Today at work I got an e-mail from the IT department saying everyone needs to set new, stronger, passwords.1 They suggested several things, like:
- “tomandjerry” is not as strong a password as “$H2mlf”
- “Fishing123” is not as strong as “Fish123ing”
Assuming a black hat hacker is really determined to crack your password, they’re probably going to attack it like they mean it. Let’s assume there’s no defect in your system that allows a cracker to get in without actually entering the correct password. They might try a dictionary attack first, followed by a database of common passwords, but after that they’re left with brute force.
Here’s the most amusing part. Assuming none of the four “passwords” above are in any dictionary or a database of common passwords. Let’s rank the passwords, 1 being the strongest and 4 being the weakest.
- “tomandjerry” is strongest, with 11 characters
- Fishing123″ is tied exactly with “Fish123ing”, with 10 characters each
- “$H2mlf” is weakest, with only 6 characters
The only things that really matter in passwords are that you’re not using (a) a dictionary word or a common password and (b) the length of your password.2
In any case, it’s concerning when information technology professionals don’t understand fundamentals of password security or how a malicious attacker would attempt to compromise a system.
- Photo courtesy of akashgoyal [↩]
- If you’re using a multi-word password, it is possible an attacker knowing this could use a system that combines words – but this doesn’t really save them a lot of time – we’re talking about numbers with 20-30 zeros in them [↩]
This is the primary reason why I use a password manager and just generate really long and unique passwords for each service I use. That way, the encryption key for the password database can be complicated but easy for me to remember because it’s only one password.
When it comes to cracking passwords, though, it’s usually done by applying permutation rules to password lists. This way, even if a password isn’t on a list, it can still be easily cracked if it is only slightly different from one on the list.
You’re assuming a brute force attack would include a list of over 30 easily-typed non-alphanumeric characters in addition to 62 alphanumeric characters. increasing the number of possible characters increases the time needed to check them exponentially, so it’s not hard to believe that a brute force algorithm would leave them out in favor of softer targets. That is, assuming that there is not a rule (that the attacker is aware of) requiring passwords to include a special character.
You’re right, though, that there is often too much emphasis on the character space and entropy and not enough on sheer length. You can create an extremely strong password by taking a weak password and zero-padding it out to 32 characters, assuming the attacker has no knowledge of this pattern (which is relatively easy to gain by shoulder-surfing).
@Whosawhatsis: Well, I was just trying to evaluate the statement from our IT guys. They claimed that the programs used by crackers were black market brute force programs for gaining entry into systems. But, let’s assume two different crackers attacking each of the passwords.
Let’s assume a cracker using an alphanumeric-only program attacking the 11 character “tomandjerry” password. There are 26 lower case, 26 upper case, 10 numerals, and a space for a total of 63 possible characters. The number of combinations would be 63^11 or 62,050,608,388,552,823,487.
Now let’s assume a cracker using all easily typed characters attacking “$H2mlf,” a 6 character password. We’ve got (26 letters + 10 numerals + 11 symbols)*(2 symbols per key) + space = 95 easily typed characters. The number of combinations would be 95^6 or 735,091,890,625.
The password “tomandjerry” should be more than 84 million times as secure as “$H2mlf.”
@Cyrozap: I like Password Safe – which password manager do you use?
According to passfault:
tomandjerry: 3 days to crack from hash
fishing123: less than a day
Fish123ing: 7 days
$H2mlf: less than day
https://passfault.appspot.com/
@MTO: That’s interesting! Thanks for the link – I’ll definitely have to try out that site.
I’m curious how long it would take to crack “tomandjerry” without a hash. My “armchair analysis” was really only just based upon a consideration of the number of alphanumeric (and other key) combinations possible for each password. The actual cracking time, assuming uniformly fast and powerful computers, would depend upon how each program approached the cracking of a password.
For instance, if you wrote a cracking program that started with “aaaaaaaaaaa,” it would take you a lot longer than a program that started with “taaaaaaaaaa” to crack “tomandjerry.” Using hashes is a bit different and assumes some additional knowledge gleaned by using a hash and comparing it to a hash table. The “3 days to crack from hash” is artificially low, since that program wouldn’t be cracking the password from scratch, it would be relying upon the hard work of the computers which went into creating the hash table (I think these are sometimes called rainbow tables?) against which the hash was compared.
Also, it makes sense to me that “fishing123” would take less time than “Fish123ing,” even though they’re both of the same length, and use almost the same exact characters. An ideal program, written by someone familiar with password formulation behavior, would probably want to try “alpha” + “numeric” combinations before trying a mixture of the two. But, in terms of pure upper/lowercase letter/number combinations, “fishing123” and “Fish123ing” should still be the same strength.