What is Cracking a password?
Well Brute Force, Rainbow Attacks, Dictionary Attacks, these are names for it, but simply put, Guessing your combination.
In the real world, this isn’t like lock picking, that is something I can do with your account that we cover later, this is more like a combination lock
So, you have a padlock or bike lock, it has a 3 digit combination of numbers only.
How many guesses to crack your lock? 999 + 1 (000 counts)
Brute Forcing a 3 digit combination lock
This would going through every combination, irrespective of how silly that combination is.
Starting at 000, then 001, then 002 etc.
Dictionary Attack on a 3 digit combination lock
I don’t attempt combinations that are unlikely to occur, whilst going for combinations that are likely to be used
666, 999, 696, 777, 123 etc.
I don’t have an analogy for Rainbow attack, but it is irrelevant.
The point is, on your 3 digit combination lock, how much of my time do I have to invest in opening it and is there any way I can reduce that time?
This is pretty much the randomness of things, but in the way we need to view it as a consumer, how many combinations there are.
So, a 3 digit combination lock with numbers only has 1000 possible combinations
4 digit combination lock has 10000 possible combinations
Otherwise known as “Password Length”, that is why we say use longer passwords, it results in more combinations.
Now what if we had a combination lock with 3 alphanumeric options, so each dial has 26 letters and 10 numbers (0-9), this would mean that there is 46 thousand combinations. If we add one more dial to this combination lock, so 4 alphanumeric dials, then it goes up to 1.6 million combinations.
Now entropy relies on things being random, so if you had a lock described like the above is there a way that I can reduce the combinations I need to try?
Or in other words, is a human being random.
So, having a fancy combination lock means nothing when you have a password of ABCD, or a password or THEM or even TH3M or MOST or M05T, these are not random passwords, so while there is 1.6 million combinations on this example bike lock, there are patterns that you may use, which I would also think to use.
That is what we look at in this article, how I crack your password.
So in this article we look at
- How the Crime is Committed
- What a Consumer can do to prevent it
- What the industry has to do to prevent it
How the Crime is Committed
What we won’t cover in this article is the technical methods, what we will cover is how I build out a list of likely passwords to try, how I measure my performance and how I reduce time needed to crack a password for your account.
All we need to understand from a technical perspective is
A computer can make lots of guesses a second, from thousands to billions dependent on the scenario and hardware available.
- An online attack means there is a low volume of guesses per second
- An offline attack means there is a large volume of guesses per second
As a consumer, we don’t need to know anything else.
What we do need to know the technicalities of, as a consumer, is how I define my attack and how a dictionary attack is built (this is not the concise oxford dictionary or even a dictionary that contains only real words from any language, that is not what a computer dictionary is)
This way you learn that it isn’t password content or even length that is the highest priority when picking a password, but it is the structure of the password that is most important.
Analyses and Research
Like anything else, I will start my attack by looking up consumer advice
- Passwords should be at least X characters long (10 seems to be the common advice)
- Adding numbers and special characters to passwords increases the password strength
- 1 upper case, 1 lower case, 1 special and 1 number is generic advice
- Then we often find using a word and replacing with special characters
Number 4 is the killer here for password entropy, the encouragement of using words. This is to help with remembering a password, but it destroys password strength.
So, let’s give you some examples
Serendipitous!3569 (length of 18)
S3r3nd1p!t0us (length of 13)
A#8N7n*bd (length of 9)
Which password is stronger?
An entropy calculation would tell you that the one with a length of 18 is the strongest, however, it is weaker than the one with a length of 13 and both of them are weaker than the one that has a length of 9
This is because the word based structure makes it weak.
The reality is that Serendipitous!3569 is just as weak as Donkey!1001, it is just as weak as Zulu!1001 and just as weak as Inn!1001, this is because it is not comprised of 18 characters, but rather 3 words
Word 1 = Serendipitous
Word 2 = !
Word 3 = 3569
Both the Zulu and Donkey example are still comprised of 3 words, this is what a dictionary attack is. It is finding common structures to follow to remove the need of trying every combination
So I as an attacker have a choice
- Cycle through all combinations possible (a ridiculous amount of time)
- Build an algorithm to reduce that using word structure
S3r3nd1p!t0us can be included in that algorithm, along with any other form that this word could be written in $3r3nd1p!t0us or S£r£nd1p!t0us etc. There are not as many combinations as you would think, because Leet speak as it is known has a trend and a structure.
The link below will download a spreadsheet with some detail and some instructions, you can see varying different structures being built.
password writer v3 (3.5 MB)
This will also give you an idea of time to run based on volume of attacks per second
There are no macros on this sheet, just formulas, that should give you an idea of how easy it is to build a data dictionary for attack (I wouldn’t do this in excel in the real world, but should make it easier to understand what is going on)
I haven’t included the word based attack or the Leet speak attack, it is possible to build this in Excel, it is just that it would take longer than necessary (I need the spreadsheet to be trusted for downloads, so cannot use Macros)
So assuming you have had a look at that spreadsheet, what you should see is it is not so much the length or the content of the password, but rather the structure of the password that makes it secure.
This relates back to entropy and our bike lock example.
So when you define a password and the password checker says “Strong”, it isn’t really strong, it is an assumption of strength based on the types of characters included.
Now when you consider the attackers perspective, you can start to see how they guess your password, you can then appreciate their approach for effort much like the way a business would operate
- Do I spend several thousand years on a task?
- Or do I spend several days on a task and give up if it takes too long
Time is money, this applies to the criminal enterprise as much as the business enterprise.
So in that spreadsheet we had tables which showed the time in hours to run the batch, I basically go from quickest to longest until I hit a point where it is too much time to bother with.
Now, we have a much longer article around this called “Can you hack my brain” where we delve into this in a lot more depth, how we reduce time on hacking randomly generated passwords, how we define entropy for consumers, but for the purpose of this article, we should have seen enough to know, our passwords are not secure, and likely the length has done nothing to help us to date.
On the next pages we look at this, where we come up with methods to reverse engineer a data dictionary attack into a strong password i.e. how do you stop me from cracking your password?