[real-eyes] Password Haystacks

  • From: Steven Clark <kcpadfoot@xxxxxxxxx>
  • To: nutkc@xxxxxxxxxxxxxxx, real-eyes@xxxxxxxxxxxxx
  • Date: Thu, 15 Dec 2011 19:13:35 -0600

The following is a copy and paste from the Password Haystacks page at grc.com:
https://www.grc.com/haystack.htm

There is an article about this in the January 2012 edition of Consumer Reports; it's been mentioned in Time Magazine, and featured on an ABC station in LA.
Give it a try, it's not hard to come up with an easy-to-remember password that is difficult to guess.  I used ;realize#0 in the below example.
Steve

Gibson Research Corporation
Password Haystacks
... and how well hidden is YOUR needle?
Every password you use can be thought of as a needle hiding in a haystack. After all searches of common passwords and dictionaries have failed, an attacker must resort to a “brute force” search – ultimately trying every possible combination of letters, numbers and then symbols until the combination you chose is discovered.

If every possible password is tried, sooner or later yours will be found. The question is: Will that be too soon . . . or enough later?

This interactive brute force search space calculator allows you to experiment with password length and composition to develop an accurate and quantified sense for the safety of using passwords that can only be found through exhaustive search. Please see the discussion below for additional information.
The Password Haystack Concept in 150 Seconds
Los Angeles' KABC-TV produced a terrific & succinct two and a half minute explanation of the Password Haystacks concept: click this link to view their quick introduction.
GRC's Interactive Brute Force Password “Search Space” Calculator
(NOTHING you do here ever leaves your browser. What happens here, stays here.)

  No Uppercase
  7 Lowercase
  1 Digit
  2 Symbols
  10 Characters

;realize#0
Enter and edit your test passwords in the field above while viewing the analysis below.

Brute Force Search Space Analysis:
Search Space Depth (Alphabet): 26+10+33 = 69
Search Space Length (Characters): 10 characters
Exact Search Space Size (Count): (count of all possible passwords with this alphabet size and up to this password's length) 2,482,167,502,723,212,150
Search Space Size (as a power of 10): 2.48 x 10^18

Time Required to Exhaustively Search this Password's Space:
Online Attack Scenario: (Assuming one thousand guesses per second) 7.89 hundred thousand centuries
Offline Fast Attack Scenario: (Assuming one hundred billion guesses per second) 9.47 months
Massive Cracking Array Scenario: (Assuming one hundred trillion guesses per second) 6.89 hours

Note that typical attacks will be online password guessing limited to, at most, a few hundred guesses per second.
(The Haystack Calculator has been viewed 679,637 times since its publication.)

The prestigious “Consumer Reports” has also picked up on the simplicity and power of the “Password Haystacks” concept.
IMPORTANT!!!    What this calculator is NOT . . .
It is NOT a “Password Strength Meter.” Since it could be easily confused for one, it is very important for you to understand what it is, and what it isn't:

The #1 most commonly used password is “123456”, and the 4th most common is “Password.” So any password attacker and cracker would try those two passwords immediately. Yet the Search Space Calculator above shows the time to search for those two passwords online (assuming a very fast online rate of 1,000 guesses per second) as 18.52 minutes and 17.33 centuries respectively! If “123456” is the first password that's guessed, that wouldn't take 18.52 minutes. And no password cracker would wait 17.33 centuries before checking to see whether “Password” is the magic phrase.
Okay.   So what IS the “Search Space Calculator”?
This calculator is designed to help users understand how many passwords can be created from different combinations of character sets (lowercase only, mixed case, with or without digits and special characters, etc.) and password lengths. The calculator then puts the resulting large numbers (with lots of digits or large powers of ten) into a real world context of the time that would be required (assuming differing search speeds) to exhaustively search every password up through that length, assuming the use of the chosen alphabet.
How can I apply this to my daily life?
Answering that question is the reason this page exists. The whole point of using padded passwords is to adopt a much more you-friendly approach to password design. On June 1st, Leo Laporte and I recorded our weekly Security Now! podcast as part of Leo's TWiT.tv (This Week in Tech) audio and video podcasting network. You may download a shortened, 37-minute, excerpted version presenting the padded password and Haystack calculator concepts:
• 37 minute, high-quality, 64kbps MP3 audio file, 17.9 MB
• 37 minute, lower-quality, 16kbps MP3 audio file, 4.47 MB
The main concept can be understood by answering this question:
Which of the following two passwords is stronger, more secure, and more difficult to crack?
D0g.....................
PrXyc.N(n4k77#L!eVdAfp9
You probably know this is a trick question, but the answer is: Despite the fact that the first password is HUGELY easier to use and more memorable, it is also the stronger of the two! In fact, since it is one character longer and contains uppercase, lowercase, a number and special characters, that first password would take an attacker approximately 95 times longer to find by searching than the second impossible-to-remember-or-type password!
ENTROPY: If you are mathematically inclined, or if you have some security knowledge and training, you may be familiar with the idea of the “entropy” or the randomness and unpredictability of data. If so, you'll have noticed that the first, stronger password has much less entropy than the second (weaker) password. Virtually everyone has always believed or been told that passwords derived their strength from having “high entropy”. But as we see now, when the only available attack is guessing, that long-standing common wisdom . . . is . . . not . . . correct!
But wouldn't something like “D0g” be in a dictionary, even with the 'o' being a zero?
Sure, it might be. But that doesn't matter, because the attacker is totally blind to the way your passwords look. The old expression “Close only counts in horseshoes and hand grenades” applies here. The only thing an attacker can know is whether a password guess was an exact match . . . or not. The attacker doesn't know how long the password is, nor anything about what it might look like. So after exhausting all of the standard password cracking lists, databases and dictionaries, the attacker has no option other than to either give up and move on to someone else, or start guessing every possible password.
And here's the key insight of this page, and “Password Padding”:
Once an exhaustive password search begins, the most important factor is password length!
The password doesn't need to have “complex length”, because “simple length” is just as unknown to the attacker and must be searched for, just the same. “Simple length”, which is easily created by padding an easily memorized password with equally easy to remember (and enter) padding, creates unbreakable passwords that are also easy to use.
And note that simple padding also defeats all dictionary lookups, since even the otherwise weak phrase “Password”, once it is padded with additional characters of any sort, will not match a standard password guess of just “Password.”
One Important Final Note
The example with “D0g.....................” should not be taken literally because if everyone began padding their passwords with simple dots, attackers would soon start adding dots to their guesses to bypass the need for full searching through unknown padding. Instead, YOU should invent your own personal padding policy. You could put some padding in front, and/or interspersed through the phrase, and/or add some more to the end. You could put some characters at the beginning, padding in the middle, and more characters at the end. And also mix-up the padding characters by using simple memorable character pictures like “<->” or “[*]” or “^-^” . . . but do invent your own!
If you make the result long and memorable, you'll have super-strong passwords that are also easy to use!
Common Questions & Answers

Q: If only password length matters, why does the “Haystack Calculator” change when my test passwords are all lowercase or have all kinds of characters?
A: The use of every type of character forces the attacker to search through the largest possible space. We must always assume that an attacker is as smart as possible (and most are). So, knowing that 41.69% of all passwords consist of only lowercase alphabetic characters, a smart attacker who is forced to resort to a brute force search won't initially bother spending time guessing passwords that contain uppercase, digits and symbols. Only after an all lowercase search out to some length has failed will an attacker decide that the unknown target password must contain additional types of characters.
So, in essence, by deliberately using at least one of each type of character, we are forcing the attacker to search the largest possible password space, because our password won't ever be found in any of the smaller spaces.
Q: So, from the answer above, that means that our passwords should always contain at least one of each type of character?
A: Yes, that's exactly what it means. Take, for example, the very weak password “news.” If another lowercase character was added to it (for example to form “newsy”), the total password search space is increased by 26 times. But if, instead, an exclamation point was added (making it “news!”), the total search space is increased by a whopping 1,530 times! That's how important it is to choose passwords having at least one of every type of character. If anyone ever does try to crack your password, you will have eliminated all shorter searches.
Q: Is there an optimum character mixture?
A: Yes. Since most users will likely always be choosing all lowercase characters you'll want to stay as far away from that as possible. And, similarly, the fewest number of users will ever be using many special symbol characters. So the wisest attacker will aim for the herd, searching through lowercase passwords first and symbol-oriented passwords last. Since this is one race which you want to finish last (meaning never), using more symbol characters is highly recommended.
But remember: Not only symbols, since you first want to have every type of character represented to force a “full depth” search.
Password Related Links
• A Large-Scale Study of Web Password Habits ‑ THOROUGH & interesting 9-page Microsoft Research PDF.
• Analysis of the passwords SONY lost ‑ in one of their 2011 network breaches.
• The password cracking power of GPU's ‑ the need to recalibrate our password length thinking.
• A homebrew password cracking system ‑ that cracks at 33.1 billion passwords per second!
• An analysis from a major site breach ‑ of the passwords users had chosen. VERY interesting!
• Top 10 Most Common Passwords ‑ Another interesting snapshot of typical users.
• The Top 500 Worst Passwords of All Time ‑ (Profanity Warning) ‑ A list that wasn't edited.
• Why Steve Gibson's Password Padding Works for Humans ‑ An interesting post about cognitive science.
Gibson Research Corporation is owned and operated by Steve Gibson.  The contents of this page are Copyright (c) 2011 Gibson Research Corporation. SpinRite, ShieldsUP, NanoProbe, and any other indicated trademarks are registered trademarks of Gibson Research Corporation, Laguna Hills, CA, USA. GRC's web and customer privacy policy.
Last Edit: Dec 12, 2011 at 13:27 (3.15 days ago)
Viewed 2,424 times per day

-- 
Please visit my blog
www.blindbites.wordpress.com
Please follow me on twitter
www.twitter.com/blindbites
Text follow blindbites to 40404 in the United States
To subscribe or to leave the list, or to set other subscription options, go to www.freelists.org/list/real-eyes
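The arithmetic behind the pasted calculator, as an added example that is not code from grc.com or from this post. It implements the rule the page states (count every password of length 1 up to the test password's length over the alphabet made of the character classes the password uses, then divide by a guess rate), and reuses it for the page's "news" / "newsy" / "news!" comparison and the "D0g" versus "PrXyc" comparison. Assumptions not on the page: the 33-symbol class is taken to be the 32 ASCII punctuation characters plus the space (the only way to reach the page's 33 with printable ASCII), and times are returned in seconds only, since the page's conversions to months and centuries depend on its own calendar conventions.

```python
"""Search-space arithmetic of the Password Haystacks calculator (added example)."""
import string

# Character classes with the sizes the page uses: 26 + 26 + 10 + 33.
# Assumption: the 33 "symbols" are ASCII punctuation (32 characters) plus space.
CLASSES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "digits": set(string.digits),
    "symbols": set(string.punctuation + " "),
}

# Guess rates of the page's three scenarios, in guesses per second.
SCENARIOS = {
    "online": 1_000,
    "offline fast": 100_000_000_000,
    "massive array": 100_000_000_000_000,
}


def alphabet_size(password: str) -> int:
    """Search Space Depth: sum of the sizes of every class the password uses.

    A character outside the four classes raises, because the calculator only
    models printable ASCII.
    """
    used = set()
    for ch in password:
        for name, members in CLASSES.items():
            if ch in members:
                used.add(name)
                break
        else:
            raise ValueError(f"character {ch!r} is outside the modelled alphabet")
    return sum(len(CLASSES[name]) for name in used)


def search_space(alphabet: int, length: int) -> int:
    """Exact Search Space Size: every password of length 1..length over the alphabet.

    This is sum(alphabet**i for i in 1..length), written in closed form; Python
    ints are arbitrary precision, so the result is exact even for 95**24.
    """
    if alphabet < 2 or length < 1:
        raise ValueError("need an alphabet of at least 2 and a length of at least 1")
    return alphabet * (alphabet ** length - 1) // (alphabet - 1)


def seconds_to_search(password: str, guesses_per_second: int) -> float:
    """Worst case: seconds to try every password in the space at the given rate."""
    space = search_space(alphabet_size(password), len(password))
    return space / guesses_per_second


def analyse(password: str) -> dict:
    """Reproduce the calculator's summary block for one test password."""
    depth = alphabet_size(password)
    space = search_space(depth, len(password))
    return {
        "depth": depth,
        "length": len(password),
        "space": space,
        "seconds": {name: space / rate for name, rate in SCENARIOS.items()},
    }


def growth_factor(before: str, after: str) -> float:
    """How many times larger the search space is for `after` than for `before`."""
    return (search_space(alphabet_size(after), len(after))
            / search_space(alphabet_size(before), len(before)))


if __name__ == "__main__":
    # The page's own test passwords; the dotted one is 24 characters long.
    for pw in (";realize#0", "123456", "Password",
               "D0g" + "." * 21, "PrXyc.N(n4k77#L!eVdAfp9"):
        r = analyse(pw)
        print(f"{pw!r}: alphabet {r['depth']}, length {r['length']}, space {r['space']:,}")
        for name, secs in r["seconds"].items():
            print(f"   {name:14s} {secs:.3g} s")
    print("news -> newsy grows the space by", round(growth_factor("news", "newsy")))
    print("news -> news! grows the space by", round(growth_factor("news", "news!")))
```

Running it reproduces the figures the page quotes: ;realize#0 gives an alphabet of 69 and a space of exactly 2,482,167,502,723,212,150, which at one hundred trillion guesses per second is 6.89 hours; 123456 at a thousand guesses per second is 18.52 minutes; and the dotted D0g password's space is about 95 times the other's. The closed form matters because a naive loop over floats loses the exact count the page displays.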

