Go | New | Find | Notify | Tools | Reply |
W07VH5 |
I've always wondered something. By making password requirements so restrictive does it make cracking them easier? Isn't it making the entire list of possible passwords much, much smaller? | |||
|
quarter MOA visionary |
Aren't most intrusion based on social engineering rather than complexity of passwords? With the amount of horsepower to guess and the lock-out factor in attempts seems that this is more common. You know getting a password from a sticky note taped to your monitor or getting you to fill out some bullshit in an email seems to be more productive for the hacker? My IT security focus is limited as I mainly deal with smaller clients but I can tell you many of them have little or NO concern for security (until something bad happens). This includes password policy among other things. | |||
|
His diet consists of black coffee, and sarcasm. |
I need to use a word or phrase as a password or I won't remember it. Capitalization and numbers mixed in are OK if minimal, but random selection of characters, forget it. | |||
|
Member |
they don't try it at the system they're trying to hack. A super-simplified scenario is this: A hacker gains access (SQL injection, exploiting a web server vulnerability, whatever, it doesn't matter right now) to a system. They steal the password database which has all the usernames and passwords hashed (which is like encrypting them, except you can't decrypt it) The database might look something like this: Skins2881,A021B3AF3 Hawkins,8319BA13C Parabellum,38ACB3A03 DumbBob,8319BA13C etc. properly done, there won't be any actual passwords stored - the system takes the password you enter, does math to it, and stores a number, called a hash. In theory, you can't take that number and go backwards to get the password. (Just like if you take a brisket and make corned beef hash, you can't go backwards to get a brisket ;-)) Now that they've stolen this big list of usernames and hashed passwords, they can now take their time and billions of guesses. They write a program that guesses millions of times per second: "AAAAAAAA" -> 19ABEAD93 "AAAAAAAB" -> B34FD0A33 on and on until "password1234" ->8319BA13C. Oh shit, that hash matches Hawkins hash. Therefore his password must be "password1234". (Actually this weak password would probably be tried before it started going through random combinations, because its known to be common. An attacker can go a couple of different ways with this now, but here's an easy one. "Hmm, maybe this Hawkins guy uses the same password elsewhere. Lets try using that password with "hawkins@gmail.com" and "hawkins@yahoo.com". Maybe go to BigNationalBank.com and try username "hawkins" and password "password1234". It works. Hawkins is now broke and his privacy is gone because he used the same password everywhere. Even to access his work's corporate network! Oh my! (he might also notice that DumbBob has the same hash, and thus the same password. The hacker can now try to access DumbBob's stuff too! There are ways of stopping this so the same password doesn't hash to the same value, but I just wanted to point out that, poorly implemented, this is possible too.) In the meantime, the hacker's computer has kept on going, and it found out that when it hashes the password "BANHAMMER!!", it gets "38ACB3A03". so now the hacker knows para's password. The hacker can now control para's account here on sigforum. Fortunately, Para is smart, and doesn't use the same password everywhere. Taking advantage of a password manager, he uses unique passwords for email, bank accounts, etc. The hacker can do nothing else with this, try as he might. Amazingly, you picked a strong password, and the hacker's cracking computer keeps going for a day, a week, a year, but it never finds the password that hashes to A021B3AF3. It might take a year and a day, it might take a billion years. No idea. A few points: 1) Sysadmins have been known to try to run crackers against their own systems, just to see if any users are using bad passwords, so they can take corrective action. 2) Use a good password manager. I use Keepass. Have a unique password everywhere. Every single one of my passwords is unique, and as strong and random as the site allows. I don't know any of them. 3) In some scenarios, I see absolutely nothing wrong with writing your password down on a piece of paper, AS LONG AS YOU PROTECT THAT PAPER. Keeping it at your desk, even hidden, isn't protected. But what can you do to protect a valuable piece of paper? Keep it with other pieces of valuable paper that you're good at protecting- inside your wallet. Just make sure the paper doesn't explain what the password is. Maybe modify it or just write part of it down. The point is, writing it down isnt' necessarily the worst thing you can do. -------------- July NoVA Sigshoot: Shooter's Paradise; 0900 (9AM) 23July05 My Signature is almost a decade out of date! | |||
|
Nullus Anxietas |
Nope.
Is generally not very effective via the front door. Even if the sub-systems being attacked don't do lockouts or incrementally increasing retry delays, the sheer amount of time it takes such systems to process each guess takes an eternity in computer time. Dictionary attacks can be successful through the front door, but only if passwords are easily-guessable. Real dictionary attacks require the attacker have a copy of the hashed password(s). 220-9er is correct. "America is at that awkward stage. It's too late to work within the system,,,, but too early to shoot the bastards." -- Claire Wolfe "If we let things terrify us, life will not be worth living." -- Seneca the Younger, Roman Stoic philosopher | |||
|
Member |
That concept is called "restricting the key space" and yes it does. Hopefully someone who implements password standards does it right, so that there's a net win. You can figure this out with a concept called "password entropy", which, at is core, is how 'complex' a password is. There are different ways to calculate this, but one way is to just figure out how many combinations you can make. Current password cracking machines that an individual can easily build right now can do 25 billion hashes per second. An 8 character password, with just upper, lower and digits, can have (26+26+10)^8 =218,340,105,584,896 combinations. Seems like a lot! Except remember, a lone individual can crack 25 BILLION combinations per second. That computer will go through all those combinations in 8734 seconds, with time to spare. That's less than two and a half hours. Now, if the administrator says "Hey, no shitty passwords. You MUST use a symbol as well". I just counted on my keyboard, and i see 33 different characters (including a space): ` ~!@#$%^&*()_+-=[]\{}|;':",./<>? you now get (26+26+10+33)^8 - (26+26+10)^8 = 6,634,204,312,890,625 - 218,340,105,584,896 = 6,415,864,207,305,729 different passwords, even subtracting all the password that don't have special characters. By making that one requirement, your 25 billion passwords/sec cracker now needs 256635 seconds (71 hours) to go through all the possible passwords of 8 characters . The admin then says, "wait, i'm going to be a dick and make the minimum password length 12 characters, not 8." Well now! (26+26+10+33)^12 = 540,360,087,662,636,962,890,625 combinations. I'm not even going to bother subtracting bad passwords, because as we'll see, whats difference does 72 hours make? 540,360,087,662,636,962,890,625 / 25 billion = 21614403506505 seconds, or 6,004,000,974 hours, or 250166707 days, or 685,388 years. (if we subtracted all the bad passwords, we get 537133820900239063069569 combinations, saving us about 70,000 years of calculations) That's a lot. So now a sysadmin has a few choices, and some pro's and cons. Short or long passwords? Long, of course! That was the biggest difference. Alphanumberic, or all printable characters? All printable characters gave us 95 characters to play with, instead of just 62. Another big difference. Was *requiring* a symbol in the password worth it? Ultimately it didn't affect the cracking time significantly so you might say "no", but it does help keep stupid people from being stupid. Something i didn't mention: password dictionaries. Hackers have huge lists of common passwords, including every single word in the dictionary and variations thereof. They include common shortcuts, and different ways of writing dates. They'll take every word, and append a 1 or a ! to the end of it. 'qwerty1234!@#$' might meet the password complexity requirement, but its known as a "keyboard run", and hackers already know tons of lazy people do this, and I guarantee passwords like this will be in the first 50 billion passwords guessed; its in the hackers best interest to try the most likely combinations first. So weird rules are "intended" to avoid those most common passwords. They lessen the key space, but numerically, it's a net win. Usability: They reduce "shitty" passwords, but at the expense of not allowing otherwise perfectly valid passwords that meet the same disqualification criteria. Password length is key, and the more permissive of types of characters allowed, the better. Any rules beyond that (no more than 3 of the same type of characters in a row, you must use 2 of each type of character, etc) is probably a waste. tl;dr: Passwords should be as long as allowed (at least 12 characters) and be encouraged to use different numbers and symbols too. No need to go overboard though. -------------- July NoVA Sigshoot: Shooter's Paradise; 0900 (9AM) 23July05 My Signature is almost a decade out of date! | |||
|
Powered by Social Strata | Page 1 2 |
Please Wait. Your request is being processed... |