Email: The Security Industry’s Single Biggest Failure

I still remember so clearly the frustration I felt back in the 90s when starting in the security industry and trying to sell my services. It was so difficult trying to emphasize just how much at risk potential clients were and then get them to pay me to fix their stuff. Too often I came off like the paranoid conspiracy theorist–their sky wasn’t falling and they saw no wolf.

I remember one particular conference call at the peak of my frustration where a network administrator confidently bragged to me and the managers on the call just how secure their network really was. What the managers didn’t know at the time was that as we were all talking, the network administrator was scrambling to lock things down as I was furiously trying to break in. Being that I was pretty good at that stuff at the time, I was able to quickly drop a little program called cdtray.exe onto a number of computers, including the admin’s own PC, and used the at command to schedule all of their CD trays to open in one minute. I started asking the admin some questions and could hardly contain my amusement sixty seconds later as he suddenly seemed distracted. Then I went in for the kill: “are you convinced now you need more security?” I asked.

I didn’t get that job.

Nor did I get any work from Bank of America when I notified them of a glaring security flaw that exposed their global.asa file which contained their database username and password. That was over a decade ago but I still remember the password: superchicken.

RSA’s Distributed Credential Protection: Yeah They Are Overselling it a Bit.

RSA recently announced their new Distributed Credential Protection (DCP) product which they proudly tout as a “revolutionary” way to secure user credentials. But looking closer (especially at that $160,000 per license price tag), I’m not so sure this product will do much to protect anyone’s credentials.

But let me say this first, the technology itself is absolutely brilliant. Without getting into the details of threshold cryptography (there’s an excellent article by Peter S. Gemmell on page 7 of this PDF), what it does is allow you to split up a secret into any number of parts but you only need a specified number of parts to reproduce the data.

It’s kind of like how you see nuclear missile launches in movies: two people have to insert and turn their keys at the same time to initiate the launch. But threshold cryptography is even more advanced, it would be like handing out 5 keys but you only need any 2 of them to fire the missile. What makes the technology so cool is that it gives you redundancy, integrity, and secrecy but no single piece is useful for obtaining the secret. This technology has many uses in cryptography (it would be perfect for Bitcoin) but I think that RSA’s claim that it will revolutionize password protection is greatly overstated.

The problem is that yes, you are splitting up credentials into multiple parts but all of those parts are components of the same system. It would be like handing both missile launch keys to the same person. Yes, someone would have to steal both keys, but if they can steal one from you couldn’t they just steal the other?

Now one of the claims RSA makes is that if you suspect that an attacker has compromised one of the databases, you can immediately randomize and rescramble the pieces so when they grab the second database the data is useless. So yeah if you happen to catch an attack right after an attacker grabs the first bundle of data but before they grab the second bundle, and you are able to immediately identify all points of intrusion and lock out the attacker so they can’t go back in and re-grab the first bundle, then yes this will work. What are the chances of that happening? Slim to none.
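The “hand out 5 keys, any 2 fire the missile” property is Shamir’s threshold scheme, and the “rescramble the pieces” claim is a share refresh. The following is an added example, not RSA’s DCP code (the post does not describe DCP’s internals); the field prime, the secret and the 2-of-5 parameters are constructed for illustration. It shows that any two shares recover the secret, that a re-split with fresh randomness gives shares that do not combine with the old ones, and, because one process holds every share, exactly the deployment weakness the post describes: whoever can read this process has both keys.

```python
"""Threshold secret sharing (Shamir's k-of-n scheme) over a prime field.
Added example, not RSA's DCP implementation: it shows the "5 keys, any 2"
property and the share-refresh trick described above.  The prime, the
secret and the 2-of-5 parameters are constructed for illustration."""
import secrets

PRIME = (1 << 127) - 1  # field modulus; secrets must be smaller than this


def _eval_poly(coeffs, x):
    """Horner evaluation of a polynomial (coefficients lowest degree first) mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, k, n):
    """Split `secret` into n shares (x, y); any k of them reconstruct it."""
    if not (1 <= k <= n) or not (0 <= secret < PRIME):
        raise ValueError("bad threshold parameters")
    # Constant term is the secret; the remaining k-1 coefficients are random,
    # so every call yields shares unrelated to those of any earlier split.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange-interpolate the polynomial at x = 0 from the given shares.
    Only k or more shares from the SAME split give back the secret; mixing
    shares from different splits yields some other field element."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def demo(secret=8675309, k=2, n=5):
    """Exercise the properties the post discusses; returns booleans for checking."""
    shares = split_secret(secret, k, n)
    # Any two of the five holders can recover; all five together agree as well.
    any_two = recover_secret([shares[0], shares[3]]) == secret
    all_n = recover_secret(shares) == secret
    # "Rescramble" after a suspected breach: re-split with new randomness.
    refreshed = split_secret(secret, k, n)
    # A share stolen before the refresh is useless alongside a post-refresh share.
    mixed = recover_secret([shares[0], refreshed[1]]) == secret
    new_pair = recover_secret(refreshed[2:4]) == secret
    return {"any_two": any_two, "all_n": all_n, "mixed_old_new": mixed, "new_pair": new_pair}
```

Run `demo()` and the only `False` entry is `mixed_old_new`: the refresh works exactly as RSA describes, but only if the attacker never gets a second share from the same generation, which is the timing assumption the post questions.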

Splitting the databases into two locations is not particularly helpful because both must be accessible to the web server, which is usually the point of entry in these types of attacks, and therefore if an attacker can access one database they can likely access them both. Again, it’s like handing both keys to the same person.

The thing is that RSA’s DCP product is addressing the wrong problem with the wrong solution. The reason most companies get their data leaked is because they have poorly secured their public-facing servers and applications and that they don’t follow best practices for storing user credentials. Both of these problems already have solutions and any organization would be better off spending their money on some code audits and pen-testing.

The fact is that if you have problems with hackers getting into your databases, I think you will still have problems even after shelling out $160,000 for DCP. If you don’t have that problem because you have proper security controls and practices already in place, chances are you don’t even need DCP.

To be fair I have to mention that I have not seen or reviewed this implementation in depth so I could in fact be completely wrong with my criticisms. Perhaps this system could be deployed in such a way that it is much more resilient than I am supposing. And certainly RSA acknowledges that this product is just one layer in a multi-layered defense-in-depth strategy. But I still come back to the fact that you are giving both keys to the same person.

What I would like to see is this technology implemented in a much smarter manner, for example by distributing credentials across multiple distinct trust authorities. It would be a great way to overcome many of the weaknesses and distribution issues we see with SSL certificates. Having multiple holders of a secret not only better protects the secrets but upholds integrity in the case a small number of authorities are compromised. This technology could be helpful for preventing insider attacks and would be useful if you have your servers at third-party data centers that you may not completely trust. There are also some legal advantages with having databases distributed across multiple jurisdictions. And hey, if this technology prevented just one attack, in the absence of other attacks it would probably be worth the expense.

There are many other areas that could greatly benefit from threshold cryptography, but splitting credential storage within an organization is probably not one of them. The concept of a black box authentication appliance (although this is VM-based) is a great direction to be going, considering how many organizations simply don’t implement credential storage correctly, but they seem to be overselling (and overpricing) what this product really can accomplish.


Want to Block Common Passwords? Sorry, That is Patented

I always enjoy browsing through password-related patents to see all the flawed, silly, or outright dumb ideas that people come up with in an attempt to improve how we authenticate ourselves in the digital realm. What amazes me though is how many patents I encounter that have been granted for some of the most obvious, well-known and ordinary techniques we use in the authentication process. In fact, every imaginable aspect of password selection, authentication, storage, and recovery seems to be covered by one or more patents.

93% of the Top 10,000 in the LinkedIn List

I would like to welcome LinkedIn to the not-so-exclusive club of major web sites that have experienced major password leaks. Like any other major leak it is hard to visit any forum or tech blog without seeing some mention of it. And like any other leak my inbox is starting to fill up with press requests for comments.

But what is interesting here is that there’s nothing interesting here. It’s the same thing we have seen so many times in the past and surely will continue to see.

One thing that highlights this, brought up to me by blogger Johnvey Hwang, is that 93% of the passwords in my Top 10,000 passwords list appear in the LinkedIn hashes dump. Here it is in his words:

I was curious as to what percentage of the most common passwords were present in this dump, as a proxy for gauging the password choices for a supposedly more professional population. A quick search led me to security guy Mark Burnett, who maintains a list of the top 10,000 most used passwords across the internet. He admits to some skew caused by a significant amount of sourcing from adult websites, but I don’t think it really matters.

The fact that such a large number of the LinkedIn passwords appear on the top 10,000 list certainly does help validate my data but more importantly it shows that despite all we have learned, very little has ever changed.

Here are some other interesting facts Johnvey discovered about the list:

  • 7,142 of the most common passwords were present
  • 546 of the most common passwords were not present
  • 2,312 of the most common passwords were too short for LinkedIn’s 6 character minimum

I think that 93% is an amazing number, yet again, the biggest story here is that nothing really has changed.


Sidenote:

I personally have three LinkedIn accounts that I maintain. None of those three passwords appear on the list. Apparently the list is not complete, but the question now is what criteria put those particular passwords on the list.

Updated Thoughts on CISPA

Since I wrote my last post on CISPA a few weeks ago, a number of things have changed and my own opinion has evolved some as well. I still feel that the EFF’s interpretation was perpetuating a great amount of FUD, but that doesn’t really justify the merits of CISPA. There are many things to say about CISPA but I thought I would share some random thoughts here:

The Quayle Amendment Changed Things

Whether this amendment is good or bad from the perspective of privacy is debatable, but the question here is why was that amendment necessary? And why was the vote pushed forward right after including this amendment? In my opinion, this amendment alone is reason enough to hate this bill. I want to get that out first because although I agree with the premise of the bill, the risks of passing it as it stands are just too great. I don’t agree with the FUD involved in fighting this bill, such as saying it is the new SOPA, but I am always very wary of unintended consequences and since it is so much harder to undo a law, this must be approached with great caution.

How Much are they Spying Already?

I’m not saying they should pass this bill because they already spy on you, I am saying that if this is a big concern we need to put more effort into laws that limit what they are already doing. Most companies already have intrusion detection and spam prevention systems in place to identify and log attacks and other unwanted threats to their networks. Much of this involves deep packet inspection and storing personal information about those who trigger alerts, including the many false alerts. There really aren’t many rules on what these companies can and cannot do with that information and their terms of service open us all up to huge intrusions of privacy. We do need legislation that clearly defines a threat and clearly defines (and limits) what can be done with that information.

And then there’s the NSA. Certainly we can’t even imagine how much information they gather on every one of us. Really, that just needs to stop; I don’t remember any U.S. citizens getting any say in allowing them to do that.

It appears that this law allows for better coordinated sharing of information but the fact is we are already threatened with huge invasions of our privacy. If you can be called a customer, an employee, or a citizen, you can be spied on.

Terms of Service vs Law is a Big Distinction

One very important thing to remember is that a company spying on its users is often covered under its terms of service. You agree to allow that in exchange for using their service. However, law enforcement agencies are limited by law which is much more restrictive. A law such as CISPA would allow law enforcement to fall under the umbrella of terms of service which would greatly expand their access. While this is good in the sense that it would make certain evidence legally admissible in court, the potential for unintended consequences is huge.

We Need Buffers for Stretched Interpretations

We have already seen how easily law enforcement can stretch interpretations or employ secret interpretations of laws. As a parent I see that, like children, you need to be very specific about things or law enforcement will go with the absolute most permissive interpretation. CISPA simply does not do this. Laws are difficult to reverse so we must be very careful before allowing laws that could have great potential for abuse.

Who Profits from CISPA?

Many have said that the RIAA and MPAA are clearly behind this bill but I don’t buy that. I certainly hate everything about the RIAA, MPAA, and anything they back, but I just don’t see this bill benefiting them that much without greatly stretching the interpretation and exposing themselves to significant liability. I’m not saying that is out of the question, it just doesn’t seem to fit here.

Nevertheless, whenever Congress passes any bill nowadays I am always suspicious of who stands to profit here. Yes I am sure there are some sincere motivations here but since when has a law been passed based on its sincerity?

Don’t Forget Who Makes the Decision, But Does it Matter?

I have seen a number of misleading articles state that CISPA would allow the Government to go trolling for information and take anything they want in the name of cybersecurity. First of all, I think law enforcement already has enough power through the Patriot Act and other laws that they can already demand just about anything. However, it is important to note that CISPA does not allow the Government to demand this information, it only allows companies to volunteer the information.

Now having said that, if the Government starts paying good money for that info, I’m sure that most companies would be happy to volunteer anything that law enforcement asks for.

Long is Bad but so is Short

One thing that always bothered me about the Patriot Act is how in just a matter of days after September 11th, the Justice Department produced such a huge, sweeping bill. In fact, whenever I see any 100+ page bill introduced to Congress I get suspicious of how many lobbyists had their hand in this. Complexity is the best weapon that special interests have in introducing loopholes that line their pockets. Which is why seeing the short, simple CISPA was so refreshing and reassuring.

But as we have seen, being short has its problems too. Complexity introduces loopholes but vagueness can be just as bad. One nice thing about CISPA is that it is probably much easier to fix a few pages of vagueness than to scale back a thousand pages of complexity.

There’s a Bigger Message

I think that it is important to look past the words on the bill and see what the opposition here is really about. It’s not so much about who shares what and how, it is that the American people are getting tired of never-ending legislation that continually gives the Government more power and slowly erodes at our rights of privacy. Do we really even need this bill? Yes there are some specific cases where it would be helpful, but we just don’t know how many more doors we are opening.

We are already tired of constantly hearing how law enforcement agencies are stretching and abusing current laws, do we really want to give them even more power? Will using the Internet become just as personally intrusive as the security gates at an airport? Is there some greedy special interest involved here paying off Congress to make themselves even richer?

The fight against SOPA energized many of us and demonstrated that for once the people do have a voice and we are going to use it. Despite any legitimate benefits of CISPA, Congress is voting on a law that most people just don’t want.

Now there is something to agree with.

Did the EFF Get it Wrong on CISPA?

My first reaction in seeing the recent headlines about CISPA (HR 3523), like many others, was simply being outraged at yet another attempt by the US government to open the doors for spying and censorship. In fact, we have seen so much of this lately and with so many cries that this is worse than SOPA I didn’t even bother reading the bill.

Even the EFF came out with a statement against it and many other respectable organizations have subsequently chimed in and asked for support to block this.

But then someone brought up to me the fact that this bill really isn’t that bad. I spent a few minutes reading the short bill to prove them wrong but in fact I was surprised that this bill is not as evil as everyone has made it out to be. In fact, having worked in the security industry for so long I can see how helpful this law could actually be. Let me explain where I think the EFF got it wrong.

Update: Many have interpreted this post as supporting CISPA, which I do not. I do agree with the premise of CISPA, but the point here is that fear, uncertainty, and doubt really have no place anywhere and I would think that the EFF would be above this. Here are some of my updated thoughts on CISPA.

The Free Pass

The EFF claims that this law gives “companies a free pass to monitor and collect communications, including huge amounts of personal data like your text messages and emails, and share that data with the government and anyone else.”

In fact, the law specifically says that an organization may, for cybersecurity purposes, identify and obtain information about threats to their own rights and property:

(A) CYBERSECURITY PROVIDERS- Notwithstanding any other provision of law, a cybersecurity provider, with the express consent of a protected entity for which such cybersecurity provider is providing goods or services for cybersecurity purposes, may, for cybersecurity purposes
(i) use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property of such protected entity; and
(ii) share such cyber threat information with any other entity designated by such protected entity, including, if specifically designated, the Federal Government.

The Cybersecurity Purpose

The EFF says that “vaguely-defined ‘cybersecurity threats’” could be used “as a shortcut to bypassing the law.” They go on to say that “Worst of all, the stated definition of “cybersecurity” is so broad, it leaves the door open to censor any speech that a company believes would ‘degrade the network.’”

So what is a cybersecurity purpose? I think the law defines that pretty clearly as well:

(4) CYBERSECURITY PURPOSE- The term ‘cybersecurity purpose’ means the purpose of ensuring the integrity, confidentiality, or availability of, or safeguarding, a system or network, including protecting a system or network from–
(A) efforts to degrade, disrupt, or destroy such system or network; or
(B) theft or misappropriation of private or government information, intellectual property, or personally identifiable information.

So a cybersecurity purpose is protecting a network or system from a direct attack on the service or a theft of data from that network or system. I just don’t see this as broad and it certainly would be a huge stretch for an organization to say that speech degrades a network.

Intellectual Property

The EFF statement says that “The bill specifically mentions that cybersecurity can include protecting against the “theft or misappropriation of private or government information” including ‘intellectual property.’ Such sweeping language would give companies and the government new powers to monitor and censor communications for copyright infringement.”

As mentioned above, the law states that a cybersecurity purpose is to protect an organization’s systems or networks from an attack or theft of information, not protecting intellectual property in a general sense. So if someone is breaking into a movie studio’s network to steal a movie that would fall under this law but there is nothing that grants them any rights beyond the scope of their own network.

Monitoring and Censoring

The EFF claims that CISPA allows “a company like Google, Facebook, Twitter, or AT&T could intercept your emails and text messages, send copies to one another and to the government, and modify those communications or prevent them from reaching their destination if it fits into their plan to stop cybersecurity threats.”

But does it really allow this? The bill states that “the term ‘cyber threat information’ means information directly pertaining to a vulnerability of, or threat to a system or network of a government or private entity…” There is nothing here that allows companies to intercept emails and share them with everyone, the information must directly pertain to a vulnerability or threat and this info must have been gathered in the process of protecting their own network or systems.

There is also nothing that allows or even implies that an organization can modify or block information. This law only addresses the sharing of threats and says nothing about how an organization may deal with those threats.

So what about sharing any info with government? That is actually a good thing because there can be some ambiguity with evidence that I actually wrote about ten years ago. The ability for an organization to share information about an attack with law enforcement without the threat of being sued is a big step in being able to prosecute attackers. Furthermore, the law allows organizations to choose how little information they share with the government in these cases.

Civil and Criminal Immunity

The EFF says that CISPA will “let companies spy on users and share private information with the federal government and other companies with near-total immunity from civil and criminal liability. It effectively creates a ‘cybersecurity’ exemption to all existing laws.”

This too is a stretch. Organizations will not automatically be immune from spying. The law states that the immunity applies if the organization is “acting in good faith” for the purpose of protecting themselves and reading and sharing everyone’s emails hardly falls under acting in good faith. Furthermore, the bill does put oversight in place to address privacy and civil liberty concerns.


So Did the EFF Get it Wrong?

When it came to SOPA I hated those who defended it but in this case I think the EFF got it wrong. While I certainly cannot imagine all consequences of this law and some of the points surely could use some clarification (such as explicitly saying this info cannot be used other than addressing specific threats), I think the EFF is wrong on this and has created quite a bit of misguided anger. Yes we need to protect our rights but this is not the bill we should be freaking out over.

Don’t take my word for it, go read the short bill and see what you think.


A Million Random Digits

There is much to be said about randomness and many recommend using truly random password generators. However, sometimes you just don’t have internet access to visit a random password generator web site. The solution? This book contains six hundred pages of nothing but random numbers (see sample below). According to the Amazon.com description, “This book was a product of RAND’s pioneering work in computing, as well a testament to the patience and persistence of researchers in the early days of RAND.”

What is interesting here is the Introduction–which you can read online–of how, in 1947, they produced truly random data.

Of course, before you go out and buy this book, you may want to go read the 270+ customer reviews.


Has User Education Really Failed This Much?

Last week I was pre-paying for my gas at the local station and the cashier asked me what type of gas I wanted. I told him “regular.” He looked a little confused and then asked me if I wanted “unleeeded” gas. I hesitated for a second, smiled, then answered “yes, I want unleeeded.”

This clerk was maybe nineteen or so and clearly a native English speaker. So how does one go through life in the United States not knowing how to pronounce unleaded? And how does someone work at a gas station–where the word is likely spoken all day long–and still not pick up on that? He was the only one there running the place so this certainly was not his first day on the job. Has he really never heard anyone else say that word?

So I was looking over the files from the recent Los Angeles County Police Canine Association hack and while there are many newsworthy elements of this story, there is one that stood out to me in particular. In the file admin.txt, which presumably contains system admin information, I found the following:

All the passwords are "password"

Now this organization and some of its members have already experienced an untold amount of embarrassment from all of this, but we should not let that overshadow this: they have all set their password as password!

We already know just how common password really is, but I like to think that most people, let alone administrators, have at least figured out how to make their passwords even slightly stronger than that. And I would hope that most software applications would not even allow someone to set their password as password.

After nearly fifty years of using passwords with computer systems, you’d think we would have evolved to some collective security baseline that would preclude us from using password as a password. You really can’t set a password many places without being scolded for not using capital letters or numbers, so how does one not just naturally pick up on these things? Isn’t password security mentioned enough in news media for someone to just pick up on this as common sense?
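The point that an application should not even accept password as a password, and that complexity rules alone only push people from password to Password1!, can be enforced with a normalising blocklist check. The following is an added example, not the author’s code: the blocklist is a constructed handful of entries standing in for a real top-N list, and the 10-character floor follows the advice given in the password-cracking post further down this page.

```python
"""Reject a candidate password if it is a common password, even after the
cosmetic tricks people use to satisfy complexity rules.  Added example, not
the author's code; the blocklist is a constructed handful of entries standing
in for a real top-N list."""
import re

# Constructed sample blocklist, lowercase.  A real deployment loads a file.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "superchicken", "ncc-1701"}

# Reverse the usual letter-for-symbol substitutions.
_UNLEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                         "7": "t", "@": "a", "$": "s", "!": "i"})


def canonical(pw):
    """Lowercase, drop a trailing run of digits/symbols, undo leet-speak:
    'P@ssw0rd123!' -> 'password'."""
    s = re.sub(r"[\d\W_]+$", "", pw.lower())
    return s.translate(_UNLEET)


def check_password(pw, blocklist=COMMON_PASSWORDS, min_len=10):
    """Return a list of reasons to reject `pw`; an empty list means accepted."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if pw.lower() in blocklist or canonical(pw) in blocklist:
        problems.append("matches a common password after normalisation")
    return problems
```

A plain uppercase-plus-digit rule would accept `P@ssw0rd123!`; this check maps it back to `password` and refuses it, while a genuinely uncommon passphrase passes untouched.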

Certainly people know the difference between a poor password and a strong password, but the real issue here is getting people to actually do it. It’s almost as if user involvement in security is some impenetrable area of the human brain that we have yet to comprehend. There is some mysterious detachment that keeps everyone oblivious to the fact that they personally are a hacker target. There are false metaphors people impose on digital communications that give them a huge sense of false security, leaving so many asleep at the switch.

Public shaming seems to have no effect. Policies are seen as annoyances that are okay to circumvent. Everyone has a favorite password they use everywhere.

I have always despised sensational news headlines that say that some new technology will make passwords obsolete. No matter what we come up with, there will always be some knowledge element the user must provide.

But maybe the problem isn’t with passwords, it is that we let users pick and manage their own.

As I walked out of that gas station I laughed at myself, wondering why I didn’t correct the clerk and even jokingly repeated the mispronunciation back to him. I guess I figured someone else would eventually point out his error.


My Password is 4.hub.route.edu.

Password security has always been a hot issue but events in the last few years have made it an even more pressing issue to a greater number of people. When I hear receptionists in a doctor’s office sharing strategies for creating secure passwords I know this is now beyond the realm of network administrators and security professionals.

But one thing I have noticed is that many people don’t truly understand why one password can be so much stronger than another so I thought I would walk through the process of cracking a password. In this case, I decided to use as an example the very password that (until I wrote this) I use for the admin account on this blog.

So like I said in the title, my password is 4.hub.route.edu.

That isn’t the best password I have come up with but it is still fairly strong. It is 15 characters long, contains a number, letters, and some periods. It took me just a couple of logins to actually memorize that password. The word components are fast to type because we are trained to type in whole words. And there are four parts, each one ending with a period. The repetition of the period helps the memory process.

Chances are that no one would be able to go to my admin page (which itself is protected by a different password) and just guess that, no matter how much they knew about me and no matter how many of my other passwords they knew because I have never used that password anywhere else. As of writing this article, I can do a Google search for “4.hub.route.edu” and there will be no results.

But the real risk isn’t someone being able to keep trying to guess my password via the admin page, the real risk is someone finding a new 0-day exploit that allows them to dump the users table in my database and get the hash of my password (which happens to be $P$9YCJ/QwbFcgbo7OtfWGYYE8sVJBxtF/). If someone can get your hash, they can now try millions of password combinations without you ever knowing it.

Cracking a password hash is a lot like trying keys in a lock. A hash is a string of characters derived from your password that is calculated in such a way that it is nearly impossible to work backwards to discover the original password so it is relatively safe to store. When you log in to a system, it will run the password you enter through this same complex formula and the result should be the same.

So when I first created my password on this blog I entered 4.hub.route.edu. WordPress ran it through these formulas and came up with the hash $P$9YCJ/QwbFcgbo7OtfWGYYE8sVJBxtF/ which it saved in the database. The next time I log in, I enter my 4.hub.route.edu password, WordPress runs the same formula on that password and it comes up with $P$9YCJ/QwbFcgbo7OtfWGYYE8sVJBxtF/ which matches the hash it has stored so it knows that I am using the correct password even though WordPress never stored my actual password. Now what is special about these formulas is that it is extremely rare that any two passwords will create the exact same hash (a concept known as a collision).

So if someone is able to obtain my hash, they can’t directly get my password from that, but they can try millions or even billions of different passwords and run each one through the formula until they find one that produces that exact same hash. It is a lot like having a lock, you can’t easily create a key from it but you can try a bunch of keys until you find the one that works.

Now when it comes to passwords there are actually hundreds of trillions of possible passwords someone might choose. Even with a cluster of powerful computers it could take decades to try every possible password. Fortunately for hackers, most people aren’t that clever with their passwords. There are a number of strategies they use that can drastically reduce the number of passwords you need to test to crack a password. Below is that strategy:

1. Hash Lookup

First, an attacker will check to see if someone else has cracked the password before, using either a local database or an online database such as onlinehashcrack.com or hash-database.net or one of the hundreds of other similar sites. In the past few years there have been many large sites that have been hacked and their passwords leaked. If your password was ever one of these, chances are it will appear in one of these databases. Likewise, if you select a common password that others may also be using, it also might be on this list.

In the case of WordPress, the hashes are created using PHPASS but for the sake of this example, let’s just assume they use MD5 hashes like many other systems use. The MD5 hash for my password 4.hub.route.edu is 7914881ba9b78fa307db6ef0db675e29. You can search any online databases for my hash and you will not find it listed anywhere (at least at the time of writing). If your password is one that you have never used before and others likely have not used, you should be safe (try googling one of your passwords, you may be surprised how many results you get).

If your password hash does not appear in one of these databases, there are also rainbow tables which are massive databases of precomputed hashes consisting of every possible password up to 8-10 characters in length, depending on the algorithm. If your password is less than eight characters long, your password surely will be cracked at this stage. However, you will not find 7914881ba9b78fa307db6ef0db675e29 in any of those databases so I am safe so far.
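The store-and-compare mechanism described above, and why a precomputed hash lookup finds a common password but not a unique one, as an added example (not WordPress or this blog’s code). It uses plain MD5 because the post assumes MD5 for illustration; the list of common passwords is constructed.

```python
import hashlib


def md5_hex(password: str) -> str:
    """The 'formula' the post refers to: password in, fixed-length hash out."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def store_password(database: dict, user: str, password: str) -> None:
    """Save only the hash; the password itself is never written anywhere."""
    database[user] = md5_hex(password)


def check_login(database: dict, user: str, attempt: str) -> bool:
    """Run the attempt through the same formula and compare with the stored hash."""
    return user in database and database[user] == md5_hex(attempt)


def build_lookup(words) -> dict:
    """Precompute hash -> password: what an online hash database or rainbow
    table amounts to. Anyone whose password is in 'words' is found instantly."""
    return {md5_hex(w): w for w in words}


def lookup(table: dict, digest: str):
    """Return the password behind a hash if it was precomputed, else None."""
    return table.get(digest)


# Constructed sample of the kind of passwords that appear in leak databases.
COMMON_PASSWORDS = ["password", "123456", "letmein", "NCC-1701", "qwerty"]

if __name__ == "__main__":
    db = {}
    store_password(db, "mark", "4.hub.route.edu")
    print("correct password accepted:", check_login(db, "mark", "4.hub.route.edu"))
    print("wrong password accepted:", check_login(db, "mark", "wrongpass"))

    table = build_lookup(COMMON_PASSWORDS)
    # A reused or common password is recovered without any guessing at all.
    print("lookup of a common hash:", lookup(table, md5_hex("letmein")))
    # A password nobody else has used is simply not in the table.
    print("lookup of the unique hash:", lookup(table, db["mark"]))
```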

The lesson here is to never use a password less than ten characters long. Never use the same password on multiple systems. Don’t try to be clever with your password, that never works (NCC-1701 is a very common password).

2. The Word List

Since most passwords consist of dictionary words or something similar, checking every word in a dictionary or a specialized wordlist (such as the lists at http://svn.isdpodcast.com/wordlists/) is a quick way to find a weak password. Most hackers will use lists of the most common passwords such as these because chances are very high that someone will be using one of those passwords. It normally doesn’t take more than a minute to go through even a gigantic list of words.

In my case, even a Google search for my password turns up nothing so even if you had the massive list of words that Google has indexed you still wouldn’t be able to crack my password.

Considering this, you can see why so many systems simply prohibit any password that is a dictionary word.

3. Rules and Patterns

If a dictionary or wordlist check fails, the next step is to try some of the common (albeit ineffective) tricks people use to make a password more complex. If you asked me what I thought was the most common password pattern I would say a proper noun (such as a name) followed by 2-3 numbers. So it would be smart for a hacker to take each word in a wordlist and add every possible number from 1 through 999. If that doesn’t work, you could try reversing each word or doing simple substitutions like using the number 3 instead of the letter e. It really does not take much effort for a cracking program to try hundreds of different patterns.

For example, a dictionary word may be “password”, so a rules-based attack may try PASSWORD, dRowssap, P@SSW0RD, p@ssW0rd, dr0Wss@p, passwordpassword, @ssW0rdp, dp@ssW0r, p@9sW0rd, 1p@ssW0rd, p@$$W0rd, ppp@ssW0rd, and thousands of other variants of the word. Depending on the number of rules and the size of the wordlist, this step may take only five to ten minutes and will crack a great number of passwords.

If an attacker has sufficient processing power, another effective strategy is to try two dictionary words together with various delimiters between them (such as dashes or periods). If you had a wordlist of 100,000 words and tried every combination of two words that means you would have ten billion possible combinations. Trying different delimiters between the words would make it a little bit harder but not much.

You probably wouldn’t want to try three-word combinations because that would take you up to a quadrillion (1,000,000,000,000,000) possible combinations, which would not be an effective strategy. In the case of my password there is a number and three other words that would likely appear in a dictionary, but testing for four-word combinations would mean there are 100 quintillion (100,000,000,000,000,000,000) possible passwords, so the odds are my password would still be pretty safe.

The lesson here is that a strong password is not a matter of being clever, it is a matter of beating the numbers. Passwords should always contain three or more words or other sequences.

4. Brute Force

If a password hash doesn’t show up in a database, hasn’t been cracked before, and does not show up in a list of common passwords or dictionary words (even after trying hundreds of common variants), the only method left is to simply brute-force the password. This means trying every possible combination of characters until you find the password. It would be like trying to crack a simple bicycle lock: you would start with 000 and try 001, 002, 003, and so on until you got to 999.

In the case of passwords you would need to try every combination of lowercase letters, uppercase letters, numbers, and punctuation symbols. In other words, imagine a bicycle lock where each dial contains abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789`~!@#$%^&*()_-+={[}]|:;"'.?/ and there are eight or more dials. This is why so many systems require that you use a variety of characters: using different types of characters is like making each dial larger, and making your password longer is like adding more dials.

Brute-force attacks are much smarter nowadays thanks to techniques such as mask-based attacks. These attacks use knowledge about how people build passwords to narrow the brute-force search. For example, if you look at this chart http://xato.net/img/UpperCaseLettersLarge.jpg you will see that uppercase letters are very likely to show up in position 1 but are extremely rare after position 8. Knowing this, it would be more effective to not even bother looking for uppercase letters after the first few characters. If you look at the distribution of all character sets in this graph http://xato.net/img/CharacterDistributionByPositionLarge.jpg you can see that much can be done to optimize the brute-force process. Nevertheless, these rules become less and less effective the longer and more complex your password gets.

The big secret here is that if you can force a hacker to have to use a brute-force attack and you have a password that is at least 15 characters long, chances are that you have won. Eventually computing power will catch up so that even 15 characters might not be enough, but the good thing is that these numbers grow exponentially, so a 16-character password is almost 100 times stronger than a 15-character password and a 17-character password is more than 9,000 times stronger!

So What Makes a Password Strong?

Your password must be something truly unique and one that you have never used before. In fact it should be so unique that if you did a Google search for it, there would never be any results. You can’t just take a word and dress it up a bit; you need 3-4 words or other sequences to make a password strong. And finally it has to be long. It helps to throw in some numbers and punctuation, but most importantly it has to be long.

Review of Kevin Mitnick’s Ghost in the Wires
