attacks a password from a prearranged list of values. This “word list” is derived from the most commonly used passwords and from words out of a dictionary (hence its name). Most often, this kind of attack will first try the most commonly used passwords like Password1, 123456, abc123, then may go on to try all the words from the dictionary as well as backwards words and passwords with common character substitutions, like P@$$w0rd. To protect yourself from this kind of attack, don’t use passwords that:
• Are among the most commonly used passwords
• Are names
• Are words from the dictionary
• Are words with character substitutions
• Are backwards words
Below is a list of the most commonly used passwords from the 2009 breach of the site rockyou.com, which led to the public release of 32 million passwords. More detailed analysis of the breach can be found HERE.
Brute Force Attack: This type of attack is the slowest and is usually used when all other methods have failed. Using software, it systematically and exhaustively tries all possible character combinations until the correct one is found. The time required to crack a password using this method depends on two things:
• The number of characters in the password
• The number of possible characters, also known as the character base
To protect yourself from this type of attack you should make your password a sufficient length. I recommend 12 or more characters. It should contain at least one uppercase letter, one lowercase letter, one digit, and one special character. Doing this forces the attacker to search the largest possible character base.
Now that you know the various methods hackers will use, you can construct a strategy to defeat them. Assuming you are going to be attacked, you want to force your hacker into using a brute force method, because it is the slowest and least successful. You can force your hacker into this position by creating a password that is completely unrelated to you as a person, so that it cannot be guessed, and by making sure your password is not subject to dictionary attacks.
Now you’re left with the task of creating a password that is going to take the brute force method a LOOOONG time to crack. You know it has to be a sufficient length and contain uppercase and lowercase letters, numbers and special characters. Sounds like your password is going to be long, complex, and difficult to remember and to type, right? It doesn’t have to be if you employ the method called “password padding”.
Password Padding: Password padding is the process of taking an easy to remember, non-complex password and hardening it with additional characters in an easy to remember pattern.
Example: Let’s say your easy to remember password is your cat’s name, “Tom”. Using password padding your password could look like {{{{{{T0m}}}}}}. It looks kind of like you’re hugging Tom, right? Notice I also substituted the “o” for a “0”. By doing this we’ve taken a password that would have taken less than one second to crack and turned it into a password that would take 1.49 billion centuries to crack. You can make up your own types of padding patterns. You can even use easy to remember things like your birthday, as long as it’s padded sufficiently. For example, if your birthday is June 2, your padded password could look like <<===June02===>> or ||—June02—||. Be creative and design your own padding patterns.
So why is a password like {{{{{{T0m}}}}}} stronger than a password like IaH?$PXxGB1k? Because both passwords contain at least one uppercase and one lowercase letter, one number, and one special character, length is the only remaining factor that increases the number of possible passwords. A lengthy, easy to remember padded password is stronger against brute force than a shorter, non-padded, randomly generated one.
To learn more about password padding, why and how it works, I highly recommend visiting The haystack web page by Steve Gibson which includes a nice brute force search space calculator. For a look at password padding from a human cognitive approach have a look at this article by Eric Gerlach.