What is a password
A password is a secret word or string of characters that is used for authentication, to prove identity or gain access to a resource (example: an access code is a type of password). The password should be kept secret from those not allowed access.
How passwords are stored
Some computer systems store user passwords as cleartext, against which to compare user log on attempts. If an attacker gains access to such an internal password store, all passwords—and so all user accounts—will be compromised. If some users employ the same password for accounts on different systems, those will be compromised as well.
More secure systems store each password in a cryptographically protected form, so access to the actual password will still be difficult for a snooper who gains internal access to the system.
A common approach stores only a “hashed” form of the plaintext password. When a user types in a password on such a system, the password handling software runs through a cryptographic hash algorithm, and if the hash value generated from the user’s entry matches the hash stored in the password database, the user is permitted access. The hash value is created by applying a hash function (for maximum resistance to attack this should be a cryptographic hash function) to a string consisting of the submitted password and, usually, another value known as a salt. The salt prevents attackers from easily building a list of hash values for common passwords. MD5 and SHA1 are frequently used cryptographic hash functions.
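As an added illustration of the hashed-and-salted storage just described (example code written for this page, not from the original post), the following Python keeps only a salt and a salted hash per account and checks a login attempt by re-hashing. It assumes SHA-256 for the salted hash in place of the MD5/SHA1 the text names, and an in-memory dictionary stands in for the password database.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed in-memory password store: username -> (salt, salted hash).
# Stands in for the "password database" the text describes.
PASSWORD_DB: Dict[str, Tuple[bytes, bytes]] = {}


def unsalted_hash(password: str) -> bytes:
    """Hash of the bare password (SHA1, one of the functions the text names).
    Every account using the same password gets the same value, so one
    precomputed list of hashes for common passwords cracks all of them."""
    return hashlib.sha1(password.encode("utf-8")).digest()


def salted_hash(password: str, salt: bytes) -> bytes:
    """Hash of password || salt. SHA-256 is an assumed choice here; the
    salting logic is the same whichever hash function is used."""
    return hashlib.sha256(password.encode("utf-8") + salt).digest()


def register(username: str, password: str, salt: Optional[bytes] = None) -> None:
    """Store the salt and the salted hash only; the cleartext is never kept."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every account
    PASSWORD_DB[username] = (salt, salted_hash(password, salt))


def verify(username: str, attempt: str) -> bool:
    """Re-hash the submitted password with the stored salt and compare it
    with the stored hash; the original password is never reconstructed."""
    record = PASSWORD_DB.get(username)
    if record is None:
        return False
    salt, stored = record
    # constant-time comparison: timing must not reveal how much matched
    return hmac.compare_digest(salted_hash(attempt, salt), stored)


def stored_hashes_differ(user_a: str, user_b: str) -> bool:
    """True when two accounts hold different hashes, which the per-account
    salt guarantees even if both users chose the same password."""
    return PASSWORD_DB[user_a][1] != PASSWORD_DB[user_b][1]
```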
Common password cracking methods
Weak encryption
If a system uses a poorly designed password hashing scheme to protect stored passwords, an attacker can exploit any weaknesses to recover even ‘well-chosen’ passwords. One example is the LM hash that Microsoft Windows XP and previous versions use by default to store user passwords of less than 15 characters in length. LM hash converts the password into all uppercase letters, then breaks the password into two 7-character fields which are hashed separately—which allows each half to be attacked individually.
Guessing
Passwords can sometimes be guessed by humans with knowledge of the user’s personal information. Examples of guessable passwords include:
- blank (none)
- the words “password”, “passcode”, “admin” and their derivatives
- a row of letters from the qwerty keyboard (qwerty itself, asdf, or qwertyuiop)
- the user’s name or login name
- the name of a significant other, a friend, relative or pet
- their birthplace or date of birth, or a friend’s, or a relative’s
- their automobile license plate number, or a friend’s, or a relative’s
- their office number, residence number or, most commonly, their mobile number
- a name of a celebrity they like
- a simple modification of one of the preceding, such as suffixing a digit, particularly 1, or reversing the order of the letters.
- a swear word
Dictionary attacks
Users often choose weak passwords. Examples of insecure choices include the above list, plus single words found in dictionaries, given and family names, any too-short password (usually thought to be 6 or 7 characters or less), or any password meeting a too restrictive, and so predictable, pattern (e.g. alternating vowels and consonants). Repeated research over some 40 years has demonstrated that around 40% of user-chosen passwords are readily guessable by sophisticated cracking programs armed with dictionaries and, perhaps, the user’s personal information.
In one survey of MySpace passwords obtained by phishing, 3.8 percent of those passwords were a single word findable in a dictionary, and another 12 percent were a word plus a final digit; two-thirds of the time that digit was 1.
Brute force attack
A last resort is to try every possible password, known as a brute force attack. In theory, if there is no limit to the number of attempts, a brute force attack will always be successful since the rules for acceptable passwords must be publicly known; but as the length of the password increases, so does the number of possible passwords.
A common password length recommendation is eight or more randomly chosen characters combining letters, numbers, and special characters (punctuation, etc). This recommendation makes sense for systems using stronger password hashing mechanisms such as md5-crypt.
Password Recovery Speeds
How long will your password stand up
This document shows the approximate amount of time required for a computer or a cluster of computers to guess various passwords. The figures shown are approximate and are the maximum time required to guess each password using a simple brute force “key-search” attack; it may (and probably will) be possible to guess correctly without trying all the combinations shown, using other methods of attack or by having a “lucky guess”.
See the bottom of the page for details about the classes of attack.
10 Characters
Just numbers. As you can see, choosing a password from such a small range of characters is a bad idea.
Numerals: 0123456789

| Password Length | Combinations | Class A | Class B | Class C | Class D | Class E | Class F |
|---|---|---|---|---|---|---|---|
| 2 | 100 | Instant | Instant | Instant | Instant | Instant | Instant |
| 3 | 1000 | Instant | Instant | Instant | Instant | Instant | Instant |
| 4 | 10,000 | Instant | Instant | Instant | Instant | Instant | Instant |
| 5 | 100,000 | 10 Secs | Instant | Instant | Instant | Instant | Instant |
| 6 | 1 Million | 1½ Mins | 10 Seconds | Instant | Instant | Instant | Instant |
| 7 | 10 Million | 17 Mins | 1½ Mins | 1½ Mins | Instant | Instant | Instant |
| 8 | 100 Million | 2¾ Hours | 17 Mins | 1½ Mins | 10 Seconds | Instant | Instant |
| 9 | 1000 Million | 28 Hours | 2¾ Hours | 17 Mins | 1½ Mins | 10 Seconds | Instant |
26 Characters
The full alphabet, either upper or lower case (not both in this case).
Upper Case Alpha: A to Z
Lower Case Alpha: a to z

| Password Length | Combinations | Class A | Class B | Class C | Class D | Class E | Class F |
|---|---|---|---|---|---|---|---|
| 2 | 676 | Instant | Instant | Instant | Instant | Instant | Instant |
| 3 | 17,576 | < 2 Secs | Instant | Instant | Instant | Instant | Instant |
| 4 | 456,976 | 46 Secs | 5 Secs | Instant | Instant | Instant | Instant |
| 5 | 11.8 Million | 20 Mins | 2 Mins | 12 Secs | Instant | Instant | Instant |
| 6 | 308.9 Million | 8½ Hours | 51½ Mins | 5 Mins | 30 Secs | 3 Secs | Instant |
| 7 | 8 Billion | 9 Days | 22 Hours | 2¼ Hours | 13 Mins | 1¼ Mins | 8 Secs |
| 8 | 200 Billion | 242 Days | 24 Days | 2½ Days | 348 Mins | 35 Mins | 3½ Mins |
| 9 | 5.4 Trillion | 17 Years | 21 Months | 63 Days | 6¼ Days | 15 Hours | 1½ Hours |
| 10 | 141 Trillion | 447 Years | 45 Years | 4½ Years | 163 Days | 16 Days | 39¼ Hours |
| 12 | 95 Quadrillion | 302,603 Years | 30,260 Years | 3,026 Years | 302 Years | 30 Years | 3 Years |
| 15 | 1.6 Sextillion | 53 Trillion years | 532 Million years | 53 Million years | 5 Million years | 531,855 Years | 53,185 Years |
| 20 | 19.9 Octillion | 63 Quadrillion years | 6.3 Quadrillion years | 631 Trillion years | 63.1 Trillion years | 6.3 Trillion years | 631 Billion years |
36 Characters
The full alphabet, either upper or lower case (not both in this case) plus numbers.
Upper Case Alpha: A to Z
Lower Case Alpha: a to z
Numerals: 0 to 9

| Password Length | Combinations | Class A | Class B | Class C | Class D | Class E | Class F |
|---|---|---|---|---|---|---|---|
| 2 | 1,296 | Instant | Instant | Instant | Instant | Instant | Instant |
| 3 | 46,656 | 4 Secs | Instant | Instant | Instant | Instant | Instant |
| 4 | 1.6 million | 2½ Mins | 16 Seconds | 1½ Seconds | Instant | Instant | Instant |
| 5 | 60.4 million | 1½ Hours | 10 Mins | 1 Min | Instant | Instant | Instant |
52 Characters
This time we’re trying the full alphabet but using a mixture of upper and lower case letters, which effectively doubles the number of characters to choose from at each position compared with just using a single case.
Mixed Alpha: e.g. AaBb

| Password Length | Combinations | Class A | Class B | Class C | Class D | Class E | Class F |
|---|---|---|---|---|---|---|---|
| 2 | 2,704 | Instant | Instant | Instant | Instant | Instant | Instant |
| 3 | 140,608 | 14 Secs | < 2 Secs | Instant | Instant | Instant | Instant |
| 4 | 7.3 Million | 12½ Mins | 1¼ Mins | 8 Secs | Instant | Instant | Instant |
| 5 | 380 Million | 10½ Hours | 1 Hour | 6 Minutes | 38 Secs | 4 Secs | Instant |
| 6 | 19 Billion | 23 Days | 2¼ Days | 5½ Hours | 33 Mins | 3¼ Mins | 19 Secs |
| 7 | 1 Trillion | 3¼ Years | 119 Days | 12 Days | 28½ Hours | 3 Hours | 17 Mins |
| 8 | 53 Trillion | 169½ Years | 17 Years | 1½ Years | 62 Days | 6 Days | 15 Hours |
| 9 | 2.7 Quadrillion | 8,815 Years | 881 Years | 88 Years | 9 Years | 322 Days | 32 Days |
6 | 19 Billion | 23 Days | 2¼ Days | 5½ Hours | 33 Mins | 3¼ Mins | 19 Secs |
7 | 1 Trillion | 3¼ Years | 119 Days | 12 Days | 28½ Hours | 3 Hours | 17 Mins |
8 | 53 Trillion | 169½ Years | 17 Years | 1½ Years | 62 Days | 6 Days | 15 Hours |
9 | 2.7 Quadrillion | 8,815 Years | 881 Years | 88 Years | 9 Years | 322 Days | 32 Days |
62 Characters
Mixed upper and lower case alphabetic characters plus numbers.
Mixed Alpha and Numerals: 0 to 9, A to Z, a to z

| Password Length | Combinations | Class A | Class B | Class C | Class D | Class E | Class F |
|---|---|---|---|---|---|---|---|
| 2 | 3,844 | Instant | Instant | Instant | Instant | Instant | Instant |
| 3 | 238,328 | 23 Secs | < 3 Secs | Instant | Instant | Instant | Instant |
| 4 | 15 Million | 24½ Mins | 2½ Mins | 15 Secs | < 2 Secs | Instant | Instant |
| 5 | 916 Million | 1 Day | 2½ Hours | 15¼ Mins | 1½ Mins | 9 Secs | Instant |
| 6 | 57 Billion | 66 Days | 6½ Days | 16 Hours | 1½ Hours | 9½ Mins | 56 Secs |
| 7 | 3.5 Trillion | 11 Years | 1 Year | 41 Days | 4 Days | 10 Hours | 58 Mins |
| 8 | 218 Trillion | 692 Years | 69¼ Years | 7 Years | 253 Days | 25¼ Days | 60½ Hours |
86 Characters
Mixed upper and lower case alphabet and common symbols.
Mixed Alpha & Symbols: A to Z, a to z, special characters

| Password Length | Combinations | Class A | Class B | Class C | Class D | Class E | Class F |
|---|---|---|---|---|---|---|---|
| 2 | 7,396 | Instant | Instant | Instant | Instant | Instant | Instant |
| 8 | 2.9 Quadrillion | 9,488 Years | 948 Years | 94 Years | 57 Years | 346 Days | 34 Days |
96 Characters
Mixed upper and lower case alphabet plus numbers and common symbols.
Mixed Alpha, Numerals & Symbols: 0 to 9, A to Z, a to z, all special characters

| Password Length | Combinations | Class A | Class B | Class C | Class D | Class E | Class F |
|---|---|---|---|---|---|---|---|
| 2 | 9,216 | Instant | Instant | Instant | Instant | Instant | Instant |
| 3 | 884,736 | 88½ Secs | 9 Secs | Instant | Instant | Instant | Instant |
| 4 | 85 Million | 2¼ Hours | 14 Mins | 1½ Mins | 8½ Secs | Instant | Instant |
| 5 | 8 Billion | 9½ Days | 22½ Hours | 2¼ Hours | 13½ Mins | 1¼ Mins | 8 Secs |
| 6 | 782 Billion | 2½ Years | 90 Days | 9 Days | 22 Hours | 2 Hours | 13 Mins |
| 7 | 75 Trillion | 238 Years | 24 Years | 2½ Years | 87 Days | 8½ Days | 20 Hours |
| 8 | 7.2 Quadrillion | 22,875 Years | 2,287 Years | 229 Years | 23 Years | 2¼ Years | 83½ Days |
Examples
These are just a couple of examples to show the resilience of certain types of password; using the information in the tables above, you will be able to make your own examples.
Sample Passwords

| Pwd | Combinations | Class A | Class B | Class C | Class D | Class E | Class F |
|---|---|---|---|---|---|---|---|
| darren | 308.9 Million | 8½ Hours | 51½ Mins | 5 Mins | 30 Secs | 3 Secs | Instant |
| Land3rz | 3.5 Trillion | 11 Years | 1 Year | 41 Days | 4 Days | 10 Hours | 58 Mins |
| B33r&Mug | 7.2 Quadrillion | 22,875 Years | 2,287 Years | 229 Years | 23 Years | 2¼ Years | 83½ Days |
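Added example (written for this page, not code from the original post) that reproduces the arithmetic behind the tables and the sample-password rows above, and also models the LM hash weakness described under “Weak encryption”. The attack speeds and character-class sizes are the page’s own; the assumptions are that `charset_size` maps a password to the smallest of those classes containing all its characters, and that `lm_hash_work` models only the 14-character limit and 7-character split the text describes.

```python
# Attack classes from the page (passwords tried per second).
ATTACK_CLASSES = {"A": 10_000, "B": 100_000, "C": 1_000_000,
                  "D": 10_000_000, "E": 100_000_000, "F": 1_000_000_000}
SECONDS_PER = (("Years", 365 * 86400), ("Days", 86400),
               ("Hours", 3600), ("Mins", 60))

def charset_size(password: str) -> int:
    """Smallest class in the page's tables (10, 26, 36, 52, 62, 86 or 96
    characters) that contains every character of the password (assumed rule)."""
    digit = any(c.isdigit() for c in password)
    lower = any(c.islower() for c in password)
    upper = any(c.isupper() for c in password)
    symbol = any(not c.isalnum() for c in password)
    if symbol:                 # the page has no single-case + symbols class
        return 96 if digit else 86
    if lower and upper:
        return 62 if digit else 52
    if lower or upper:
        return 36 if digit else 26
    return 10

def combinations(password: str) -> int:
    """Key space a brute-force search must cover in the worst case."""
    return charset_size(password) ** len(password)

def seconds_to_crack(password: str, attack_class: str) -> float:
    """Worst-case time to try every combination at the class's speed."""
    return combinations(password) / ATTACK_CLASSES[attack_class]

def human(seconds: float) -> str:
    """Round into the units the tables use; a second or less is 'Instant'."""
    if seconds <= 1:
        return "Instant"
    for unit, size in SECONDS_PER:
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.0f} Secs"

def table_row(password: str) -> dict:
    """One row of the sample-password table: class letter -> time to crack."""
    return {cls: human(seconds_to_crack(password, cls)) for cls in ATTACK_CLASSES}

def lm_hash_work(password: str) -> int:
    """Worst-case guesses against an LM hash: at most 14 characters, split into
    two 7-character halves attacked independently, so the work is a sum of
    two small searches rather than one search over the whole password."""
    halves = (password[:7], password[7:14])
    n = charset_size(password)  # same class as above; LM's upper-casing shrinks it further
    return sum(n ** len(h) for h in halves if h)
```

For the page’s three sample passwords this reproduces 308.9 million, 3.5 trillion and 7.2 quadrillion combinations and the “Instant”, “58 Mins” and “83½ Days” class F timings, while `lm_hash_work("B33r&Mug")` is roughly 96 times smaller than the full search.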
Classes of Attack
These are just some example speeds; I’d be interested to hear from people with more information about the speed taken to crack various types of passwords with various hardware.
A. 10,000 Passwords/sec
Typical for recovery of Microsoft Office passwords on a Pentium 100
B. 100,000 Passwords/sec
Typical for recovery of Windows Password Cache (.PWL Files) passwords on a Pentium 100
C. 1,000,000 Passwords/sec
Typical for recovery of ZIP or ARJ passwords on a Pentium 100
D. 10,000,000 Passwords/sec
Fast PC, Dual Processor PC.
E. 100,000,000 Passwords/sec
Workstation, or multiple PC’s working together.
F. 1,000,000,000 Passwords/sec
Typical for medium to large scale distributed computing, Supercomputers.
Distributed.net’s Project Bovine RC5-64, possibly the fastest computer on earth, has recently reached a speed of 76.1 Billion passwords per second!