Brute Force Attacks: Beyond password basics


So you have a strong password. Is that enough? The psychology of password creation would suggest we are not necessarily safe from Brute Force Attacks.

“Heuristic brute forcing provides hackers with the ability to crack long and complicated passwords using brute force style password cracking, while not wasting eons trying unrealistic passwords”, according to Brandon Smith, writing as James Penguin for 2600.

Many of us know the basics, or what passes for common sense with regard to workstation security. You know: use anti-virus software, and make certain that the definitions file is up to date. Make certain that your OS is equally well patched. Don’t download software from questionable sites.

With regard to passwords, it’s simple: don’t use passwords that may be found in a dictionary. Enterprises, and the more security-conscious web sites, implement password policies that mandate the use of numbers, letters and, sometimes, special characters.

Is this enough?

With the recent publication of hundreds of thousands of usernames and associated passwords, it appears that common sense is, in fact, not very common.

The recent Yahoo! Email hack revealed that ‘123456’ was used as the password for 1,666 users. Believe it or not ‘password’ was used by 780 users. Please!

Once hackers are able to infiltrate a site, they make their way to the list of usernames and passwords. In that file the passwords are typically not stored in the clear but ‘hashed’, commonly with MD5 (Message-Digest Algorithm 5, a widely used cryptographic hash function).

Hackers then generate hashes of candidate passwords through brute force and compare them against the hashes in the stolen file; a match reveals the password. This is how, after a breach, they are able to post all of the passwords online.

A quick distinction: a dictionary attack is one where the hacker uses a dictionary file, iterating through every word in it to produce a hash that is then compared against the target hash.

Dictionary files can be downloaded from a number of places such as The Pirate Bay, so this is something that script kiddies can use. Dictionary attacks work well on single-word passwords, but fail on more complex passwords such as those required in most mature organizations.
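The following is an added example, not code from the article or from 2600: it shows why a stolen file of unsalted MD5 digests falls to a dictionary attack in one pass (a single hash per candidate serves every user, and identical passwords produce identical digests), and how the defender’s fix, a per-user salt plus an iterated key derivation function, removes the shared lookup and makes every guess cost a full computation per user. The “leaked” records and the five-word dictionary are constructed for the example; the function names and the choice of PBKDF2-HMAC-SHA256 from the standard library are assumptions of this example, not anything the article prescribes.

```python
import hashlib
import secrets

# Constructed sample "leaked" credential file: username -> unsalted MD5 hex digest.
# alice and bob chose the same weak password, so their stored digests are identical.
LEAKED_MD5 = {
    "alice": hashlib.md5(b"password").hexdigest(),
    "bob": hashlib.md5(b"password").hexdigest(),
    "carol": hashlib.md5(b"W1nter_Gard3n-2012").hexdigest(),
}

# Constructed tiny wordlist standing in for a downloaded dictionary file.
WORDLIST = ["123456", "password", "letmein", "qwerty", "monkey"]


def dictionary_lookup_md5(leaked: dict, wordlist: list) -> dict:
    """Recover passwords from unsalted MD5 digests: hash each candidate once,
    build a table, and look every user's digest up in it."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table[h] for user, h in leaked.items() if h in table}


def store_pbkdf2(password: str, iterations: int = 200_000) -> tuple:
    """Defender's storage format (assumed for the example): random 16-byte salt,
    iteration count and the PBKDF2-HMAC-SHA256 derived key."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, dk


def verify_pbkdf2(password: str, record: tuple) -> bool:
    """Re-derive with the stored salt/iterations and compare in constant time."""
    salt, iterations, dk = record
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return secrets.compare_digest(cand, dk)


def dictionary_guess_pbkdf2(records: dict, wordlist: list) -> tuple:
    """Same wordlist against salted records. There is no shared table: each
    (user, candidate) pair costs a full PBKDF2 run. Returns (found, kdf_calls)."""
    found, kdf_calls = {}, 0
    for user, rec in records.items():
        for w in wordlist:
            kdf_calls += 1
            if verify_pbkdf2(w, rec):
                found[user] = w
                break
    return found, kdf_calls


if __name__ == "__main__":
    print("unsalted MD5, one table for everyone:", dictionary_lookup_md5(LEAKED_MD5, WORDLIST))
    salted = {"alice": store_pbkdf2("password"), "carol": store_pbkdf2("W1nter_Gard3n-2012")}
    print("salted PBKDF2 digests for 'password' differ per user:",
          store_pbkdf2("password")[2] != salted["alice"][2])
    print("salted guessing result and KDF calls spent:", dictionary_guess_pbkdf2(salted, WORDLIST))
```

Note what the salted run does and does not achieve: alice’s weak password is still found, because salting and iteration only raise the cost per guess and remove the one-table-fits-all shortcut; a password that is in the attacker’s dictionary is lost either way, which is the article’s point about choosing passwords outside that space.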

Brute force attacks are different in that they will cycle through every possible combination of characters (e.g., aaaaaaa, aaaaaab, aaaaaac, aaaaaad, etc.), rather than employing a dictionary list. While very effective, given enough time, brute force attacks will typically waste a lot of cycles trying to crack a hash from nonsense letter combinations like:

     • ddddddd
     • jhakdsj
     • asdasda

If we assume we can compute 50 hashes per second, then a 7-letter password (the most common password length) has 56,222,671,232 possible combinations (see the table below), which would take almost 2,000 years to crack by brute force.

Number of letters    Possible combinations
1                    26
2                    1,352
3                    52,728
4                    1,827,904
5                    59,406,880
6                    1,853,494,656
7                    56,222,671,232
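The following is an added example, not code from the article: it computes the size of the search space for exhaustive guessing and the time to walk it at a given hashing rate. The count of n-character strings drawn from an alphabet of m symbols with repetition is m^n (the table above multiplies each row by n, which the commenter eulampius points out below and the author concedes), so the 7-letter lowercase figure is 26^7. The example goes slightly beyond the table by also covering the 94-character printable ASCII alphabet and the CPU and GPU rates that appear in the comments; the function names and the choice of a 365.25-day year are assumptions of this example.

```python
from string import ascii_letters, ascii_lowercase, digits, punctuation

# Alphabet sizes discussed in the article and its comments.
CHARSETS = {
    "lowercase letters": len(ascii_lowercase),                           # 26
    "letters + digits": len(ascii_letters) + len(digits),                # 62
    "printable ASCII": len(ascii_letters) + len(digits) + len(punctuation),  # 94
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600   # assumption: Julian year


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct strings of exactly `length` symbols from `alphabet_size` choices,
    repetition allowed: m**n (each position is chosen independently)."""
    return alphabet_size ** length


def keyspace_up_to(alphabet_size: int, max_length: int) -> int:
    """Every length from 1 to max_length, which is what an exhaustive search
    actually walks when the password length is unknown."""
    return sum(alphabet_size ** n for n in range(1, max_length + 1))


def years_to_exhaust(alphabet_size: int, length: int, hashes_per_second: float) -> float:
    """Worst-case time to try every string of the given length at a fixed rate."""
    return keyspace(alphabet_size, length) / hashes_per_second / SECONDS_PER_YEAR


def combination_table(alphabet_size: int = 26, max_length: int = 7) -> list:
    """(length, keyspace) rows, the corrected form of the article's table."""
    return [(n, keyspace(alphabet_size, n)) for n in range(1, max_length + 1)]


if __name__ == "__main__":
    for n, count in combination_table():
        print(f"{n:>2} letters: {count:>18,}")
    # 50 H/s is the article's figure; 10,000 and 100,000,000 H/s are the CPU and GPU
    # figures a commenter quotes further down the page.
    for rate in (50, 10_000, 100_000_000):
        for name, m in CHARSETS.items():
            print(f"{name:>18}, 7 chars at {rate:>11,} H/s: "
                  f"{years_to_exhaust(m, 7, rate):10.4g} years")
```

Run as a script it prints the corrected table and a grid of exhaustion times; the defender’s takeaway is visible in the last column, where moving from 26 to 94 symbols buys three orders of magnitude, but adding characters to the length buys a factor of m per character.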

Passwords that resemble line noise are only generated by the most paranoid of users. Most people will generate words or phrases that they can easily remember. This means that they will follow some basic word construction rules in the creation of their password/passphrase.

For example, how many of you:
1. use English-like words or word combinations?
2. use hyphens and underscores between words?
3. use ending punctuation, appropriately, at the end of a password or passphrase?
4. replace vowels with numbers, such as 4 = A, 3 = E, 0 = O, etc.?

By understanding some basic morphology, hackers have the ability to move beyond basic brute force attacks and employ smarter algorithms. The considerations include the use of apostrophes, hyphens, underscores, suffixes, vowels, and character repetition patterns, according to Smith.

Apostrophe Use
Here we expect a single apostrophe followed by an ‘s’, positioned as the last or second-to-last character. The algorithm is not concerned with apostrophes that mark a contraction, only possession and plural possession.

Hyphens and Underscores
The rule here is that these are used independently to separate two distinct constructions; each word is then tested separately.

Ending Punctuation
Ending punctuation (! ? . , ) is expected to be at the end of the password, and we would not expect to see more than one punctuation character. Any other ending punctuation is not accepted.

Suffixes
Accepted suffixes include -able, -ac, -acity, -age, etc. Here is a comprehensive Suffix Worksheet. The rule here is that the last letter before the suffix cannot be the same as the first letter of the suffix; the rule does not allow repeated vowels.

Vowels
The word needs to contain at least one vowel.

Employing Character Position Analysis, which examines each character’s position relative to its neighbours, lets a hacker decide whether characters plausibly sit next to each other. There are three tests involved, as well as methods for getting more accurate results and for dealing with more complex characters. This heuristic approach allows hackers to crack long and complicated passwords faster.

How do we defend against this approach? Well, if you really value your privacy, you had best understand how hackers use brute force attacks to translate a hash into your password, and create passwords of sufficient complexity to defeat those attacks.
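The following is an added example, not code from the article or from the gentle-brute project: it turns the morphology rules listed above (vowel-for-digit substitution, a single trailing punctuation mark, a possessive apostrophe, hyphen/underscore-separated words, the named suffixes with the no-repeated-letter rule, and the at-least-one-vowel test) into a defender-side check that a registration form or password policy can run, rejecting passwords that sit inside the structured space a heuristic cracker searches first. The mini-dictionary, the 14-character minimum and the function names are assumptions of this example; the `$`-for-S substitution is taken from a comment further down the page rather than from the article body.

```python
import re

# Constructed mini-dictionary standing in for a real wordlist (assumption for the example).
DICTIONARY = {"secret", "monkey", "dragon", "password", "love", "rock",
              "read", "friend", "port", "sun", "shine", "winter", "garden"}
SUFFIXES = ("able", "ac", "acity", "age")        # the four suffixes the article names
LEET = str.maketrans({"4": "a", "3": "e", "0": "o", "$": "s"})
ENDING_PUNCT = "!?.,"                             # the article's accepted ending punctuation
VOWELS = set("aeiou")


def normalize(password: str) -> dict:
    """Undo the predictable transformations the article lists, in the order a
    human applies them backwards: trailing punctuation, possessive 's, then
    case and digit-for-vowel substitution. Returns the separated words."""
    p = password
    trailing_punct = ""
    if p and p[-1] in ENDING_PUNCT:
        trailing_punct, p = p[-1], p[:-1]
    possessive = False
    if p.endswith("'s"):              # apostrophe as last or second-to-last character
        possessive, p = True, p[:-2]
    elif p.endswith("s'"):            # plural possessive
        possessive, p = True, p[:-1]
    p = p.lower().translate(LEET)
    words = [w for w in re.split(r"[-_]", p) if w]
    return {"words": words, "trailing_punct": trailing_punct, "possessive": possessive}


def strip_suffix(word: str) -> str:
    """Remove a known suffix when the letter before it differs from the
    suffix's first letter (the article's no-repeated-letter rule)."""
    for suf in SUFFIXES:
        if word.endswith(suf) and len(word) > len(suf):
            stem = word[: -len(suf)]
            if stem[-1] != suf[0]:
                return stem
    return word


def is_wordlike(token: str) -> bool:
    """Word-like: contains a vowel and, as-is or after suffix removal, is a dictionary word."""
    if not VOWELS & set(token):
        return False
    return token in DICTIONARY or strip_suffix(token) in DICTIONARY


def predictable(password: str) -> bool:
    """True when every separated chunk reduces to a dictionary word."""
    words = normalize(password)["words"]
    return bool(words) and all(is_wordlike(w) for w in words)


def check_password(password: str, min_len: int = 14) -> list:
    """Reasons to reject the password; an empty list means it passes this check."""
    reasons = []
    if len(password) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if predictable(password):
        reasons.append("built from dictionary words with predictable substitutions or punctuation")
    return reasons


if __name__ == "__main__":
    for pw in ("Dr4g0n_M0nk3y!", "P4ssw0rd's.", "readable-dragon", "xq7v!Lm2pQ9#wZ"):
        print(f"{pw:>16}: {check_password(pw) or 'ok'}")
```

The check deliberately errs toward rejecting: a password that survives it is not thereby strong, it has merely left the most predictable region of the keyspace, which is the region the article says heuristic crackers exhaust first.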

Is your organization practicing password common sense? Talk Back and let me know.

Topics: Security, Data Centers

Gery Menegaz

About Gery Menegaz

Gery Menegaz is a Chief Architect for IBM with more than 20 years supporting technologies in the financial, medical, pharmaceutical, insurance, legal and education sectors. My Full-Time Employer is IBM. I write as a freelancer for ZDNet.


Talkback

21 comments
  • Just use huge passwords

    A phrase of several unrelated words is more secure than a 6 or 7 word password with lots of symbols and numbers in it, and easier to remember to boot.
    Aerowind
    • It seems like you might be referencing XKCD

      This link http://xkcd.com/936/ from xkcd
      Letophoro
      • XKCD

        Don't know how I could have missed this site. Very cool. Thanks for the reference.

        Gery Menegaz
        gery.menegaz
    • Then save them in a text file on your desktop

      So you can remember them all;-)
      Richard Flude
      • I use this one and I feel secure very .... Loverock_Davidson_fud

        Now who would ever figure that one out and its easy to remember :-)
        Over and Out
  • i do not get it

    Passwords are not encrypted character by character - they are encrypted as a whole.

    By examining password's hashes one can not determine the structure of the password.
    Say, password abc may result in hash a0103b06 and password abd in f6d02398. Just by comparing them it is impossible to see that the first two letters are the same.

    Could you please explain how exactly knowledge of suffixes can be applied to decryption.
    ForeverSPb
    • POK

      I was also skeptical at this bit. This is a link to a working POK, further documentation, and screen shots: http://github.com/jamespenguin/gentle-brute.

      Gery Menegaz
      gery.menegaz
    • dictionary extension

      I guess, it's not a brute-force, it is a dictionary attack. So, the knowledge of the suf(pre)fixes is applied to extend the dictionary. Of course, this knowledge would only apply to an average user.
      eulampius
  • re:Brute force...

    Pick a passphrase that you can remember and use the first letter of each word, with a few special characters thrown in for good measure.
    KNPepper
  • strange Math

    >>7 letter password (the most common password length) has 56,222,671,232
    Where did you get this number, which characters are counted? If all printable ASCII characters, there are 94 of them, it would be 94^7=64,847,759,419,264 possible combinations (there are 94 possibilities for each char). The table is even more strange: 26 for 1 letter, so it must be lower (capital) English letters only? Then it must be 26^7= 8,031,810,176 for 7 char-long passwords that use only one case English letters?

    Or is there an assumption that some chars (from those 94) are more frequently used than others? Still, the first rows of the table look a bit unnatural.
    eulampius
    • Formula

      Thanks for the comment.

      The assumptions are that (1) the most common password length is 7 letters, and (2) that most only use alpha characters. I realize that there are more options but wanted to show that even keeping it very simple the number of combinations is quite large.

      The formula used is:
      1(26^1)
      2(26^2)
      3(26^3)
      ...
      gery.menegaz
      • n*m^n?

        OK, Gery, so if w(m,n) is the total number of all possible n-character long words using m distinct char when repetition is allowed, then you think w(m,n)= n*m^n? It is not true for n>1.

        Here's how we can reason (by induction). Say when n=1, it is obvious, w(m,1)=m. Suppose we know w(m,n) it for the n-char long words, can we find w(m,n+1)? Yes, for every n-char long word there will be m distinct (n+1)-char long words, since you can vary the last (n+1)-s char m times:
        * * * * * * * * * *
        eulampius
        • cont'ed

          12..............n n+1
          Hence w(m,n+1)=w(m,n)*m, recall w(m,1)=m and get w(m,n)=m^n != n*m^n

          It's funny how the lame zdnet system cut my comment.
          Dear zdnet technologists, can you fix this ridicule? Thanks
          eulampius
          • Validating

            Thanks for your comment.

            I have asked a college buddy to validate. He has a BA in math, a masters in statistics, and Ph.D in engineering sciences, and has taught undergraduate and graduate courses in evolutionary computation, stochastic processes, and statistical process control.

            Waiting on a response...
            gery.menegaz
          • thanks

            Thank you too, Gery. As you could see, never did I mention my own Ph.D. in Mathematics and one wouldn't need one for this question. I taught a few undergrad courses too (however only 2 grad ones ) AMOF, a recent "Math. Reasoning" course tackled various questions including counting different things (like permutations, combinations, words etc). There was an interesting and easy yet fundamental http://en.wikipedia.org/wiki/Counting_principle to apply in many occasions.
            Hope to hear from your friend.. :)
            eulampius
          • Correction Needed

            So I heard back and my math was off...mea culpa!
            gery.menegaz
  • Heuristics can only go so far, though.

    Heuristics can only go so far, though. Checking for $ instead of S adds more time, even if it's smart about it. And regardless of the heuristics, a long password still means there's more combinations to try. All of the heuristics in the world will not fix the fact that long passwords are hard to crack.

    Yes, avoid the obvious stuff. Part of the problem IS that people still use passwords they know are weak.

    And if the website is using good security practices, then they have to guess the password EXACTLY. It's not like the movies where they guess one letter, then guess the next, etc. Either they know the password or they don't - and if the heuristics fail to guess your password exactly as you typed it, they're back to square one. The longer the password, the greater the chance that not even the heuristics will guess it.

    Even with heuristics, a really long password is looking for a needle in a haystack. Yes, you should still mix things up a bit, like adding special characters, but the longer the better.
    CobraA1
  • Yeah

    I have only one URL to this: http://xkcd.com/936/
    Fri13
  • This brute force logic depends on cpu hash power

    Most crackers have resorted to gpu based brute force cracking..

    Depends on the encryption type: CPU may get upwards of 10k / second where GPU based would get upwards of 100M or faster per second, so going off the base of 6 chars a GPU may crack in a week's time..
    Anthony E
    • If you have a 6 char password, it's way too short . . .

      If you have a 6 char password, it's way too short, even for a CPU based attack. Your password should be more than double that length these days.
      CobraA1