February 1, 2016
Brute Force Attacks and Why You Should Have a Complex Password
The standard brute force attack is fairly simple. An attacker, in an attempt to discern a password, simply guesses every possible password until they stumble upon the right one. Although this is considered a weak form of attack, it's still a plausible one in many situations.

To really understand how it works, however, one has to have a grasp of the math of combinations and how passwords work in general. Additionally, because of some quirks of linguistics, a simple modification can make this attack far more effective.

This bit is going to sound a bit "mathy," but pay attention because it will all make sense. For a given length and character set there are a finite number of possible orderings of characters in a string. Essentially, if you know that something has to be between three and four characters in length and is limited to using trinary (0,1,2), there are only so many possible combinations. For instance:
0000, 0001, 0002, 0003, 0010, 0020, 0030, 0011, 0012, 0013, 0021, 0022, 0031, 0032… 3333
000, 001, 002, 010, 011, 012, 020, 021, 022, 100… 333

If you have three characters to use (0,1,2) and a restriction on length to three or four characters long, for each character position there are three possibilities. So, you would start with the lowest length restriction, in this case three, and determine that, with three possible characters in each position, there are three times three times three possible combinations, or 3^3 combinations.

You would do this again for four, three x three x three x three, or 4^3 combinations. You would then add those two possibilities together to determine the entire combination set ((3^3)+(4^3)) (parentheses added for those who do not remember PEMDAS).

So, and I promise this is the worst of the mathy bit, for a given length n and a character set with c characters, the number of possible combinations of a string can be defined as c^n. Obviously, a three or four character long password limited to trinary is weak (there are, in fact, only 91 possible passwords), but the same principle can be applied to longer and more complex restrictions.

This is where things get a little tricky. In a perfect world, where only brute force attacks exist, this would mean that a 12 character string of lower case letters is more powerful than an 8 character string with an upper case letter and a number.

We do not, in any way, live in such a world. We live in a world where users want convenience, people use language, and human nature is a thing. Human beings, and sit down because this might come as a shock, are not machines. We have to remember our passwords. So we do not simply make randomized strings of characters; we use words. We use dates. We use things that are easy to remember.

This means that attacks can happen by ways more efficient than brute force, like dictionary attacks and combination attacks, but these are not what we are here to learn about. If we were limited to brute force attacks, how could we make these attacks more efficient?

Linguistics.
Cryptologists have used a quirk of linguistics for over a thousand years to make attacks like this more efficient: Letter Frequency. Different languages use different letters at different rates to make different words. (different, different, different).

Analysis of these languages can yield letters that are more likely to be in certain positions in a word. Common letter frequencies include most often used letter, most often used letter at the start of a word, common multigrams (groupings of two or more letters next to each other), most often used letter at the end of a word, and more.

Using these simple facts we could improve our brute force algorithm immeasurably. For instance, let us go back to our four character trinary password. But, suddenly we know that 2 is 75% likely to be the first character in the password. With that information, we can safely say that with 75% certainty the password is going to be one of 27 passwords (2000 – 2222, limited to the numbers 0, 1, 2). Thus, our attack should start with those possibilities and move on from there.

A very small change, like knowing the frequency of a character and its position, can make a huge difference in making an attack like this work. These frequencies are readily available for most languages. (At the end of this article is a table of the 10 most common letters in the English language, chosen because it is the language this article is written in.) These kinds of frequency effects work because people are flawed. People choose words for passwords; these words are usually in their native language.

We're not machines that can remember 20+ character passwords with combinations of letters, numbers, and symbols. But, we are people who can commit those things to memory for safety, and maybe we should start doing that. Keep in mind as you leave this article, this was describing the WEAKEST possible kind of password attack. They get much stronger and more effective.
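The four-character trinary case above, worked through as an added example (not code from the original article): it measures how much a skewed first character shortens the average search compared with plain counting order. The even split of the remaining 25% between 0 and 1, the uniform later positions and all function names are assumptions.

```python
from fractions import Fraction
from itertools import product

ALPHABET = "012"   # the article's trinary character set
LENGTH = 4         # the four-character case from the text

# Assumption: the article only says '2' leads 75% of the time; the remaining
# 25% is split evenly here, and positions 2-4 are treated as uniform.
FIRST_CHAR = {"2": Fraction(3, 4), "0": Fraction(1, 8), "1": Fraction(1, 8)}
UNIFORM = Fraction(1, len(ALPHABET))


def probability(candidate):
    """Chance that a user picked this exact string under the model above."""
    return FIRST_CHAR[candidate[0]] * UNIFORM ** (len(candidate) - 1)


def naive_order():
    """Plain counting order: 0000, 0001, ... 2222."""
    return ["".join(chars) for chars in product(ALPHABET, repeat=LENGTH)]


def frequency_order():
    """Same candidates, most probable first (stable sort keeps ties in counting order)."""
    return sorted(naive_order(), key=probability, reverse=True)


def expected_guesses(order):
    """Average number of guesses before the real password is reached."""
    return sum(rank * probability(c) for rank, c in enumerate(order, start=1))


def guesses_to_cover(order, target):
    """Guesses needed until the tried candidates hold `target` of the probability."""
    covered = Fraction(0)
    for rank, candidate in enumerate(order, start=1):
        covered += probability(candidate)
        if covered >= target:
            return rank
    raise ValueError("target exceeds total probability")


if __name__ == "__main__":
    for name, order in (("naive", naive_order()), ("frequency", frequency_order())):
        print(name, float(expected_guesses(order)),
              guesses_to_cover(order, Fraction(3, 4)))
```

A password chosen uniformly at random from the same candidate set averages 41 guesses under either ordering, which is the margin that predictable, human-chosen characters give away.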
Go be safe, change your passwords to something complicated.