
On Password Security and Cracking

Original post is here eklausmeier.goip.de/blog/2014/09-14-on-password-security-and-cracking.

Six months ago Bruce Schneier posted an article on "Choosing Secure Passwords". Some of the key points are (mostly copied verbatim from that post):

  1. The best way to explain how to choose a good password is to explain how they are broken.
  2. Password crackers do not brute force all 8 character combinations, but rather they brute force all 6 character passwords, then they check for common passwords.
  3. A typical password consists of a root plus an appendage. The root isn't necessarily a dictionary word, but it's usually something pronounceable. An appendage is either a suffix (90% of the time) or a prefix (10% of the time). One cracking program I saw started with a dictionary of about 1,000 common passwords.
  4. Crackers use different dictionaries: English words, names, foreign words, phonetic patterns and so on for roots; two digits, dates, single symbols and so on for appendages. They run the dictionaries with various capitalizations and common substitutions: "$" for "s", "@" for "a," "1" for "l" and so on. This guessing strategy quickly breaks about two-thirds of all passwords.
  5. Last year, Ars Technica gave three experts a 16,000-entry encrypted password file, and asked them to break as many as possible. The winner got 90% of them, the loser 62% -- in a few hours.
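The root-plus-appendage model in points 3 and 4 is just as useful from the defender's side: a password checker that undoes the listed substitutions, strips a suffix or prefix appendage and looks up the remaining root will reject exactly the passwords that this guessing strategy recovers first. The following is an added example, not code from the original post or from any cracking tool it mentions. The root list is a constructed stand-in for the ~1,000-entry dictionary the post refers to, and the "0" for "o" and "3" for "e" substitutions are assumptions that extend the three substitutions the post lists.

```python
"""Flag passwords that fit the root + appendage model described in the post."""
import re

# Constructed sample of common roots; a real check would load a large list.
COMMON_ROOTS = {
    "password", "letmein", "monkey", "dragon",
    "welcome", "qwerty", "football", "master",
}

# Substitutions from the post ("$" for "s", "@" for "a", "1" for "l"), undone
# to recover the root. "0" for "o" and "3" for "e" are assumed extensions.
UNSUBSTITUTE = str.maketrans({"$": "s", "@": "a", "1": "l", "0": "o", "3": "e"})

# Appendages the post names: two digits, dates (four digits) or a single symbol.
APPENDAGE = r"(?:\d{4}|\d{2}|[^A-Za-z0-9])"
SUFFIX_RE = re.compile(rf"^(?P<root>.+?)(?P<app>{APPENDAGE})$")
PREFIX_RE = re.compile(rf"^(?P<app>{APPENDAGE})(?P<root>.+)$")


def split_candidates(password):
    """Yield (root, appendage, position) splits: bare, suffix, then prefix."""
    yield password, "", None
    m = SUFFIX_RE.match(password)
    if m:
        yield m["root"], m["app"], "suffix"
    m = PREFIX_RE.match(password)
    if m:
        yield m["root"], m["app"], "prefix"


def normalise_root(root):
    """Lower-case and undo the common substitutions."""
    return root.lower().translate(UNSUBSTITUTE)


def classify(password):
    """Return a reason string if the password fits the model, else None.

    None means only that this particular strategy does not break it quickly,
    not that the password is strong.
    """
    for root, app, position in split_candidates(password):
        norm = normalise_root(root)
        if norm in COMMON_ROOTS:
            if position is None:
                return f"common root '{norm}'"
            return f"common root '{norm}' with {position} '{app}'"
    return None


if __name__ == "__main__":
    for pw in ["Dragon99", "!Monkey", "letmein2014", "P@$$w0rd", "correcthorsebattery"]:
        print(f"{pw!r:24} -> {classify(pw)}")
```

The suffix pattern is tried before the prefix pattern because the post gives suffixes a 90% share; the lazy `.+?` in the suffix pattern keeps the root as short as possible so that `letmein2014` splits as root plus a four-digit date rather than leaving two digits on the root.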

Bruce Schneier cites the following:

  1. Ars Technica article: Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331”
  2. hashcat: advanced password recovery

To give an idea of the performance of brute-force attacks on all 6-character passwords, assume an alphabet of the 26 lowercase letters plus 10 digits. There are $36^6 = 2,176,782,336 \approx 2\cdot 10^9$ combinations. Use a program like the Very simple SHA1 test program written in C and wrap a loop around it. With this I can test all SHA1 hashes in less than 45 seconds using 8 cores; see this post for my CPU description.
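The useful check behind this paragraph is the extrapolation: the size of the key space divided by the hashing rate gives the worst-case time to exhaust it, and the 45 seconds quoted above pin that rate for SHA1 on the author's 8 cores. The following is an added example, not the author's C program; it computes key-space sizes for the post's 36-symbol alphabet and, as an assumed extension, for a 62-symbol alphabet (upper and lower case plus digits) and longer lengths, and measures a single-threaded `hashlib` SHA1 rate locally for comparison.

```python
"""Key-space size and worst-case brute-force time at a given hash rate."""
import hashlib
import itertools
import string
import time


def keyspace_size(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` symbols."""
    return alphabet_size ** length


def seconds_to_exhaust(space: int, hashes_per_second: float) -> float:
    """Worst-case time to hash every candidate in the space."""
    return space / hashes_per_second


def measure_sha1_rate(alphabet: str, length: int, sample: int = 200_000) -> float:
    """Hash the first `sample` candidates of the space and return hashes/second.

    Single-threaded pure-Python loop; it only illustrates the method, a C loop
    across all cores (as in the post) is far faster.
    """
    t0 = time.perf_counter()
    n = 0
    for combo in itertools.islice(itertools.product(alphabet, repeat=length), sample):
        hashlib.sha1("".join(combo).encode()).digest()
        n += 1
    return n / (time.perf_counter() - t0)


def format_duration(seconds: float) -> str:
    """Human-readable duration for the estimate table."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("min", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} s"


# Rate implied by the post: all 36^6 SHA1 hashes in 45 s on 8 cores.
POST_RATE = keyspace_size(36, 6) / 45


if __name__ == "__main__":
    alphabet = string.ascii_lowercase + string.digits  # the post's 36 symbols
    print(f"36^6 = {keyspace_size(36, 6):,} candidates")
    print(f"rate implied by the post: {POST_RATE:,.0f} SHA1/s")
    print(f"local single-threaded hashlib rate: {measure_sha1_rate(alphabet, 6):,.0f} SHA1/s")
    print("\nworst-case time at the post's rate:")
    # 62 symbols (upper + lower + digits) is an assumed extension of the post.
    for alphabet_size in (36, 62):
        for length in (6, 8, 10):
            space = keyspace_size(alphabet_size, length)
            print(f"  {alphabet_size:2d}^{length:<2d} = {space:>24,}  "
                  f"{format_duration(seconds_to_exhaust(space, POST_RATE))}")
```

Two more characters over the same 36-symbol alphabet multiply the space by $36^2 = 1296$, so the 45 seconds for length 6 become roughly 16 hours for length 8 at the same rate; the measured local rate shows how much a naive interpreted loop undercounts what an attacker with compiled, multi-core code achieves.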