Let’s say that I’m opening a new online banking account with an institution that doesn’t require special symbols or numbers in the password. For whatever reason I decide to use ThatbitchArachnehaditcoming,Pallasdamnit! as my password. That’s 41 characters which can be divided into nine words, all of which are in the dictionary, but as there are no spaces the password itself cannot be found in any dictionary. How vulnerable would that be to a password cracking program? More or less vulnerable than, say, a ten or eleven character password containing symbols & numbers?
You wouldn’t try a brute force attack on an online banking system. It is futile.
First of all it takes at least 2 seconds from the time you hit “Submit” and the system’s response about whether the password is valid or not. It would take ages just to test a handful of passwords.
Then, the system would probably lock you out for some time (usually 30 minutes) after three or five failed login attempts.
But there is such a thing as a password-cracking program, no? For what are they used?
Forget the online banking thing. I was just wondering about the utility of that sort of password format and chose online banking as an example. It’s not like anyone cares what my DeviantArt password is.
Currently I tend to select passwords by taking the initials of a line from a story I’m reading, interpersing various numbers for various letters. Say, MDsswbtf# (for Mrs. Dalloway said she would buy the flowers herself).
For a password “cracker” to work, the attacker must have their own copy of the encrypted passwords for analysis. You can’t just, say, decide to “crack” Gmail passwords out of thin air. Obtaining this database would require a large-scale breach of Google’s systems.* There are other types of password “cracking” that are applicable to different scenarios, such as attacking a wireless network, but that is notably different from attempting to obtain username and password information to remote computer systems.
As an aside, when most people say their Gmail or Facebook account or whatever has been “hacked” they are almost always incorrect. The site in question has not been compromised. The breach is actually a result of the victim falling for a phishing email or keylogging malware installed on their computer, or a personal acquaintance who knows enough about the victim to make an educated guess at their password or security question. “What is your mother’s maiden name” isn’t going to protect my bank account from my mom, for example.
When I say hacked, I am including social engineering or phishing among the possibilities, but your point is taken.
What you are proposing is similar to Diceware, which is basically selecting a password randomly from a set of short dictionary words. The Diceware FAQ states,
[quote]
A five-word Diceware passphrase has an entropy of at least 64.6 bits; six words have 77.5 bits, seven words 90.4 bits, eight words 103 bits, four words 51.6 bits. Inserting an extra letter at random adds about 10 bits of entropy. Here is a rough idea of how much protection various lengths provide, based on updated estimates by A.K. Lenstra (See www.keylength.com). Needless to say, projections for the far future have the most uncertainty.
[ul]
[li] Four words are breakable with a hundred or so PCs.[/li] [li] Five words are only breakable by an organization with a large budget.[/li] [li] Six words appear unbreakable for the near future, but may be within the range of large organizations by around 2014.[/li] [li] Seven words and longer are unbreakable with any known technology, but may be within the range of large organizations by around 2030.[/li] [li] Eight words should be completely secure through 2050. [/ul][/li][/quote]
There are a bunch of websites that can test the strength of your password. Here’s can example: http://www.passwordmeter.com
The brute force cracking programs are used to make millions of repeated guesses on local files such as Microsoft spreadsheets or documents. Encrypted zip or PDF files would more examples of local files.
The attack strategy for online accounts is different. You can’t iterate through millions of possible passwords. The network speed is too slow and most websites have a limit of 3 to 5 tries, after which the account is locked out.
To compromise the password of online accounts, the attacker would either:
[ul]
[li]use some type of social engineering to trick you into revealing your password[/li][li]install software such as hidden keystroke logger on your computer[/li][li]install software or a fake wireless network access point to trick you into thinking you’re logging into your bank website (man-in-the-middle attack)[/li][li]have an insider working at the bank reset your password to something the attacker could use[/li][li]physically enter your house as a plumber and fumble through your desk drawers hoping you wrote your password down on a piece of paper[/li][/ul]
Windows XP had a particularly weak password encryption system. Using several hundred megabytes of Rainbow tablesand Ophcrack, I was able to crack the Admin password of a deceased friend’s computer in around 30 seconds.
There are programs used to crack passwords for Excel sheet sor rar files and they work but take an awfully long time. The longer the password the longer it takes, in General. Like for instance on the rar file cracker program it will give you choice, brute force, dictionary attack, combo, etc. If you take brute force it can take weeks. If you choose dictonary the program starts with, what it thinks, are the most common dictionary words and then goes from there.
I tired it with Mark as a password and the rar program took about an hour to crack it. Of course it depends on CPU usage and such at how fast it cracks the password.
Also whether it’s case sensitive or not adds yet another layer
To be clear, my question is academic; I’m not wondering how to make my online accounts more secure. I mentioned online banking just as an example.
As Cleophus said, they’re used for when you already have a copy of the password database from a system, web site, etc. This is generally done in order to gain knowledge of users’ passwords on that system, which can usually then be used elsewhere.
Most times, passwords are not stored in a decryptable form. They are generally stored using one-way hash algorithms. These algorithms will generate a string of data, or a “hash” that is uniquely paired with the input data, but the algorithm is not reversible to derive the input data from the hash value.
When you enter your password to authenticate to such a system, it does not check your password against a stored password. Instead, it runs the text you typed through the hash algorithm and checks that the hash value matches a stored hash value. When you change your password, it saves the hash value of the password you’ve set. This enables the system to authenticate you, without having a decryptable password stored in a file or database.
What a password cracker will do is basically the equivalent of a brute-force login, but with the advantage of speed on its side. Since the cracker has a copy of the password hash gleaned from a compromised system, their software can try thousands or even millions of passwords per second, running them through the hash algorithm and comparing them with the hashed version of your password. When the hatches mash, they’ve found the password.
Whether or not the length will increase security depends on the hash algorithm used. For example, Microsoft’s LanManager hash, which was used prior to NT based systems, only supported up to 14 character passwords, which were split into two 7-byte strings and converted to upper case before hashing them. Anything after 14 bytes is truncated. I LM-hashed your example above, and ran it through a cracker, which got the first string, ‘THATBIT’ within seconds, and got ‘CHARACH’ shortly thereafter. Older UNIX style password hashes are similarly weak.
On modern systems, however, the situation has improved greatly. My Ubuntu machine for example uses a 512bit SHA-2 hash, which would absolutely hash your whole sentence.
Cracking utilities don’t just try iterate through trying passwords, aaaaaaaa, aaaaaaab, aaaaaaac, etc. Most will have dictionary files containing common words, proper nouns, etc, in one or more languages. They will also generally use algorithms to improve their guesses based on common traits in password selections, e.g. ch4ng1ng s0me numb3rs t0 l3tt3rs won’t improve security one bit.
ETA: They will try different word combinations, different grammar, etc, but a full sentence like that will likely take quite a long time to crack. It’s not impossible, though. When using completely random strings, though, the difficulty goes up by orders of magnitude as the program must essentially randomly guess or use brute-force incremental guesses. To iterate through all possible combinations of say a 10 character password using all available numbers, letters and punctuation, would take over 5,000 years even if you could achieve a rate of 100,000,000 guesses per second.
Academically speaking, your password would be hard to crack because at 41 characters, it’s very long.
However, the password crackers count on the average person not going to the trouble of contriving long passwords. The victim could end up outsmarting himself with a complicated password.
For example in 2001, I encrypted several gigabytes of data with a long synthetic password similar to your technique such as “ToBeOrNotToBeThatIsTheQuestion” but I can’t decrypt it because I don’t remember exactly what I actually typed. Did I type in, “ToBeOrNotToBe.ThatIsTheQuestion” with a period in the middle? Or did I type “Tobeornottobethatisthequestion.” in lowercase with a period on then end? Did I tack on some digits at the end of it? I can’t even hack my own brain! :eek: About once a year, I try and crack the file with another slight variation on my password but I haven’t had any luck yet.
Which, of course, require you to submit a password you’re considering to a potentially-untrustworthy third party. In other words, any password checked on such a site is unsecure.
And I don’t know if anyone’s ever done this, but it would probably be possible to construct a password-cracker that took a large sample of the target’s writing and used that to bias a dictionary search. In your example, for instance, there’s a very large selection of your writing available, in which you mention “Pallas” far more often than is statistically typical, so a smart password cracker might try that with higher priority than it would for some random schmo.
That particular website is safe because it’s just a javascript loop that checks each character – no “submit” required. However, your overall point is valid because the typical web surfer wouldn’t be able to differentiate between a legitimate website vs a malicious one.
Oh, I realize that. But the Pallas sentence sounded so typically Rhymeresque I couldn’t pass it up. It was either that or IwillreleasethebeesonthenextpersonwhosayssomethingniceaboutWales!
It’s not 41 random characters long, though. I think it’s better to think in terms of symbols (nine words and two puncuation marks in this case), and how big a pool those symbols are drawn from (about 100 in the case of alphanumeric + punctuation symbols, maybe 20,000 in the case of English words including some proper nouns). 100[sup]41[/sup] is vastly bigger than 20,000[sup]9[/sup].
Seems to me a 41-character password of random characters is pointless unless being used by an android or Mr. Spock. You have to write it down.
I was just making a point. It’s a bit of a hobby horse of mine - you often see advice like “you need (say) a 12-character password to be secure”. But it depends how you construct those 12 characters. If you just join a couple of dictionary words together, that’s way, way less secure than other methods that introduce more randomness. You can’t just say “oh, my passphrase is 30 characters long, therefore it’s as secure as other 30-character passphrases”.
I understand your point, actually. The strength of that password scheme is that it’s easy for me to understand because it has actual meaning, but that’s its weakness too. I suppose what I was really wondering was how much weaker it is because of the semantic content.
Though I suppose non-Skald persons might have written Zeusdamnit at the end rather than Pallas. But I am not responsible for the heresies of others.
I thought there were about 500,000 to 1 million words (depending on how you count variations in roots and word endings.) However, when I looked it up, the Oxford Dictionary website says its about 171,000. Ok, I don’t remember where I got 500k from but we can use the 171k number.
Although 171000[sup]9[/sup] is not as big as 100[sup]41[/sup], it’s big enough. If a computer could try passwords at the rate of 1 billion per second, it would take longer than the age of the universe to complete.
(Yes, the brute force password cracker could reduce the search space of tokens if the algorithm incorporated rules of grammar – subject-verb-order and/or word frequencies but I’m not sure if the the pruning would be significant enough to make it solvable with today’s computational horsepower. Maybe it could also prune the search space by only using candidate words from a list of 10,000 well known books. However, that type of intelligent algorithm assumes a lot of behavioral aspects that may not apply. Skald the Rhymer may have constructed the password from a non-English book. Maybe he strung together the words from a nonsensical (but funny and memorable) sentence his daughter said at her birthday party.)
Maybe we can work backwards from a realistic password attack. Let’s say we want a password that will withstand a brute force attack of a password cracker that tries 1-billion-passwords-per-second for 10 years. If you assume 5 words strung together as the minimum, only 3161 distinct words would be needed in the pool. (Yes, I know the probability distribution for repeated multiple attacks is actually more complicated than that but I’m keeping it simple for illustration purposes.) This is probably not good enough to ward off the National Security Agency and their supercomputers but is it good enough for the rest of us?