<p>You may think your password is secure. Maybe you have chosen an obscure word, mixed in numbers, and added a <code>!</code> to the end. Think you’re pretty safe, huh?</p>

<p>The truth is, you aren’t. I can crack a 5-character password in less than 139 seconds!</p>

<p>We have been trained over time, by <em>unproven</em> security techniques, to make our passwords contain numbers and letters; sometimes even an <code>@</code> or <code>#</code> or <code>!</code> is added to the mix. <strong>But</strong> the truth is, we are only making it harder on ourselves with passwords that are difficult to remember, yet easy to guess in a brute-force attack (automated hacking software).</p>

<p>Although a 128-character <em>totally random</em> password would be phenomenal, 8 characters is about all that can be enforced without frustrating users. However, an 8-character password composed of uppercase, lowercase, and numbers can be cracked overnight in a real-world brute-force attack.</p>

<h2 id="the-scoop-on-alpha-numeric-passwords">The Scoop on Alpha-Numeric Passwords</h2>

<p>Even though we are trained to think that a password of <code>Blu3D0g5</code> is the most secure type of password, it can still be cracked by a brute-force attack.</p>

<p>Bear with me while I explain… <em>with some maths!</em></p>

<p>For every character in an alpha-numeric password there are <code>62</code> possibilities. First, you have the <code>26</code>-character alphabet in lowercase, then <code>26</code> more in uppercase, and <code>10</code> digits.</p>

<div>
<pre style="text-align: center;"><code>26 + 26 + 10 = 62</code></pre>
</div>

<p>This is to say that if you choose 8 characters <em>completely at random</em>, your password would be very secure. However, we typically take a familiar word, or a couple of words, and add some uppercase letters, or replace <code>e</code> with <code>3</code>, etc… which is <strong>not</strong> secure.</p>

<p>When we calculate the Information Entropy (a measure of how unpredictable the password is) we can see that a completely random character set is great, but when it is derived from an English word, or contains a date, it is simply terrible. The equation looks like this:</p>

<div>
<pre style="text-align: center;"><code>[Password_Length] * log2([Number_of_Possibilities]) = "Information Entropy"</code></pre>
</div>

<div>
<pre><code>8 * log2(62) = "~48 bits"
# which would take almost 9,000 years at 1,000 guesses per second</code></pre>
</div>

<p><em>But, when your password isn’t <strong>completely</strong> random, it’s not that simple.</em></p>

<p>Because the password we chose was actually two words, <code>blue</code> and <code>dogs</code>, with some uppercase and numbers mixed in, the total Entropy is <strong>MUCH</strong> less. Something closer to <code>~28 bits</code>.</p>

<p><strong>So let’s calculate what this actually means.</strong> A brute-force attacker can easily guess 1,000 times per second. The total number of options to guess is calculated by raising 2 to the power of the total number of bits.</p>

<div>
<pre><code>2^28 = 268,435,456
# This is the total number of possibilities the password could be.</code></pre>
</div>

<p>In theory though, an attacker only needs to guess about half the total number of options before stumbling upon the correct one. So:</p>

<div>
<pre><code>268,435,456 / 2 = 134,217,728
# Total number of guesses it takes to guess your password

134,217,728 / 1,000 = ~134,218
# At 1,000 guesses per second, it takes about 134,218 seconds

134,218 / 60 = ~2,237
# Or 2,237 minutes

2,237 / 60 = ~37
# Or 37 hours to guess your password</code></pre>
</div>

<hr>

<h2 id="in-contrast">In Contrast</h2>

<p>Let’s say we use 4 <strong>random</strong> words, without any numbers, and all lowercase. For example: <code>yellow</code> <code>tiger</code> <code>note</code> <code>basket</code>. There are far more words to choose from than anyone could count, but most likely, you will choose from about 7,000 of the most commonly used words. If you use unusual words like <code>laggardly</code> or <code>pomological</code>, the total time to crack your password will increase <strong>exponentially</strong>!</p>

<p>Using this new data, the Information Entropy is now calculated as:</p>

<div>
<pre style="text-align: center;"><code>[Number_of_words] * log2(7,000)</code></pre>
</div>

<p>So, this new password now has <code>~51 bits</code> of Entropy, and using the same time calculations above, we estimate our password would take about <code>35,702 years</code> to crack at the rate of 1,000 guesses per second.</p>

<p>That is in stark contrast to the short 37 hours it takes to crack the <code>Blu3D0g5</code> password.</p>

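<p>The entropy and time-to-crack arithmetic from the two sections above, worked through in Python as an added example (not code from the original post). It uses the post's assumptions of a 62-character alphabet, a 7,000-word list and 1,000 guesses per second; the ~28-bit figure for the word-derived <code>Blu3D0g5</code> is taken from the post as an input, since it is an estimate rather than something this arithmetic can derive.</p>

```python
import math

GUESSES_PER_SECOND = 1_000          # attacker rate assumed throughout the post
SECONDS_PER_YEAR = 365 * 24 * 3600  # 31,536,000


def entropy_bits(length: int, possibilities: int) -> float:
    """Entropy of `length` symbols each drawn uniformly from `possibilities`
    choices: length * log2(possibilities). The symbol can be a character
    (62 for alpha-numeric) or a whole word (7,000 for a common-word list)."""
    return length * math.log2(possibilities)


def expected_guesses(bits: float) -> float:
    """Average guesses until success: half of the 2**bits keyspace."""
    return 2 ** bits / 2


def crack_time(bits: float, rate: float = GUESSES_PER_SECOND) -> dict:
    """Expected time to crack, in the units the post converts through."""
    seconds = expected_guesses(bits) / rate
    return {
        "seconds": seconds,
        "hours": seconds / 3600,
        "years": seconds / SECONDS_PER_YEAR,
    }


def compare(alnum_len: int = 8, charset: int = 62,
            words: int = 4, wordlist: int = 7_000,
            word_derived_bits: float = 28) -> dict:
    """Reproduce the post's three cases: a truly random 8-character
    alpha-numeric password, the word-derived Blu3D0g5 (its ~28 bits is the
    post's estimate, passed in as a constant), and a 4-word passphrase from
    a 7,000-word list. Bits are rounded to whole numbers before the time
    conversion, which is how the post arrives at its figures."""
    return {
        "random_alnum": crack_time(round(entropy_bits(alnum_len, charset))),
        "word_derived": crack_time(word_derived_bits),
        "passphrase": crack_time(round(entropy_bits(words, wordlist))),
    }


if __name__ == "__main__":
    for name, t in compare().items():
        print(f"{name:13s} {t['hours']:>16,.0f} hours  {t['years']:>12,.0f} years")
```

<p>The post rounds to whole bits before converting to time, so 4 * log2(7,000) is taken as 51 bits (35,702 years); with the unrounded 51.09 bits the estimate is closer to 38,000 years. Its "almost 9,000 years" for 48 bits counts the whole keyspace, whereas the half-keyspace average used everywhere else gives about 4,500 years.</p>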
<hr>

<h2 id="the-take-away">The Take Away</h2>

<p>By simply increasing the length of our passwords and using words randomly mixed together, we can have highly secure passwords that attackers will struggle to figure out, but that we can actually remember. I personally will never forget <code>yellow</code> <code>tiger</code> <code>note</code> <code>basket</code> as long as I live. However, now I can’t use it.</p>