Passwords
Gregory W. MacPherson
CCNA, CISSP, Security+, ITIL, etc.
greg@constellationsecurity.com
composition
A password …
• Is a string of letters, numbers, and/or special characters
• Is still THE primary authentication method (authorization decisions are made after the login succeeds)
• Is passed through a one-way hash function before it is stored; the server keeps the hash, not the password
• SHOULD be stored as a salted, deliberately slow hash (bcrypt, scrypt, PBKDF2), never in plaintext or reversibly encrypted
• Is only as strong as the time that it takes for an attacker to crack it
• With access to modern computing power, doesn’t take very long
• Rainbow table: a pre-computed lookup of hashes covering a search space, so a stolen unsalted hash is cracked by lookup instead of guessing (a per-user salt defeats it)
• Is no match for a massively parallel cluster (Hadoop, Google, etc.)
composition
Search Space
• Depth (alphabet: how many different characters can appear in each position)
• Length (number of characters)
• Exhaustive search (guess every possibility in the space: every string of every length from 1 up to the password’s length)
• Dictionary (reduce the search space to good guesses: words, names, and common permutations of them)
Time to search (how long to guess the hash – real wall clock time) depends on how fast the attacker can test guesses
• Online (guesses sent to the live login form, rate-limited; the figures below assume about 1,000 guesses/second)
• Offline (the attacker holds the stolen hashes and tests guesses locally: pre-computed tables or a GPU rig against a fast unsalted hash; the figures below assume about 100 billion guesses/second)
• Massively parallel GPU array (nation states, hackers, google, etc.; the figures below assume about 100 trillion guesses/second)
explanation
Hashing methods (not encryption: a password hash must be one-way)
• MD5 hash: fast, and unsalted in most deployments; pre-calculated rainbow tables
available, easily cracked
• SHA1/256/512 hashes: nobody reverses them directly, but they are fast general-purpose
hashes, so a GPU tests billions of guesses per second against an unsalted SHA
• Phpass (PHP): bcrypt (Blowfish-based) where available, iterated MD5 as the
portable fallback – some implementations are buggy
Cloud computing and parallel computing greatly
reduce time to crack (TTC)
A single modern GPU video card easily performs well over
1,000,000 guesses/second against a fast hash (billions/second for MD5)
Using common dictionary words (or
permutations) makes it easy: a cracker runs a wordlist through mangling rules
(capitalize, append digits, leet substitutions) long before it touches the full search space
What you want is called “entropy” or more
commonly “randomness”
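The dictionary point above is the one the exhaustive-search figures later in the deck do not capture. The following is an added example, not code from the slides: a miniature rule-based cracker in the style of a John the Ripper or hashcat rule file, run over a constructed wordlist against unsalted SHA-256 hashes of three of the deck’s own example passwords. The wordlist, the mangling rules and the "stolen" hash dump are all constructed here; real wordlists have millions of entries and real rule sets thousands of rules.

```python
# Added example (not from the slides): why dictionary words and their
# permutations are "easy". A cracker does not brute-force the whole search
# space; it pushes a wordlist through mangling rules and a two-word
# combinator, cheapest guesses first. Everything below is constructed.
import hashlib
import itertools

# Leet substitutions a typical rule file applies.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})

# Constructed wordlist: a few dictionary words and first/last names.
WORDLIST = ["password", "brewer", "chase", "movies", "subu", "krishnamurti"]

# Suffixes people append to satisfy "must contain a digit/symbol" policies.
SUFFIXES = ("1", "123", "!", "2013", "!1")


def rules(word: str):
    """Yield mangled variants of one word, most common forms first."""
    bases = [word, word.capitalize(), word.upper(),
             word.translate(LEET), word.capitalize().translate(LEET)]
    for base in bases:
        yield base
    for base in bases:
        for suffix in SUFFIXES:
            yield base + suffix


def combinator(words):
    """Two-word concatenation, e.g. FirstnameLastname."""
    for a, b in itertools.permutations(words, 2):
        yield a.capitalize() + b.capitalize()


def candidates():
    """The full guess stream: every word through every rule, then pairs."""
    for word in WORDLIST:
        yield from rules(word)
    yield from combinator(WORDLIST)


def unsalted_sha256(password: str) -> str:
    """Models a site that stores a fast, unsalted hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack(target_hashes: set) -> dict:
    """Return {hash: (plaintext, guess_number)} for each target recovered."""
    found = {}
    for n, guess in enumerate(candidates(), start=1):
        h = unsalted_sha256(guess)
        if h in target_hashes and h not in found:
            found[h] = (guess, n)
            if len(found) == len(target_hashes):
                break
    return found


def search_space(alphabet: int, length: int) -> int:
    """The slides' exhaustive count, for comparison with the guess numbers."""
    return sum(alphabet ** i for i in range(1, length + 1))


if __name__ == "__main__":
    # Constructed "stolen" hash dump built from the deck's example passwords.
    targets = {unsalted_sha256(p): p
               for p in ["brewer", "Chase123", "SubuKrishnamurti"]}
    for h, (plaintext, n) in crack(set(targets)).items():
        print(f"{plaintext!r:20} recovered at guess #{n}")
    print("exhaustive space for Chase123 (62^1..62^8):", search_space(62, 8))
    print("exhaustive space for SubuKrishnamurti     :", search_space(52, 16))
```

All three fall in a few hundred guesses: one is a bare dictionary word, one is a capitalized word plus "123", and the 16-character "strong" one is two names joined, which a combinator attack reaches without ever touching the 10^27 space the slides compute for it. A string like the deck’s "Ch4n…….." does not appear in the stream at all, which is what makes it strong in practice.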
examples
Password: brewer
Composition: all lower case (26 characters)
Length: 6 characters
Exhaustive search size: 321,272,406 possibilities (3.21 × 10^8)
• Online: 3.72 days
• Offline (rainbow tables / fast GPU hash): 0.00321 seconds
• Cluster: 0.00000321 seconds
Conclusion: not a strong password (and it is a dictionary word, so a wordlist finds it in a handful of guesses)
examples
Password: Chase123
Composition: upper and lower case and numbers (26+26+10 = 62)
Length: 8 characters
Exhaustive search size: 221,919,451,578,090 possibilities (2.22 × 10^14)
• Online: 70.56 centuries
• Offline (rainbow tables / fast GPU hash): 36.99 minutes
• Cluster: 2.22 seconds
Conclusion: not a strong password (a capitalized word plus "123" is one of the first mangling rules a cracker tries)
examples
Password: SubuKrishnamurti
Composition: upper and lower case (26+26 = 52)
Length: 16 characters
Exhaustive search size: 2,913,980,664,356,126,978,428,175,620 possibilities (2.91 × 10^27)
• Online: 9.27 hundred trillion centuries
• Offline (rainbow tables / fast GPU hash): 9.27 million centuries
• Cluster: 9.27 thousand centuries
Conclusion: a strong password against exhaustive search; but it is two names joined together, so a combinator attack over a name list reaches it far sooner than these figures suggest, which makes them an upper bound
examples
Password: Ch4n…….. (eight periods)
Composition: upper and lower case, numbers and symbols (26+26+10+33 = 95)
Length: 12 characters
Exhaustive search size: 546,108,599,233,516,079,517,120 possibilities (5.46 × 10^23)
• Online: 1.74 hundred billion centuries
• Offline (rainbow tables / fast GPU hash): 1.74 thousand centuries
• Cluster: 1.74 centuries
Conclusion: a strong password doesn’t have to be hard to remember
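The search-space slide and the four examples above all come from the same two formulas: the space is the sum of depth^i for every length i from 1 to the password length, and TTC is that space divided by the attacker’s guess rate. The code below is an added example, not from the slides, that reproduces the deck’s numbers. The three guess rates (1,000/s online, 10^11/s offline, 10^14/s cluster) are assumptions back-calculated from the figures on the slides, not measurements, and the 33-symbol count follows the slides’ own depth arithmetic.

```python
# Added example, not from the slides: reproduces the "exhaustive search
# size" and time-to-crack (TTC) figures. The guess rates are assumptions
# inferred from the slides' own numbers, not measurements.

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed attacker speeds (guesses per second), back-calculated from the slides.
RATES = {
    "online": 1e3,     # live, rate-limited login form
    "offline": 1e11,   # stolen unsalted fast hash on one GPU rig
    "cluster": 1e14,   # massively parallel GPU array
}

# Character-class sizes the slides use to build the "depth" (alphabet size).
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def depth(password: str) -> int:
    """Alphabet size implied by the character classes actually present."""
    present = set()
    for ch in password:
        if ch.islower():
            present.add("lower")
        elif ch.isupper():
            present.add("upper")
        elif ch.isdigit():
            present.add("digit")
        else:
            present.add("symbol")   # anything else counts as one of the 33 symbols
    return sum(CLASSES[c] for c in present)


def search_space(alphabet: int, length: int) -> int:
    """All strings of length 1..length over the alphabet (what the slides sum)."""
    return sum(alphabet ** i for i in range(1, length + 1))


def ttc_seconds(space: int, rate: float) -> float:
    """Worst-case wall-clock time to try the whole space at a given rate."""
    return space / rate


def humanize(seconds: float) -> str:
    """Render seconds in the largest unit that gives a value of at least 1."""
    units = [
        ("centuries", 100 * SECONDS_PER_YEAR),
        ("years", SECONDS_PER_YEAR),
        ("weeks", 7 * 86400),
        ("days", 86400),
        ("hours", 3600),
        ("minutes", 60),
    ]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.2f} {name}"
    return f"{seconds:.6f} seconds"


def report(password: str) -> dict:
    """Depth, length, search space and TTC under each assumed attacker."""
    d, n = depth(password), len(password)
    space = search_space(d, n)
    result = {"depth": d, "length": n, "space": space}
    for name, rate in RATES.items():
        result[name] = ttc_seconds(space, rate)
    return result


if __name__ == "__main__":
    # The slides' examples plus the 20-digit and 8-character "observations".
    for pw in ["brewer", "Chase123", "SubuKrishnamurti", "Ch4n........",
               "12345678901234567890", "UR0wn3d!"]:
        r = report(pw)
        print(f"{pw:22} depth={r['depth']:3} len={r['length']:3} "
              f"space={r['space']:.2e}  online={humanize(r['online'])}, "
              f"offline={humanize(r['offline'])}, cluster={humanize(r['cluster'])}")
```

Running it shows that adding one character at depth 95 multiplies the space by 95, which is why the deck’s 11-character 1.83 years becomes 1.74 centuries at 12 characters, while widening the alphabet only changes the base. Note that depth() counts the classes present, so a password that happens to use only digits is scored at depth 10 no matter what the policy allowed, exactly as the 20-digit example on the observations slide is scored.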
observations
So, mister password smarty pants, how good are *your* passwords?
• Everything is ten (10) characters or more
• Everything is upper and lower with at least one special character
• Sounds pretty impressive, right? Guess what…
• They STILL suck!
Length: 10 characters, depth: 95 (26+26+10+33 = 95)
Exhaustive search size: 60,510,648,114,517,017,120 (6.05 × 10^19)
Time to Crack (TTC): between 2.5 hours and 28 months (cluster), depending on the individual password
Conclusion: I need to change some of my passwords
observations
Size matters - BUT content matters also
• 12345678901234567890 – length is 20 characters, but depth is only 10 digits
• Exhaustive search size: 111,111,111,111,111,111,110 (1.11 × 10^20)
• Online: 35.33 million centuries
• Offline: 35.33 years
• Cluster: 1.84 weeks
Conclusion: NOT a strong password (and a keyboard-walk pattern like this sits in every wordlist anyway)
observations
Content matters - BUT size matters also
• UR0wn3d! – depth is 95 (26+26+10+33), but length is only 8 characters
• Exhaustive search size: 6,704,780,954,517,120 (6.70 × 10^15)
• Online: 2.13 thousand centuries
• Offline: 18.62 hours
• Cluster: 1.12 minutes
Conclusion: NOT a strong password
modifications
Reviewing my own commonly used passwords …
Almost all were weaker than I believed – I thought I had strong passwords
A very simple modification fixes the problem – add 1 or 2 more characters
• Example: password cracking (cluster) was 1.83 years (still potentially vulnerable)
• Added one (+1) or two (+2) additional characters to each existing password
• Result: new password cracking time (cluster) becomes 1.74 CENTURIES (each added character at depth 95 multiplies the search space by 95)
No more difficult to memorize or remember since I use a password vault
These figures only hold if the site stores a salted, slow hash that the attacker has to grind through guess by guess; a plaintext or reversibly encrypted store, or the same password reused on a site that gets breached, hands the credential over with no cracking at all
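The composition slide says a password SHOULD be stored "encrypted", and the line above makes the safety of the whole scheme depend on it; what that has to mean in practice is a one-way, per-user-salted, deliberately slow hash. The following is an added example, not code from the slides, using only Python’s standard library to put an unsalted MD5 store next to a PBKDF2-HMAC-SHA256 store with a random salt and a work factor, verified in constant time. The `pbkdf2-sha256$iterations$salt$digest` record layout is this example’s own convention (not the passlib or PHC string format), chosen so the salt and cost travel with the digest and old records can be detected and rehashed.

```python
# Added example (not from the slides): what "stored encrypted" should mean.
# Standard library only. The record format is this example's own, not a
# library's. ITERATIONS is an assumed policy value, to be raised over time.
import hashlib
import hmac
import os

ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor (assumed policy)
ALGO = "pbkdf2-sha256"


def weak_store(password: str) -> str:
    """How NOT to do it: fast, unsalted. Equal passwords give equal hashes,
    so one rainbow-table lookup or one cracked hash unmasks every user
    who chose the same password."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: bytes = b"") -> str:
    """Return a self-describing record: algorithm, cost, salt, digest."""
    if not salt:
        salt = os.urandom(16)          # fresh per-user salt defeats rainbow tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and cost, compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        if algo != ALGO:
            return False
        iterations = int(iterations)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False                   # malformed record: refuse, do not crash
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, expected)   # no timing side channel


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True if the record predates the current algorithm or cost policy;
    rehash it on the next successful login, when the plaintext is available."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGO or not parts[1].isdigit():
        return True
    return int(parts[1]) < iterations


if __name__ == "__main__":
    # Two users who picked the same (weak) password from the slides.
    print("md5   alice:", weak_store("Chase123"))
    print("md5   bob  :", weak_store("Chase123"))     # identical: one crack, two accounts
    alice = hash_password("Chase123")
    bob = hash_password("Chase123")
    print("pbkdf alice:", alice)
    print("pbkdf bob  :", bob)                        # different salts, different digests
    print("login ok   :", verify_password("Chase123", alice))
    print("login bad  :", verify_password("chase123", alice))
    old = hash_password("Chase123", iterations=10_000)
    print("rehash old :", needs_rehash(old))
```

The slow hash does not make "Chase123" strong; a wordlist still finds it. What it does is turn the deck’s 10^11 and 10^14 guesses/second into a few thousand per second per core, so the TTC figures for a long password actually apply, and the salt means every account has to be attacked separately.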
conclusions
• Need to use the largest available character space
• Need to use the longest password length possible
• Eight (8) characters DEFINITELY is NOT enough
L!v2H4K! – length: 8, depth: 95, TTC: 1.12 minutes (cluster) (18.62 hours offline)
IsThisLongEnuf – length: 14, depth: 52, TTC: 3.43 centuries (cluster)
@@TheMovies!! – length: 13, depth: 85, TTC: 38.90 centuries (cluster)
@TheM0vies! – length: 11, depth: 95, TTC: 1.83 years (cluster)
• If forced to choose, length beats content: every extra character multiplies the search space by the depth, while a bigger alphabet only raises the base
conclusions
• Most frequently used passwords in the recent Avid Media breach:
• 123456
• Password
• Eight (8) characters DEFINITELY is NOT enough
• Fourteen characters is the new BLACK
• Get creative – utilize the password strength policy to your advantage
• Password aging is NOT a good policy – users will pick weaker passwords, or predictable increments of the old one
• Online password strength testers are available – test your new passwords, but only with a tool that computes in your browser and never with a password you actually use; a strength meter that sends your input to a server is itself a leak
Fin
Gregory W. MacPherson
CCNA, CISSP, Security+, ITIL, etc.
greg@constellationsecurity.com
