
Factors that impact on a password strength (Section 2)

Any password that is a single word is already in the cracker's dictionary, and words of any length can be checked in roughly the same amount of time using what is appropriately called a ‘dictionary’ attack. This means that all those easy and interesting long words you know can’t safely be used, at least not on their own. A dictionary attack reduces the problem of guessing individual characters to guessing whole words. Words are finite, so if you use just one word as your password it is essentially a one-letter password drawn from a 25 thousand letter alphabet. That isn’t many guesses.

“Wait a second, I’ve got a cunning plan! It’s so simple: I’ll just use TWO words. What about this: ‘Fantasticclown’. You won’t find that in any dictionary, I bet.”

– You, maybe

Factor 3. Password complexity

You would be correct: the word Fantasticclown doesn’t appear in any dictionary in that form, but its components do. Crackers have been evolving their techniques over time, and it isn’t difficult to program the cracking software so that it combines every word with every other word in every arrangement. That 25 thousand words becomes 625 million composite words, which is still very easy for a computer to accommodate. It would take combining several words together to stand a chance of defeating such a technique. There are other ways around this: keeping to the idea that a password should be easy to remember, varied and long, you might consider inventing your own words. Those probably wouldn’t be in any dictionary, provided you avoid obvious non-words like ‘flibble’, which could be considered predictable.

Crackers like to put as many words as they can into their dictionaries. It increases the pool of potential guesses hugely, since each word is multiplied by every other word, and again for each and every combination of dictionaries. One might have a dictionary of important dates and years, another perhaps popular brand names: anything that someone somewhere might predictably and inevitably pick as all or part of their password. Right now someone with the password “PepsiFrog1999” is spitting virtual feathers because they thought they were oh so clever, when in fact it was entirely predictable with some careful thought.

Crackers also employ what is known as a mask attack. A mask tells the software what sort of character to expect at any given position. For example, the mask ‘ULLANN’ would mean one uppercase letter, then two lowercase letters, then any symbol, followed by two numbers. The Pepsi password has numbers on the end, and this is extremely common; the numbers are often dates, or even phone numbers. Because crackers can rely on this predictability, they can set their software to choose its guesses carefully and skip the guesses that are less likely to reward being checked. In this example, checking the last four characters while ignoring every non-number symbol is very rewarding, given the human propensity to append numbers to the end of a password. Predictability weakens a password, letting the cracker strip away all the wasted effort and focus elsewhere.

When set up properly, an attack on a password hash will usually combine many different methods. It might start by combining dictionaries of words, applying the substitution rules of leet speak and any other relatively predictable but small changes a human might make to a word. Afterwards the cracker might run a series of mask attacks, perhaps with a whole dictionary of masks built around common arrangements of letters. When all else fails, they might try brute force: trying every possible combination from start to finish, assuming they have the time, or that the universe hasn’t evaporated since they started the crack. I realise that sounds like quite an absurd claim, but go to the How Secure Is My Password page and type anything over twenty-something letters. At twenty-two letters, it reports fourteen quadrillion years.

14,000,000,000,000,000

The F1sh1nG4 password we mentioned before, besides being a little on the short side in terms of defence against brute force attacks, would also be picked out by a dictionary + rule attack.

Clearly ‘Fishing’ is a common word, swapping ‘i’ for ‘1’ is extremely common, and the 4 on the end achieves very little, since trailing numbers are assumed. What remains is merely a capital ‘G’, and in terms of unpredictability that buys nothing: a computer will easily check every upper and lower case version of ‘Fishing’ while applying all the obvious variations.
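To make the point concrete, here is a rough estimator, added as an example and not code from the article or from Octagon Technology, that applies the article's attack classes in the order a cracker would: strip the assumed trailing digits, undo leet substitutions, check for one dictionary word, then two glued words, and only then fall back to brute force. The word list, the leet table, the 25 thousand word dictionary size and the character-class sizes are all assumptions; the word list is a constructed stand-in for a real cracker's dictionary.

```python
import string

# Constructed, tiny stand-in for a cracker's word list; a real one is far larger.
WORDS = {"fantastic", "clown", "fishing", "pepsi", "frog"}
DICT_SIZE = 25_000          # the article's assumed dictionary size (assumption)
LEET = {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}
CLASSES = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
           (string.digits, 10), (string.punctuation, 33)]

def strip_suffix_digits(pw):
    """Split off the trailing digits a mask attack would guess separately."""
    core = pw.rstrip(string.digits)
    return core, len(pw) - len(core)

def undo_leet(text):
    """Reverse the leet substitutions a rule attack tries, and drop case."""
    return "".join(LEET.get(ch, ch) for ch in text).lower()

def two_words(core):
    """Return (a, b) if core is two dictionary words glued together, else None."""
    for i in range(1, len(core)):
        if core[:i] in WORDS and core[i:] in WORDS:
            return core[:i], core[i:]
    return None

def brute_force_space(pw):
    """Guesses for exhaustive search over the character classes the password uses."""
    alphabet = sum(size for chars, size in CLASSES if any(ch in chars for ch in pw))
    return alphabet ** len(pw)

def estimate(pw):
    """Return (attack that finds it, number of guesses that attack needs)."""
    core, ndigits = strip_suffix_digits(pw)
    base = undo_leet(core)
    suffix = 10 ** ndigits            # every possible digit suffix of that length
    if base in WORDS:
        return "dictionary + rules", DICT_SIZE * suffix
    if two_words(base):
        return "two-word combinator", DICT_SIZE ** 2 * suffix
    return "brute force", brute_force_space(pw)

if __name__ == "__main__":
    # The last password is a constructed 22-character string, not a recommendation.
    for pw in ["F1sh1nG4", "Fantasticclown", "PepsiFrog1999", "xq7!Lm2#vZ9pWb4&tR8yKd"]:
        attack, n = estimate(pw)
        print(f"{pw:24} {attack:22} {n:.3e} guesses")
```

F1sh1nG4 collapses to 25 thousand words times ten digit suffixes, Fantasticclown to the article's 625 million composites, while the 22-character string only yields to exhaustive search.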

This is with current technology, algorithms and general understanding of maths as we know it, and don’t talk to me about quantum computers!

Ben

Ben is looking after our clients’ IT systems and backups, making sure their equipment and infrastructure are responsive and reliable.

If you would like to talk to Ben about anything mentioned in this article please let me know and I will ask him to contact you and answer your questions.

Kamila

General Manager

Octagon Technology Ltd