Passwords


Constant bane of our computing life, but here are some resources:

Update (25 June 2017): Comparitech added.

A little commentary …

Resistance to brute-force guessing depends above all on length: the number of candidates an attacker must try is the alphabet size raised to the power of the password length, so it grows exponentially (in the precise mathematical sense) as characters are added. Each extra lower-case letter multiplies the search by 26; each extra character drawn from the full printable ASCII set multiplies it by 95.

The usual composition rules (8 characters, or at least more than 6, with at least one upper-case letter, one digit and one special character) are well and good, but they are not very effective against a determined cracker, especially when the password follows a “standard” pattern. By a “standard” pattern I mean a dictionary word with its first letter capitalised, then a special character (sometimes omitted), then one or two digits at the end, the whole string being 8 to 10 characters long. Knowing this behaviour, a cracker does not search the full 8-character space at all: tools such as hashcat and John the Ripper let the attacker specify a mask (one character class per position) or a set of word-mangling rules, which shrinks the search space, and the time to crack, by orders of magnitude.

Thus, the first site above suggests that a 6-character, letters-only password with one capital could be cracked in 2 seconds, and a 2-digit number in 10 nanoseconds, while an 8-character password made of those same 6 letters followed by 2 digits is rated at 6 hours for a blind brute-force search. But the two parts do not have to be attacked blindly: an attacker who guesses the layout (one capital, five lower-case letters, two digits) searches only 26^6 × 10^2, about 3 × 10^10 candidates. That is one hundred times the letters-only search, so a few minutes at the same guess rate rather than six hours, and still several thousand times fewer candidates than a full 8-character search over letters and digits (62^8, about 2 × 10^14).

Adding a special character just before the two digits helps less than one might expect: a symbol in a known position multiplies the structured search by the size of the symbol set, around 30 on a US keyboard, which turns minutes into an hour or two rather than into years.

The same applies if one reverses the order (digits first, then the special character, then the letters): the attacker simply reverses the mask.

Furthermore, if the letters are a dictionary word, the attacker replaces the 26^6 letter search with a wordlist of perhaps a few hundred thousand entries plus a handful of capitalisation rules, which cuts the number of candidates, and the time to crack, by further orders of magnitude.
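To put numbers on the argument above, here is an added worked example (my own, not code from the original page or from any of the sites it links to). It sizes three searches for the same “Capital + letters + digits” password shape: a blind brute force over every printable character, a hashcat-style mask that encodes the known layout, and a wordlist search with capitalisation rules. The character-class sizes, the 100,000-word list and the guess rate (derived from the page’s own figure of 2 seconds for the 26^6 letter-only search) are assumptions for illustration, not benchmarks.

```python
import math

# Character-class sizes, hashcat-style (assumption: printable ASCII with
# the 33 symbols of a US keyboard, space included).
CLASS_SIZE = {
    "l": 26,  # lower-case letters
    "u": 26,  # upper-case letters
    "d": 10,  # digits
    "s": 33,  # symbols
    "a": 95,  # any printable ASCII character
}

# Guess rate inferred from the page's own figure of 2 seconds for the
# 26**6 letter-only search; an assumption, not a measured benchmark.
GUESSES_PER_SECOND = 26 ** 6 / 2


def brute_force_keyspace(length, alphabet_size):
    """Candidates for an attacker who knows nothing about the structure."""
    return alphabet_size ** length


def mask_keyspace(mask):
    """Candidates for a mask such as '?u?l?l?l?l?l?d?d'.

    Each '?x' token is one position drawn from class x; any other
    character is a fixed literal and contributes a factor of 1.
    """
    total = 1
    i = 0
    while i < len(mask):
        if mask[i] == "?":
            total *= CLASS_SIZE[mask[i + 1]]
            i += 2
        else:
            i += 1
    return total


def wordlist_keyspace(words, capitalisation_rules=2, symbol_slots=0, trailing_digits=2):
    """Candidates for 'dictionary word + capital + symbol(s) + digits'.

    Each of the `words` entries is tried under `capitalisation_rules`
    variants (e.g. as-is and first-letter-capitalised), then with every
    symbol in each symbol slot and every digit in each trailing slot.
    """
    return (words * capitalisation_rules
            * CLASS_SIZE["s"] ** symbol_slots
            * 10 ** trailing_digits)


def bits(keyspace):
    """Entropy-equivalent strength of a password chosen uniformly from keyspace."""
    return math.log2(keyspace)


def time_to_exhaust(keyspace, rate=GUESSES_PER_SECOND):
    """Seconds needed to try every candidate at `rate` guesses per second."""
    return keyspace / rate


def compare(mask, words=100_000, alphabet_size=CLASS_SIZE["a"], rate=GUESSES_PER_SECOND):
    """Blind brute force vs. mask vs. wordlist search for one password shape.

    Assumes the mask's digits are trailing and its symbols sit in fixed slots,
    which is the 'standard' pattern discussed on the page.
    """
    length = len(mask.replace("?", ""))
    blind = brute_force_keyspace(length, alphabet_size)
    masked = mask_keyspace(mask)
    listed = wordlist_keyspace(words,
                               symbol_slots=mask.count("?s"),
                               trailing_digits=mask.count("?d"))
    return {name: (space, bits(space), time_to_exhaust(space, rate))
            for name, space in (("blind", blind), ("mask", masked), ("wordlist", listed))}


if __name__ == "__main__":
    for shape in ("?u?l?l?l?l?l?d?d", "?u?l?l?l?l?l?s?d?d"):
        print(shape)
        for name, (space, strength, secs) in compare(shape).items():
            print(f"  {name:9s} {space:>22,d} candidates  {strength:5.1f} bits  {secs:16,.1f} s")
```

Running it shows the page’s point in numbers: the mask for the 8-character shape has about 3 × 10^10 candidates (roughly 35 bits) and falls in about 200 seconds at the assumed rate, the symbol-bearing 9-character shape takes about 33 times longer, and the wordlist search is smaller again by three more orders of magnitude, while the blind search is the only one that would take years.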

The following excerpt from the Wikipedia article on password strength is very informative:

Human-generated passwords

People are notoriously poor at achieving sufficient entropy to produce satisfactory passwords. According to one study involving half a million users, the average password entropy was estimated at 40.54 bits.[8] Some stage magicians exploit this inability for amusement, in a minor way, by divining supposed random choices (of numbers, say) made by audience members.

Thus, in one analysis of over 3 million eight-character passwords, the letter “e” was used over 1.5 million times, while the letter “f” was used only 250,000 times. A uniform distribution would have had each character being used about 900,000 times. The most common number used is “1”, whereas the most common letters are a, e, o, and r.[9]

Users rarely make full use of larger character sets in forming passwords. For example, hacking results obtained from a MySpace phishing scheme in 2006 revealed 34,000 passwords, of which only 8.3% used mixed case, numbers, and symbols.[10]

The full strength associated with using the entire ASCII character set (numerals, mixed case letters and special characters) is only achieved if each possible password is equally likely. This seems to suggest that all passwords must contain characters from each of several character classes, perhaps upper and lower case letters, numbers, and non-alphanumeric characters. In fact, such a requirement is a pattern in password choice and can be expected to reduce an attacker’s “work factor” (in Claude Shannon’s terms). This is a reduction in password “strength”. A better requirement would be to require a password NOT to contain any word in an online dictionary, or list of names, or any license plate pattern from any state (in the US) or country (as in the EU). In fact if patterned choices are required, humans are likely to use them in predictable ways, such as capitalizing a letter, adding one or two numbers, and a special character. If the numbers and special character are added in predictable ways, say at the beginning and end of the password,[11] they could even lower password strength compared to an all-letter, randomly selected, password of the same length.

The take-away: read the Wikipedia articles on passwords and password cracking, and follow the latest advice. At the moment that advice is to use a long phrase (the more characters the better), to avoid a single dictionary word in the predictable capital-symbol-digits layout, and, where digits and special characters are required, to put them at random positions inside the phrase rather than at the front or the end.
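As an added example of that advice in practice (my own code, not from the original page), the block below builds a passphrase from words picked with a cryptographically secure generator, inserts one digit and one symbol at random positions anywhere in the phrase, and computes the resulting strength in bits. The 16-word list is a constructed stand-in; real generators use lists of thousands of words, and the 7,776-word figure quoted in the code is the size of the EFF long wordlist.

```python
import math
import secrets

# Constructed sample list for illustration only. Real generators use lists
# of thousands of words; the EFF long list has 7,776 entries, i.e. about
# 12.9 bits of entropy per word picked uniformly from it.
WORDS = (
    "anvil", "bishop", "cactus", "dragon", "ember", "falcon", "garnet", "harbor",
    "island", "jigsaw", "kettle", "lantern", "marble", "nectar", "orbit", "pepper",
)
DIGITS = "0123456789"
SYMBOLS = "!@#$%^&*"


def random_words(n_words, words=WORDS, rng=secrets):
    """Pick n_words uniformly, with replacement, using a CSPRNG (secrets by default)."""
    return [rng.choice(words) for _ in range(n_words)]


def sprinkle(words, rng=secrets):
    """Join the words with hyphens, then insert one random digit and one
    random symbol at random positions anywhere in the phrase, not just at
    the ends (the predictable placement the page warns against)."""
    chars = list("-".join(words))
    for extra in (rng.choice(DIGITS), rng.choice(SYMBOLS)):
        position = rng.choice(range(len(chars) + 1))  # any slot, ends included
        chars.insert(position, extra)
    return "".join(chars)


def passphrase_bits(n_words, wordlist_size, phrase_length):
    """Entropy of sprinkle(random_words(n_words)) for a joined phrase of
    phrase_length characters before insertion.

    Words contribute n_words * log2(wordlist_size). The digit is a uniform
    (character, position) choice over 10 * (phrase_length + 1) options and
    the symbol over 8 * (phrase_length + 2); because letters and hyphens are
    never digits or symbols, every such choice yields a distinct string, so
    the bits add exactly.
    """
    word_bits = n_words * math.log2(wordlist_size)
    digit_bits = math.log2(len(DIGITS) * (phrase_length + 1))
    symbol_bits = math.log2(len(SYMBOLS) * (phrase_length + 2))
    return word_bits + digit_bits + symbol_bits


def generate(n_words=4, words=WORDS, rng=secrets):
    """Return (passphrase, entropy_bits) for one freshly generated phrase."""
    chosen = random_words(n_words, words, rng)
    phrase = sprinkle(chosen, rng)
    return phrase, passphrase_bits(n_words, len(words), len(phrase) - 2)


if __name__ == "__main__":
    phrase, strength = generate()
    print(f"{phrase}  ({strength:.1f} bits with the {len(WORDS)}-word sample list)")
    print(f"same recipe with a 7,776-word list: "
          f"{passphrase_bits(4, 7776, len(phrase) - 2):.1f} bits")
```

With the toy 16-word list four words give only 16 bits from the words themselves, which is why the printout also shows the figure for a 7,776-word list: four such words plus the two randomly placed extras come to roughly 67 bits, well above the 40-odd bits the Wikipedia excerpt reports for typical human-chosen passwords.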
