So you have a strong password. Is that enough? The psychology of password creation would suggest we are not necessarily safe from Brute Force Attacks.
“Heuristic brute forcing provides hackers with the ability to crack long and complicated passwords using brute force style password cracking, while not wasting eons trying unrealistic passwords”, according to Brandon Smith, writing as James Penguin for 2600.
Many of us know the basics, or what passes for common sense with regard to workstation security. You know…use anti-virus software, and make certain that the definitions file is up to date. Make certain that your OS is equally patched. Don’t download software from questionable sites.
With regard to passwords, it’s simple: don’t use passwords that may be found in a dictionary. For enterprise, and more security conscious web sites implement password policies that mandate the use of numbers, letters and, sometimes, special characters.
Is this enough?
With the recent publication of hundreds of thousands of usernames and associated passwords, it appears that common sense is in fact, not very common.
The recent Yahoo! Email hack revealed that ‘123456’ was used as the password for 1,666 users. Believe it or not ‘password’ was used by 780 users. Please!
Once hackers are able to infiltrate a site, they make their way to the list of usernames and passwords. A file that is typically encrypted or ‘hashed’ using MD5 (Message-Digest Algorithm is a widely used cryptographic hash function).
Hackers will then try to generate hashes through brute force, and compare the data from the stolen file to the newly created hash file. This is how, after a breach, they are able to post all of the passwords online.
A quick distinction: a Dictionary Attack is where a hacker will use a dictionary file to iterate through every possible word to produce a hash file which can then be used to compare to the target hash.
Dictionary files can be downloaded from a number of places such as the Pirate Bay, so it’s something that script kiddies can use. Dictionary attack works well on single word passwords, but fail on more complex passwords such as those required in most mature organizations.
Brute force attacks are different in that they will cycle through every possible combination of characters (e.g., aaaaaaa, aaaaaab, aaaaaac, aaaaaad, etc.), rather than employing a dictionary list. While very effective, given enough time, brute force attacks will typically waste a lot of cycles trying to crack a hash from nonsense letter combinations like:
If we calculate that we can move through 50 hashes per second, then a 7 letter password (the most common password length) has 56,222,671,232 possible word combinations (see table below), which would take almost 2,000 years to crack using brute force.
|Number of Letters||Possible Combinations|
Passwords that resemble line noise are only generated by the most paranoid of users. Most people will generate words or phrases that they can easily remember. This means that they will follow some basic word construction rules in the creation of their password/passphrase.
For example, how many of you,
1. use English like words or word combinations?
2. use hyphens and underscores between words?
3. use ending punctuation, appropriately, at the end of a password or passphrase?
4. Replace vowels with numbers such as: 4 = A, 3= E, 0 = O, etc?
By understanding some basic morphology, hackers have the ability to move beyond basic brute force attacks and employ smarter algorithms. Considerations include the uses of an apostrophe, hyphens, underscores, suffixes, vowels, and character repetition patterns, according to Smith.
Here we are expecting one apostrophe followed by an ‘s’, and positioned at the last or second to last character. For the algorithm we are not concerned with the apostrophe to show a contraction, only possession and plural possession.
Hyphens and Underscores
The rule here is that these are use independently for the separation of two unique constructions; then each word is tested separately.
Ending punctuation (! ? . , ) is expected to be at the end of the password, and we would not expect to see more than one punctuation character. Any other ending punctuation is not accepted.
Accepted suffixes include –able, -ac, -acity, -age, etc. Here is a comprehensive Suffix Worksheet. The rule here is that the last letter before the suffix cannot be the same as the first letter of the suffix. The rule does not allow for repeating vowels.
The word needs to contain at least one vowel.
Employing Character Position Analysis, analyzing a character’s position in relation to its neighbors, allows a hacker to know if the characters fit next to each other. There are three tests involved as well as methods for getting more accurate results, as well as how to deal with more complex characters. This heuristic appraoch allows hackers to crack long and complicated passwords quicker.
How do we defend against this approach? Well, if you really value your privacy, you best understand how hackers use brute force attacks to translate a hash into your password, and create passwords of sufficient complexity that will defeat their brute force attacks.
Is your organization practicing password common sense? Talk Back and let me know.