Fun Password Facts Revisited
by kaige (kaigex@yahoo.com)
While the point hairball makes in "Fun Password Facts (19:1) is technically valid - that it is not realistic to store a dictionary containing all possible passwords, his conclusion that this is a problem with the password crackers available today is ill founded.
As stated, "...brute force is a real time-consuming game. It takes raw power that most of us just don't have available." To be more precise, brute-forcing every possible password takes raw power that nobody has access to.
Going by hairball's numbers there are 17,393,337,673,075,145,131 possible ASCII passwords. Even if a program could be written that tested 1,000,000,000 passwords per second it would still take over five hundred years to attempt all of these passwords. (Depending on the type of password you are trying to crack this is actually a very optimistic estimate since 1,000,000,000 is orders of magnitude faster than is currently achievable against many of the algorithms used in practice.)
It is then pointed out that most passwords only use ASCII codes 32-139, which would lead to a password that can be cracked in just a few years at 1,000,000,000 tries per second. Almost feasible - if you have a decent size distributed network of blazing hardware and a few years to wait. Usually, none of these is true.
So, what is the solution?
It turns out that the best solution, in general, is exactly what many of the password crackers have implemented. Really, it is just an extension of already demonstrated logic.
We reduced the search space by 432,197,966,893,081,601 because of the observation that most passwords will only use ASCII codes 32-126. We can reduce this even further if we just take a moment to figure out if there are any other subsets we can remove.
As it turns out, there are lots.
For example, it is not often you will find a password such as Xtn(DJ"z, $N40NzJH, DxdL(&$&, etc.
Most people would not be able to remember a password with even this paltry amount of entropy. Thus, most passwords will be easier to remember. Think about what would make a password easier to remember.
Most people:
- Use a dictionary word.
- Use some combination of dictionary words.
- Try to obscure it somehow (such as using 1337).
Because of this, it is usually completely unnecessary to bother brute forcing through even the keyboard printable characters. A good dictionary - one that extends beyond basic English by including the names of favorite television/movie characters, slang, etc. - can directly break the vast majority of passwords.
Some password crackers will even go the next step and perform transformations on the dictionary, trying to account for whatever little things people may do (such as appending a number to a word).
As crackers go, I recommend John the Ripper. Not only does it support dictionaries with transformations and brute-forcing, but it is easy to edit the config files to add whatever transformations you might come up with, and can even be extended to employ external programs to crack algorithms it does not natively support. It is freeware and works in both Linux and Windows, so go get it. Do try and find a better dictionary though, because the one it comes with is not the greatest.
So, the point being, the crackers available out there are not flawed because they use dictionary files, they are just using probability to try and crack the target passwords given the constraints in power and time. In practice, they successfully break the vast majority of passwords in less than a day.
Better Password Practices
If you are still using simple passwords like those discussed above, please stop. Stop now. You are endangering your own data and the data of everybody else on your network. Shame on you.
And please do not tell me that you are using the same password on every single one of your accounts! If you are, your accounts are only as secure as your weakest password.
For instance, while your Linux password is probably MD5 hashed (along with some extra crap just to make brute forcing take longer), your Windows password probably exists somewhere on your computer as a LAN Manager hash, which is considerably weaker.
Hell, you might even be using the same password for instant messaging! (Almost all instant messaging passwords are trivial to break.) Or (the horror), for your FTP password - which is sent plaintext over the network.
So:
- You need better passwords.
- You need more passwords.
- You need to remember all these things.
What to Do?
A common solution is to use password phrases. This is where you take a long phrase that you can remember and compress it down to a nice little password.
For example, the phrase "We the people of the United States, in order to create a more profitable union" could compress down to: WtpotUSiotcampu
Unfortunately, this only involves upper and lowercase letters and there would only be 5248 possible passwords, which our hypothetical billion password per second machine could brute-force in just over 14 hours.
So we want to mix some numbers in there, and maybe some random other characters. But what is a good way to do this?
We could combine the above with some sort of number, but it is a bad idea to use a personally meaningful number (such as birthday, SSN, street address). We could just mix numbers in randomly, but then it becomes difficult to remember a large number of these passwords.
My solution to this dilemma is to use a "password safe."
A password safe is a program that stores passwords and protects them all under one master password. This makes it so that the user only has to take the time to memorize a single (strong) password. It is then possible to use very strong passwords across all of your other accounts, and it doesn't matter whether you can remember them.
In fact, since it does not matter how complex the passwords are once you are using a password safe, make them as complicated as possible. I recommend randomly generating them.
I recommend Password Safe 1.71 by CounterPane. It is freeware and it is good. Even better, Password Safe 2.0 is going to be open-source (eventually).
I personally have well over 50 accounts (most of them obligatory) on various websites, and for each one of them I use a random password generator to generate my password as long as the site will allow and using whichever characters they will allow as the random pool.
There are lots of programs out there to do this, but be a little careful in picking one because some of them are not all that random. Do not just write one using rand() or some other crapass pseudo-random scheme.
I wrote a program called PasswordGen. In Linux it uses /dev/random and in Windows it uses CryptoAPI to generate cryptographically random passwords. Email me and I can send it to you if you really cannot find anything else worthwhile.
Some people will now complain that the password safe solution does not work for them because they move from computer to computer too often. My solution to this issue is to purchase a very small USB hard drive and store the password safe there. Not only does this make the safe completely portable, but it has the nice little benefit for the paranoid of making it so that the password database itself does not even exist on a computer to be hacked unless the drive is plugged in.
I find solace in the fact that my passwords are nice and random, and different from account to account, so that it would take incredible amounts of brute-forcing to break them all. I find solace in the fact that this makes my password database the primary target for acquiring my passwords, which would mean breaking the encryption on the safe (128-bit Blowfish for Password Safe). I especially find solace in the fact that you would have to physically accost me to even get the database file to hack at!
PS: Even if you do all of the above, there are other methods for getting at your passwords. Somebody could walk by and watch you as you type a password in or install a keyboard monitor on your system or drill out a pinhole video camera aimed at your keyboard. Because of this, change your passswords frequently, and keep track of your accounts regardless of how good your passwords might be.