Slashdot Mirror


Cracking Passwords With Statistics

New submitter pjauregui writes: When users are asked to create a "secure" password, most sites simply demand things like "must contain 1 uppercase letter and one punctuation character." But those requirements often lead to users picking exactly 1 uppercase letter, and using it to begin their password. What was intended to increase randomness is instead creating structure that statistical analysis can exploit. This article starts by asking the reader, "Think like a hacker and ask yourself how fast your passwords might be able to be cracked based on their structure." The author then describes his method for cracking passwords at scale, efficiently, stating that many attackers approach this concept headfirst: They try any arbitrary password attack they feel like trying with little reasoning. His post is a discussion that demonstrates effective methodologies for password cracking and how statistical analysis of passwords can be used in conjunction with tools to create a time-boxed approach to efficient and successful cracking.

6 of 136 comments

  1. For work I use really bad passwords by Anonymous Coward · Score: 5, Insightful

    They have this draconian douchebag policy that you can't ever reuse one for like 20 tries, you have to have a capital, number and punctuation.... so I just keep adding numbers to the end of it. Fark them if we get hacked.

    Give me a reasonable password requirement with a reasonable expiry (NOT 30 days) and we'll talk.

    1. Re: For work I use really bad passwords by khasim · Score: 4, Insightful

      It doesn't matter. If someone is cracking your (end-user) password at work then they probably have some other means of attempting it.

      1. keylogger
      2. some reduction attack
      3. pass the hash
      4. fake authentication request & server
      5. etc

      By the time the attacker has copies of the hashes and is trying to use any of the techniques in TFA on them it's too late for you as an end-user.

      For non-work websites just remember 2 things:
      a. DO NOT USE THE SAME PASSWORD
      b. If it is financial, don't use the same username/email-address as other sites.

    2. Re: For work I use really bad passwords by tlhIngan · Score: 4, Insightful

      They have this draconian douchebag policy that you can't ever reuse one for like 20 tries, you have to have a capital, number and punctuation.... so I just keep adding numbers to the end of it. Fark them if we get hacked.

      Give me a reasonable password requirement with a reasonable expiry (NOT 30 days) and we'll talk.

      Here's some...

      2015January!
      2015February@
      2015March#
      2015April$
      2015May%
      2015June^
      2015July&
      2015August*
      2015September(
      2015October)
      2015November-
      2015December=

      If it's too long, shorten to 3-letter months.

      And for next year, you'll have another set of "unique" passwords so it doesn't matter if they demand it doesn't match the last 100 passwords.

      Numbers, capital, punctuation: it's got it all.

      With a few modifications, you can come up with similar passwords that will obey any other rules you need.

    3. Re: For work I use really bad passwords by khasim · Score: 1, Insightful

      Read to the end for a secret revelation.

      One for all the various forums, social sites and other crap that is of absolutely no importance to me and if it gets leaked and you use it to log in as me on one of them, you can post comments in my name - omg, the sky is falling.

      The problem there is that all it takes is one crap site and an attacker can check all of your "reset answers" (pet's name / mom's name / etc) to see if they can be used for an attack.

      One is for sites that I have some stakes in, like accounts in online games and such, where you could do some damage in the sense of destroying something that took me time to create (delete my GW2 characters, I'd hate you for it, but no real damage has been done).

      A different password but does it still have the same "reset answers" that the other category does?

      And you are depending upon the admins of those sites to correctly secure them and keep those sites secure for THEIR ENTIRE EXISTENCE.

      And one I use for sites where you could do some damage that I could probably reverse, but it would take effort and might cause me real-world inconveniences, such as shopping sites where you could order something in my name and I'd have to go and cancel the order or send it back or whatever.

      Just about all of the damage can be reversed. It's just a matter of how much time and how much money is lost doing so.

      This is about preventing the damage before it costs you time and money.

      Your Amazon account should NOT have the same password that your eBay account has. No matter how much you trust either of them.

      My PayPal and banking accounts have their own passwords, ...

      And they should have their own email accounts tied to them. If someone cracks your GameYouUsedToPlay.com account that should NOT give them the email address you use at your bank.

      Now, for the secret revelation!

      Passwords WERE once used for security.

      NOW they are mostly (99.9%+) used for MARKETING. That is why almost all the sites out there require a unique login. And those sites are very lax with their MARKETING data (your username/password/answers).

      Once you understand that (and what information you are leaking when you give it to them) you can make better decisions on how much RE-USABLE information you want to give them.

      Think about what the minimum information an attacker would need to access your bank account (either login or social engineering) and then look at how many sites have that information.

  2. The assumption is wrong. by orlanz · Score: 5, Insightful

    The point of password complexity requirements has nothing to do with security. It's about the check box some auditor or lawyer needs to check. People assume it leads to security, but only because they see it in a vacuum.

    Complexity introduces incremental passwords, common passwords, safes, post-its, support costs, complacency, single points of failure, easier social engineering, and easy passwords. All of which work against security. They don't have check boxes for these because they are hard to understand and measure.

    So is complexity checked? Yes, OK move along sir. I SAID MOVE ALONG. GOOD DAY!

  3. math by Tom · Score: 5, Insightful

    Been there, done the math, and I can confirm that the guy is 100% spot on. According to the slides of my last keynote on the subject, it basically goes like this:

    We think the complexity of a password made in accordance with a typical password policy (at least 8 letters, at least 2 of them special characters or numbers, mixed upper and lower case) is on the order of 10^16.

    What users actually read is more along the lines of "take a word, maybe abbreviate it, add one number and one of the easy-to-type special characters", giving us a complexity in the order of 10^7.

    That's not a small difference. That's 9 orders of magnitude. That's like thinking the population of the USA is around 3000 people. That's how far off we are when we think about complexity of passwords in purely cryptanalysis terms, without taking user preferences into account.

    What this guy did is really great, I wish I had time to do such a proof-of-concept instead of just speaking about it every time I get an opportunity.

    --
    Assorted stuff I do sometimes: Lemuria.org
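The three threads above (the summary's point that a policy's "one uppercase letter" lands at position one, tlhIngan's year-plus-month list, and Tom's 10^16-versus-10^7 estimate) all come down to the same measurement: how much structure a complexity policy leaves in the passwords it accepts. The script below is an added example, not code from this thread, the linked article, or any tool it mentions. It audits a password set with hashcat-style masks (`?u` upper, `?l` lower, `?d` digit, `?s` special), reports how often the single capital is the first character and how often a year appears, and compares the keyspace a policy writer imagines (8 arbitrary printable characters) against a dictionary-aware estimate for the most common mask. `DICT_SIZE`, `EASY_SPECIALS`, the `policy_ok` rule and the `SAMPLE` list are assumptions constructed for the example; the technique is meant for a defender auditing their own users' passwords after a sanctioned cracking exercise or at reset time.

```python
"""Added example (not from the Slashdot thread or the linked article):
measure how much structure a complexity policy leaves in a password set,
using hashcat-style masks. The sample list is constructed for illustration."""
import re
from collections import Counter
from math import log10, prod

# Class sizes for the pure mask keyspace: 26 upper, 26 lower, 10 digits,
# 33 printable ASCII specials (95 printable minus 62 alphanumerics).
CLASS_SIZE = {"?u": 26, "?l": 26, "?d": 10, "?s": 33}

# Assumptions for the "how users really behave" estimate (Tom's comment):
# the letter run is one dictionary word, and only a few specials get used.
DICT_SIZE = 10 ** 5       # assumed size of the wordlist users draw from
EASY_SPECIALS = 10        # assumed number of specials users actually type

# Keyspace a policy writer imagines: 8 arbitrary printable characters.
NAIVE_KEYSPACE = 95 ** 8  # ~6.6e15, i.e. "on the order of 10^16"

def policy_ok(pw):
    """The typical policy: >= 8 chars with an upper, a digit and a special."""
    return (len(pw) >= 8 and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw) and any(not c.isalnum() for c in pw))

def char_class(c):
    if c.isupper():
        return "?u"
    if c.islower():
        return "?l"
    if c.isdigit():
        return "?d"
    return "?s"

def mask(pw):
    """Hashcat-style mask of a password, e.g. 'Abc1!' -> '?u?l?l?d?s'."""
    return "".join(char_class(c) for c in pw)

def split_mask(m):
    return [m[i:i + 2] for i in range(0, len(m), 2)]

def mask_keyspace(m):
    """Candidates needed to exhaust one mask with no dictionary knowledge."""
    return prod(CLASS_SIZE[cls] for cls in split_mask(m))

def pattern_keyspace(m):
    """Dictionary-aware estimate: a letter run costs DICT_SIZE, a digit run
    10^n, a special run EASY_SPECIALS^n. This gives the 10^7-style figure."""
    total = 1
    for run in re.findall(r"(?:\?[ul])+|(?:\?d)+|(?:\?s)+", m):
        n = len(run) // 2
        if run.startswith("?d"):
            total *= 10 ** n
        elif run.startswith("?s"):
            total *= EASY_SPECIALS ** n
        else:
            total *= DICT_SIZE
    return total

YEAR = re.compile(r"(?:19|20)\d\d")

def audit(passwords):
    """Summarise the structure of a password set."""
    masks = Counter(mask(p) for p in passwords)
    top_mask, top_count = masks.most_common(1)[0]
    return {
        "total": len(passwords),
        "policy_compliant": sum(policy_ok(p) for p in passwords),
        "distinct_masks": len(masks),
        "top_mask": (top_mask, top_count),
        # exactly one uppercase letter, and it is the first character
        "first_upper_only": sum(1 for p in passwords
                                if sum(c.isupper() for c in p) == 1 and p[0].isupper()),
        "ends_special": sum(1 for p in passwords if not p[-1].isalnum()),
        "contains_year": sum(1 for p in passwords if YEAR.search(p)),
        "top_mask_keyspace": mask_keyspace(top_mask),
        "top_pattern_keyspace": pattern_keyspace(top_mask),
    }

# Constructed sample: every entry satisfies policy_ok().
SAMPLE = [
    "Welcome1!", "Summer2015!", "Company1!", "Spring2015!", "Autumn2015!",
    "Winter2015!", "2015January!", "2015February@", "2015March#", "Passw0rd!",
    "Letmein1!", "Monday01!", "Friday01!", "Coffee99!", "Sunshine1!",
    "Qwerty12!", "Hello123!", "Office2015!", "Project1!", "Secure1!",
]

if __name__ == "__main__":
    result = audit(SAMPLE)
    for key, value in result.items():
        print(f"{key:>22}: {value}")
    print(f"naive policy keyspace : 10^{log10(NAIVE_KEYSPACE):.1f}")
    print(f"top pattern keyspace  : 10^{log10(result['top_pattern_keyspace']):.1f}")
```

On the constructed sample every password passes the policy, yet 17 of 20 carry their single capital as the first character, all 20 end in the special, and three masks cover 13 of the 20. The most common mask (a capitalised word, a four-digit year, a special) costs about 10^14 candidates as a blind mask but about 10^10 once the word is taken from a dictionary, and a plain word-digit-special mask drops to 10^7, which is Tom's figure. The number to watch when auditing a real set is the cumulative dictionary-aware keyspace of the masks that cover most of your users, not the 95^8 the policy suggests.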