Thursday, November 8, 2012

Password strength case studies

PASSWORDS! They're everywhere! Turn on your computer, you need a password for your user account; log in to your Facebook, you need a password; go to an ATM, you need a password; make online transactions, you need a password. They're the de facto standard of our modern lifestyle. In terms of access control, passwords are one of the 3 types of information ('something you know', 'something you have', 'something you are') that can be used for authentication, or simply, logging in.

The main purpose of having a password is simple. The private or confidential information of an individual or an organisation must not be revealed to another person or party; access to an information system must be limited to a person or group of people. That's why passwords come into the picture, but just having password-based access is not a complete solution at all!

Most of the time, passwords are created by users, and as the principles of psychology go, people tend to choose passwords which are easier to remember. Examples of such passwords include "password", "password123", "iloveyouangelina", "123456", the person's own name, their gf/bf's name, their birthdate, their birthplace, or usually something they admire the most, like their son/daughter's name, the name of a celebrity or some word related to their religion. I'm pretty sure more than half of the people use these kinds of passwords. The problem lies here: these passwords are easier for you to remember, but they are also easy to guess for the antagonists out there who hate you! The point is, the passwords you use for your online accounts, or any other, should be "strong passwords". This might prevent your Facebook account from being accessed by your stalking ex who just 'guessed it'! :P

A strong password may be something which satisfies the following:
1. It should be min. 10 characters in length. (Passwords up to 25-30 in length are okay, but that gives you more pain in remembering them. Also there are chances for you to forget them.)
2. It should have uppercase letters, lowercase letters, numbers and special characters. Having all four types of characters in the password is exceptionally useful; it exponentially increases the strength of your password. Some websites now make it mandatory to have at least one character from each of these four sets in your password while registering.
3. It goes without saying, but weak passwords as mentioned above are a big NO NO!
4. Although it is not mandatory, some organisations and websites enforce a policy of changing your password every 3 or 4 months, and they keep a history of your last 10-12 passwords so that you cannot cycle back to one of them.

Before going ahead, I'd like to brief you about brute forcing. Brute forcing is a way of gaining access to somebody's account by simply trying out all the possible combinations of characters. It's like throwing mud (well, a lot of mud!) against a wall and seeing what sticks! There are automated programs that try out all the possible passwords (like a, b, c, d, ... aa, ab, ac, ... zazaa ... aaa1 ... awdg343 and so on) until one of them matches for the given username. Obviously anyone's password will be one of all the permutations of characters. However, one point is in our favour: this process of generating all possible combinations of characters and trying them against a password field takes a lot of time and computing power. But then there is Moore's law, and computing power keeps increasing. Your best bet would be to adhere to strong passwords.

Now let's consider few password combinations and the time required to crack them by brute force:

1. "facebook"
Take for example 'facebook' as your password. This password is 8 characters long and has only lowercase letters. Let us assume that an attacker knows that you have only lowercase letters in your password. Therefore, each character must be one from the set of 26 lowercase letters {a, b, c, d, e ... y, z}. Since there are 8 positions in the password, each position may hold any of the 26 lowercase letters, independent of the others. Hence, in total there are 26x26x26x26x26x26x26x26 = 26^8 = 2.088E11, i.e. 208 billion possible combinations!
But that's really not a big deal: with today's computing power of trying ~4 billion passwords per second, this password can be cracked in less than a minute!
P.S. This is ignoring the fact that if your password is as simple as "facebook", the attacker would simply guess it! :D

2. "FeedBackForm"
Now this password has a little more length: 12 characters. It contains both uppercase and lowercase letters. Therefore, each of the 12 positions can hold one out of 26 (uppercase) + 26 (lowercase) = 52 characters. In computers, we treat uppercase A and lowercase a separately. Again, the choice at each position is independent of the other characters, i.e. each of the 52 letters has probability 1/52 at any position. (I miss my discrete mathematics class :P ). So, if we calculate
52x52x .... 12 times, this amounts to 52^12 = 3.909E20! That's 390 billion billion combinations. Now that will take 3 thousand years to crack the password. It is nearly impossible for anything to stick around that long. If supercomputers are employed and grids of high-performance computers are engaged, this task can be distributed across all of them, which can reduce the maximum time required to a few months, if not years.

3. "LinkHere73"
Notice that we reduce the password length to 10. One more character set is now added to the password, that is, digits. Digits can be any character from 0-9. Now the character set for our password becomes 52 (uppercase and lowercase letters) + 10 (digits) = 62. Again, each of the 10 characters in the password can be any one of these 62. So, 62 objects for 10 positions gives us 62^10 = 8.39E17, or 839 million billion. This will take ~6 years for a conventional PC to crack.

4. "h@cK52Mon!l"
Here we have used additional special characters, @ and !, in our password. The length of this password is 11 characters. This is a typical example of a strong password. The total character set is both cases of letters + digits + special characters. That comes out to around 95 (I have considered only printable characters from the ASCII set here). So, again, 95 characters individually for 11 positions: 95^11 = 5.688E21, i.e. 5688 billion billion. Considering the same computing power, this will take 4 thousand years to crack this password, which is next to impossible for a single computer.

5. "S00p3r!!$7r0nGPa$$wrD"
This monster over here is an example of a super strong password. This is the type of password that we hackers and security professionals use. It has got all four character sets and it is 21 characters long. Calculating with permutations, we get 95^21 = 3.4E41. This is a really, really huge number. Even if we double up the power of a high-performance desktop PC (10 billion combinations per second, provided that the target system doesn't crash :D), it would take some thousand billion billion years, i.e. 13 sextillion years, to crack one single 21-character password! That is waaaayyy greater than the age of the universe, which started 14 billion years ago!
It is a waste of time to deploy computers to crack this type of super strong password; one has a higher probability of success with mere phishing or social engineering.
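Added example (not from the original post): a small Python script that applies the post's own model to all five case-study passwords. It detects which of the four character classes a password uses, sizes the alphabet the way the post does (26 + 26 + 10 + 33 = 95 printable ASCII), computes |alphabet|^length and the worst-case time at the post's assumed 4 billion guesses per second, and checks rules 1-3 of the strong-password list. The weak-word list is constructed from the examples given in the post.

```python
import string

# Character classes counted the way the post does: 26 + 26 + 10 + 33 = 95
# printable ASCII characters (string.punctuation is 32 symbols, plus the space).
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation + " "),
}
GUESSES_PER_SECOND = 4e9           # the post's assumed cracking speed
SECONDS_PER_YEAR = 365.25 * 86400
# Constructed blacklist built from the weak examples the post lists.
WEAK_WORDS = {"password", "password123", "iloveyouangelina", "123456", "facebook"}


def classes_used(password):
    """Names of the character classes that actually appear in the password."""
    return [name for name, chars in CLASSES.items() if any(c in chars for c in password)]


def charset_size(password):
    """Alphabet the attacker must search, assuming (as the post does) that the
    attacker already knows which classes the password draws from."""
    return sum(len(CLASSES[name]) for name in classes_used(password))


def keyspace(password):
    """Number of candidate strings: |alphabet| ** length (exact integer)."""
    return charset_size(password) ** len(password)


def crack_years(password, rate=GUESSES_PER_SECOND):
    """Worst-case time to exhaust the whole keyspace at `rate` guesses per second."""
    return keyspace(password) / rate / SECONDS_PER_YEAR


def meets_policy(password, min_len=10):
    """Rules 1-3 from the post: at least 10 chars, all four classes, not a weak word."""
    return (len(password) >= min_len
            and len(classes_used(password)) == len(CLASSES)
            and password.lower() not in WEAK_WORDS)


if __name__ == "__main__":
    for pw in ["facebook", "FeedBackForm", "LinkHere73", "h@cK52Mon!l",
               "S00p3r!!$7r0nGPa$$wrD"]:
        print(f"{pw:24s} alphabet={charset_size(pw):3d} keyspace={keyspace(pw):.3e} "
              f"years={crack_years(pw):.3g} policy_ok={meets_policy(pw)}")
```

Try adding one more character to "LinkHere73" and, separately, one more character class; the output shows which of the two changes buys more years.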

One last note: in the examples mentioned above, we assume that the target system gives us an unlimited number of attempts to try a username-password combination. This is not the case in the real world. After a few unsuccessful attempts, websites or servers may block you for a predefined period of time. If this behaviour persists, the admin may block the IP address or the account altogether. Also, having a strong password is not a foolproof solution, since there are many other methods like trojans, keyloggers and MITM attacks that can be used to extract your password without even interacting with the authentication system.

related: http://vipulchaskar.blogspot.in/2010/07/you-are-on-target-common-user.html
