Security

A little more about passwords


By now, you've probably heard about ElcomSoft's patent application for a procedure used to crack passwords 25 times as fast using a GPU instead of a CPU. The parallelization that goes on in the modern GPU is to blame for this kind of accelerated password cracking -- what we call "hardware-assisted brute force password cracking" in the security biz.

Here's how brute force password cracking works in practice:

  1. A malicious security cracker gets his or her hands on the hash of your password or otherwise recreates a password test for your user account's password on a local system so he or she can try out passwords to see what works.
  2. He or she then writes or configures a program to generate combinations of characters from a character set -- and up to a reasonable length -- that allows for generating the entire set within a period of time he's willing to wait.
  3. The program then generates combinations of characters within those constraints and tries them against that password test until it finds one that works.
  4. The malicious security cracker uses the newfound password to access your account, assuming you haven't changed it in the meantime (perhaps after reading this article and realizing that uppercase and lowercase alphabetic characters limited to eight characters or less is a bad idea).

According to ElcomSoft's numbers, a dual-core CPU can generate about 10 million password attempts per second, assuming the CPU isn't doing much else (such as running Vista's Aero Glass user interface, for instance). As ElcomSoft correctly points out, that adds up to about two months (61 days) for cracking an eight-character alphabetic password. I'll demonstrate with a little arithmetic in irb (the interactive Ruby interpreter):

> irb

irb(main):001:0> eight_char_alphabetic = 52 ** 8

=> 53459728531456

irb(main):002:0> cpu = 10_000_000

=> 10000000

irb(main):003:0> seconds_per_day = 60 * 60 * 24

=> 86400

irb(main):004:0> max_seconds = eight_char_alphabetic / cpu

=> 5345972

irb(main):005:0> max_days = max_seconds / seconds_per_day

=> 61

As you can see, that's 61 days, give or take. According to ElcomSoft's numbers again, the GPU password-cracking system can generate about 200 million password attempts per second with the $150 graphics adapter used in tests. The numbers look something like this:

irb(main):006:0> gpu = 200_000_000

=> 200000000

irb(main):007:0> max_seconds = eight_char_alphabetic / gpu

=> 267298

irb(main):008:0> max_days = max_seconds / seconds_per_day

=> 3

I'm cheating a little for ElcomSoft here, because I'm using integer arithmetic instead of floating point math. The real numbers are more like 61.9 and 3.1. You get the idea, though.

Now, just for the heck of it, let's take a password that's probably about as strong as the one I happen to be using on the laptop on which I'm writing this. Let's assume the password looks something like this:

    One p^55w0rd

That's a capital letter O in "One," and a zero in "p^55w0rd," in case the font used in your browser doesn't differentiate sufficiently to make it obvious. That combination of characters means we're drawing from a character set of 73 possible characters -- 26 lowercase, 26 uppercase, 10 numbers, and 10 special characters from above the numbers using the [Shift] key, plus the space character. Now, let's figure out how long it would take the GPU method to crack that password at a rate of 200 million generated combinations per second:

irb(main):015:0> strong_p = 73 ** 'One p^55w0rd'.length

=> 22902048046490258711521

irb(main):016:0> max_seconds = strong_p / gpu

=> 114510240232451

irb(main):017:0> max_days = max_seconds / seconds_per_day

=> 1325350002

irb(main):018:0> max_years = max_days / 365

=> 3628610

Notice anything interesting? I do -- the fact that it could take a malicious security cracker using a GPU for hardware-assisted brute force password cracking 3.6 million years to crack that password. The median period for cracking a password of that length and character set would be about 1.8 million years then.

Okay, so a reasonably strong password pretty well armors you against this brute force technique using GPUs. That's not all though -- you're even safer than you think. This means of cracking passwords assumes the malicious security cracker can either download the necessary data to perform automated tests (including upper limits to the character set and password length used, as well as something against which to test passwords such as a hash of your password) or access to your machine such that he or she can run the tests in-place (since trying to do it over the Internet would slow things to such a crawl that "hardware-assisted" becomes a nonissue for brute force password cracking). If your authentication mechanisms don't make password lengths and password hashes (or equivalent) available to the security cracker, things get a lot more complicated for him or her.

So what's left?

Last week, I listed 10 security tips for use with computers running any of the major general-purpose OSes, and the very first item suggested that you use strong passwords. The opposite -- using weak passwords -- is really the biggest threat to your security when it comes to hardware-assisted brute force password cracking attempts.

Consider that a four-character password using nothing but lowercase letters can be cracked in less than a second using a single-core CPU. Even worse, you don't need to do a random brute force with many passwords because people have a tendency to use actual words for passwords. A simple dictionary attack -- comparing words in the dictionary up to a given length until the correct password is found -- suffices in many cases.

Don't expect that ElcomSoft's system means the end of effective password protection. Just don't be the one whose password is "password" and gets his computer owned by a malicious security cracker with minimal effort either.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

17 comments
pjwvieviwdhy
pjwvieviwdhy

Why use Ruby? The "units" utility built into most Linux/Unix distributions is far better for this purpose: You have: 10 million per second You want: days per 52^8 reciprocal conversion * 61.874686 That's all there is to it.

Absolutely
Absolutely

Don't you find that character to be prohibited on so many systems as to be worth excluding from discussion? Also, by just increasing the password length from 8 to 12, one increases the clock cycles required to crack by nearly a factor of 10,000,000. "irb(main):001:0> eight_char_alphabetic = 52 ** 8 => 53459728531456" Keeping 3 significant figures: 5.35e13 With 12 characters instead of 8: 3.91e20 Once the password is "sufficiently" long, adding numbers and/or special characters to the recipe does comparatively little -- only about 2 more orders of magnitude. 73^12=2.29e22 Not to say that it isn't a good idea to employ as many distinct symbols as possible in a password, because it does help, but mathematically, it's the exponent that accounts for most of the difference.

BALTHOR
BALTHOR

What looks to be computer programming here is actually a script interpreter.Many of the software programs that you see today were hardware flash programs.This program includes the fancy software GUI.Programs like FL Studio could be used in arcade games as MIDI file players.These VST synth programs are the flash for the hardware synth.I'm wondering here if the big Moog was digital.Anyways---VST and hardware synths are both susceptible to computer virus just like that injector monitoring chip in your Ford pickup. http://www.esoundz.com/details.php?ProductID=1661 http://www.youtube.com/watch?v=UBt2ils_o24

Jaqui
Jaqui

and you went and got me thinking the BALTHOR had returned.

apotheon
apotheon

"[i]Don't you find that character to be prohibited on so many systems as to be worth excluding from discussion?[/i]" Spaces are allowable characters on both Unix-like and MS Windows systems -- which covers the vast majority of OSes most of us encounter. It's only when you start getting into more obscure (and much older OSes) and certain very limited types of software (such as a lot of websites with memberships) that space characters are disallowed much of the time. I find, as well, that spaces allow me to greatly lengthen the effective length of a password without risking forgetting the password -- because it is easier to remember a password that relates in my mind to a multiword phrase of some sort, even though the password (or "phassphrase") itself is not recognizable to anyone else as being related to actual words, than to simply remember a single unbroken sequence of characters once you get past a mere handful of characters. Also . . . the spacebar is one of the easiest and fastest keys to use in the midst of an oft-typed sequence of characters, which is helpful when I'm devising a password that I'll use a lot. Finally, spaces are still among the least-often used characters in password-cracking software, because it is so rare for people to use spaces in their passwords. For that reason, it is worth more to the difficulty of cracking a password than adding many other (more often used) characters, such as an asterisk.

w2ktechman
w2ktechman

that using certain numbers and/or special characters may already be encoded into malicious programs as substitutes. Some common ones would be 1 for L @ for A 3 for E % because it is used often 5 for S & for and 7 for L * because it is used often and to add to it, the last 2 digits of the current years date. Personally, I used 8 character PWD's in 2k, in '02 I changed it to 9, in 05 I changed it to 10, now I just changed it again, just to feel a little bit safer.

Absolutely
Absolutely

Admittedly, I observed that pattern about 10 years ago, stopped trying to put spaces in my passwords, and didn't try again. [i]Finally, spaces are still among the least-often used characters in password-cracking software, because it is so rare for people to use spaces in their passwords. For that reason, it is worth more to the difficulty of cracking a password than adding many other (more often used) characters, such as an asterisk.[/i] I don't have access to any data on that topic, but I'm a bit surprised by it. First, in the sense that I'm surprised by so-called surveys on topics like the number of times per day that males and females think about sex. Secondly, because I just find it difficult to imagine going to the effort of writing a program, and omitting a key. Weird.

Absolutely
Absolutely

If password guessers start with the typical strings -- kids & domestic partners' names, favorite squash team, etc., then do those kind of replacements, then they might get a high rate of success within an average of just a couple hundred or thousand programmed character combinations, and never even resort to trying truly random combinations. Every admin who's even half serious about security should provide a password creation app powered by a random number generator.

apotheon
apotheon

Yeah, if I was limited to only one change I could make, I'd go for a longer password too.

Absolutely
Absolutely

Trying combinations that lack the same characters that the population of correct guesses is known to lack, or to use relatively infrequently, makes perfect sense. Not trying them at all (which I now understand is not what you meant) is what struck me as strange. I guess I should limit my remarks more because I really wanted to focus on pointing out how much advantage is gained by increasing the password's length. If end users make just one change to their passwords, I'd opt for 12 character minimums. (I'm not counting users whose password is in the dictionary, because trying a couple 100,000 combinations of letters can be finished in a blink of an eye. They might as well use "Welcome!" as their password!)

apotheon
apotheon

For general-purpose tools that depend on statistical rates and luck, you need to exclude options. If you don't exclude options, something like "god" as a password may not be found for thirty-seven years. You have to eliminate the least likely possibilities to be able to spend more time on the most likely possibilities up front, thus likely shortening the time it takes significantly. Omitting space characters and semicolons reduces the number of options you have to try out to get through the entire set of potential combinations of characters. Including them, by obvious contrast, increases that number. If you increase it to a point where it takes too long on average to discover a password to bother, you need to start omitting the least-likely cases. Tell me -- when you misplace your car keys, do you look in the oven first, or on the living room coffee table? I probably wouldn't check the oven [b]at all[/b]. I'd probably omit it entirely, just as many people omit spaces and semicolons from brute force password cracking attempts -- because by the time it becomes a statistically significant possibility for general purpose password cracking, you've already been trying to crack that password for, say, a hundred years (just making up a number off the top of my head for argument's sake). edit: By the way, it's not difficult at all to write a brute force password guess generator. It's a little more involved creating one that generates guesses relatively quickly, but even that isn't outside the realm of triviality. The difficult part comes in trying to get it to come up with the most likely combinations first, then the next most likely combinations, and so on. Part of the key to achieving this is to omit, or at least defer until much later, inclusion of characters that almost nobody uses (and that's really the easiest part of focusing on more likely combinations -- it gets to be more of a black art after that). . . . so, really, it shouldn't be surprising at all that someone would write a brute force cracking tool that ignores one of the least likely password characters.

w2ktechman
w2ktechman

"One way or another, we have to keep people thinking in terms of making the password difficult to defeat but easy to remember. And then get them into the habit. " That is all we can do really, without forcing too harsh a policy where everyone needs it written down...

Tig2
Tig2

But how do you know I didn't use a magazine instead? And if I gave you the titles, how do you know I was reading the current issue? My point was to stop thinking in words and think in phrases. Make random substitutions. Or use a generator. Problem is that 8 was good yesterday, marginal today- 9 or 10 is better, 12 even better. Upper/lower cases, special chars, alpha numeric, and the complexity requirement continues to climb. Dual factor is good but the average home user won't think of it and likely wouldn't use it regardless. One of the things I am playing with lately is a hexidecimal conversion of a base 10 numeric string. All I have to do is recall the base 10 string, feed that to my PDA (password protected) and convert to hex. Might be workable, might not. One way or another, we have to keep people thinking in terms of making the password difficult to defeat but easy to remember. And then get them into the habit. *sigh*

Absolutely
Absolutely

So, wanna tell me about any good books you're read lately? ]:)

w2ktechman
w2ktechman

Usually I recommend to abbreviate or alter several words and use numbers and special characters as well. This makes it harder than any single word, or 2 words put together. And when done, it would not really be recognizeable as words, but the strings of words are easier to remember for most people.

Tig2
Tig2

Rather than a string of characters conforming to an 8, 9, or 10 character requirement, I use pass phrases frequently that can be based on the first paragraph of the book I am reading at the time. By taking the first letter of every word in a sentence or paragraph and making random substitutions, I have a reasonable password of reasonable strength. But a generator is MUCH easier to manage!

w2ktechman
w2ktechman

I recommend several things for PW strength. Use special characters that are not 'common' ones. if using words, string several abbreviations of said words. and longer is better.

Editor's Picks