Password Complexity….Are We Fooling Ourselves?

September 2, 2015 | Views: 2364

Begin Learning Cyber Security for FREE Now!

FREE REGISTRATIONAlready a Member Login Here

Many of the beliefs we have around what constitutes a “good” password are created by what default policies in software such as Microsoft teach us.

We are led to believe that a minimum length of 8 characters, a good mixture of UPPER and lower-case, numbers and uncommon (i.e. $@#&!) characters automatically make a good password.
Many Systems Administrators and Systems Engineers never delve into the analysis behind a password due to the above IT MEME created in large by the software industry. So what constitutes a strong password and why is our MEME a concern. Surely our passwords have stood the test of time.

What we need to keep in mind is that computing power has been increasing at an incredible rate and access to this computing power has become easier and easier. Lately, harnessing the power of multiple GPU’s has become the standard method to crack passwords. A recent password cracking cluster built with easily accessible hardware, managed to show that it could crack every standard Windows password in less than 6 hours. (GPU Cluster cracks passwords)

This is seriously scary tech for anyone connected with security on networks. Gone are the days of setting a password and never touching it again – at Windows complexity levels, that is. Even changing passwords regularly is no guarantee against a machine that only needs 6 hours to crack open ANY Windows password.

What shall we then do ?

First of all, we need to understand what makes a password difficult to crack. The key here is LENGTH. Sure, complexity plays a factor, but complexity becomes self defeating if a user cannot remember their own password. Force them to change this complex password every week or month and they WILL start writing it down. This then defeats the object of the exercise, as written down passwords can be snooped and are a very high risk.
Some facts:
A password of 8 characters (only a-z + A-Z) can be cracked by a Supercomputer in approx 5 millionths of a second (0.0005s) or in about 11 seconds by a PC + GPU. This password has an entropy (password strength) value of 45.6 bits.
A password of 8 characters containing a-z, A-Z, 0-9, special characters (`~!@#$%^&*()-_=;:'”,<.>?) will take a Supercomputer 0.05 seconds to crack and a PC + GPU only 17 minutes.
Keeping the password simple (a-z + A-Z), but increasing the length by only 2 characters ( from 8 to 10 ) will make the Supercomputer take 1 second to crack it and the PC + GPU crack time increases to 8 hours !
Adding another 2 characters now makes our 12 character password crackable in 1 hour by Supercomputer, but our PC + GPU will now take 2 YEARS ! Password entropy has now increased to 68.4 bits.
Should we become creative and construct our password as an easy to remember object of some length such as “MydogsnameisButch” (17 characters) with an entropy of 96.9bits, our Supercomputer now needs 47,125 YEARS and our PC + GPU needs 942 MILLION YEARS to crack this !
On top of being very difficult to crack (by a computer), our password has the advantage of being easy to remember.
This does not mean that ALL restrictions must be removed from password complexity. A good requirement would be 12-16 characters, at least 2 Uppercase and no more than 2 consecutive repeated letters. The 16 character limit allows the password to be used in a Windows environment. The above password would have to be changed to “MydogsNameisBob” (Entropy value of 85.5 bits)
In general, an entropy of over 80 is considered to be a very strong password.
References:
  1. https://en.wikipedia.org/wiki/Password_strength
  2. https://en.wikipedia.org/wiki/Password_policy
  3. http://arstechnica.com/security/2013/06/password-complexity-rules-more-annoying-less-effective-than-length-ones/
  4. https://redmondmag.com/articles/2013/08/14/password-complexity.aspx
  5. https://xkcd.com/936/
  6. https://cams.missouristate.edu/selfservice/complexity.aspx
Share with Friends
FacebookTwitterLinkedInEmail
Use Cybytes and
Tip the Author!
Join
Share with Friends
FacebookTwitterLinkedInEmail
Ready to share your knowledge and expertise?
15 Comments
  1. What happens when computers become so fast that they can crack any password of a length of 17 in 1 second?

  2. “MydogsNameisBob” would be crackable in less time if you include use of dictionaries.
    If this is split up into bits it would be
    My, dog, s, Name, is, Bob
    Which makes it as computationally expensive as having 6 words/characters.
    Words in the English Language = 1,025,109
    Windows rule characters = 95
    (1,025,204)^6 vs 95^15

    Except that they are simple words and in grammatical order which reduces the number of possible combinations tremendously.
    There are 5000 “1st grade words” in the english language

    We double the number of possibilities because we are using capitalized words.
    (10,095)^6 vs 95^15
    So, hypothetically this would take 10^24 combinations instead of 10^29.

    Rather than using the words from all of the english language it would make more sense to use a subset of the total, as most people don’t tend to use big words, especially in passwords.
    I am not likely to use fluorescent or clairvoyant in a password because those words are both long and hard to remember how to spell. I may try to throw off the brute force attempt by adding captialization and leet speak by changing the to th3 and this to th15. There is also the possibility of using random leet speak or inconsistent leet speak where every other letter is turned into a number or a symbol which would increase the number of possible password combinations quite a bit.

    The TL;DR
    It is much easier to remember a phrase, and much harder for a computer to crack than a short string of hard to remember random combination of mixed capitalization strings and letters.

  3. When It is dictionary attack rather than brute force, quite easy crack such a passwords.

  4. Very good article and spot on. However, what if one were to consider the order of magnitude if one is multi-lingual. What can be said of the complexity then?
    Since most cracks are dictionary based, the time to cross reference all known languages in which Romanization can be applied, then cross tabulated to account for all possible combinations and then apply a cracking algorithm would be staggering.

  5. very good post.

Page 3 of 3«123
Comment on This

You must be logged in to post a comment.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge

 

Cybrary|0P3N

Is Linux Worth Learning in 2020?
Views: 334 / December 14, 2019
How do I Get MTA Certified?
Views: 926 / December 12, 2019
How much does your PAM software really cost?
Views: 1379 / December 10, 2019
How Do I Get into Android Development?
Views: 1757 / December 8, 2019

We recommend always using caution when following any link

Are you sure you want to continue?

Continue
Cancel