|
|
03-11-2014, 08:59 PM | #1 |
Life, Liberty, Happiness
Join Date: Feb 2010
First Name: Marc
Location: Splitting time between Dayton, NJ and Needmore, PA
Posts: 360
Trading: (0)
|
Great password
During a recent company audit, it was found an employee was using the following password:
MickeyMinniePlutoHueyLouieDeweyDonaldGoofySacramen to When asked for the reason for such a long password, she rolled her eyes and said, "Hello! It asked for at least eight characters and include one capital." - - - <groan> Although the IT VP in me has to comment that 52 alpha characters set up like that is quite strong.
__________________
Marc Fear is the dark room in which negatives are developed. - Anon. |
03-11-2014, 09:14 PM | #4 | |
YNWA
|
Re: Great password
Quote:
from another IT professional.
__________________
Be more concerned with your character than your reputation, because your character is what you really are, while your reputation is merely what others think you are. -John Wooden |
|
03-11-2014, 09:39 PM | #5 |
Mřřse bites can be nasty
|
Re: Great password
I wonder how long a brute force crack would take?
__________________
My neighbor came by my house this morning at 2AM, pounding on the door. Good thing I was still up playing the drums. |
03-11-2014, 10:00 PM | #6 | |
Life, Liberty, Happiness
Join Date: Feb 2010
First Name: Marc
Location: Splitting time between Dayton, NJ and Needmore, PA
Posts: 360
Trading: (0)
|
Re: Great password
Quote:
It would be interesting to try it.
__________________
Marc Fear is the dark room in which negatives are developed. - Anon. |
|
03-11-2014, 10:46 PM | #7 |
Bunion
|
Re: Great password
The equation you want is called "Anderson's Formula". Here is an example from an Illinois University exam.
4. (30pts) Given an alphabet size of 400, and an opponent capable of checking 24000 passwords a second. a. [10 pts] What formula would you use to decide on the required size of the password, to achieve an upper bound p on the probability of a brute force attack being successful within a given time period, and a given password cracking processing rate? Anderson’s Formula P>=TG/N P – Probability of guessing a password T – Time G – No. of guesses in a time period N – No. of possible passwords b. [10 pts] Find out the minimum size of the password for an user, if you want probability of discovery within a year to be less than 20% 400**x = (24000*60*60*24*365)/0.2 Solving for x we get x = 4.83385 Therefore password has to be at least 5 characters long c. [10pts] What limitations, if any, can you identify for the formula used in part a? Anderson’s Formula is based on the assumption that passwords are uniformly distributed. In practice passwords are not randomly picked and so not uniformly distributed. Therefore an attacker may first go through most common or weak passwords and crack passwords much faster than estimated by Anderson’s formula. ------------------------------------------ Now, for our purposes, we are only using 52 characters (26 upper and 26 lower case letters) and a password length of (about) 50 characters. So P is the probability of cracking the password. T is the amount of time, so let's say 1 year. T=60*60*24*365 = 3.1536 * 10**7. G is the number of guesses per second. A reasonable number is G=50000. N is the password space size, which for us is 52**50. So for P>=TG/N, we have: P >= (3.1536*10**7)*50000)/(52**50) P >= (1.5768*10**12) /(52**50) P >= 2.0*10**(-74) is the probability of cracking this password in 1 year or less. this means that with a 52 character alphabet and a 50 character password that the probability of cracking the password in a year or less is very close to 0. ------------------------------------------------------- If we want to know how many days it will take to crack the password using brute force, then the formula gives: 1.0 = ((60*60*24*Y)*(50000))/(52**50) 52**50 = Y*(60*60*24*50000) Y = (52**50) / (4.32*10**9) Y = 1.46*10**76 days ~= 4*10**73 years Mind you, this is a statistical average and not a hard floor. It is possible to guess the right password on the first stab, so the minimum is 1 and the average over many passwords (not one specific one) is as above. This is counter-intuitive but the password length really makes all the difference (since it used as an exponent). PS: in practice, most systems that allow the use of a very long (64-128 character) password really only use a maximum of 8 characters internally for historical reasons. If this is the case, well, then the password will be broken quite fast. PPS: I'm on Benadryl, so your math may vary and, in fact, be more accurate. PPPS: As a modern Intel 6 core processor will be able to guess several more orders of magnitude per second and even more if the code is properly threaded, it would be interesting to see how many guesses per second one would need to crack that password on average. This is left as an exercise for the student. and finally PPPPS: a network of computers can bring this down even more since breaking up the password space is pretty simple to do, so you could ask how many Intel 6 core computers will it take. Quite possibly not as many as you may think. from a former computer science instructor whose information security program was a top 25 in the nation as ranked by several TLA (three letter acronym) US government agencies.
__________________
I refuse to belong to any organization that would have me as a member. ~ Groucho Marx Last edited by markem; 03-11-2014 at 10:59 PM. Reason: one more thing... and then one more thing ... |
03-12-2014, 10:04 AM | #8 |
Will herf for food
|
Re: Great password
Mark's answer is very thorough but proper names and whole words making up the password often shortens the time the algorithm requires quite a bit. As stated, the 24,000/second might be way off too. Most average PCs now have 2-4 cores and entry level servers have 2 sockets with 8-10 cores (16-20 CPUs). All of this significantly shortens the time required.
My
__________________
“Eating and sleeping are the only activities that should be allowed to interrupt a man's enjoyment of his cigar;” Mark Twain |
03-11-2014, 10:01 PM | #9 |
Ephesians 2:8
|
Re: Great password
Yeah, put a comma between the names, and an exclamation point at the end and you have a very strong PW!
__________________
God loves you so much, that he made you read this, just to let you know. |
03-12-2014, 12:36 AM | #11 |
Yes I am a Pirate
Join Date: Oct 2008
Location: 33°46′08″N 86°28′16″W / 33.76895°N 86.471037°W
Posts: 2,776
Trading: (52)
|
Re: Great password
Now my head hurts!!
__________________
Ceilin' fan it stirs the air, Cigar smoke does swirl. The fragrance on the pillow case, and he thinks about the girl. Thanks, JB, 1975. |
03-12-2014, 12:50 AM | #13 |
Admiral Douchebag
|
Re: Great password
Mr. Mark, can you repeat that middle part again?
__________________
Thanks Dave, Julian, James, Kelly, Peter, Gerry, Dave, Mo, Frank, Týr and Mr. Mark! |
03-12-2014, 09:46 AM | #14 |
F*ck Cancer!
|
Re: Great password
How is it that you have employee passwords -- which should be one-way encrypted -- in clear text?
__________________
Need Beads? Need Five Finger Bags? 2 of 3 Requirements for use of the CA Rolodex: 100 posts/ 60 day membership/ participation in trade (trader rating). New members can be added at any time. |
03-12-2014, 09:50 AM | #15 |
Bunion
|
Re: Great password
You 'crack' them by encoding them (MD5 or SHA-1 these days) and comparing the resulting ciphertext with the stored one. This is the same way that the logon process verifies that you entered the correct password.
__________________
I refuse to belong to any organization that would have me as a member. ~ Groucho Marx |
03-12-2014, 09:52 AM | #16 |
F*ck Cancer!
|
Re: Great password
My guess is that he did not crack this one...
__________________
Need Beads? Need Five Finger Bags? 2 of 3 Requirements for use of the CA Rolodex: 100 posts/ 60 day membership/ participation in trade (trader rating). New members can be added at any time. |
03-12-2014, 10:01 AM | #17 |
Life, Liberty, Happiness
Join Date: Feb 2010
First Name: Marc
Location: Splitting time between Dayton, NJ and Needmore, PA
Posts: 360
Trading: (0)
|
Re: Great password
So true. Great job markem!
__________________
Marc Fear is the dark room in which negatives are developed. - Anon. |
03-12-2014, 10:01 AM | #18 |
What's this button do?
|
Re: Great password
It's just a joke.
Hey Mark, that formula doesn't seem to take into account that after each guess the pool of guesses gets smaller, thereby increasing your chance of a lucky guess each time. Not that it would matter on a 52 character password.
__________________
|
03-12-2014, 10:11 AM | #19 | |
Bunion
|
Re: Great password
Quote:
The value of (50**52) is the list of all passwords within that space (technically one could argue that it is 50**53 but that's not as important in this case). This value represents the 'closure' or fully enumerated list of possible combinations within the space from 1 character up to 50 character passwords including all possible combinations. Once again, the crypto math is a little bit more than this, but this approximation is close enough for hand grenades and atom bombs.
__________________
I refuse to belong to any organization that would have me as a member. ~ Groucho Marx |
|
03-12-2014, 10:04 AM | #20 |
Bunion
|
Re: Great password
Okay, students, we've looked at the brute force method, not let's look at a slight improvement on that approach.
The English language has 1,025,110 words, more or less. This means that for Anderson's formula, the value of 'N' just got really small. Anderson’s Formula P>=TG/N P – Probability of guessing a password T – Time G – No. of guesses in a time period N – No. of possible passwords So going back to our example of the likelihood of cracking a password in less that a year, we have: P >= (3.1536*10**7)*50000)/(52**50) // old calculation with very large denominator P >= (3.1536*10**7)*50000)/(1025110**9) // new calculation with very small denominator P>= 1.54*10**(-3) which is 1.54% This looks ominous because by making a very small change to the search algorithm, the chances of cracking the password with no other information than that the password consists of English language words leaves us with a dramatic increase in the probability to break the password. If we know that the password is a list of names (people and place) then it comes down far faster. We can easily approach 100% chance of success just by learning a bit more about the person we wish to crack. One trivial modification is to only check words with the first letter capitalized, which changes (1025110**9) to ~(505022**9). For example, here is a list of towns that I have lived in since I was 21 as a password: ButteSaltLakeCityRedmondKentBellevueBeaverton Heck, I could also toss in a zip code or two. However, a local sysadmin, who may have access to my resume in the HR database, would know to make these place names a priority (along with names of references, relatives, etc).
__________________
I refuse to belong to any organization that would have me as a member. ~ Groucho Marx |
Thread Tools | |
Display Modes | |
|
|