Password Strength and Age Considerations

-


At Redzone, we are frequently asked about password strength and policy recommendations as it relates to password cracking. There are a few considerations around password strength, length, and changes when it comes to establishing a good password policy. Let’s take a look at three common methods of password cracking: brute force, dictionary, and rainbow tables.
With brute force attacks, a password is created and hashed using the same hashing algorithm of the operating system then the hash is compared to the hash for an existing user’s password. A brute force attack will systematically analyze combinations until the right password is found. Let’s look at the following statistics using GRC’s Password Brute Force Calculator:
Short Password with Varying Complexities
 Password
password
Password
Passw9rd
P@ssw9rd
 Length
8
8
8
8
 Size of Character Seta
26
52
62
95
 Possible Passwordsb
2.17 x 1011
5.45 x 1013
2.22 x 1013
6.70 x 1015
 Fast Crackc
2.17 sec
9.08 sec
36.99 min
18.62 hours
 Really Fast Crackd
> 1 sec
> 1 sec
2.22 sec
1.12 min
Long Password with Varying Complexities
 Password
longpassword
Longpassword
Longpassword
Longp@ssw9rd
 Length
12
12
12
12
 Size of Character Seta
26
52
62
95
 Possible Passwordsb
9.92 x 1016
3.99 x 1020
3.28 x 1021
5.46 x 1023
 Fast Crackc
1.64 weeks
127 years
1,043 years
1.74 thousand centuries
 Really Fast Crackd
16.54 min
1.52 months
1.52 months
1.74 centuries
a – Unique characters from each character set: uppercase, lowercase, digit, symbol
b – Possible character combinations based on the character set and length used
c – Time to assess all possible passwords assuming 100 billion guesses per second
d – Time to assess all possible passwords assuming 100 trillion guesses per second
In the calculations above simply adding complexity to an 8-character password will increase the calculation time of the total possible passwords by a multiple of 30,890. Increasing that complex 8-character password to a complex 12-character password would increase the calculation time by another multiple of over 81 million. Clearly, a longer more complex password will take longer to brute force crack (you already knew that).
The crack times measure the total time it would take to assess the total possible passwords, but simple logic would indicate that a password would likely be found in less time, as it is unlikely that the last password combination is your password. So divide the crack time by 4 or 5 for a likely scenario. Most GPU password cracking software can guess a few billion passwords per second meaning the fast crack calculation are a worst-case scenario today. With those points of context, a long, fully complex password of 12 characters or longer is unlikely to be brute force cracked any time soon.
While brute force tools have their limitations, one must consider the other approaches to password cracking and their implications. Dictionary attacks will create passwords and their hashes, which can be indexed for quick look up. Dictionary attacks can be very quick if the hash in question is based on a combination in the dictionary. Often dictionary attacks use common words that can be circumvented by requiring complexity of case, digits, and symbols. With complexity, one would have to have a very large dictionary for all of the combinations. Assuming 12 character passwords and 32 character hashes (with spaces and return characters), you are looking at 46 bytes per combination. Just the lower case combinations would require over 4 Million Terabytes of storage. Keep your passwords long and complex and this technique is unlikely to succeed.
Rainbow tables were created, to balance the time demands of brute force attacks and the storage demands of dictionary attacks. Without going into the gory details, rainbow tables use algorithms that allow a smaller file lookup on the password. Unlike a dictionary attack, where a hash and password combination are simply found, there is some calculation involved. With rainbow tables, SSDs to accelerate file reads, and GPUs for processing speed, there have been examples of extremely fast cracking as seen in this article. The challenge with rainbow tables is that there is still a storage requirement and most tables only address passwords from 8-16 characters (see Ophcrack’s tables for an example). There are multiple techniques to prevent rainbow table based cracking, but again long, complex passwords are one approach.
There are other methods and times to crack passwords will continue to decrease as hardware and software techniques improve. Redzone Local Security Solution can be used to apply and manage unique, complex passwords to that are changed on a sufficiently frequent interval to reduce the risk of compromise.

JOIN US ON FACEBOOK:- CLICK HERE


Comments

Post a Comment

Popular posts from this blog

AntiCloud Trojan Reverse Engineering Analysis

-
Image
Introduction In this paper we are going to talk about the Anticloud Trojan, also know as the  TrojanDropper:Win32/Bohu.A and  B  variant. This malware originated in China and was designed to target the Cloud-Based Technology of major Chinese AntiVirus Vendors. For this reason, Bohu has also been called  AntiCloud Trojan . This is the first malware to specifically target cloud based technologies and will likely set a trend. As more corporations and governments move applications and services into the cloud, it will become an increasingly important target for malware developers. We can expect sophisticated malware that attacks clients and embeds itself into cloud-based apps, potentially without the user being able to determine that the cloud-based service is compromised. This trojan presents some interesting features, such as: Hash Check Evasion. Packet Interception via NDIS Filter. Cloud-Servers Access Lock via SPI network filter in order to Bypass antivirus Detection. So
Read more

SQL Injection: The Equal Opportunity Vulnerability

-
Image
Introduction In the  first installment of this series , we discussed application security within the Software Development Process by demystifying the adoption of security controls within the development organization. We also took a deeper dive into identifying potential vulnerabilities based on threats to attack surfaces exposed to the application, a process known as threat modeling. In this installment, we are going to take a technical dive into specific vulnerabilities that can be used to compromise the attack surfaces and discuss what is arguably one of the most prevalent attacks to applications and inflicts the most exposure of sensitive data: SQL Injection. Injection attacks attempt to infiltrate an application by injecting malicious content into the application through available input channels. Input channels can be in the form of form fields, uploads, 3 rd  party API, data access channels, configuration files, input files: essentially, any point at which the application r
Read more

Secure Sockets Layer (SSL)

-
Image
Secure Sockets Layer (SSL): How It Works What Happens When a Browser Encounters SSL > A browser attempts to connect to a website secured with SSL. > The browser requests that the web server identify itself. > The server sends the browser a copy of its SSL Certificate. > The browser checks whether it trusts the SSL Certificate. If so, it sends a    message to the server. > The server sends back a digitally signed acknowledgement to start an SSL encrypted session. > Encrypted data is shared between the browser and the server. Encryption Protects Data During Transmission Web servers and web browsers rely on the Secure Sockets Layer (SSL) protocol to help users protect their data during transfer by create a uniquely encrypted channel for private communications over the public Internet. Each SSL Certificate consists of a key pair as well as verified identification information. When a web browser (or client) points to a secured website, th
Read more