Tuesday, August 31, 2010

Introduction:
We have all seen them: the password strength meter. These meters are meant to help users judge what a quality password is; however, they can be misleading. Most of these tools assess the strength of a password against one specific attack, the brute force attack. Take, for instance, this one (http://howsecureismypassword.net/), featured in a recent post on lifehacker.com.
The featured strength meter is implemented in JavaScript and does not send data back to a server, so I thought, why not try it. I started by entering some variations of passwords I have used and confirmed they are indeed strong. After a little tinkering I thought, "you know, this is not very realistic": they are only calculating strength against a brute force attack. If I were trying to crack passwords, a brute force attack would be the very last type of attack I would use.
Why? Because there are many other ways to crack passwords in a fraction of the time.
I decided to set up a test. I selected 12 variations of the word "password", which research shows is among the top twenty most commonly used passwords. As you would expect, the strength meter indicated it would be cracked almost instantly. I quickly learned that this particular strength meter places a premium on password length and the use of special characters, even if the password is a variation of a common password. The 12th password I used was "P@ssw0rd1234"; given the use of special characters and a length of 13 characters, the strength meter felt it would take about 100 million years to crack this particular password, leaving the user with the impression that "P@ssw0rd1234" is indeed a good password to use. Let me be clear here: "P@ssw0rd1234" is not a good password to use, because it is a variation of a very commonly used password or dictionary word.
Analysis:
I used two common methods for cracking passwords: the first is a standard dictionary attack and the second is cryptographic analysis. Dictionary attacks are just that: they take a word list and present each word in the list as a password. A good dictionary attack tool will also append numbers to each word and replace letters with commonly used symbols, such as @ for a and ! for i. The second technique, cryptographic analysis, is based on the mathematical concept of time-memory tradeoffs; the precomputed tables it uses are commonly called rainbow tables. The basic theory is that if we pre-compute chains of password hashes, then in a relatively short period of time we can load the chains into memory and compare them against the captured hashes (this type of attack is very common and very successful against Windows passwords). In table 1 you will notice that, no matter what the projected time to crack was, each password took less than a minute to crack using one of the two attack methods, and when attacked as a lot all 12 passwords were cracked in less than 5 minutes. You will see that cryptographic attacks take a little longer than dictionary attacks, but they still have many advantages when assessing non-dictionary passwords.

Table 1: strength-meter estimate versus actual crack time for the 12 test passwords

Username | Password     | Estimated time for a desktop PC to crack      | Actual crack time | Type of attack
---------+--------------+-----------------------------------------------+-------------------+-----------------------
G1       | password     | common (It would be cracked almost instantly) | 32 sec            | Cryptographic analysis
G2       | Password     | common (It would be cracked almost instantly) | 7 sec             | Dictionary Attack
G3       | password1    | About 117 days                                | 7 sec             | Dictionary Attack
G4       | password12   | About 11 years                                | 7 sec             | Dictionary Attack
G5       | password123  | About 417 years                               | 22 sec            | Cryptographic analysis
G6       | password1234 | About 15 thousand years                       | 26 sec            | Cryptographic analysis
G7       |              | About 6 days                                  | 7 sec             | Dictionary Attack
G8       |              | About 3 years                                 | 67 sec            | Cryptographic analysis
G9       |              | About 237 years                               | 7 sec             | Dictionary Attack
G10      |              | About 17 thousand years                       | 7 sec             | Dictionary Attack
G11      |              | About a million years                         | 7 sec             | Dictionary Attack
G12      | P@ssw0rd1234 | About 100 million years                       | 7 sec             | Dictionary Attack
Conclusion:
In reality, if an attacker is going to crack passwords using only a brute force attack, then long passwords (12+ characters) that use special characters (?@#$#&*) would suffice. The same technique also works against cryptographic analysis, only there I would recommend a 15+-character password; in any case, I would forget the use of dictionary-based words. The problem with these recommendations is that either the user will use one "complex" password everywhere, or they will write them down on paper, in Word documents, etc. My recommendation is to do just that: write them down, but only in a secure place like a password safe, and use one long and complex password that you can remember to access the rest of them. Password safes have auto-generate functions, which create long, complex, non-dictionary passwords automatically, and better yet, you will never have to remember them.
