Password strength

The old debate about password strength has resurfaced. Somebody asked me “how many passwords are really cracked?” It’s a good question, and one that I don’t have the answer to. Which doesn’t really help my cause when I’m pushing policies that enforce strong (i.e. a minimum of 7 characters consisting of upper/lower case letters, numbers and symbols) passwords and two-factor authentication. Is it really all necessary?

The fact is that passwords can be cracked and there are plenty of tools out there that will help the hacker do this. For instance, OphCrack uses rainbow tables to crack passwords across multiple platforms. There’s an excellent reference on the Coding Horror blog.

To understand how rainbow tables work, you first have to understand how passwords are stored on computers, whether on your own desktop, or on a remote web server somewhere.

Passwords are never stored in plaintext. At least they shouldn’t be, unless you’re building the world’s most insecure system using the world’s most naïve programmers. Instead, passwords are stored as the output of a hash function. Hashes are one-way operations. Even if an attacker gained access to the hashed version of your password, it’s not possible to reconstitute the password from the hash value alone.

But it is possible to attack the hashed value of your password using rainbow tables: enormous, pre-computed hash values for every possible combination of characters. An attacking PC could certainly calculate all these hashes on the fly, but taking advantage of a massive table of pre-computed hash values enables the attack to proceed several orders of magnitude faster– assuming the attacking machine has enough RAM to store the entire table (or at least most of it) in memory. It’s a classic time-memory tradeoff, exactly the sort of cheating shortcut you’d expect a black hat attacker to take.

There’s a black-hat view of password cracking presented on this blog here where the author discusses how to breach personal security:

You probably use the same password for lots of stuff right?

– Some sites you access such as your Bank or work VPN probably have pretty decent security, so I’m not going to attack them.

– However, other sites like the Hallmark e-mail greeting cards site, an online forum you frequent, or an e-commerce site you’ve shopped at might not be as well prepared. So those are the ones I’d work on.

– So, all we have to do now is unleash Brutus, wwwhack, or THC Hydra on their server with instructions to try say 10,000 (or 100,000 – whatever makes you happy) different usernames and passwords as fast as possible.

– Once we’ve got several login+password pairings we can then go back and test them on targeted sites.

– But wait… How do I know which bank you use and what your login ID is for the sites you frequent? All those cookies are simply stored, unencrypted and nicely named, in your Web browser’s cache.

It’s interesting to note the first point in the quote above: namely that if the security is known to be strong then the attacker will instead move onto a less secure target. It’s “return on attack” logic: if the investment in time and effort is not likely going to result in profit then there’s little point in the hacker trying too hard to break in. How easy might it be to guess passwords? Bruce Schneier references some sneaky MySpace account phishing that proved the point here

The top 20 passwords are (in order): password1, abc123, myspace1, password, blink182, qwerty1, , 123abc, baseball1, football1, 123456, soccer, monkey1, liverpool1, princess1, jordan23, slipknot1, superman1, iloveyou1 and monkey

Personally, my opinion is that the days of having fixed usernames and passwords should be over by now. The technology for generating one-time passwords is now cheap, easy to use and and widely available. Time we left this 20th century stuff behind.