These security headaches just get bigger – now it is Sony’s Playstation hack with reportedly 77 million people affected of whom some 700,000 are Australians, all with their credit cards at risk.
Some months ago I wrote about secure passwords but there are serious reasons why I have reprised this topic.
You may not use the online gaming device but you, just like me, are loaded down with a never ending string of user names and passwords these days. In my case the list that I just counted is a startling 71 items long. Most systems force us to use different usernames, but using the same password everywhere is fraught with danger. Let me try to explain how a hacker works. It may well raise some serious concerns about your own security.
The elementary terms used to describe cracking are “brute force”, “dictionary” and “rainbow tables”. There are more which I will ignore here.
In the context of computer security, a brute force attack is a particular strategy used to break your lovingly crafted password. This is the most widely used method of cracking passwords and it involves running through all the possible permutations of keys until the correct key is found. For example, if your password is two characters long and consists of letters and numbers – and is case sensitive, then a brute force attack would see a potential 3844 different “guesses” at your password. This is because:
First character: lower case letters (26) + upper case letters (26) + numbers (10) = 62
Second character: same = 62
Total permutations = 62*62 = 3844
That sum we could work out with pen, paper and some patience. These days computers do it for us, following step-by-step procedures known as algorithms.
You can see that the longer the password, the more “guesses” and the more time are needed for a brute force attack to succeed. A “brute force attack” also relies on assumptions about what the password is likely to be, although, as you will see as we proceed, “assumptions” is not quite the right word.
To cut down the time it takes to find the correct password, the cracking algorithm will look for popular patterns in words. For example, if the password is “waters”, the following will be tried first: waters; Waters; WATERS.
These guesses take precedence, because they are more popular ways of representing the password. That is, the crackers take into account human behaviour. If the password was WaTErS, it would eventually get cracked but it would take more time. Cracking algorithms also take into account the tendency of people to make their passwords easy to remember, by incorporating meaningful sequences of characters – like real words. This gives the cracker an opportunity to make educated guesses using these predictable patterns of characters.
The brute force attack will still try every permutation of characters, but it will start with commonly used ones first, in an attempt to reduce the time it takes to crack the password.
The next method is a “dictionary” attack. The term is almost self-explanatory.
A dictionary attack consists of trying “every word in the dictionary” as a possible key for an encrypted password. A dictionary of potential passwords is more accurately known as a wordlist. This kind of attack is generally more efficient than a brute-force attack, because users typically choose poor passwords.
There are two methods of improving the success of a dictionary attack: the first method is to use a larger dictionary or more dictionaries (technical dictionaries and foreign language dictionaries will increase the overall chance of discovering the correct password); the second method is to perform string manipulation on the dictionary.
The simplest form of manipulation simply steps through sequences such as aaa, aab, aac and so on. For example, the dictionary may have the word “password” in it. Common string manipulation techniques will try the word backwards (drowssap), append numbers to the end of the string (password00 to password99), or try different capitalisation (Password, pAssword, … passworD).
The combination of the two attacks mentioned above is known as a “syllable attack”. It may be used when the password is a deformed or non-existent word, and the cracker combines syllables to build such words.
The most powerful attack is the “rule-based attack”. It can be used whenever the cracker obtains some information about the password he wants to crack. For example, he knows the password consists of a word and a one- or two-digit number. He writes the rule and the program generates only suitable passwords (user1, mind67, snapshot99 etc). Another example: he knows that the first letter is in upper case, the second is a vowel and the password length is not greater than six. This information can decrease the number of possible passwords by 20-30 times. This method encompasses all the others: brute force, dictionary and syllable attacks.
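One way to turn the string manipulations just described into a defensive check, so that a site can reject a proposed password that a dictionary attack would reach almost immediately. This is an added example, not code from the column or from any cracking tool; the wordlist is a constructed four-word sample standing in for a real dictionary, and the rule set is exactly the one the text lists (the word as is, reversed, with 00-99 appended, and with each single letter or every letter in upper case).

```python
"""Is a candidate password derivable from a wordlist by simple mangling rules?

Rules implemented, as described in the text: the bare word, the word reversed,
two digits (00-99) appended, and capitalisation variants (Password, pAssword,
... passworD, PASSWORD). Added example; WORDLIST is a constructed sample."""

WORDLIST = ["password", "waters", "letmein", "dragon"]  # constructed sample


def capitalisation_variants(word):
    """Bare word, all upper case, and every variant with one letter upper-cased."""
    yield word
    yield word.upper()
    for i in range(len(word)):
        yield word[:i] + word[i].upper() + word[i + 1:]


def mangle(word):
    """Every candidate the rules above derive from a single dictionary word."""
    candidates = set()
    for base in (word, word[::-1]):            # as written, and backwards
        for variant in capitalisation_variants(base):
            candidates.add(variant)
            for n in range(100):               # password00 ... password99
                candidates.add(f"{variant}{n:02d}")
    return candidates


def candidates_per_word(word):
    """How many guesses one word costs the attacker under these rules."""
    return len(mangle(word))


def derivable_from(password, wordlist=WORDLIST):
    """Return the dictionary word the password is mangled from, or None.

    A policy check would reject any password for which this is not None."""
    for word in wordlist:
        if password in mangle(word):
            return word
    return None


if __name__ == "__main__":
    for pw in ["Password99", "drowssaP", "WaTErS", "waters", "Tr0ub4dor"]:
        print(f"{pw:12s} -> {derivable_from(pw)}")
    print("candidates per 8-letter word:", candidates_per_word("password"))
```

Note that “WaTErS” is not caught: with two capitals it lies outside this rule set, which is the column’s point that such a password takes longer to crack. The count per word also shows why mangling is cheap for the attacker: an eight-letter word expands to only about two thousand guesses.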
To go much further would immerse us in highbrow mathematics, which is best left alone. Suffice to say that cryptography is a huge subject, but even so much of the code breaking is done with precomputed tables of encrypted password values, cracked passwords if you will, and such a table is called a rainbow table.
So how long does it take to crack a password? Those times depend firstly on how long the passwords are and secondly on how many characters are allowed in each position (upper case, lower case, numbers, special characters). This is illustrated in Table 1.
There is one final important variable: the speed of the computer(s) used. The above table is somewhat out of date, taking today’s multi-core computers into account. I have just exposed one of my passwords consisting of five letters and two numbers in 10.2 minutes using an average laptop and readily available software such as used by security companies.
The real world has plenty of sites that limit passwords to eight characters, some prohibiting symbols. Adding an extra capital letter to my code extended the time to 4.5 hours.
Considering that our greatest exposure is on the Internet it is unlikely that an amateur hacker would achieve a result. A professional is unlikely to waste his resources to pick me at random when there are targets of greater value to be had.
Most of our financial institutions limit either the number of tries permitted or the time available to log on. This then becomes the best safeguard. That aside the suggestions I made in my earlier article still stand.
A password consisting of eight upper and lower case letters, numbers and symbols could be cracked in 193 years on a very average laptop processor capable of handling one million passwords per second.
But after 193 years would you care?
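The arithmetic behind the column’s figures, generalised to a per-position “mask” so that the 62 × 62 = 3844 example, the rule-based reduction (first letter upper case, second a vowel, length at most six) and the 193-year figure for an eight-character password at one million guesses per second all come out of one small estimator. This is an added example, not from the column or from any cracking tool; the guess rate and the assumption that the rule-based example allows only lower-case vowels are mine, and the character classes are standard printable ASCII (26 + 26 + 10 + 32 = 94).

```python
"""Keyspace and time-to-exhaust estimator for password policies.

A policy is written as a mask: one alphabet per character position. The
keyspace is the product of the alphabet sizes, so [ALNUM, ALNUM] gives the
62 * 62 = 3844 of the text. Added example; rates are assumptions."""
import string

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = string.punctuation               # the 32 printable ASCII symbols
ALNUM = LOWER + UPPER + DIGITS             # 62 characters
FULL = ALNUM + SYMBOLS                     # 94 characters
VOWELS = "aeiou"                           # assumption: lower-case vowels only
SECONDS_PER_YEAR = 365 * 24 * 3600


def mask_keyspace(mask):
    """Number of strings a mask admits: product of alphabet sizes per position."""
    total = 1
    for alphabet in mask:
        total *= len(set(alphabet))
    return total


def policy_keyspace(alphabet, min_len, max_len):
    """All lengths from min_len to max_len over one alphabet."""
    return sum(mask_keyspace([alphabet] * n) for n in range(min_len, max_len + 1))


def years_to_exhaust(keyspace, guesses_per_second):
    """Worst-case time to try every candidate at a steady guess rate."""
    return keyspace / guesses_per_second / SECONDS_PER_YEAR


def rule_reduction(max_len=6):
    """Factor by which 'first letter upper case, second a vowel, length <= 6'
    shrinks a letters-only keyspace of lengths 2..max_len."""
    letters = LOWER + UPPER
    unconstrained = policy_keyspace(letters, 2, max_len)
    constrained = sum(mask_keyspace([UPPER, VOWELS] + [letters] * (n - 2))
                      for n in range(2, max_len + 1))
    return unconstrained / constrained


def policy_report(guesses_per_second=1e6):
    """Years to exhaust several policies at one guess rate (a dict by name)."""
    policies = {
        "2 chars, letters+digits": [ALNUM] * 2,
        "8 chars, letters+digits (symbols prohibited)": [ALNUM] * 8,
        "8 chars, letters+digits+symbols": [FULL] * 8,
    }
    return {name: years_to_exhaust(mask_keyspace(m), guesses_per_second)
            for name, m in policies.items()}


if __name__ == "__main__":
    print("two alphanumeric characters:", mask_keyspace([ALNUM, ALNUM]), "guesses")
    print(f"rule-based reduction: {rule_reduction():.1f}x fewer candidates")
    for name, years in policy_report().items():
        print(f"{name}: {years:.3g} years at 1e6 guesses/s")
```

Two things the table in the column cannot show: the rule-based constraint cuts the letters-only keyspace by almost exactly 21 times under the vowel assumption made here, inside the 20-30 range the text gives, and the sites that prohibit symbols shrink the 193 years to under seven at the same guess rate, which is why raising the guess rate on a modern multi-core machine matters far more than the table’s single row suggests.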