Cracking Weak Passwords


Preaching about secure passwords won’t command a big wow factor. Ever. Those of us interested in computer security have to accept that.

A few might pay attention momentarily when big-tech luminaries are hauled over the coals before Senate Select Committees for privacy issues, leakage of millions of account-holder details, etc., tut-tut and then quickly move on to the next blaring headline.

But let’s run a few figures on password guessing to maybe paint a more tangible picture – and computers do the guessing of course, not humans. But humans tell the computer what to do. These numbers won’t be technically precise and are just for illustration purposes.

100 Billion program instructions per second. That and a lot more is well within the capability of any reasonably good laptop you can go out and buy these days, probably for less than €1000. Further down I’ve sketched out a 6-instruction pseudo-program to guess passwords, if you get that far. But to be generous let’s say it takes 10 instructions for a computer to guess a password. A real password hash costs far more than 10 instructions per guess, but a graphics card running a fast, unsalted hash such as MD5 makes up most of the difference, so tag along with the round figure for the sake of argument.

So then our computer can guess 10 Billion passwords or more per second!

Ok, so let’s say we have a 6-letter password from the upper and lowercase alphabet. So for each character there’s a choice of any of the 52 characters, and character repetition is allowed, just to make it more challenging. That means there are 52^6 (fifty-two to the power of 6) possible passwords. It’s a big number – about 20 Billion possible passwords. Impossible to guess the right one, you may think!

But put 20 Billion possible passwords against a computer that can try 10 Billion of them per second, automatically, and what do you get?

About 2 seconds is all it will take our computer to try every possible password – in our particular scenario!

And on average it takes about 1 second: the right password is equally likely to sit anywhere in the order the computer tries them, so on average it turns up after half the possibilities have been tried. (It is not that there are “two outcomes, right or wrong”; it is that every position in the list is equally likely.)

If the password is increased to 8 characters, and the numbers 0 to 9 are added to the pool (62 choices per character), the average time to find it goes up to about 3 hours. Still not great.

But, with 10-character passwords and the 62-character choice pool, the average time jumps to over a year (about 16 months). Not many attackers will spend that on a single password unless it’s critically important.

So, against a guessing rate like the one assumed here, 10-character passwords using upper and lowercase letters and numbers could be considered a minimum-level every-day secure password format.

If you include special characters such as $, ?, etc. in the choice pool for a 10-character password (all 95 printable ASCII characters), the average time to guess it rockets to roughly a century at 10 Billion guesses per second – and this is currently the recommended format for secure passwords.

But in a few years, as computers evolve, the 10-character with all letters, numbers and special character format passwords will no longer be secure. By then perhaps biometrics for secure access control will have evolved to a similar extent.

Hopefully this demonstrates the need for long, strong passwords! Each extra character multiplies the work by the size of the character pool (62 or 95 times), so adding length pays off faster than swapping in a symbol or two.
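The arithmetic above, as an added Python example (not the page’s own code): keyspace size, worst-case and average-case time at a given guessing rate, and the smallest length that pushes the average above a chosen target. The 10 Billion guesses per second is the article’s figure; the 100,000 per second used for comparison is an assumed rate for a deliberately slow password hash such as bcrypt, not a measurement.

```python
# Added example: the brute-force arithmetic of the article, in code.

YEAR_SECONDS = 365.25 * 86400

LETTERS = 52          # a-z, A-Z
LETTERS_DIGITS = 62   # plus 0-9
PRINTABLE_ASCII = 95  # every printable ASCII character, space included

FAST_RATE = 1e10      # the article's figure: 10 billion guesses per second
SLOW_RATE = 1e5       # assumed rate for a bcrypt-class hash; illustrative only


def keyspace(charset_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` characters drawn, with
    repetition allowed, from a pool of `charset_size` characters."""
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst case: the attacker has to try every candidate."""
    return keyspace(charset_size, length) / guesses_per_second


def expected_seconds(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Average case. The real password is equally likely to sit anywhere in
    the enumeration order, so on average half the keyspace is tried."""
    return seconds_to_exhaust(charset_size, length, guesses_per_second) / 2


def min_length_for(charset_size: int, guesses_per_second: float, target_seconds: float) -> int:
    """Smallest password length whose average crack time reaches the target."""
    length = 1
    while expected_seconds(charset_size, length, guesses_per_second) < target_seconds:
        length += 1
    return length


def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that gives a readable number."""
    for unit, size in (("years", YEAR_SECONDS), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.2f} {unit}"
    return f"{seconds:.2f} seconds"


if __name__ == "__main__":
    scenarios = [
        ("letters", LETTERS, 6),
        ("letters+digits", LETTERS_DIGITS, 8),
        ("letters+digits", LETTERS_DIGITS, 10),
        ("printable ASCII", PRINTABLE_ASCII, 10),
    ]
    for label, pool, length in scenarios:
        avg = expected_seconds(pool, length, FAST_RATE)
        print(f"{length}-char {label:15s} (pool {pool}): average {humanize(avg)} at {FAST_RATE:.0e}/s")
    print("8-char letters+digits against a slow hash:",
          humanize(expected_seconds(LETTERS_DIGITS, 8, SLOW_RATE)))
    print("length needed for a 10-year average at the fast rate:",
          min_length_for(LETTERS_DIGITS, FAST_RATE, 10 * YEAR_SECONDS))
```

Running it reproduces the article’s figures (about 2 seconds, about 3 hours, about 1.3 years, roughly 95 years) and shows the other lever the article only hints at: the same 8-character password that falls in 3 hours at the fast rate takes decades on average against a hash that only allows 100,000 guesses per second.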

And for those not already gone elsewhere for something a little more exciting to read, a look at a few of the technicalities.

In the lingo, trying every possible combination as above is a brute-force attack. Its cheaper cousin is the dictionary attack, where the computer works through a list of likely candidates (real words, previously leaked passwords, common patterns like Summer2019!) instead of the whole keyspace – and absolutely huge wordlists of that kind are easily available online.

Ok, you say, if you know something about how passwords are transmitted on the wire and stored in many systems’ databases: but the passwords are encrypted.

True, strong encryption (TLS) is normally used for passwords in transit, but at rest they are normally stored in database servers as hash values rather than encrypted, and let’s assume a strong hash algorithm – not all are. Guess what, the common hash algorithms are public, and baddies have spent years calculating and tabulating hash values for huge dictionaries of candidate passwords. So if they can breach the organisation’s network, hack the database server and get their hands on the hashed password file, all they need to do is look each stored hash up in those tables. Back to the same old problem – all they need is time. This is known as a rainbow table attack (a rainbow table is a compressed form of such a precomputed table, storing chains of hashes instead of every individual pair). The standard defence is a random per-user salt mixed into every hash, which makes any precomputed table useless because the same password now hashes differently for every account, combined with a deliberately slow password hash (bcrypt, scrypt or Argon2) that cuts an attacker’s guessing rate by orders of magnitude compared with a plain MD5 or SHA-256.

The endless stream of high-profile data breaches is solid proof that weak passwords and poorly protected password stores get exploited in practice. The bottom line is that a strong password protects its owner even when the storage is weak: a long, unique password will not be in anybody’s table unless it has leaked before, and will not be brute-forced in any useful time.

I mentioned above pseudo-code to guess passwords. Programming a computer to take each candidate from a wordlist (or every combination in turn), hash it the same way the target system does and compare the result with the stolen hash is quite a trivial programming task. Online guessing – submitting each candidate to the login form – is the same loop, only far slower and liable to trip lockouts and rate limits, which is why the offline attack on a stolen hash file is the one to worry about.

For example, the pseudo-code might read:

Not at all rocket science.
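The guessing loop described above, as an added Python example (not the original page’s pseudo-code): it attacks a constructed, unsalted SHA-256 credential dump first with a precomputed lookup table built from a small wordlist, then by brute force over a short keyspace, and finally shows why a per-user salt forces the attacker back to one fresh hash per guess per account. The usernames, passwords, wordlist and salts are constructed for the demo; a real store should use a slow salted hash such as bcrypt or Argon2, and a real rainbow table stores hash chains rather than every pair, but the reuse property shown here is the same.

```python
# Added example: offline attacks on a stolen hash file, and what a salt changes.
import hashlib
import itertools
import string


def sha256_hex(text: str) -> str:
    """Unsalted fast hash, the way a weak storage scheme would use it."""
    return hashlib.sha256(text.encode()).hexdigest()


def salted_sha256_hex(salt: str, text: str) -> str:
    """Same hash with a per-user salt prepended. This shows the shape of the
    fix only; a real store should use bcrypt, scrypt or Argon2."""
    return hashlib.sha256((salt + text).encode()).hexdigest()


# Constructed "leaked" credential dumps: user -> stored value.
LEAKED_UNSALTED = {
    "alice": sha256_hex("letmein"),   # in the wordlist
    "dave":  sha256_hex("letmein"),   # same password, so an identical digest
    "bob":   sha256_hex("pw1"),       # not in the wordlist, short enough to brute force
    "carol": sha256_hex("correct horse battery staple"),  # neither
}
LEAKED_SALTED = {
    "alice": ("s4lt-a", salted_sha256_hex("s4lt-a", "letmein")),
    "dave":  ("s4lt-d", salted_sha256_hex("s4lt-d", "letmein")),
}
WORDLIST = ["123456", "password", "letmein", "qwerty", "dragon"]  # constructed
ALNUM = string.ascii_letters + string.digits                      # 62 characters


def build_lookup_table(wordlist):
    """Hash the wordlist once. The table is reusable against every dump that
    uses the same unsalted hash, which is the whole point of precomputation."""
    return {sha256_hex(word): word for word in wordlist}


def table_attack(stored_digests, table):
    """One dictionary lookup per account; no hashing at attack time."""
    return {user: table[d] for user, d in stored_digests.items() if d in table}


def brute_force(target_digest, charset, max_len):
    """Try every string of length 1..max_len over charset, in order.
    Worst case is sum(len(charset)**n) hashes; returns None if not found."""
    for n in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=n):
            candidate = "".join(combo)
            if sha256_hex(candidate) == target_digest:
                return candidate
    return None


def salted_dictionary_attack(leaked, wordlist):
    """With a salt per user no table helps: every word is re-hashed for every
    account. Returns (recovered, hashes computed) so the cost stays visible."""
    recovered, hashes = {}, 0
    for user, (salt, digest) in leaked.items():
        for word in wordlist:
            hashes += 1
            if salted_sha256_hex(salt, word) == digest:
                recovered[user] = word
                break
    return recovered, hashes


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("table lookup, unsalted dump:", table_attack(LEAKED_UNSALTED, table))
    print("brute force bob (<=3 chars):", brute_force(LEAKED_UNSALTED["bob"], ALNUM, 3))
    print("brute force carol (<=3 chars):", brute_force(LEAKED_UNSALTED["carol"], ALNUM, 3))
    salted_only = {u: d for u, (_, d) in LEAKED_SALTED.items()}
    print("table lookup, salted dump:", table_attack(salted_only, table))
    print("salted dictionary attack:", salted_dictionary_attack(LEAKED_SALTED, WORDLIST))
```

Two things to notice when it runs: in the unsalted dump alice and dave share a digest, so cracking one cracks both and the table answers instantly; in the salted dump the same two passwords hash differently, the table finds nothing, and the attacker pays for a fresh hash per word per account. Scaling that cost up is exactly what a slow hash like bcrypt is for.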

I will have a look at a popular online password manager another time.