This article turned out to be about three times longer than I expected, this is easily the longest article I've ever written. I've tried to format this as best I can but I understand this may be a bit hard to read so I apologize in advance. Take your time reading this, it is definitely worth it to know all this and I wonít be writing my next article for a while.
If you haven't already, I strongly suggest you read the series introduction before reading this.
Why Strong Passwords Help
When Strong Passwords Hurt
How Passwords are Cracked
1. Article Introduction
Passwords are often the only line of defense against unauthorized access and they are used almost everywhere, for this reason they are generally the most targeted part of a system. This article is about passwords and their security. This article will cover why you need strong passwords, when strong passwords will be bad and how passwords are cracked.
2. Why You Need Strong Passwords
The reason you need a strong password is obvious, without it someone will guess it and gain access. But what is a strong password? A strong password will contain as many of the following as possible:
8 or more characters (I use 11 or more)
Mixed case letters
No sequences (123456, 123123, abc123, ect)
Exclusivity (not using it on every site)
Changing every certain amount of time
It is not unrealistic to expect that all of these be fulfilled except the last. These passwords make it nearly impossible to guess, brute force or reverse.
Side Note: One main problem is remembering the password; I always have people tell me that they just canít remember strong passwords. While simple patters are bad, meaningless sequences are fine. What I mean by this is that the passwords PanViera720p_]h and ComPreCQ56Z=+l can be very easy to remember if your TV is a Panisonic Veira with that displays a 720p resolution or your computer is a Compaq Presario CQ56X. All that you have to remember is _]h and =+l, not hard at all. They both follow the pattern of the first three letters of a brand name, something about that item, two punctuations and a lower case letter. This sequence is meaningless; there is no widely known reason for it.
3. When strong passwords hurt
The bottom line is that people like doing things the easy way. Even with all the automated rules in place they will find ways to make it bad if it gets too hard. Generally if they get too hard the person will write the password down, once this happens all the measures you have in place go bye-bye. I once worked at a place where a large number of employees had their passwords on post-it notes on their monitors. I could literally have reached in and taken them all from the unmanned cubicles. This was a financial intuition so those passwords had confidential data behind them.
The balance here is difficult, you canít have weak passwords and you canít cause users to make matters worse. Itís your job to figure out where the best point is on your systems.
4. How passwords are cracked
Passwords can be cracked a number of ways: A. Guessing
This applies to simple passwords, before even doing anything complex an attacker will generally try basic passwords. Passwords that will be guessed generally include the word password or any 1337 variation of it and simple number and letter sequences. There are less than ten of these that come to memory but they compose a lot of the passwords out there.
Bruteforcing is when an attacker guesses every possible password. Unless countermeasures are installed passwords can be guessed literally millions of times per seconds. This will make absolutely any simple numerical or letter password ineffective. Bruteforcing can also be done attached to a dictionary so it iterates though every word. These attacks, called dictionary attacks, make it absolutely unsafe to use a word as your password. Attackers will generally try this first because it takes very little time. Furthermore there are hybrid attacks that take dictionary words and do things with them, while this takes thousands of times longer than a regular dictionary attack it still takes a lot less time than brute force attacks and it renders passwords like B1ker123 unsafe.
C. Reset abuse
Password resets that take place completely on the site are dangerous. Common questions are where you were born or what model of car you first had. Itís not like then-17-year-olds post about their car
or has their hometown listed publically on their facebook profile. Information can be gathered fairly easily though social engineering. Even if the information cannot be gathered it can be bruteforced like a password, except it may be easier. Assume you are asking what the model of your first car is. There are not that many models; this could be iterated though using a script in just a few seconds.
D. Email hacking
Many times users will have a weak password on their email because they arenít forced to have a good one. This can be problematic because many sites will just email the user everything needed to reset the password; or just email the password itself. So if a hacker gets on to the email account they can simply request a reset from the site and get in.
E. Packet sniffing
If the connection is unencrypted an attacker can place a packet sniffer on either the client or the server and intercept the password as it comes in. Most login forms are non-encrypted, it is also notable that FTP is unencrypted. This means that as soon as the client logs in the information is sent to the server and a copy is sent to the attacker. This allows the attacker to view the login information in plain text.
F. Rainbow tables
Passwords are generally stored in a database, hashed, generally via SHA1 or MD5. While the algorithms these functions use are non-reversible, the original passwords can still be discovered by guessing a lot of times. For this example I will use very easy passwords so that even people on not terribly high powered computers can follow along without any real delays. I typed three random keys on my keyboard, I did not know what this hash was prior to running the table:
Using rainbowcrack I figured the password out.
This can in theory be done with any length password, although the longer the password the longer it takes to generate the table. This is an exponential function so each difference in length results in more possibilities than the last. Iíll explain the math later.
Look into the tool rainbowcrack at http://project-rainbowcrack.com/, it is an interesting tool and works on Windows and Linux. Please note that Rainbowcrack is not a straight up bruteforcer, it uses advanced methods to make the process quicker. That is why you must first generate a rainbow table then compare stuff against it. Either way it is worth knowing how to use.
The math of cracking passwords:
The two ways of expressing the speed of brutedforcing are hashes per second and seconds per hash, they simple the inverse (1/x) of each other. This rate is fairly constant for each computer so it serves as an effective way to estimate how long it will take to get the password.
The primary issue with bruteforcing long passwords is that length expands things geometrically. This means that the difference between a 2 and a 3 letter password is very different than the difference between a 6 land a 7 letter password.
This graph shows the amount of possibilities for lowercase only passwords (click on graph for full size image):
This graph shows a strong password that uses both cases, numbers and 31 punctuation marks.
As you can see, every time a password gets longer the possibilities grow exponentially. Please note that the numbers before 10 are not small, they just donít show up on images this small when looking at a graph, for that reason I included the values for each point. Now letís get into computers cracking them.
Using Cain and Abel I am able to bruteforce SHA1 passwords at about 4.2 million per second. This means that to crack the 7 character secure password above I would spend as much as 74 days. If I wanted to do the 8 character one it would take me as much as 17 years. Finally if I want to go at the 10 char one I am looking at a little over 117,000 years.
G. GPU Password Cracking
So thatís the end of it, isnít it? If you use a 10 character strong password no one will get into it. Unfortunately it doesnít quite end there. While the fine details get into electrical engineering, the processors in your graphics card are orders of magnitude more efficient at calculating hashes than your CPU. As such if you can harness it you can brute force passwords much faster. With a GPU password cracker I am able to crack SHA1 passwords at an average of around 620 million passwords a seconds. This is with a single NVIDIA GTX 460, a higher end card at the time of this writing. This still means very little for my machine, it would still take tens of thousands of years to do a 10 character password.
However larger organizations (such as most major governments) have very expensive equipment designed to tackle this. The machines cascade dozens of high end cards and run very optimized custom software. While I have not seen these for myself I was told during a speech at Defcon that these computers can take down even good passwords in an amount of time that would make it a threat. These computers constantly improve so there is a good chance they are even faster than in August when I attended the speech.
In a post below when I initially started playing around with this I reported a speed of billions a second, this number turned out to be inaccurate as it was apparently not doing anything during the loop. Something was fundamentally wrong with the program and caused me to get a number that high.
H. Biocomputing This is a strange field that is still in its infancy, but if Biocomputing turns out to be everything we hope it will the gig is pretty much up, any hash will be vulnerable. In theory computers like our brain, if harnessed correctly, would leave any conventional circuit in the dust. So some scientists are trying to create computers out of biological material. I only include this because I find the idea really cool, it is of no real threat to us at this time nor will it be for many years.
I. Social Engineering
Most users are unbelievably gullible. Just call as the IT department and make up some lame excuse as to why they need your password and it will have a good chance of working. Even though IT has probably said many times that they will never need the password there is still a good chance that the user will decide to give it. The reason for this is that non-technical users donít understand how these attacks work and they in general want to leave computer related tasks to computer people. So all you have to do is call as someone who is going to do the computer stuff for them and they wonít ask questions.
The following are countermeasures to each of the ways that passwords are cracked: Guessing
Donít use sequential passwords or words that relate to you (any name in your family, ect), thatís really all this one takes
Donít use short passwords, bruteforce attacks are only effective against short and alphanumeric passwords. Add some punctuation in there and keep the length above 8. Also lock the user out for a period of time if he gets too many passwords wrong in a short period (5 in 15 minutes with a 10min lockout is reasonable). The final countermeasure is two-factor authentication. Once they enter their username and password take them to another page that asks them something else, even if easy it renders brute forcing impossible since the web requests take too long even if you know the answer to the question.
Reset abuse and email hacking
Make the user answer two secret questions and donít tell them which one they got wrong should they answer incorrectly. This makes it much harder to brute force since the attacker does not know if he gets a single one right. Then limit the number of guesses, if they get too many wrong in a 5 minute period lock them out for 15 min. This simple technique renders brute force attacks useless.
If the password reset is sent to an email, require the steps given above to send out the email. Doing this ensures that even if someone hacked the users email they still have to know that information to reset the password.
Use SSL. If the siteís security is crucial it is absolutely necessary to use an SSL connection. Basically what SSL does is it encrypts the data going though so even if the data is intercepted it is useless.
Salt every password differently, this means that a different set of characters is appended to each password as it is hashes. This forces the attacker to create a new rainbow table for every single password, decreasing his chances of finding anything useful. A bit more about salting
Salting is when you append a string, generally only a few characters in length, to a string before hashing it. So if you had a salt of ďabcĒ and a password of ď123456Ē the string to be hashed would be ďabc123456.Ē The advantage to this is that abc123456 has a different hash than 123456; a cracker would need to gain access to the salt before a rainbow table would be effective. If each user in your system has a different salt the cracker will be required to generate a new table for each and every password.
Humans are the link that can never be fully fixed; they are widely regarded as the only ever-present security risk. Unfortunately you can only mitigate this risk, there is no fix. Education is the way you mitigate this. Have someone from your company go down and pull everyone into the conference room and explain password security. Make sure it is more than clear that no one from the company will ever ask for their passwords. Actually taking their time for this solidifies the idea that this is a big deal, not just an email footer that can be ignored.