FastWords and Password Strength

After seeing a great xkcd cartoon on password strengths and the how usable the password is for the user to remember and recall, I thought I’d look more into the idea of FastWords.

Generating a Password

Given the opportunity, I’ve always tried to help people generate stronger passwords from a sentence or quote they might remember and use capital letters, common substitutions and symbols for punctuation. Everybody should come up with an algorithm they are happy with and can use to generate new passwords easily. I have about five passwords at any one time, that I change regularly and I sometimes have to remember if I have forgotten to update an account somewhere.

To generate a password, I suggest that people take a phrase ‘This is one small step for man, one giant leap for mankind’, and use the first letter of each word and captialise where and when it makes sense; Tiossfmoglfm
Use common substitution to swap simple words to numbers, e.g one(once) =1, to(gether)=2, the=3, for(got) =4; Ti1ss4m1gl4m
Including symbols becomes tricky, unless you are happy with your own rule and stick to it. Only when you are confident in generating common substitution passwords (and recalling them) should you move on to including symbols. Common rules could include substituting a symbol for a space. You could use ‘_‘ or ‘|‘ for every space or work your way across the symbols on your keyboard for each space; 1! 2″ 3£ 4$ 5% 6^ 7& 8* 9( 0). This would make the final common substitution for the phrase; T!i”1£s$s%4^m&1*g(l)4!m

All I have to remember is the phrase ‘This is one small step for man, one giant leap for mankind’, substitute numbers where I can and insert symbols in sequence as I try and type it in (trying not to make a mistake). Using T!i”1£s$s%4^m&1*g(l)4!m as my password I can use GRC’s Interactive Brute Force Password “Search Space” Calculator to work out how long it would take a brute force attack to crack it;

Time Required to Exhaustively Search this Password’s Space:

That’s strong! At first glance most will find it hard to understand that ‘correct battery horse staple‘ could be a stronger password. Against a brute force attack that has to cycle through the same space the extra five characters would clearly make it stronger due to length.

Using  GRC’s Interactive Brute Force Password “Search Space” Calculator again for the xkcd password ‘correct battery horse staple‘;

Comparing the two passwords during an online attack scenario;

T!i”1£s$s%4^m&1*g(l)4!m takes 9.88 hundred million trillion trillion centuries

correct battery horse staple takes 12.41 trillion trillion trillion centuries

Imperva notes that even though hacking techniques have become better, users of today are no wiser than those 20 years ago. The company’s report says that a study of Unix password security in 1990 and hacked Hotmail passwords from 10 years ago showed little change. Read the full report from Imperva here.

Security systems now regularly ask users to generate new passwords, every 3-6 months that are at least 8-9 characters long and contain upper and lowercase letters and contain at least one number. For techies, this isn’t much trouble, but for the average user this is a demanding task. Fastwords will improve the security of user accounts and the usability of the system.

FastWords

How to hack a password

The work involved in hacking passwords is very simple. There are 5 proven ways to do so:

Asking: Amazingly the most common way to gain access to someone’s password is simply to ask for it (often in relation with something else). People often tell their passwords to colleagues, friends and family. Having a complex password policy isn’t going to change this.
Guessing: This is the second most common method to access a person’s account. It turns out that most people choose a password that is easy to remember, and the easiest ones are those that are related to you as a person. Passwords like: your last name, your wife’s name, the name of your cat, the date of birth, your favorite flower etc. are all pretty common. This problem can only be solved by choosing a password with no relation to you as a person.
Brute force attack: Very simple to do. A hacker simply attempts to sign-in using different passwords one at the time. If you password is “sun”, he will attempt to sign-in using “aaa, aab, aac, aad … sul, sum, sun (MATCH)”. The only thing that stops a brute force attack is higher complexity and longer passwords (which is why IT people want you to use just that).
Common word attacks: A simple form of brute-force attacks, where the hacker attempt to sign-in using a list of common words. Instead of trying different combination of letters, the hacker tries different words e.g. “sum, summer, summit, sump, sun (MATCH)”.
Dictionary attacks: Same concept as common word attacks – the only difference is that the hacker now uses the full dictionary of words (there are about 500,000 words in the English language)

By: admin

0 Comments

Monday, 12th 12 Dec 2011

Filed under Technology