Password Complexity….Are We Fooling Ourselves?

September 2, 2015 | Views: 2418


Many of the beliefs we hold about what constitutes a "good" password come from the default policies that software such as Microsoft Windows teaches us.

We are led to believe that a minimum length of 8 characters with a mixture of UPPER- and lower-case letters, digits and uncommon characters (e.g. $@#&!) automatically makes a good password.
Many systems administrators and systems engineers never look into the analysis behind a password because of this IT meme, created largely by the software industry. So what constitutes a strong password, and why is the meme a concern? Surely our passwords have stood the test of time?

What we need to keep in mind is that computing power has been increasing at an incredible rate, and access to that computing power has become easier and easier. Harnessing multiple GPUs has become the standard way to crack passwords. A password-cracking cluster built from readily available hardware was shown to exhaust every possible eight-character Windows password in under 6 hours (GPU Cluster cracks passwords). The Windows NTLM hash is fast and unsalted, which is precisely what makes that guess rate achievable; a deliberately slow, salted algorithm such as bcrypt would reduce the same cluster's throughput by orders of magnitude.

This is seriously scary technology for anyone responsible for security on a network. Gone are the days of setting a password and never touching it again, at least at default Windows complexity levels. Even changing passwords regularly is no guarantee against a machine that needs only 6 hours to exhaust every eight-character Windows password.

What shall we do, then?

First of all, we need to understand what makes a password difficult to crack. The key here is LENGTH. Complexity plays a part, but it becomes self-defeating if users cannot remember their own passwords. Force them to change a complex password every week or month and they WILL start writing it down, which defeats the purpose of the exercise: a written-down password can be snooped and is a very high risk.
Some facts (the figures below assume a fixed guess rate for each attacker and that the whole search space has to be tried; "entropy" here means the brute-force entropy, log2 of the search space, as if every character had been chosen at random):
A password of 8 characters (only a-z + A-Z) can be cracked by a supercomputer in roughly half a millisecond (0.0005 s), or in about 11 seconds by a PC + GPU. This password has an entropy (password strength) of 45.6 bits.
A password of 8 characters containing a-z, A-Z, 0-9 and special characters (`~!@#$%^&*()-_=;:'",<.>?) takes the supercomputer 0.05 seconds to crack and the PC + GPU only 17 minutes.
Keeping the password simple (a-z + A-Z) but increasing the length by only 2 characters (from 8 to 10) makes the supercomputer take 1 second to crack it, and the PC + GPU crack time rises to 8 hours!
Adding another 2 characters makes our 12-character password crackable in 1 hour by the supercomputer, but the PC + GPU now needs 2 YEARS! The entropy has risen to 68.4 bits.
Should we get creative and build the password from an easy-to-remember phrase of some length, such as "MydogsnameisButch" (17 characters), the entropy rises to 96.9 bits: the supercomputer now needs 47,125 YEARS and the PC + GPU 942 MILLION YEARS to exhaust the search space!
Besides being very difficult to brute-force, this password has the advantage of being easy to remember. One caveat: 96.9 bits is the figure for 17 random letters. An attacker who assumes the password is a run of dictionary words (a word-list or combinator attack) faces a far smaller search space, so a phrase should be long and preferably made of words that do not form an obvious sentence.
This does not mean that ALL restrictions on password complexity must be removed. A good requirement would be 12-16 characters, at least two upper-case letters and no more than two consecutive repeated letters. The 16-character cap keeps the password usable in a Windows environment (current versions of Windows themselves accept considerably longer passwords, so the cap is really about older systems and tools). The password above would then have to become "MydogsNameisBob" (15 characters, entropy 85.5 bits).
In general, an entropy above 80 bits is considered a very strong password.
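The calculations behind the figures above, as an added worked example (not code from the original article): it reproduces the crack times for the letter-only and printable-character passwords, costs the "MydogsnameisButch" phrase both as random letters and as a sequence of dictionary words, and checks a candidate against the 12-16 character policy proposed above. The guess rates (1e17 guesses/s for the "supercomputer", 5e12 guesses/s for the "PC + GPU"), the 10,000-word dictionary and the split of the phrase into five words are assumptions chosen to match the article's numbers, not measurements.

```python
"""Brute-force cost, passphrase cost and the article's proposed password policy.

Added example, not part of the original article. Guess rates and the dictionary
size are constructed assumptions (see comments); they are not measured values.
"""
import math
import re

# ASSUMPTION: guess rates (guesses per second) chosen so the output reproduces the
# article's figures. Real throughput depends on the hash in use: unsalted NTLM is
# cheap to attack, bcrypt/Argon2 are orders of magnitude slower.
GUESS_RATES = {"supercomputer": 1e17, "pc_gpu": 5e12}

LETTERS = 52    # a-z + A-Z
PRINTABLE = 95  # letters, digits and the printable ASCII symbols
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def search_space(alphabet_size, length):
    """Candidates a brute-force attacker must enumerate in the worst case."""
    return alphabet_size ** length


def entropy_bits(alphabet_size, length):
    """Brute-force 'entropy' as the article uses it: log2 of the search space,
    i.e. assuming every character was chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def crack_seconds(candidates, guesses_per_second):
    """Worst-case time to try `candidates` guesses at the given rate."""
    return candidates / guesses_per_second


def years(seconds):
    return seconds / SECONDS_PER_YEAR


def passphrase_bits(num_words, dictionary_size, choices_per_word=1):
    """Entropy when the attacker knows the secret is a sequence of dictionary
    words (word-list / combinator attack). `choices_per_word` counts variants
    tried per word, e.g. 2 for 'as written or capitalised'."""
    return num_words * math.log2(dictionary_size * choices_per_word)


def meets_policy(password):
    """The article's proposed rules: 12-16 characters, at least two upper-case
    letters, and no character repeated more than twice in a row."""
    if not 12 <= len(password) <= 16:
        return False
    if sum(1 for c in password if c.isupper()) < 2:
        return False
    # "aaa" is three consecutive repeats and is rejected; "aa" is still allowed.
    if re.search(r"(.)\1\1", password):
        return False
    return True


def crack_table():
    """Reproduce the article's cases: (label, length, bits, {attacker: seconds})."""
    cases = [("letters", LETTERS, 8), ("printable", PRINTABLE, 8),
             ("letters", LETTERS, 10), ("letters", LETTERS, 12),
             ("letters", LETTERS, 17)]
    rows = []
    for label, size, length in cases:
        n = search_space(size, length)
        rows.append((label, length, round(entropy_bits(size, length), 1),
                     {k: crack_seconds(n, rate) for k, rate in GUESS_RATES.items()}))
    return rows


def phrase_comparison(phrase_words, dictionary_size=10_000):
    """Cost the same phrase two ways on the PC + GPU: as random letters (the
    article's model) and as words from an assumed dictionary of `dictionary_size`."""
    phrase = "".join(phrase_words)
    random_bits = entropy_bits(LETTERS, len(phrase))
    dict_bits = passphrase_bits(len(phrase_words), dictionary_size)
    rate = GUESS_RATES["pc_gpu"]
    return {
        "random_letter_years": years(crack_seconds(2 ** random_bits, rate)),
        "dictionary_years": years(crack_seconds(2 ** dict_bits, rate)),
        "bits": (round(random_bits, 1), round(dict_bits, 1)),
    }


if __name__ == "__main__":
    for label, length, bits, times in crack_table():
        print(f"{label:9} {length:2} chars  {bits:5.1f} bits  "
              + "  ".join(f"{k}: {t:.3g} s" for k, t in times.items()))
    # Constructed sample: the article's own phrase split into its words.
    print(phrase_comparison(["My", "dogs", "name", "is", "Butch"]))
    print(meets_policy("MydogsNameisBob"), meets_policy("MydogsnameisButch"))
```

Under the random-letter model the phrase costs the PC + GPU about 942 million years; under the five-word dictionary model the same machine finishes in well under a year. That gap, not the 96.9-bit figure, is what decides how long a passphrase really needs to be.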
References:
  1. https://en.wikipedia.org/wiki/Password_strength
  2. https://en.wikipedia.org/wiki/Password_policy
  3. http://arstechnica.com/security/2013/06/password-complexity-rules-more-annoying-less-effective-than-length-ones/
  4. https://redmondmag.com/articles/2013/08/14/password-complexity.aspx
  5. https://xkcd.com/936/
  6. https://cams.missouristate.edu/selfservice/complexity.aspx
15 Comments
  1. Good to go for password complexity

  2. As I know, the best password is a random password, and you need to write it on some paper,
    just in case you forget it.
    Of course the length factor is very influential,
    but if it is just alphabetical, it will be easy to crack using the brute-force method.
    FYI, tech is always developing very fast.

  3. Very informative, and it increases my knowledge of password security.

  4. import java.awt.event.KeyEvent;
    import java.awt.event.KeyListener;

    // Prints every key press and release to standard output.
    public class MyKeyListener implements KeyListener {
        @Override
        public void keyTyped(KeyEvent e) {
            // Nothing to do: keyPressed and keyReleased already log each key.
        }

        @Override
        public void keyPressed(KeyEvent e) {
            System.out.println("keyPressed=" + KeyEvent.getKeyText(e.getKeyCode()));
        }

        @Override
        public void keyReleased(KeyEvent e) {
            System.out.println("keyReleased=" + KeyEvent.getKeyText(e.getKeyCode()));
        }
    }

