Slashdot Mirror


Cracking Passwords With Statistics

New submitter pjauregui writes: When users are asked to create a "secure" password, most sites simply demand things like "must contain 1 uppercase letter and one punctuation character." But those requirements often lead to users picking exactly 1 uppercase letter, and using it to begin their password. What was intended to increase randomness is instead creating structure that statistical analysis can exploit. This article starts by asking the reader, "Think like a hacker and ask yourself how fast your passwords might be able to be cracked based on their structure." The author then describes his method for cracking passwords at scale, efficiently, stating that many attackers approach this concept headfirst: they try any arbitrary password attack they feel like trying, with little reasoning. His post is a discussion that demonstrates effective methodologies for password cracking and how statistical analysis of passwords can be used in conjunction with tools to create a time-boxed approach to efficient and successful cracking.

3 of 136 comments

  1. Re: For work I use really bad passwords by Anonymous Coward · Score: 5, Informative

    I have 5 levels of passwords, as follows:

    Level 1: Garbage sites that force me to register to read content, places that don't have AC where I want to comment, etc. My password is monkeys103. Idgaf if you hack these sites. If they force punctuation I add a comma to the end of it. Who cares. Username could be anything because most likely I'm not coming back.

    Level 2: Sites where I have a reputation, but it's not attached to my real world persona. Like ArsTechnica, CNN, Ubuntu Forums, etc. I use a moderately complex password, 8 characters, no dictionary words. If it gets hacked, it sucks, but it's not the end of the world. Username is often similar among the sites because there's no real world connection.

    Level 3: Sites where they have personal information connected to the real world. Think Facebook, instant messaging, etc. I use a 10 digit password here, and if it gets hacked, I immediately change all of these sites so that none have the old password. Also all of them have different usernames.

    Level 4: Banking or any sites connected to my money (PayPal, for example). I have a very long and complex password for these (unique to each site, randomly generated), as well as any other security they offer (two factor authentication).

    Level 5: Email, because it's the master key. I use a unique password here, but I have somehow memorised it. My two email passwords are the same, which I know is a weakness, but it's safer than using two weak passwords. The password is the first letter from each word in a phrase, with added numbers and punctuation. Example: (I like apples and pears - ilaap)

    Also note that I use a password manager, which requires me to enter a password (same as my computer logon) to autofill the form. So all in all I really only have to memorize five passwords, and typically only the password manager one.

  2. Re: For work I use really bad passwords by AK+Marc · Score: 5, Informative

    I've had my first day include complaining to the head of HR that the HR documents on passwords were wrong. The rules were at least one upper, at least one lower, at least one number, and no shorter than 8. However, the password policy described by my peers was "pick a 6-letter word, start with a cap, and put 00 at the end. When you increment it for the 30 day expiration, you can last past the 1-year no reuse policy." The funny thing was, I followed the policy and came up with one that used special characters. Not accepted. And one that used an 8-character word. Not accepted (the password must be exactly 8 chars, and can't include special characters, despite the rules not directing such). The head of HR gave me the same rules as everyone else. So nobody in the company uses a secure password, and the rules on the password are mis-documented. Chairs00. Shh, don't tell anyone.
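To make the summary's point about statistical structure concrete, and AK+Marc's "capitalised 6-letter word plus 00" habit measurable, here is an added example (written for this mirror, not code from the linked article or from any commenter) that maps a password corpus to structural masks, reports how concentrated the corpus is, and shows how much smaller the dominant mask's keyspace is than the keyspace the policy nominally promises. The sample passwords and the character-class sizes are assumptions; an auditor would run this over their own organisation's recovered hashes, not over this list.

```python
import math
from collections import Counter

# Constructed sample corpus (invented values, not real credentials): ten entries
# follow the "capitalised 6-letter word + two digits" habit described in the
# thread, five do not.
SAMPLE_PASSWORDS = [
    "Chairs00", "Chairs01", "Tables00", "Summer01", "Winter02",
    "Spring00", "Monday00", "Friday01", "Coffee00", "Purple03",
    "Tr0ub4d&3", "9xq!Lm2#", "p@55w0rd", "zebra7", "Qwerty",
]

# Assumed class sizes for printable ASCII: 26 upper, 26 lower, 10 digits,
# and the remaining 33 printable characters counted as symbols (95 total).
CLASS_SIZE = {"u": 26, "l": 26, "d": 10, "s": 33}

def mask(pw: str) -> str:
    """Map each character to its class: u=upper, l=lower, d=digit, s=symbol."""
    return "".join(
        "u" if c.isupper() else "l" if c.islower() else "d" if c.isdigit() else "s"
        for c in pw
    )

def mask_stats(passwords):
    """Fraction of the corpus covered by each structural mask, most common first."""
    counts = Counter(mask(p) for p in passwords)
    return {m: n / len(passwords) for m, n in counts.most_common()}

def mask_keyspace(m: str) -> int:
    """Number of candidates a single mask spans (product of its class sizes)."""
    return math.prod(CLASS_SIZE[c] for c in m)

def coverage_report(passwords, alphabet=95):
    """Compare the dominant mask against the keyspace the policy nominally
    promises: every position of that length free over a 95-character alphabet."""
    stats = mask_stats(passwords)
    top_mask, share = next(iter(stats.items()))
    nominal = alphabet ** len(top_mask)
    shrink_bits = math.log2(nominal / mask_keyspace(top_mask))
    return {"top_mask": top_mask, "share": share, "shrink_bits": shrink_bits}

if __name__ == "__main__":
    r = coverage_report(SAMPLE_PASSWORDS)
    print(f"dominant mask {r['top_mask']} covers {r['share']:.0%} of the corpus "
          f"and is 2^{r['shrink_bits']:.1f} times smaller than the nominal keyspace")
```

On the constructed sample the dominant mask is ullllldd (one upper, five lower, two digits), covering two thirds of the corpus, and its keyspace is roughly 2^17.7 times smaller than the 95^8 the policy appears to offer; that gap, not the eight-character minimum, is what a structure-aware attack works against.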

  3. Re: The assumption is wrong. by Tom · Score: 3, Informative

    The point of password complexity requirements has nothing to do with security. It's about the check box some auditor or lawyer needs to check. People assume it leads to security, but only because they see it in a vacuum.

    That's consultant bullshit. The legal requirements are nowhere near this specific. It's only consultants that turn them into this nightmare of nonsense. I've worked in IT Compliance (SOX) for years. As long as you can describe why your password policy is good, it doesn't matter what it actually is. The problem is too many people don't invest the time to think a bit and simply take a so-called "best practice" and apply it. In way too many cases without reading to the end and realizing that this "best practice" was published in 1998 and may be a little outdated.

    --
    Assorted stuff I do sometimes: Lemuria.org