2. composition
A password …
• Is a string of letters, numbers, and/or special characters
• Is THE primary authentication and authorization method
• Is passed through a mathematical function to obfuscate it
• SHOULD be stored encrypted
• Is only as strong as the time that it takes for an attacker to crack it
• With access to modern computing power, doesn’t take very long
• A rainbow table is a pre-computed table of hashes for every possible password in the space
• Is no match for a massively parallel cluster (Hadoop, Google, etc.)
3. composition
Search Space
• Depth (alphabet)
• Length (number of characters)
• Exhaustive search (guess every possibility in the space)
• Dictionary (reduce the search space to good guesses)
Time to search (how long to guess the hash – real wall clock time)
• Online (generate guesses in real time)
• Offline (pre-computed rainbow tables)
• Massively parallel GPU array (nation states, hackers, google, etc.)
4. explanation
Encryption methods
• MD5 hash: pre-calculated rainbow tables available, easily cracked
• SHA1/256/512 hashes: multiple attacks demonstrated
• Phpass (PHP): basically blowfish – some implementations are buggy
Cloud computing and parallel computing greatly reduce time to crack (TTC)
Modern GPU video cards easily can perform 1,000,000 guesses/second
Using common dictionary words (or permutations) makes it easy
What you want is called “entropy” or more commonly “randomness”
5. examples
Password: brewer
Composition: all lower case (26 characters)
Length: 6 characters
Exhaustive search size: 321,272,406 possibilities (3.21 x 10^8)
• Online: 3.72 days
• Offline (rainbow tables): 0.00321 seconds
• Cluster: 0.00000321 seconds
Conclusion: not a strong password
6. examples
Password: Chase123
Composition: upper and lower case and numbers (26+26+10 = 62)
Length: 8 characters
Exhaustive search size: 221,919,451,578,090 possibilities (2.22 x 10^14)
• Online: 70.56 centuries
• Offline (rainbow tables): 36.99 minutes
• Cluster: 2.22 seconds
Conclusion: not a strong password
7. examples
Password: SubuKrishnamurti
Composition: upper and lower case (26+26 = 52)
Length: 16 characters
Exhaustive search size: 2,913,980,664,356,126,978,428,175,620 possibilities (2.91 x 10^27)
• Online: 9.27 hundred trillion centuries
• Offline (rainbow tables): 9.27 million centuries
• Cluster: 9.27 thousand centuries
Conclusion: a strong password
8. examples
Password: Ch4n........ (eight periods)
Composition: upper and lower case, numbers, and special characters (26+26+10+33 = 95)
Length: 12 characters
Exhaustive search size: 546,108,599,233,516,079,517,120 possibilities (5.46 x 10^23)
• Online: 1.74 hundred billion centuries
• Offline (rainbow tables): 1.74 thousand centuries
• Cluster: 1.74 thousand centuries
Conclusion: a strong password doesn’t have to be hard to remember
9. observations
So, mister password smarty pants, how good are *your* passwords?
• Everything is ten (10) characters or more
• Everything is upper and lower with at least one special character
• Sounds pretty impressive, right? Guess what…
• They STILL suck!
Length: 10 characters, depth: 95 (26+26+10+33 = 95)
Exhaustive search size: 60,510,648,114,517,017,120 (6.05 x 10^19)
Time to Crack (TTC): between 2.5 hours and 28 months (cluster)
Conclusion: I need to change some of my passwords
10. observations
Size matters - BUT content matters also
• 12345678901234567890 – length is 20 characters, but depth is only 10 digits
• Exhaustive search size: 111,111,111,111,111,111,110 (1.11 x 10^20)
• Online: 35.33 million centuries
• Offline: 35.33 years
• Cluster: 1.84 weeks
Conclusion: NOT a strong password
11. observations
Content matters - BUT size matters also
• UR0wn3d! – depth is 95 (26+26+10+33), but length is only 8 characters
• Exhaustive search size: 6,704,780,954,517,120 (6.70 x 10^15)
• Online: 2.13 thousand centuries
• Offline: 18.62 hours
• Cluster: 1.12 minutes
Conclusion: NOT a strong password
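The arithmetic behind slides 5 through 11, as an added worked example (this script is not part of the original deck). Two things are inferred from the slide figures rather than stated on them and are therefore assumptions: the "exhaustive search size" counts every candidate of length 1 up to the password length (the sum of depth^i for i = 1..L, not just depth^L, which is what makes 26 lower-case letters at length 6 come to 321,272,406), and the three attacker tiers guess at 10^3 (online), 10^11 (offline / rainbow table) and 10^14 (cluster) guesses per second. With those two assumptions the script reproduces the slide numbers; the function names and the 33-character special-character set (Python's punctuation plus space) are the example's own choices.

```python
"""Search-space and time-to-crack (TTC) calculator for the slide examples.

Added example, not from the original slides. Assumptions (inferred from the
slide figures): the search space is sum(depth**i, i = 1..L), and the attacker
tiers run at 10**3, 10**11 and 10**14 guesses per second.
"""
import string

# Character classes as the slides count them: 26 + 26 + 10 + 33 = 95.
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SPECIAL = string.punctuation + " "  # 32 punctuation characters plus space = 33

# Guesses per second for each attacker tier (assumed, see docstring).
RATES = {"online": 10**3, "offline": 10**11, "cluster": 10**14}


def depth_of(password: str) -> int:
    """Alphabet size an exhaustive attacker must assume, from the classes present."""
    classes = [LOWER, UPPER, DIGITS, SPECIAL]
    return sum(len(c) for c in classes if any(ch in c for ch in password))


def search_space(depth: int, length: int) -> int:
    """Every candidate of length 1..length over an alphabet of `depth` symbols."""
    return sum(depth ** i for i in range(1, length + 1))


def ttc_seconds(space: int, rate: int) -> float:
    """Worst-case wall-clock seconds to exhaust `space` at `rate` guesses/second."""
    return space / rate


def human(seconds: float) -> str:
    """Render seconds in the largest unit that fits (365.25-day years)."""
    units = [
        ("centuries", 3_155_760_000), ("years", 31_557_600), ("weeks", 604_800),
        ("days", 86_400), ("hours", 3_600), ("minutes", 60),
    ]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.2f} {name}"
    return f"{seconds:.3g} seconds"


def report(password: str) -> dict:
    """Depth, length, search space and TTC (seconds) per tier for one password."""
    depth, length = depth_of(password), len(password)
    space = search_space(depth, length)
    out = {"depth": depth, "length": length, "space": space}
    out.update({tier: ttc_seconds(space, rate) for tier, rate in RATES.items()})
    return out


def growth_per_extra_char(depth: int, length: int) -> float:
    """How much the search space (and so the TTC) grows by adding one character."""
    return search_space(depth, length + 1) / search_space(depth, length)


if __name__ == "__main__":
    # Passwords taken from the slides; "Ch4n" followed by eight periods.
    for pw in ["brewer", "Chase123", "SubuKrishnamurti", "Ch4n........",
               "12345678901234567890", "UR0wn3d!"]:
        r = report(pw)
        print(f"{pw:22} depth={r['depth']:3} len={r['length']:2} "
              f"space={r['space']:,}")
        for tier in RATES:
            print(f"{'':22}   {tier:8} {human(r[tier])}")
    # One more character at depth 95 multiplies the work by roughly 95.
    print(f"x{growth_per_extra_char(95, 11):.1f} per extra character at depth 95")
```

Running it prints, for example, 3.72 days / 3.21e-06 seconds for "brewer" and 2.22 seconds (cluster) for "Chase123", matching slides 5 and 6; the last line shows why the "+1 or +2 characters" fix on slide 12 moves a cluster crack from years to centuries.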
12. modifications
Reviewing my own commonly used passwords …
Almost all were weaker than I believed – I thought I had strong passwords
A very simple modification fixes the problem – add 1 or 2 more characters
• Example: password cracking (cluster) was 1.83 years (still potentially vulnerable)
• Added one (+1) or two (+2) additional characters to each existing password
• Result: new password cracking time (cluster) becomes 1.74 CENTURIES
No more difficult to memorize or remember since I use a password vault
As long as password hashes are stored encrypted, my credentials are safe
13. conclusions
• Need to use the largest available character space
• Need to use the longest password length possible
• Eight (8) characters DEFINITELY is NOT enough
L!v2H4K! – length: 8, depth: 95, TTC: 1.12 minutes (cluster) (18.62 hours offline)
IsThisLongEnuf – length: 14, depth: 52, TTC: 3.43 centuries (cluster)
@@TheMovies!! – length: 13, depth: 85, TTC: 38.90 centuries (cluster)
@TheM0vies! – length: 11, depth: 95, TTC: 1.83 years (cluster)
• If forced to choose, length beats content
14. conclusions
• Most frequently used passwords in the recent Avid Media breach:
• 123456
• Password
• Eight (8) characters DEFINITELY is NOT enough
• Fourteen characters is the new BLACK
• Get creative – utilize the password strength policy to your advantage
• Password aging is NOT a good policy – users will pick weaker passwords
• Online password strength testers are available – test your new passwords