Sunday, October 9, 2011

Secure Password

Any decent security program or algorithm has at least one weakness: the user. Encryption can only be as strong as the user makes it, and generally the only say that users have in the process is the password they choose. It doesn't matter how good an encryption process is; it is only as strong as the password. Having a good password is critical to having good encryption, period. In this article, I explain how to choose good passwords. This article is much longer than it needs to be if it were merely providing you with instructions on how to create a strong password. I can do that in one sentence: use lots of different characters and make it very long. Instead, this article explains, in detail, WHY you need to, and how your password can be broken otherwise.

Brute-forcing:
Encryption programs and hashes can do a lot to secure your data. However, *everything* in the world is vulnerable to one thing: the brute-force attack. Brute-forcing is literally trying to find the correct (or a correct) answer by guessing everything! For example, if you said that you were thinking of a number between 1 and 10, a smart person would ask whether it were greater than or less than 5, then they would try 7, then 9, then 8, and bingo, they would have it in the maximum number of tries that it could take. That would be a "smart" approach to the problem, and many programs use similar tactics when trying to break encryption. Sometimes, however, due to the encryption/hashing process that was used, the cracker trying to break the password has no way of isolating the correct password elegantly, and will simply take the non-elegant path, which in our example would be starting at 1 and counting to 10, guessing each number. So in our case, where the number was 8, the elegant guesser made 4 guesses (which was the maximum), while the brute-force guesser made 8 (out of a maximum of 10). So there wasn't a big difference between the two methods in that example, but now let's raise the range of numbers so that it's between 1 and 1000. The elegant guesser will guess 500, then 750, then 625, then 563, then 591, then 577, then 584, then 580, and bingo, he found it in 8 tries, out of a maximum of 10. Then our brute-force guesser goes, and it takes him 580 tries out of a possible 1000. Is the significance of the difference between the two methods becoming more obvious to you? Brute-forcing is simple, yet very protracted.

So now we have established that the brute-forcing process can take a long, long time. And since this will be the most likely attack run against most of your passwords, it would be a good idea to choose a password that makes the brute-forcer's job as hard as possible, right?
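The two guessers above, as an added example that is not part of the original post: a binary search that gets a "higher or lower?" answer each time, against a plain count-up guesser that only ever learns "right" or "wrong", which is all a password check tells an attacker. The midpoint rule here is the standard one, so the guess sequence differs from the one in the text (this version reaches 580 in 10 guesses rather than 8), but the worst case is the same: about log2(N) guesses for the elegant search versus N for brute force.

```python
# Added example (not from the original post): count the guesses an
# "elegant" guesser (binary search on a higher/lower oracle) and a plain
# brute-force guesser (try 1, 2, 3, ...) need to find a secret number.


def elegant_guesses(secret: int, upper: int) -> int:
    """Binary search over 1..upper, asking 'higher or lower?' each time.
    Returns the number of guesses made, including the final correct one."""
    lo, hi, guesses = 1, upper, 0
    while lo <= hi:
        mid = (lo + hi) // 2
        guesses += 1
        if mid == secret:
            return guesses
        if mid < secret:
            lo = mid + 1
        else:
            hi = mid - 1
    raise ValueError("secret must lie within 1..upper")


def brute_force_guesses(secret: int, upper: int) -> int:
    """Try every value in order until the secret is hit. The only feedback
    is 'right' or 'wrong', exactly like a password check, so nothing can
    be skipped."""
    for guess in range(1, upper + 1):
        if guess == secret:
            return guess
    raise ValueError("secret must lie within 1..upper")


def worst_case(upper: int) -> tuple:
    """Worst-case guess counts (elegant, brute-force) for the range 1..upper.
    A binary search over N values needs at most floor(log2(N)) + 1 guesses,
    which is N.bit_length(); brute force may need all N."""
    return upper.bit_length(), upper


if __name__ == "__main__":
    # Constructed secrets matching the article's two scenarios.
    for secret, upper in ((8, 10), (580, 1000)):
        print(f"range 1..{upper}, secret {secret}: "
              f"elegant={elegant_guesses(secret, upper)} "
              f"brute={brute_force_guesses(secret, upper)} "
              f"worst-case={worst_case(upper)}")
```

The gap between the two columns is the whole point: the elegant search grows with the number of bits in N, the brute-force search grows with N itself, and a password check only ever offers the second kind of feedback.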

Choosing a strong password:
There are simply two factors that influence the time it takes to brute-force a password: The length and the potential range of characters.

First, let's deal with the character range factor, as it will affect the length factor. What I mean by "character range" is the variety of keyboard characters that are used. For example, you could use the password "abc", but that is nothing but lowercase letters, meaning that if the cracker knows this, he only has 26 possible values for each character of your password. So instead you could use "aBc" as your password, and now there are 52 possible values per character because you've introduced the uppercase character set. Now start throwing in numbers, punctuation, and other oddball characters (like #, %, $) and you have roughly 100 possible values per character! This may not seem significant, but it can literally take what was just an arduous task for the brute-forcer and make it humanly impossible. I recommend doing things like simply replacing normal letters with look-alike symbols, like the following: "1 @m tHe '8eS7' @t Th1s!". Or use AOL speak: "1 @/\/\ 73h 8357 @7 7h15!" That kind of password has a very high character range and is the brute-forcer's nightmare, believe me, I would know.

A simple way to introduce abnormal characters and extra length to your password is to enclose what would be your normal password in the standard HTML end tag format, i.e. </password>. So if your password was just "irock", you could make it "</irock>". By using this method, you add a decent bit of length to your password and introduce abnormal characters, and the idea is easy to remember since most people are familiar with HTML.

Another simple advantage to using odd symbols is that few people do it, so brute-forcers, in an effort to shorten the brute-forcing process, often gamble that the password they're trying to break won't have them and will usually use a limited character set of lowercase and uppercase letters plus numbers. Thus, simply by inserting a period or something, you can instantly throw your password outside the range of characters that 95% of brute-forcers will even try!

Now let's deal with the password length factor. Because there are a certain number of potential values per character, the total number of guesses that will have to be made to cover every possibility increases exponentially (literally) with every character that we add to the password length. Assume that we're using a 62-character value range for our brute-forcing (we're assuming that the user didn't use anything outside the upper and lower case alphabet, plus numbers). For a one-character password, we will simply have to guess 62 times, but for a two-character password, we will have to guess 62 values for the first character, and since there is a second one with an equal number of possible values, we will have to make 62 guesses at the first character for ALL of the 62 values of the second one! That means that when the second character is 1, the first one will have to cycle through all 62 different values; when the second character is 2, the first one will have to cycle through all 62 values again, and so on. This means that we have 62 * 62 (62 ^ 2) possibilities, which equals 3,844. This doesn't look too shabby, until you realize that my computer alone can make over 4,000,000 tries a second (in certain conditions). So let's introduce a third character; now the number of possible combinations is 62 * 62 * 62 (62^3), which equals 238,328. OK, but still nothing really secure. Let's jump ahead and try 5, which results in 916,132,832 combinations. Not bad, but it could take me as little as 7.5 minutes to break that. Let's skip to 7 characters, which has 3,521,614,606,208 (over 3 thousand million, yes, that is correct, "thousand million") combinations. Not bad, eh? This could take days to break, which few brute-forcers are willing to do. But just for fun, let's bump the character range up to about 100 and our password length up to 24, so that we can see the number of combinations for something like what I used earlier: "1 @m tHe '8eS7' @t Th1s!" That would be about 1,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000 (one thousand billion billion billion billion billion) combinations! No computer now, or anything along the lines of what we could soon have, could ever come close to breaking that. And not only do you have that many combinations for that length, but, assuming that the brute-forcer does not know the length of the password (they rarely do), they will have to start with the smallest number of characters and work their way up, so they will have to generate all the combinations for a length of 1, and 2, and 3, etc., which adds up really big, really fast. Hopefully now you realize why longer passwords are so much more secure. Even one character on the end, like a period, helps TREMENDOUSLY, as it can throw millions more possibilities onto the brute-forcer's shoulders. On a side note, I actually personally recommend adding periods on the end because periods are easy to remember, they add one character in length to your password, and very few people include punctuation when brute-forcing.

Also, notice that the password I just used as an example is actually a short sentence, not really a word. This is commonly referred to as a "passphrase" rather than a "password", because you're using a phrase instead of a word. Passphrases are much better than plain passwords, because they are MUCH longer and make it easier to include punctuation and other odd characters. Plus, they can also be easier to remember. Try remembering "Brad" versus "I visited Brad's site" for a week and see which one you remember best. OK, so you remember both; now, which one is more secure by a LOT? What have you got to lose? Use passphrases; they make getting length into your passwords a fairly easy task. Plus, most words out there are only 7 or 8 characters long, and all in the same case to begin with; do you know how easy that would be to brute-force? Passphrases aren't just a nice idea; with the speed of the computers that crackers have access to, they're starting to become a necessity.
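The keyspace arithmetic from the character range and length sections above, together with the "Brad" versus "I visited Brad's site" comparison, worked in Python as an added example that is not part of the original post. The character classes (26 + 26 + 10 + 33 printable ASCII, the article's "roughly 100") and the rate of 4,000,000 guesses per second are assumptions taken from the article's own figures; `pool_size` estimates the value range the way an attacker who knows which classes are present would, and `cumulative_keyspace` adds up every length from 1 upward, since the attacker rarely knows the length.

```python
# Added example (not from the original post): estimate the brute-force
# search space for a password from its length and the character classes
# it draws from, following the 26 / 52 / 62 / ~100 values-per-character
# argument in the article. Class sizes and the guess rate are assumptions.
import string

# Printable ASCII split into the four classes the article talks about:
# 26 lowercase + 26 uppercase + 10 digits + 33 symbols (punctuation and
# space) = 95 values per character, which the article rounds to "roughly 100".
CHAR_CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation + " "),
}

# The article's "over 4,000,000 tries a second"; assumed here, not measured.
ASSUMED_GUESSES_PER_SECOND = 4_000_000


def pool_size(password: str) -> int:
    """Values per character an attacker must cover once they know which
    character classes the password uses (the gamble the article describes)."""
    if not password:
        return 0
    return sum(len(chars) for chars in CHAR_CLASSES.values()
               if any(c in chars for c in password))


def keyspace(pool: int, length: int) -> int:
    """Combinations for exactly `length` characters: pool ** length."""
    return pool ** length


def cumulative_keyspace(pool: int, max_length: int) -> int:
    """Combinations an attacker who does not know the length must cover,
    trying every length from 1 up to max_length."""
    return sum(pool ** n for n in range(1, max_length + 1))


def seconds_to_exhaust(combinations: int,
                       rate: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Wall-clock seconds to try every combination at the assumed rate."""
    return combinations / rate


def report(password: str) -> dict:
    """Summarise the search space for one candidate password."""
    pool = pool_size(password)
    total = cumulative_keyspace(pool, len(password))
    return {
        "length": len(password),
        "pool": pool,
        "exact_length_combinations": keyspace(pool, len(password)),
        "all_lengths_combinations": total,
        "seconds_at_assumed_rate": seconds_to_exhaust(total),
    }


if __name__ == "__main__":
    # Sample passwords taken from the article's own examples.
    for pw in ["abc", "aBc", "irock", "</irock>", "Brad",
               "I visited Brad's site", "1 @m tHe '8eS7' @t Th1s!"]:
        r = report(pw)
        print(f"{pw!r:28} len={r['length']:2} pool={r['pool']:3} "
              f"combos={r['exact_length_combinations']:.3e} "
              f"time={r['seconds_at_assumed_rate']:.3e}s")
```

The figures are an upper bound: they assume each character is an independent, uniformly random pick from the pool. A password that is a dictionary word with a few substitutions has far fewer realistic candidates than `keyspace` reports, which is exactly the shortcut the wordlist section below describes.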

Thwarting brute-forcing "shortcuts":
Crackers who are brute-forcing your password know that they are oftentimes up against a potentially endless problem. So they, like everyone else in the world, try to find shortcuts. What they do is simple: they generate "wordlists" of commonly used words and/or combinations of letters that they manipulate and use. They figure, and rightly so, that not many people realistically use passwords such as "Aab89$skl", so instead of trying every possible combination of letters, they will try only somewhat sensible combinations of letters and words. This can cut their work down by thousands of times, while still keeping a very good chance of finding the password. Your job, then, when creating a password, is to thwart this process. Make the attacker sweat for his money; don't give him anything easy. Make it a long passphrase and use symbols instead of letters, inject numbers and punctuation, and avoid common words like "the" and common letter sequences like "tion".
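A defender-side version of the wordlist shortcut, added here as an example that is not part of the original post: a password-policy check that undoes the usual look-alike substitutions, strips leading and trailing digits or punctuation, and then asks whether what is left is a dictionary word. The wordlist and the substitution table are constructed for the demo and deliberately tiny; a real check would load a large list. It shows why "</irock>" or "P@ssw0rd1." are still within reach of an attacker's manipulation rules, while the article's full passphrase is not.

```python
# Added example (not from the original post): flag passwords that are a
# simple mutation of a wordlist entry (look-alike symbol swaps, case
# changes, a trailing digit or punctuation mark). Wordlist and
# substitution table are constructed for the demo.
import string
from typing import Optional

# Constructed toy wordlist; a real validator loads a large list.
WORDLIST = {"password", "irock", "brad", "welcome", "dragon", "letmein"}

# Reverse of the common "look-alike" substitutions. A symbol that stands
# for several letters maps to all of them ("1" can be i or l).
UNLEET = {
    "@": "a", "4": "a", "3": "e", "1": "il", "!": "i", "0": "o",
    "$": "s", "5": "s", "7": "t", "+": "t", "8": "b", "|": "l",
}

# Bound on readings so a string full of ambiguous symbols cannot blow up.
MAX_READINGS = 4096


def expand_unleet(word: str) -> set:
    """All letter readings of `word` after undoing look-alike swaps."""
    readings = {""}
    for ch in word:
        options = UNLEET.get(ch, ch)
        readings = {r + o for r in readings for o in options}
        if len(readings) > MAX_READINGS:
            break
    return readings


def strip_edges(word: str) -> str:
    """Drop leading/trailing digits, punctuation and spaces, so that
    'irock1.' and '</irock>' are both reduced to 'irock'."""
    return word.strip(string.digits + string.punctuation + " ")


def derived_from_wordlist(password: str, wordlist=WORDLIST) -> Optional[str]:
    """Return the wordlist entry the password is a simple mutation of,
    or None. Both the whole password and its edge-stripped form are
    checked, case-insensitively, with substitutions undone."""
    for base in {password, strip_edges(password)}:
        for reading in expand_unleet(base.lower()):
            if reading in wordlist:
                return reading
    return None


if __name__ == "__main__":
    # Constructed candidates, including the article's own examples.
    for pw in ["P@ssw0rd1.", "</irock>", "dr4g0n", "Br@d!",
               "I visited Brad's site", "1 @m tHe '8eS7' @t Th1s!"]:
        hit = derived_from_wordlist(pw)
        print(f"{pw!r:28} -> {'reject (' + hit + ')' if hit else 'ok'}")
```

The check is intentionally one-sided: a `None` result only means the password is not a trivial mutation of this list, not that it is strong, so it belongs alongside a length rule rather than in place of one.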

Conclusion:
- Use lots of different characters in your password, like ending it with a period and switching normal letters for numbers and/or symbols.
- Use long passwords.
- Don't use common words or phrases.
Follow these tips and you should have a password that you can engrave in stone. Just don't make the mistake of using it in too many different places, so that if someone gets hold of it, which usually happens by accident or chance, they don't have access to everything you have.

Oh, and just in case it needs to be pointed out, make sure that your password is something you can actually remember. Many services use a form of hashing/encryption that cannot be reversed easily, and they are not willing to try and break it for you, which, since you did choose a good password, should be virtually impossible anyway. So if you lose your password, tough, because you're screwed. Just don't forget it.

I hope you learned something here, and I hope that you never, ever, have your password brute-forced by anyone, as that would bring disgrace to my teaching skills.

Copyright © 2013 Forshare