My personal website https://leviolson.com
<p>You may think your password is secure. Maybe you have chosen an obscure word, mixed in numbers, and added a
<code>!</code> to the end. Think you’re pretty safe, huh?</p>
<p>The truth is, you aren’t. I can crack a 5-character password in less than 139 seconds!</p>
<p>We have been trained over time, by
<em>unproven</em> security techniques, to make our passwords contain numbers and letters; sometimes even an
<code>@</code> or
<code>#</code> or
<code>!</code> is added to the mix.
<strong>But</strong> the truth is, we are only making it harder on ourselves with passwords that are difficult to remember, but
easy to guess in a brute-force attack (automated password-guessing software).</p>
<p>Although a 128-character
<em>totally random</em> password would be phenomenal, 8 characters is about all that can be enforced without frustrating
users. However, an 8-character password made up of uppercase, lowercase, and numbers can be cracked overnight in a
real-world offline brute-force attack, where the attacker has stolen the password hashes and is not slowed down by a login form.</p>
<h2 id="the-scoop-on-alpha-numeric-passwords">The Scoop on Alpha-Numeric Passwords</h2>
<p>Even though we are trained to think that a password of
<code>Blu3D0g5</code> is the most secure type of password, it can still be cracked quickly, because a cracker does not guess letter by letter: it tries dictionary words with exactly these capitalization and digit substitutions.
</p>
<p>Bear with me while I explain…
<em>with some maths!</em>
</p>
<p>For every character in an alpha-numeric password there are
<code>62</code> possibilities. First, you have the
<code>26</code> character alphabet in lowercase, then
<code>26</code> more in uppercase, and
<code>10</code> digits.</p>
<div>
<pre style="text-align: center;"><code>26 + 26 + 10 = 62</code></pre>
</div>
<p>This is to say that if you choose 8 characters,
<em>completely at random</em>, your password would be very secure. However, we typically take a familiar word, or a couple
of words, and add some uppercase letters, or replace
<code>e</code> with
<code>3</code>, etc… which is
<strong>not</strong> secure.</p>
<p>When we calculate the Information Entropy (a measure of unpredictability: how many equally likely possibilities an attacker has to search) we can see that a completely random
character set is great, but when it is derived from an English word, or contains a date, it is simply terrible. The equation
looks like this:</p>
<div>
<pre style="text-align: center;"><code>[Password_Length] * log2([Number_of_Possibilities]) = "Information Entropy"</code></pre>
</div>
<div>
<pre><code>8 * log2(62) = "~48 bits"
# which would take almost 9,000 years to search exhaustively at 1,000 guesses per second
# (about 4,500 years on average, since the attacker expects to hit it about halfway through)</code></pre>
</div>
<p>
<em>But, when your password isn’t
<strong>completely</strong> random, it’s not that simple.</em>
</p>
<p>Because the password we chose was actually two words,
<code>blue</code> and
<code>dogs</code>, with some uppercase and numbers mixed in, the total Entropy is
<strong>MUCH</strong> less. Something closer to
<code>~28 bits</code>. The attacker never searches all 62 characters in every position; the effective search space is the number of dictionary words times the number of rule variants (capitalize, swap letters for look-alike digits) applied to them, which is tiny compared with 62 to the 8th power.</p>
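<p>To see where the gap between 48 bits and ~28 bits comes from, here is a small rule-based guesser of the kind a cracker runs, added as an example (it is not code from the original post). It takes a constructed twelve-word list, applies the two rules visible in <code>Blu3D0g5</code> (capitalize the first letter; swap letters for look-alike digits and symbols), enumerates every two-word combination, and reports how large that space is and at which guess the password falls. The word list, the substitution table and the rule set are assumptions for illustration; real crackers use lists of tens of thousands of words and hundreds of rules, so the bit count here is smaller than the page's estimate, but the mechanism is the same.</p>

```python
import itertools
import math

# Constructed sample word list for illustration; a real cracking list has tens
# of thousands of entries, and the password's two base words are in it.
WORDS = ["blue", "dogs", "red", "cat", "green", "bird",
         "house", "tree", "yellow", "tiger", "note", "basket"]

# Look-alike substitutions that mangling rules commonly try (assumed rule set).
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "5"}


def mangle(word):
    """Yield every variant of `word` under two rules: optional initial capital,
    and any subset of the LEET substitutions (the rules that turn
    'blue' into 'Blu3' and 'dogs' into 'D0g5')."""
    positions = [i for i, ch in enumerate(word) if ch in LEET]
    for capitalize in (False, True):
        base = word.capitalize() if capitalize else word
        for r in range(len(positions) + 1):
            for subset in itertools.combinations(positions, r):
                chars = list(base)
                for i in subset:
                    chars[i] = LEET[word[i]]
                yield "".join(chars)


def candidates(words):
    """Enumerate all two-word concatenations, each word in every mangled form.
    (A production rule engine de-duplicates; none of the sample words starts
    with a substitutable letter, so there are no duplicates here.)"""
    for first, second in itertools.product(words, repeat=2):
        for v1 in mangle(first):
            for v2 in mangle(second):
                yield v1 + v2


def guesses_until(target, words):
    """Guess number at which the enumeration hits `target`, or None if it
    never does (the target is not built from two listed words)."""
    for n, guess in enumerate(candidates(words), start=1):
        if guess == target:
            return n
    return None


def search_space_bits(words):
    """Size of the two-word-plus-rules space, and its log2 (bits).
    Both words come from the same list, so the count is
    (sum of variants per word) squared."""
    variants_per_word = sum(1 for w in words for _ in mangle(w))
    total = variants_per_word ** 2
    return total, math.log2(total)


def random_alphanumeric_bits(length=8, alphabet=62):
    """The page's formula for a truly random password: length * log2(62)."""
    return length * math.log2(alphabet)


if __name__ == "__main__":
    total, bits = search_space_bits(WORDS)
    print(f"rule-based space: {total} guesses (~{bits:.1f} bits)")
    print(f"random 8-char alphanumeric: ~{random_alphanumeric_bits():.1f} bits")
    print("Blu3D0g5 found at guess", guesses_until("Blu3D0g5", WORDS))
```

<p>With the twelve-word list the whole space is 9,216 guesses (about 13 bits) and <code>Blu3D0g5</code> is the 48th guess. Scaling the list to 7,000 words and adding a few more rules gets you to the tens of bits the page estimates; adding a digit or symbol to a word only adds another rule, not another 62 possibilities per character.</p>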
<p>
<strong>So let’s calculate what this actually means.</strong> A brute-force attacker can easily guess 1,000 times per second against a login form; an offline attacker working on a stolen hash database runs millions to billions of guesses per second, so scale the figures below accordingly.
The total number of options to guess can be calculated by raising 2 to the power of the total number of bits.</p>
<div>
<pre><code>2^28 = 268,435,456
# This is the total number of possibilities the password could be.</code></pre>
</div>
<p>On average, an attacker only needs to guess about half the total number of options before stumbling upon the correct
one. So:</p>
<div>
<pre><code>268,435,456 / 2 = 134,217,728
# Average number of guesses it takes to guess your password
134,217,728 / 1,000 = ~134,218
# At 1,000 guesses per second, it takes about 134,218 seconds
134,218 / 60 = ~2,237
# Or 2,237 minutes
2,237 / 60 = ~37
# Or 37 hours to guess your password</code></pre>
</div>
<hr>
<h2 id="in-contrast">In Contrast</h2>
<p>Let’s say we use 4
<strong>random</strong> words, without any numbers, and all lowercase. For example:
<code>yellow</code>
<code>tiger</code>
<code>note</code>
<code>basket</code>. There is an enormous number of words for you to choose from, but most likely, you will choose from
about 7,000 of the most commonly used words. If you use rarer words like
<code>laggardly</code> or
<code>pomological</code>, the total time to crack your password increases
<strong>dramatically</strong>, because the attacker has to search a much larger dictionary for every one of the four positions (the search space grows with the fourth power of the dictionary size). The words must be chosen by a genuinely random process, such as dice or a random generator over a word list, not picked by hand: words that simply come to mind are far more predictable than the maths below assumes.</p>
<p>Using this new data, the Information Entropy is now calculated as:</p>
<div>
<pre style="text-align: center;"><code>[Number_of_words] * log2(7,000)</code></pre>
</div>
<p>So, this new password now has
<code>~51 bits</code> of Entropy (4 * log2(7,000) is about 51.1), and using the same time calculations above (half the space of 2^51, at 1,000 guesses per second, with 365-day years), we estimate our password would take about
<code>35,702 years</code> to crack at the rate of 1,000 guesses per second.</p>
<p>That is in stark contrast to the short 37 hours it takes to crack the
<code>Blu3D0g5</code> password.</p>
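<p>The time calculations above, for the 48-bit random string, the ~28-bit <code>Blu3D0g5</code> and the ~51-bit four-word passphrase, as a small calculator added here (not code from the original post). It reproduces the page's figures at 1,000 guesses per second and also runs them at an assumed offline rate of 10 billion guesses per second, the order of magnitude a single GPU reaches against a stolen database of fast, unsalted hashes; that rate, and the 365-day year the page's figures imply, are assumptions.</p>

```python
import math

SECONDS_PER_YEAR = 365 * 24 * 60 * 60   # the page's figures use 365-day years

ONLINE_RATE = 1_000            # the page's rate: an attacker hitting a login form
OFFLINE_RATE = 10_000_000_000  # assumed: a GPU against stolen, fast-hashed passwords


def entropy_bits(length, possibilities):
    """[Password_Length] * log2([Number_of_Possibilities]), the page's formula.
    `length` is characters for a random string, words for a passphrase."""
    return length * math.log2(possibilities)


def expected_guesses(bits):
    """An attacker expects to hit the password about halfway through the space."""
    return 2.0 ** bits / 2


def crack_seconds(bits, guesses_per_second):
    """Average time to crack, given entropy in bits and a guessing rate."""
    return expected_guesses(bits) / guesses_per_second


def humanize(seconds):
    """Render a duration the way the page does (seconds, minutes, hours, years)."""
    if seconds < 1:
        return f"{seconds:.3f} seconds"
    if seconds < 60:
        return f"{seconds:.0f} seconds"
    if seconds < 3600:
        return f"{seconds / 60:,.0f} minutes"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 3600:,.0f} hours"
    return f"{seconds / SECONDS_PER_YEAR:,.0f} years"


def report(bits):
    """Average crack time at both rates for a password of `bits` entropy."""
    return {
        "bits": round(bits, 1),
        "online": humanize(crack_seconds(bits, ONLINE_RATE)),
        "offline": humanize(crack_seconds(bits, OFFLINE_RATE)),
    }


if __name__ == "__main__":
    cases = {
        "8 random alphanumeric chars": entropy_bits(8, 62),
        "Blu3D0g5 (page's ~28-bit estimate)": 28,
        "4 random words from 7,000 (page rounds to 51)": 51,
        "6 random words from 7,000": entropy_bits(6, 7000),
    }
    for label, bits in cases.items():
        print(label, report(bits))
```

<p>At the assumed offline rate the picture changes: the 48-bit random string falls in about 4 hours (the "overnight" the page mentions), <code>Blu3D0g5</code> in a fraction of a second, and the four-word passphrase in roughly 33 hours. Six words from the same 7,000-word list (about 77 bits) pushes that back to on the order of 200,000 years, which is why the formula's linear dependence on word count matters more than the choice of individual words.</p>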
<hr>
<h2 id="the-take-away">The Take Away</h2>
<p>By simply increasing the length of our passwords and using words randomly mixed together, we can have the most secure passwords
that attackers will struggle to figure out, but that we can actually remember. I personally will never forget
<code>yellow</code>
<code>tiger</code>
<code>note</code>
<code>basket</code> as long as I live. However, now I can’t use it.</p>
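<p>One way to actually produce the kind of passphrase the take-away recommends, as an added example that is not code from the original post: pick the words with the operating system's cryptographic random source rather than by hand, and size the phrase from the list length using the page's formula. The sixteen-word list below is constructed for the example (a real generator uses a published list, such as a 7,776-word diceware list, which is the <code>DICEWARE_SIZE</code> assumption); the 7,000-word figure is the page's own estimate.</p>

```python
import math
import secrets

# Constructed word list for the example. A real generator uses a published
# list; entropy comes from the list size and from choosing by a random process,
# not from how obscure the individual words are.
WORDLIST = [
    "yellow", "tiger", "note", "basket", "river", "candle", "marble", "pillow",
    "garden", "silver", "rocket", "button", "forest", "window", "copper", "violet",
]

PAGE_DICTIONARY_SIZE = 7_000   # the page's estimate of commonly used words
DICEWARE_SIZE = 6 ** 5         # assumed: 7,776 words, one per roll of five dice


def passphrase_bits(word_count, dictionary_size):
    """[Number_of_words] * log2(dictionary size): the page's passphrase formula."""
    return word_count * math.log2(dictionary_size)


def words_for_target(target_bits, dictionary_size):
    """Smallest word count that reaches `target_bits` from a list of this size."""
    return math.ceil(target_bits / math.log2(dictionary_size))


def generate(word_count, wordlist=WORDLIST):
    """Pick words with the OS CSPRNG (`secrets`), never `random`, which is
    seeded predictably and not meant for secrets. Repeats are allowed:
    rejecting them would shrink the space and bias the choice."""
    return " ".join(secrets.choice(wordlist) for _ in range(word_count))


def is_from_list(phrase, wordlist=WORDLIST):
    """Sanity check that every word in `phrase` comes from the list."""
    return all(w in wordlist for w in phrase.split(" "))


if __name__ == "__main__":
    phrase = generate(4)
    print(phrase, f"(~{passphrase_bits(4, len(WORDLIST)):.0f} bits from this tiny list)")
    print("4 words from 7,000:", round(passphrase_bits(4, PAGE_DICTIONARY_SIZE)), "bits")
    print("words needed for 80 bits from a diceware list:",
          words_for_target(80, DICEWARE_SIZE))
```

<p>The entropy is a property of the process, not the result: <code>yellow tiger note basket</code> drawn by dice from a 7,000-word list is worth 51 bits, while the same four words chosen because they came to mind are worth far less, and once published they are worth nothing at all.</p>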