Tuesday, January 13, 2009

On Hacking and Passwords

Hello dudes and dudettes,

The past week wasn't really great, and I've got another big-time test coming up next week, so this might be one of the times I seldom come online. Here is a little blog about passwords and security. Well, I've collected much of this information from another source, a site..you can google later and find that out!
Security companies and IT people constantly tells us that we should use complex and difficult passwords. This is bad advice, because you can actually make usable, easy to remember and highly secure passwords. In fact, usable passwords are often far better than complex ones.

So let's dive into the world of passwords, and look at what makes a password secure in practical terms.

How to hack a password

The work involved in hacking passwords is very simple. There are 5 proven ways to do so:
  • Asking: Amazingly the most common way to gain access to someone's password is simply to ask for it (often in relation with something else). People often tell their passwords to colleagues, friends and family. Having a complex password policy isn't going to change this.
  • Guessing: This is the second most common method to access a person's account. It turns out that most people choose a password that is easy to remember, and the easiest ones are those that are related to you as a person. Passwords like: your last name, your wife's name, the name of your cat, the date of birth, your favorite flower etc. are all pretty common. This problem can only be solved by choosing a password with no relation to you as a person.
  • Brute force attack: Very simple to do. A hacker simply attempts to sign-in using different passwords one at the time. If you password is "sun", he will attempt to sign-in using "aaa, aab, aac, aad ... sul, sum, sun (MATCH)". The only thing that stops a brute force attack is higher complexity and longer passwords (which is why IT people want you to use just that).
  • Common word attacks: A simple form of brute-force attacks, where the hacker attempt to sign-in using a list of common words. Instead of trying different combination of letters, the hacker tries different words e.g. "sum, summer, summit, sump, sun (MATCH)".
  • Dictionary attacks: Same concept as common word attacks - the only difference is that the hacker now uses the full dictionary of words (there are about 500,000 words in the English language).
When is a password secure?

You cannot protect against "asking" and "guessing", but you can protect yourself from the other forms of attacks. A hacker will usually create an automated script or a program that does the work for him. He isn't going to sit around manually trying 500,000 different words to see if one of them is your password.

The measure of security must then be "how many password requests can the automated program make - e.g. per second". The actual number varies, but most web applications would not be capable of handling more than 100 sign-in requests per second.

This means it takes the following time to hack a simple password like "sun":

Brute-force: 3 minutes
Common Word: 3 minutes
Dictionary: 1 hour 20 minutes

Note: "sun" has 17,576 possible character combinations. 3 letters using the lowercase alphabet = 26^3

This is of course a highly insecure password, but how much time is enough for a password to be secure?
  • a password that can be hacked in 1 minute is far too riksy
  • 10 minutes - still far too risky
  • 1 hour - still not good enough
  • 1 day - now we are getting somewhere. The probability that a person will have a program running just to hack your account for an entire day is very little. Still, it is plausible.
  • 1 month - this is something that only a dedicated attacker would do.
  • 1 year - now we are moving from practical risk to theoretical risk. If you are NASA or CIA then it is unacceptable. For the rest of us, well - you do not have that kind of enemies, nor is your company data that interesting.
  • 10 years - Now we are talking purely theoretical.
  • A lifetime: 100 years - this is really the limit for most people. Who cares about their password being hacked after they have died? Still it is nice to know that you use a password that is "secure for life"
But let's take a full swing at this. Let's look at "100 year - secure for life". It has good ring to it and it makes us feel safe. There is still the chance that the hacker gets lucky. That he accidently finds the right password after only 15 years instead of 100. It happens.

Let's step that up too and go for the full high-end security level. I want a password that takes 1,000 years to crack- let's call this "secure forever". That ought to be good enough, right?

Making Usable and Secure passwords

Now that we have covered the basics, let's look at some real examples, and see just how usable we can make a password, while still being "secure forever".

Note: The examples below are based on 100 password request per second. The result is the approach that is the most effective way to hack that specific password - either being by the use of brute-force, common words or dictionary attacks.

First let's look at the common 6 character password - using different methods:



In this example complexity clearly wins. Using a password with mixed case characters, numbers and symbols is far more secure than anything else. Using a simple word as your password is clearly useless.

Does that mean that the IT-departments and security companies is right? Nope, it just means that a 6 character password isn't going to work. None can remember a password like "J4fS<2",>

To make usable passwords we need to look at them differently. First of all what you need is to use words you can remember, something simple and something you can type fast.

Like these:



Using more than one simple word as your password increases you security substantially (from 3 minutes to 2 months). But, by simply using 3 words instead of two, you suddenly got an extremely secure password.

It takes:

1,163,859 years using a brute-force method
2,537 years using a common word attack
39,637,240 years using a dictionary attack

It is 10 times more secure to use "this is fun" as your password, than "J4fS<2".

If you want to be insanely secure; simply choose uncommon words as your password - like:



A usable and secure password is then not a complex one. It is one that you can remember - a simple password using 3+ words.

It is not just about passwords

One thing is to choose a secure and usable password. Another thing is to prevent the hacker from hacking password in the first place.  This is a very simple thing to do.

All you need to do is to prevent automatic hacking scripts from working effectively. What you need to do is this:

Add a time-delay between sign-in attempts. Instead of allowing people to sign-in again and again and again. Add a 5 second delay between each attempt. It is short enough to not be noticeable (it takes longer than 5 seconds to realize that you have tried a wrong password, and to type in a new one). And, it forces the hacker to only be able make sign-in requests 1 every 5 seconds (instead of 100 times per second).
Add a penalty period if a person has typed a wrong password more than - say - 10 times - of something like 1 hour. Again, this seriously disrupts the hacking script from working effectively.
A hacker can hack the password "alpine fun" in only 2 months if he is able to attack your server 100 times per second. But, with the penalty period and the 5 second delay, the same password can suddenly sustain an attack for 1,889 years.



Remember this the next time you are making web applications or discussing password policies. Passwords can be made both highly secure and user-friendly.

Alright then, It's time for me to go.
Keep your comments pouting in.

Cya,
Templar AKA Sumanth

17 comments:

Klaus said...

Hey,

That was an exceptionally interesting and enlightening blog. It made me understand a lot about password security and thanks for that. ;)

Keep up the good blogging

Sumanth said...

@Klaus - Oh, well!
The thing is that, we ought to start using the ephithet 'pass-phrase' rather than password...but it could give away some security...but it does make sense!

Insomniac said...

Hey!

Really nice article Sumanth. Rare piece of info for most of em ;).
BTW, Putting a space in ur password makes it real tough. I agree.

At the same time, there are brute-force techniques using ASCII characters. Space has an ASCII value of 32 or something(not sure). But yes! using the "hiphen" makes it practically impossible to crack a password. Informative stuff dude!

Keep up the good work.

Sumanth said...

@insomniac - yeah, ASCII value of space is 32. A better idea would be using spl characters, as 'hiphen', one you mentioned. Other useful ones are < or >...good one would be to write a quote or something. I know a friend who writes his fav line from a book as his password. Now, its not easy to crack, and not easy to forget either....its one's favourite :-)

Sumanth said...

Here, you two above, and also those further commenting, don't thank me, for Its not my hardwork on this topic. Its merely a comilation of people from others, a major source is another online blogger Mr.Thomas. I appologize in case this deed has offended him, but this was just a way to pass on the information, and nothing on the grounds of personal credit.

Ragav said...

hii.. great blog yaar. check out mine at..
http://ragav-world.blogspot.com/

Reeteshifier said...

That was one thorough post!

But I guess, the biggest danger for online place's password is social engg..

My mom's account was possibly taken that way.. and stupid yahoo people, arent getting social engg'ed when I try to do it to get my passowrd back :|

Sumanth said...

@ Reetesh - Oh, dude that's sad.

Yeah, social engg is indeed annoying. Anyway, I never really fancied yahoo much because of its somehwat messy homepage. Google has been my all time favorite, and I believe it will be in future too :-)

Reeteshifier said...

The thing is that the yahoo account is older than Gmail service :P It had many important things coming to it too :(

Well.. my mom got really used to the Yahoo interface, so created another account there.. teaching her everything in Gmail.. most of the things whose advantages are not exactly necessary for mom would be a waste of time :P

Sumanth said...

@reetesh - true, Google has a lot of geeky stuff like API converter...and other techinical products which are hardly useful to common people. It's for guys like us ;)

Yahoo is more like a commercial and first place, already indianized website that caters to most of the indian needs in an interface we would easily comprehend, this development will take sometime with google.

StandfordDude236 said...

dude>>wats the link of the page of the page from wer u got the info?

Sumanth said...

its not just one link..
I'll give it to you..ll comment it for one of your posts in your blog...

Reeteshifier said...

Now now, why post the links elsewhere? Its only ethical and right to post the links that you referred to while writing a post at the end of the post.

I mean.. edit your post and insert those links at the end, so that all your readers can appreciate both yours and the source's work :)

technext said...

i like this post., keep it up dude.

Sumanth said...

@reetesh - probably you're right, I'll do that. The thing is that I need to sit and look through my history tab. Just as you said, my big main prob is *procastination* :P

@technext - thanks:)

bharath said...

saftey abt password is awsome man good piece of info u bought in fr us!!... but.... tell us the real technique fr hackin da!!!!..

Sumanth said...

@bharath - well, now, hacking is not a piece of cake...Im not much of a hacker...but this piece of information can give you an idea of how a user would think before setting his/her password. So hacking or not hacking, this is indeed important. As far as hacking is concerned, it has many levels, and different criteria...and importantly, it can land you in danger...so beware.