
Choosing a Secure Password Part 2 - Password Mechanics

Author:      k0te
Submitted:      28-Apr-2007 19:41:03
Imported From:      The CyberArmy University (original author: )


Choosing a Secure Password Part 2
It seems like we all know what to choose and not choose when picking a secure password, and we all know the consequences of a compromised password; if not, I have to ask what you're doing reading this before part one by Kleenedge :). I am writing this article to explain in a little more depth how passwords work and what kinds of passwords Joe Cracker hates coming across (n.b. the exact kind of password you want).

Most often the first attempt a cracker will make at getting your password is simply guessing. The three most common guesses are no password at all (leaving it blank), the username of the account, and "password", so NEVER choose any of those. You'll also want to avoid other common guesses, including "1234" or another pattern of numbers; your first name, last name, or a combination of the two; your date of birth; names of pets; the name of your 'significant other' or 'ilove--significant-other-here--'; your phone number; your zip code; or anything else close to you that anyone might possibly guess. Another thing to avoid is using the same password in more than one place. If a cracker has stolen your password from your home email account, for example, you don't want him to be able to use that same password to break into the secret corporate accounting database you use at work. You also don't want anyone to find out that your password is also your bank or voicemail PIN or your credit card number, so avoid those as well. More commonly guessed password examples can be found in part one.

The next step Joe Cracker will take after failing to guess your password is the standard dictionary cracking tool. A dictionary cracker takes a wordlist, generally containing every word in the biggest dictionary he can find along with other common passwords, place names and proper names, and tries every one of them. If you've ever been told not to use a word or words as your password, this is exactly why. Some more advanced dictionary crackers will try all of the words in the list and common variations of those words. For example, if it tries the word 'noodle' and fails, it might next try 'noodle1' followed by 'noodle2', etc., or it might combine it with other words in the list, such as 'fish', to make 'fishnoodle'.

The third and final step taken by Joe Cracker is called a brute force crack. It is called 'brute force' because it relies completely on the capabilities of the cracker's (and possibly the server's) hardware. This type of attack simply takes a set of characters, such as the alphabet, and tries every possible combination of those characters to see if any of them is your password. A brute force attack starts small and then grows to longer lengths: it will generally guess every possible one-letter password in under a second, two-letter passwords come next and take exponentially longer, followed by three-letter passwords, etc. Common sets of characters used in English ASCII brute force cracking are:

The lowercase alphabet (26 characters)
The lowercase alphabet and numbers 0-9 (36 characters)
The lowercase and uppercase alphabet and numbers 0-9 (62 characters)
The previous 62 character set and the common symbols !@#$%^&*()_=-+? (79 characters)
All the characters found on the standard 104 key US keyboard including the uppercase alphabet (94 characters)
Or the entire ASCII charset (255 characters)

When performing a brute force crack Joe Cracker must choose a charset, very often one of the above although not always, and a maximum length. Password complexity and length matter because any password drawn from a larger character set than the one chosen by the cracker, or longer than the maximum length chosen, will never be found even if the brute force crack has enough time to complete. Even assuming Joe Cracker selects a character set and length which include your password, complexity and length are still very important. Approximate password strength can be expressed mathematically as the number of characters in the charset raised to the power of the password length. For example, if I choose a one-letter lowercase password then the length is obviously one, and the character set contains 26 characters (assuming Joe Cracker gets lucky and doesn't choose a larger set), so the strength of the password is 26^1 or 26. The most guesses a brute force cracker could need to find my password is 26, although it could still get lucky and guess it on the first try. Simple increases in complexity, or adding one or two characters to the length of your password, can have a huge effect. Take the password "we5lc", a decent five-character password from the 36 character charset: it has a complexity of 36^5 or 60,466,176. Now let's add a single uppercase character to the end of that password to make it "we5lcD". The new password is 6 characters long and from a 62 character charset, making its complexity 62^6 or 56,800,235,584, nearly 1000 times more complex than the original password, meaning it will take about 1000 times as long to crack. The strength one character can add to a password is even more evident if we add one more symbol to make it seven characters long. Let's see what happens when we add a character not found on the keyboard, "§", to make our password "we5lcD§". Now the password is from the entire 255 character set, making its complexity 255^7 or about 70,110,200,000,000,000, over a million times more complex than the six character password and over a billion times more complex than the original five-character password.

Brute force cracking programs generally try passwords in alphabetical order, so "a" would be tried first and "z" 26th. This isn't always the case, and they can guess in some pretty random orders, but they will almost always guess the entire set of possible passwords of a certain length before moving to the next length, so you will never find a two-character password being guessed before the 27th guess: it will go through all 26 single-letter passwords first. Brute force cracking can take anywhere from around five guesses a minute to thousands per second depending on the type of encryption used and the level of security around the encrypted passwords, but no matter what the situation in terms of security, the more complex a password the better. Hope you learned something from this, and stay secure.
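The arithmetic above (charset size raised to the password length, and all shorter lengths being exhausted before a longer one is tried) can be checked with the following script. It is an added example, not part of the original article; the membership strings for each charset are my reconstruction, while the sizes are the article's own figures.

```python
import string

# Charsets the article lists, smallest first. Sizes are the article's figures;
# the membership strings are an assumption about what each set contains.
CHARSETS = [
    ("lowercase", string.ascii_lowercase, 26),
    ("lowercase + digits", string.ascii_lowercase + string.digits, 36),
    ("mixed case + digits", string.ascii_letters + string.digits, 62),
    ("mixed case + digits + common symbols",
     string.ascii_letters + string.digits + "!@#$%^&*()_=-+?", 79),
    ("full US keyboard", string.ascii_letters + string.digits + string.punctuation, 94),
]
FULL_ASCII = ("entire ASCII", 255)  # anything else, e.g. "§", lands here as in the article


def smallest_charset(password):
    """(name, size) of the smallest listed charset containing every character of
    the password: the luckiest charset choice a brute-forcer could make."""
    for name, members, size in CHARSETS:
        if all(c in members for c in password):
            return name, size
    return FULL_ASCII


def keyspace(password):
    """The article's strength figure: charset size ** password length."""
    _, size = smallest_charset(password)
    return size ** len(password)


def guess_number(password, alphabet):
    """1-based position of `password` in a brute force that tries every length-1
    candidate, then every length-2 candidate, and so on, in alphabet order.
    All shorter lengths are exhausted first, so 'aa' is guess 27, not guess 2."""
    n = len(alphabet)
    shorter = sum(n ** k for k in range(1, len(password)))
    rank = 0
    for c in password:  # mixed-radix index among passwords of the same length
        rank = rank * n + alphabet.index(c)
    return shorter + rank + 1


if __name__ == "__main__":
    for pw in ("we5lc", "we5lcD", "we5lcD§"):
        name, size = smallest_charset(pw)
        print(f"{pw!r}: {name} ({size}) ^ {len(pw)} = {keyspace(pw):,}")
    print("6-char / 5-char ratio:", round(keyspace("we5lcD") / keyspace("we5lc")))
    print("'aa' is guess number", guess_number("aa", string.ascii_lowercase))
```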

Note: by k0te

This article was originally published by CyberArmy.net in the CyberArmy Library.
