Perpetuating Password Myths

Brute force cracking

Today at work I got an e-mail from the IT department saying everyone needs to set new, stronger passwords.¹ They suggested several things, like:

  • “tomandjerry” is not as strong a password as “$H2mlf”
  • “Fishing123” is not as strong as “Fish123ing”

Assuming a black hat hacker is really determined to crack your password, they’re going to attack it like they mean it.  Let’s assume there’s no defect in the system that lets an attacker in without actually entering the correct password.  They will probably try a dictionary attack first, then a database of common passwords (typically with mangling rules applied to both, such as appending digits or capitalizing the first letter), but after that they’re left with brute force: trying every possible string, shortest first.

Here’s the most amusing part.  Assume none of the four “passwords” above is in any dictionary or database of common passwords, so the attacker is reduced to brute force.  Ranking them from strongest to weakest:

  1. “tomandjerry” is strongest, with 11 characters
  2. “Fishing123” is tied exactly with “Fish123ing”, with 10 characters each
  3. “$H2mlf” is weakest, with only 6 characters

Against that kind of attack, the things that really matter in a password are (a) that it is not a dictionary word or a common password and (b) its length, because every extra character multiplies the number of strings the attacker has to try.²
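To put actual numbers on the ranking above (and on the multi-word attack mentioned in footnote 2), here is an added Python example; it is not code from the original post. It counts the brute-force keyspace of each sample password two ways: assuming the attacker must search all 94 printable ASCII characters at every position, which is the assumption behind the ranking above, and assuming the attacker has already guessed which character classes the password uses. The 1e9 guesses/second rate and the 100,000-word dictionary size are illustrative assumptions, not figures from the post.

```python
"""Brute-force keyspace arithmetic for the four sample passwords.

Added example; not the original post's code. The 1e9 guesses/second rate and
the 100,000-word dictionary size are assumptions chosen for illustration.
"""
import math
import string

# Character classes an attacker might search. string.punctuation has 32
# symbols, so all four classes together are the 94 printable ASCII characters
# (space excluded).
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}
PRINTABLE = sum(len(c) for c in CLASSES.values())  # 94

# The four "passwords" from the IT department's e-mail.
SAMPLES = ["tomandjerry", "$H2mlf", "Fishing123", "Fish123ing"]


def observed_alphabet_size(password: str) -> int:
    """Alphabet an attacker who guessed the password's 'shape' would search:
    the union of only those character classes that actually appear."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(ch in chars for ch in password))


def keyspace(length: int, alphabet_size: int) -> int:
    """Candidates of exactly this length over this alphabet."""
    return alphabet_size ** length


def keyspace_up_to(length: int, alphabet_size: int) -> int:
    """Candidates of length 1..length: what an attacker who walks lengths in
    order must exhaust before finishing the target length."""
    return sum(alphabet_size ** n for n in range(1, length + 1))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """log2 of the keyspace, the usual unit for comparing password strength."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(space: int, guesses_per_second: float) -> float:
    """On average the attacker hits the password halfway through the space."""
    return space / 2 / guesses_per_second


def wordlist_keyspace(words_in_password: int, wordlist_size: int) -> int:
    """Combination attack from footnote 2: concatenations of N list words."""
    return wordlist_size ** words_in_password


def rank(passwords, alphabet_size=None):
    """Strongest first. With alphabet_size=None each password is scored over
    the classes it visibly uses; pass PRINTABLE to model an attacker who must
    assume every printable character is possible at every position."""
    rows = []
    for pw in passwords:
        size = alphabet_size or observed_alphabet_size(pw)
        rows.append((pw, len(pw), size, keyspace(len(pw), size)))
    return sorted(rows, key=lambda r: r[3], reverse=True)


if __name__ == "__main__":
    for label, size in (("attacker assumes all 94 printable characters", PRINTABLE),
                        ("attacker searches only the classes actually used", None)):
        print(label)
        for pw, n, a, space in rank(SAMPLES, size):
            secs = expected_crack_seconds(space, 1e9)  # assumed 1e9 guesses/s
            print(f"  {pw:12} len={n:2} alphabet={a:2} keyspace={space:.2e} "
                  f"bits={entropy_bits(n, a):5.1f} ~{secs / 86400:.1f} days")
    print(f"3 words from a 100,000-word list: {wordlist_keyspace(3, 100_000):.2e}")
```

Under the first model the post's ranking holds exactly: the 11-character password has the largest keyspace, the two 10-character ones tie, and the 6-character one trails by ten orders of magnitude. Under the second model, where the attacker knows "Fishing123" only uses letters and digits and "tomandjerry" only lowercase, mixing classes lets the 10-character passwords edge ahead of the 11-character one (62^10 is about 8 × 10^17 against 26^11 at about 3.7 × 10^15), but "$H2mlf" stays weakest by a wide margin either way: 94^6 is under 10^12, a few minutes at a billion guesses per second. Length is what moves the exponent.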

In any case, it’s concerning when information technology professionals don’t understand the fundamentals of password security or how a malicious attacker would actually attempt to compromise a system.

  1. Photo courtesy of akashgoyal
  2. If you’re using a multi-word password, it is possible an attacker who knows this could use a tool that combines dictionary words, but that doesn’t save them as much as you might think: three words drawn from a 100,000-word list is still 10^15 combinations, the same ballpark as brute forcing 11 lowercase letters (26^11, about 3.7 × 10^15).