Wednesday 26 March 2014

Complex passwords? As easy as 1-2-3


A few posts back I promised you a new and easy method for composing complex passwords that are nevertheless easy to remember.

First some background to password complexity.

Why do we need complex passwords in the first place?
We don't.

There are two real reasons, we are told, why we need complex passwords.
The first one is that a complex password is more difficult to remember, thereby reducing the chance of password leakage, but at the same time creating the Post-It note problem of people writing the password down.

The second is that a complex password takes more time to attack using brute force password cracking techniques, but it doesn't in itself prevent the use of dictionary based password cracking techniques. A dictionary based attack compares the hashed password in a password file to the words in a dictionary, hashed using the same hashing algorithm. If the hash of a word in the dictionary is the same as the hash in the password file, then that word is the password. A clever cracking tool then also tries several permutations of each word, replacing lower case letters with upper case letters, numbers or symbols, so 'P@ssw0rd' will be discovered just as quickly as 'password'. Leetspeak therefore doesn't make a password any more secure than regular spelling. If a word is not in the dictionary, another technique is required: simply trying all combinations to see whether a hash matches the hashed password of the target account. Put simply, that means the longer the password, the more time it costs to crack it.


This leads to two simple conclusions.

  • First: if a cracker uses an English language dictionary, he will not find my Dutch language word, meaning that he will have to resort to a brute force attack...
  • Second: for a brute force attack the password '1234567890' is just as complex to crack as '6Gr*7jgkhi'. It will probably be found faster, because clever cracking tools know this too and will use this kind of 'semi-dictionary' cracking words as well, but in a sense: if a word is not in a dictionary, brute force requires a lot more time the longer the password is.

Proof of this principle:
The old Windows OS uses the lanman (LAN Manager) hashing algorithm. A password was split into two 7-byte segments that were hashed separately. A password of up to 7 characters was padded to 14 characters, so the second segment was the hash of a 7-character null string. If no more than 7 characters were used, the second hash was therefore always the same. So, although the hashed password was 14 characters long, when the password was not longer than 7 characters, cracking the first 7 characters was enough to recover most passwords. If an 8th character was used, brute forcing the complete 14-character password was required.
In effect, this is the reason why many password policies prescribe a minimum of 8 characters.

This results in a few simple rules:
  • Use long words that are not in a (regular) dictionary... German-speaking people have an advantage here...
  • Use non-words that are long enough to make brute forcing a lengthy operation, but that are easy to remember.


My advice:

Use your telephone number, but use leetspeak backward.

Example: phone number 01 234 567 89, consisting of only numbers.
Just swap a few of the digits for letters or other characters, in whatever way you feel comfortable with. A '0' can become an O (oh), a Z (for zero) or an N (for nul), in lower case or upper case, your choice.
So this simple example may result in NE2D4vzZ8n or zOt3f5sse9. You just need to remember your substitution scheme; you don't need to remember the password itself, just the phone number used.


The entered password may look familiar if you know the scheme used, but to a password cracking tool these passwords all look very different (all MD5 hash examples):
0123456789 > 84D89877F0D4041EFB6BF91A16F0248F2FD573E6AF05C19F96BEDB9F882F7882
NE2D4vzZ8n > 4DB3EA7E7894603A00091C8AABA25556B0366CF4C7045CF5B862477B44357040
zOt3f5sse9 > 4A384192BB6933877D9B7E29993DE7AF1EBC191DE6C30289F13F084EFD332B1B

Compare that with:
password > 5E884898DA28047151D0E56F8DC6292773603D0D6AABBDD62A11EF721D1542D8

If a cracker can get at your hashed password, the cracker has no way of knowing how you defined your password. Make it as easy as you can.
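The method described above, as an added example (my code, not the post's): a constructed per-digit substitution menu, a function that builds the password from a phone number and the user's picks, reproducing the post's NE2D4vzZ8n and zOt3f5sse9, and a count of how many passwords one number can yield, which is what someone who knows the method but not your picks would have to search. The menu and the DUTCH/ENGLISH pick tables are assumptions; the digests listed above are 64 hex digits long, the length SHA-256 produces, so the code hashes with SHA-256.

```python
import hashlib
from math import prod
# Constructed substitution menu (an assumption, not from the post): a digit
# may stay as itself or become the initial of its English or Dutch name in
# either case; '0' additionally allows 'o'/'O' for "oh", as the post suggests.
DIGIT_OPTIONS = {
    "0": ["0", "o", "O", "z", "Z", "n", "N"],  # zero / nul / "oh"
    "1": ["1", "o", "O", "e", "E"],            # one / een
    "2": ["2", "t", "T"],                      # two / twee
    "3": ["3", "t", "T", "d", "D"],            # three / drie
    "4": ["4", "f", "F", "v", "V"],            # four / vier
    "5": ["5", "f", "F", "v", "V"],            # five / vijf
    "6": ["6", "s", "S", "z", "Z"],            # six / zes
    "7": ["7", "s", "S", "z", "Z"],            # seven / zeven
    "8": ["8", "e", "E", "a", "A"],            # eight / acht
    "9": ["9", "n", "N"],                      # nine / negen
}

def apply_scheme(phone: str, scheme: dict) -> str:
    """Build the password from a digit string and the user's per-digit picks.
    A digit missing from `scheme` stays as is; a pick outside DIGIT_OPTIONS
    is rejected so the result always stays within the described method."""
    out = []
    for d in phone:
        if d not in DIGIT_OPTIONS:
            raise ValueError(f"not a digit: {d!r}")
        choice = scheme.get(d, d)
        if choice not in DIGIT_OPTIONS[d]:
            raise ValueError(f"{choice!r} is not an allowed stand-in for {d}")
        out.append(choice)
    return "".join(out)

def sha256_hex(password: str) -> str:
    """Upper-case hex digest, the form the post lists its hashes in."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest().upper()

def reachable_passwords(phone: str) -> int:
    """Distinct passwords one number can yield under the menu: the space that
    someone who knows the method and the number, but not the user's picks,
    would have to search. Compare it with 10 ** len(phone) for bare digits."""
    return prod(len(DIGIT_OPTIONS[d]) for d in phone)

DUTCH = {"0": "N", "1": "E", "3": "D", "5": "v", "6": "z", "7": "Z", "9": "n"}  # post's 1st example
ENGLISH = {"0": "z", "1": "O", "2": "t", "4": "f", "6": "s", "7": "s", "8": "e"}  # post's 2nd example

if __name__ == "__main__":
    for pw in (apply_scheme("0123456789", s) for s in ({}, DUTCH, ENGLISH)):
        print(f"{pw:>12} > {sha256_hex(pw)}")
    print("reachable from 0123456789:", reachable_passwords("0123456789"))
```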

We don't need complex passwords. And in a future post I will expand on this some more.
