Password Complexity
This morning I got an email from someone about secure passwords. The email was a link to this article. Before even opening the link I had a good idea of what it was going to say…make your passwords use all four character sets and make them random, but base it on a phrase that you can easily remember. My guess (and I was correct) was that it was going to ignore/gloss over the issue of password length.
In years past I was a strong proponent of passwords that used all four character sets (UPPERCASE, lowercase, 12345, !@#$%^%). I’m really not anymore. The reason is that password length has a much greater effect on whether a password can be cracked than complexity does. One of the best articles I have seen on this issue was an InfoWorld article back in 2006. The author did a great job of mathematically showing how the two factors in password strength (length and the number of possible characters) work together.
In the times that I have done password audits for the ministry I work for, this has proven out every time. I have seen some very complex passwords that were shorter in length get cracked. I have never cracked a long password. That is the primary reason that my non-admin password is currently 20+ characters long. The password for my admin account? Somewhere north of 30 characters. Good luck cracking it while I am still alive.
A few paragraphs from the InfoWorld article above that I most enjoyed:
For everyone using six- to nine-character passwords with “complexity,” I appreciate it. I get paid to break in to systems for a living, and you make my job easier.
Strength is provided by increasing the number of possible passwords the attacker has to guess (let’s call this the keyspace even though it really isn’t appropriate in this context). The keyspace is represented mathematically as X^L, where X is the number of possible characters that can be in the password and L is the length. If you do the basic analysis, you can see that changes in L are more significant, character for character, than changes in X.
~~~~
And because most users also use dictionary words as the root to their “complex” password, and follow other common conventions (capitalized letters are at the beginning, numbers are at the end), a simple hybrid attack will break most of them in less than a day. Trust me, I know — I do it for a living.
~~~~
So, when trying to increase the strength of your passwords, my advice is to consider length as much or more than you consider complexity. For my money, length is all the protection I need. Make your admin and root passwords 15 or more characters long and forget about complexity — at 15 characters-plus, they are all but uncrackable.
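To put the article’s X^L argument into numbers, here is an added example (mine, not code from the InfoWorld article or from this post) that scores a password by keyspace bits and also flags the dictionary-root-plus-mangling pattern the article says a hybrid attack defeats. The wordlist and the guess rate are constructed assumptions standing in for a real list and real hardware.

```python
import math
import re

# Constructed stand-in for a real wordlist; a real audit would load a file such as
# the 1.4M-entry list the post mentions (that file is not reproduced here).
DICTIONARY = {"password", "summer", "welcome", "laryngoscope", "qwerty", "jesus"}

# Assumed offline guess rate (guesses/second), used only to turn keyspace into time.
GUESSES_PER_SECOND = 1_000_000_000
SECONDS_PER_YEAR = 365 * 24 * 3600
PUNCTUATION = 33  # printable ASCII characters that are neither letters nor digits


def charset_size(pw: str) -> int:
    """X in the article's X^L: size of the smallest pool covering every character used."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += PUNCTUATION
    return size


def keyspace_bits(pw: str) -> float:
    """log2(X^L) = L * log2(X); 0 for an empty password."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def years_to_exhaust(pw: str) -> float:
    """Years to try the whole keyspace at GUESSES_PER_SECOND (upper bound on brute force)."""
    return charset_size(pw) ** len(pw) / GUESSES_PER_SECOND / SECONDS_PER_YEAR


def dictionary_root(pw: str):
    """Undo the common mangling the article describes (capital at the front, digits or
    symbols at the end) and return the dictionary word underneath, or None."""
    root = re.sub(r"[0-9!@#$%^&*]+$", "", pw).lower()
    return root if root in DICTIONARY else None


def assess(pw: str) -> str:
    """One-line verdict: a dictionary root makes the keyspace figure meaningless."""
    root = dictionary_root(pw)
    if root:
        return f"weak: dictionary root '{root}' with common mangling"
    return f"{keyspace_bits(pw):.1f} bits, ~{years_to_exhaust(pw):.3g} years to exhaust"


if __name__ == "__main__":
    for pw in ["Ab1!Ab1!", "abcdefghijklmno", "Summer2024!", "correct horse battery staple"]:
        print(f"{pw!r:32} {assess(pw)}")
```

Running it shows an 8-character password drawn from all four sets (about 52.6 bits) losing to 15 lowercase letters (about 70.5 bits), and a "complex" dictionary-based password being flagged regardless of its keyspace figure.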
Cracking Passwords
When I arrived in Oklahoma on my trip to my cousin’s funeral, one of the big tasks was getting into my cousin’s computer. She had left it turned on and locked. She had changed the passwords for every administrator account on the computer to passwords that no one else knew. In particular, there were four programs running on her computer, and my aunt really wanted to see what was on the screen. We figured one was probably a web browser, one was her instant messenger program, one was possibly her Bible program, and the fourth was an unknown.
Since I am the computer guy, they asked me to see if I could get into it. Because we didn’t know the password to any of the admin accounts, it wasn’t possible to simply change the password and log in. We also didn’t want to shut the computer down, because that would lose whatever was on her screen. That left us with guessing passwords. Over the course of two days, we probably entered three hundred potential passwords…everything we could think of related to Christianity, Lutheranism, her EMT studies, her boyfriend, other family members, birthdates, as well as some of the more common simple passwords (qwerty, 12345, asdfjkl, the word “password”, admin, a blank password, her username, etc). All to no avail. (BTW…side note…if your password is any of the common ones listed, don’t bother…anyone wanting to get into your computer will be in it within half an hour anyway. Change it to something that will actually be useful. Personally, my passwords are typically sentences…around 24-35 characters.)
I had let my aunt know that a Plan B…if we couldn’t guess the password…was to shut it down and I’d take the hard drive out, pull off the password files (SAM database and System registry hive), and crack the password offline. On Friday night we got to that point. I threw the drive into an external USB enclosure, and pulled those two files out of c:\windows\system32\config. I then downloaded and installed Cain on my computer and started the cracking process. The initial pass did not crack the password, so I loaded a dictionary file that I have used when doing password auditing for the organization I work for. That dictionary file has 1,425,824 “words”…essentially any combination of characters that you want to run through a password cracker. I don’t remember where I got the original version of that file, but it is an almost 16MB text file. Less than ten minutes later, we had her password…laryngoscope. Definitely not one that we would have guessed any time this year.
That leads me to another statement. If you don’t maintain physical security of your computer…you have no security. I couldn’t guess Carrie’s password, but once I took the hard drive out, I had all of her files within minutes. Now…if the files are encrypted…that’s a whole different ballgame. Without the encryption key, I’ll never read the files.