Wednesday 26 March 2014

Complex passwords? As easy as 1-2-3

A few posts back I promised you a new and easy method for composing complex passwords that are, nevertheless, easy to remember.

First some background to password complexity.

Why do we need complex passwords in the first place?
We don't.

There are two real reasons, we are told, why we need complex passwords.
The first one is that a complex password is more difficult to remember, thereby reducing the chance of password leakage. At the same time, however, it creates the Post-It note problem of people writing the password down.

This leads to two simple conclusions.

• First: if a cracker uses an English language dictionary, he will not find my Dutch language word, meaning that he will have to resort to a brute force attack...
• Second: for a brute force attack the password '1234567890' is just as complex to crack as '6Gr*7jgkhi'. It will probably be found faster, because clever cracking tools know this too and will try this kind of 'semi-dictionary' word as well, but the point stands: if a word is not in a dictionary, brute force requires a lot more time the longer the password is.

Proof of this principle:
The old Windows OS uses the LAN Manager (lanman) hashing algorithm. A password was split into two 7-byte segments that were hashed separately. A password of 7 characters or fewer was padded to 14 characters, so the second segment was the hash of a 7-character string of nulls. If no more than 7 characters were used, the second hash was therefore always the same. So, although the hashed password was 14 characters long, when the password was not longer than 7 characters, cracking the first 7 characters was enough to guess most passwords. If an 8th character was used, brute forcing the complete 14 character password was required.
In effect, this is the reason why many password policies prescribe a minimum of 8 characters.

This results in a few simple rules:
Use long words that are not in a (regular) dictionary... German-speaking people have an advantage here...

Use non-words that are long enough to make brute forcing a lengthy operation but that are easy to remember.

Use your telephone number, but use leetspeak backward.

Example: phone number 01 234 567 89, consisting of only digits.
Just swap a few digits for letters or characters in whatever way you feel comfortable with. A '0' can become an O (oh), a Z (for zero) or an N (for Nul), in lower case or upper case, your choice.
So, this simple example may result in NE2D4vzZ8n or zOt3f5sse9. You just need to remember the substitution scheme, but you don't need to remember the password itself, only the phone number used.

The entered password may look familiar if you know the algorithm used, but to a password cracking tool these passwords all look very different (all MD5 hash examples):
0123456789 > 84D89877F0D4041EFB6BF91A16F0248F2FD573E6AF05C19F96BEDB9F882F7882
NE2D4vzZ8n > 4DB3EA7E7894603A00091C8AABA25556B0366CF4C7045CF5B862477B44357040
zOt3f5sse9 > 4A384192BB6933877D9B7E29993DE7AF1EBC191DE6C30289F13F084EFD332B1B
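The scheme described above, as an added example in Python that is not part of the original post: it derives passwords from a phone number using a substitution table of my own (an assumption, since the author's personal table is not given), hashes them, and also counts how many passwords the table can produce from one number, because anyone who knows both the number and the table faces only that many candidates. The post's hashes are 64 hex digits, the length of SHA-256, so that is the hash used here.

```python
import hashlib

# Constructed substitution table (an assumption, not the author's own): each
# digit may stay as it is or become a letter from its Dutch or English name,
# upper or lower case, as the post describes (0 = nul / zero / oh, 1 = een, ...).
SUBSTITUTIONS = {
    "0": "0ONZonz", "1": "1Ee", "2": "2Tt", "3": "3Dd", "4": "4VvFf",
    "5": "5Vv", "6": "6Zz", "7": "7ZzSs", "8": "8Aa", "9": "9Nn",
}

def digits_of(phone):
    """Keep only the digits of a phone number written with spaces or dashes."""
    return [c for c in phone if c.isdigit()]

def encode(phone, choices):
    """Derive a password: choices[i] picks the replacement for digit i
    (index 0 keeps the digit). Only the number and the scheme are remembered."""
    digits = digits_of(phone)
    if len(digits) != len(choices):
        raise ValueError("one choice per digit is required")
    return "".join(SUBSTITUTIONS[d][i] for d, i in zip(digits, choices))

def sha256_hex(password):
    """Upper-case hex digest, the format in which the post prints its hashes."""
    return hashlib.sha256(password.encode()).hexdigest().upper()

def hex_distance(a, b):
    """Hex positions where two digests differ: about 60 of 64 for unrelated
    inputs, which is why the variants look unrelated to a cracking tool."""
    return sum(x != y for x, y in zip(a, b))

def candidate_space(phone):
    """Number of passwords this table can derive from one number, i.e. the work
    facing someone who knows the number *and* the table: the caveat to weigh."""
    n = 1
    for d in digits_of(phone):
        n *= len(SUBSTITUTIONS[d])
    return n

if __name__ == "__main__":
    phone = "01 234 567 89"  # the post's example number
    for choices in ([0] * 10, [1] * 10, [1, 0, 1, 0, 1, 0, 1, 0, 1, 0]):
        pw = encode(phone, choices)
        print(f"{pw:>12} > {sha256_hex(pw)}")
    print("candidates from this number and table:", candidate_space(phone))
```

With the table above, one ten-digit number yields under 400,000 candidate passwords, which is a trivial search once the number and the scheme are known; the method therefore relies on the scheme staying personal.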

Compare that with: