why "good passwords" are irrelevant

Jul 02, 2012 20:14

Okay y'all, I just have to say something on the topic of choosing "good" passwords. I've seen a lot of tips regarding password security lately, and it really annoys me, because having a good password is nearly irrelevant for anything that actually matters, because it only protects against brute force attacks. There are a lot of accounts getting hacked and I always, always see the 'pick a good password' thing thrown out as somehow being protective against hacking, and it isn't.

Yeah, sure, don't be stupid and use "password" as the password or something like that. But a *lot* of people put a lot of effort into creating extremely convoluted passwords (which they usually promptly forget), when not that much thought really needs to go into it. That's because hackers almost never rely on brute force for gaining passwords anymore. That's so 1993.

First of all, a random internet hacker is not going to sit there typing in passwords by hand if he's just trying to guess them. But never fear, brute force password cracking programs are exceptionally easy to write, and also very easy for the victim (which is not the person whose account is being hacked, but rather the server/database storing password hashes) to detect.

All the places where passwords matter - your Amazon account, your online banking, even your World of Warcraft account - those places all know what brute force attacks look like. Brute force attacks look like their servers being pinged for the same username several billion times an hour. That's why they have failed login caps, usually at 5-10 failed attempts in a short period of time.
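The failed-login cap described above, sketched as a sliding-window counter run over a login log. This is an added example, not code from any of the sites mentioned; the 300-second window, the function name and the sample events are assumptions made for illustration.

```python
from collections import defaultdict, deque

MAX_FAILURES = 5        # low end of the post's "5-10 failed attempts"
WINDOW_SECONDS = 300    # assumed meaning of "a short period of time"

def find_lockouts(events):
    """events: (unix_time, username, succeeded) tuples sorted by time.
    Returns {username: time of the failure that reached the cap}."""
    recent = defaultdict(deque)   # username -> timestamps of recent failures
    locked = {}
    for ts, user, ok in events:
        if user in locked:
            continue              # already locked, further attempts are ignored
        if ok:
            recent[user].clear()  # a successful login resets the counter
            continue
        window = recent[user]
        window.append(ts)
        # Forget failures that have aged out of the window.
        while ts - window[0] > WINDOW_SECONDS:
            window.popleft()
        if len(window) >= MAX_FAILURES:
            locked[user] = ts
    return locked

# Constructed sample log (not real data).
SAMPLE = sorted(
    # alice: automated guessing, 8 failures one second apart
    [(1000 + i, "alice", False) for i in range(8)]
    # bob: 5 failures, but spread over almost half an hour
    + [(1000 + 400 * i, "bob", False) for i in range(5)]
    # carol: a couple of typos, then the right password, then one more typo
    + [(3000, "carol", False), (3001, "carol", False),
       (3002, "carol", True), (3003, "carol", False)]
)

if __name__ == "__main__":
    print(find_lockouts(SAMPLE))
```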

The vast majority of hacking happens in a few specific ways:

-Keylogging. Here, the complexity and strength of the password is irrelevant, because they're just copy and pasting it. You could have the best password in the world and it doesn't matter. By far the easiest method, but users' computers have to be targeted somehow (usually through clicking bad links online).
-Email phishing - basically the same thing, they get you to type in your info and then they use it.
-DNS cache poisoning. Essentially the same as keylogging; they redirect users to a fake, identical-looking website where they type in their info.
-Man-in-the-Middle. Also essentially the same as keylogging; the application is replaced with a fake application that sends information typed in to the hacker. Particularly common with desktop applications that use the internet (i.e. video games). The user has to be targeted specifically as being a user of whatever application it's posing as. More expensive and complex for the hackers.
-The server/database storing the hashed passwords is compromised. This is a little more complicated, but yields much more impressive results to the hackers. Passwords (especially for a large corporation) are not stored as strings (text), but rather put through a hashing algorithm. This jumbles it into a random mix of characters that has no resemblance to the original password. So, if your password is 'fluffybunny', the hashed version might look like '1skjdai24skd'. Only running the same key into the same algorithm will produce the same result. So what the hacker ends up with is a big list of useless characters keyed to usernames; if they go to the bank's website, for example, and try to use '1skjdai24skd' in the password field, instead of interpreting it like 'fluffybunny', the server is going to run that through the hashing algorithm again, so it's going to get hashed into something else, like 'wieqoiuwekjqwe', and authentication will fail because it doesn't match the hash attached to the username key. So they have to find out how to un-hash '1skjdai24skd'. In this case, the hacker cracks the algorithm, not the password; once they figure out the hashing algorithm, they literally have a big list of user info to pick from and can log in as normal without ever failing.

So there's a pattern. Brute force is messy and ridiculously inefficient and rarely effective. But I still see advice for "password strength" being passed around like it's actually useful. And usually it says: use upper and lower case letters, lots of numbers and underscores. That results in a fabulously difficult to remember password, and no human would ever guess that.

Here's an example of a "good" password: B_lon_it6g42

Good luck remembering that. But websites like this one give it a nearly 100% strength rating. Anyone using that website to decide what password to use is gonna pat themselves on the back and gleefully attach it to their high-security accounts without a second thought. No human would ever guess that. But we're not dealing with humans, and that is not that difficult to guess for a computer.

Basically, think of it this way: the hacker knows that there are X number of possible characters. If it's a normal website, that means lowercase a-z, uppercase A-Z, digits 0-9, and 32 standard special characters and symbols. So that's 94 standard characters. Let's assume the website requires the password be at least 5 characters long, so we start out with 94*94*94*94*94 or 94^5 possible combinations, since repetitions are allowed (in other words, aaaaa is a possible password). So right off the bat, we know we have 1,073,741,824 possible combinations. We might get lucky and stumble upon it within the first few hundred thousand attempts, but we might not be so lucky. But that's a relatively short time investment, less than ten minutes for the average home PC (the average home PC could generate more than 15 billion tries per hour).

But, of course, it can be longer than 5 characters. The example above is 12 characters! 12 characters would generate over 8 quadrillion combinations, which would take a single PC over 200,000 hours to crack. That's over 9,000 days. Pretty good, right? Even using a large distributed system of 100 computers, it would take over 2,000 hours or over 90 days to crack.

But let's look at a password that the password strength meter site I listed before classifies as "very weak": happybunniesinameadow

Based on the advice I hear all the time, that's an awful password. All lowercase, no numbers, no special characters or underscores. A hacker's dream, right?

Except it generates 518 octillion possible combinations, and would take around 628,317,588,992,946,000 days for a single computer to crack it. On a 100-computer distributed system, it would still take 6,283,175,889,929,458 days to crack, which is 17,214,180,520,354 years, give or take.

When brute forcing random combinations like this, it doesn't matter what it is, only what it could be. Now, if we know that it can only be lowercase letters a-z, we can reduce the time to calculate drastically. But we have to test every possible combination, which means every key space can be any one of 94 potential characters.

So in this case, the 'very weak' password is exponentially more secure against a brute-force attack than the 'very strong' password.

By the way, this is all assuming the server is using a standard hashing algorithm. More and more companies are moving towards very specialized hashing algorithms that take thousands of times longer to process the request; the difference in this is imperceptible to a human user, but would make the number of possible tries per hour plummet to the point where even the first example would take hundreds of years to crack by brute force.
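An added example (not from the original post) tying together the stored-hash behaviour described in the list above and the slow-hash point here. PBKDF2 from Python's standard library stands in for the unnamed "specialized" algorithm; the salt, the iteration count and the function names are assumptions, and the 15 billion tries per hour baseline is the post's own figure.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000          # assumed work factor, not a value from the post
BASE_TRIES_PER_HOUR = 15e9    # the post's figure for fast hashes on a home PC

def make_record(password, iterations=ITERATIONS):
    """What the server stores: a random salt and the derived hash, never the text."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}

def verify(record, submitted):
    """Hash whatever was typed with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", submitted.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])

def years_to_exhaust(alphabet_size, length, iterations=1):
    """Worst-case years to try every string of exactly `length` characters
    when each guess costs `iterations` fast hashes."""
    guesses = alphabet_size ** length
    hours = guesses * iterations / BASE_TRIES_PER_HOUR
    return hours / (24 * 365)

if __name__ == "__main__":
    record = make_record("fluffybunny")
    print("correct password accepted:", verify(record, "fluffybunny"))
    # Typing the stolen hash into the password field just gets it hashed again.
    print("stored hash accepted:     ", verify(record, record["hash"].hex()))

    # 12 characters drawn from 94 symbols vs 21 lowercase letters,
    # even if the attacker knows the second one is lowercase-only.
    for label, size, length in (("94 symbols, 12 chars", 94, 12),
                                ("26 letters, 21 chars", 26, 21)):
        fast = years_to_exhaust(size, length)
        slow = years_to_exhaust(size, length, ITERATIONS)
        print(f"{label}: {fast:.3g} years fast hash, {slow:.3g} years at "
              f"{ITERATIONS} iterations")
```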

The spreadsheet I used to get these figures can be found on this page. I was way too lazy to actually bust out my TI-89 and go to town on this.

At any rate, nobody's gonna sit around for 6 quadrillion days (or even 90 days) waiting to get their greedy little paws on your password, not when they can keylog it with <20 hours of work.

One piece of advice that I see that actually is very good is to use different passwords for different things. They can be easy for you to remember, for example:

Bank: happybunnieswithlotsofmoney
Email: happybunnieshavemail
World of Warcraft: happybunniesslayingdragons
Forums: happybunniesexpressopinions

All of which are even more secure than the original password. At any rate, they're all easier to remember and way cuter than 'B_lon_it6g42'.

Sincerely,
Your Friendly Neighborhood Disgruntled CS Major

P.S. relevant XKCD comic