Brute force cracking

Today at work I got an e-mail from the IT department saying everyone needs to set new, stronger, passwords.1 They suggested several things, like:

• “tomandjerry” is not as strong a password as “$H2mlf”
• “Fishing123” is not as strong as “Fish123ing”

Assuming a black hat hacker is really determined to crack your password, they’re probably going to attack it like they mean it.  Let’s assume there’s no defect in your system that allows a cracker to get in without actually entering the correct password.  They might try a dictionary attack first, followed by a database of common passwords, but after that they’re left with brute force.

Here’s the most amusing part.  Assuming none of the four “passwords” above are in any dictionary or a database of common passwords.  Let’s rank the passwords, 1 being the strongest and 4 being the weakest.

1. “tomandjerry” is strongest, with 11 characters
2. Fishing123″ is tied exactly with “Fish123ing”, with 10 characters each
3. “$H2mlf” is weakest, with only 6 characters

The only things that really matter in passwords are that you’re not using (a) a dictionary word or a common password and (b) the length of  your password.2

In any case, it’s concerning when information technology professionals don’t understand fundamentals of password security or how a malicious attacker would attempt to compromise a system.

1. Photo courtesy of akashgoyal [↩]
2. If you’re using a multi-word password, it is possible an attacker knowing this could use a system that combines words – but this doesn’t really save them a lot of time – we’re talking about numbers with 20-30 zeros in them [↩]