## Fatal Flawed Assumptions

Tuesday, October 13, 2009 4:31:00 AM

### Passwords can be stored safely

Passwords are far easier to find if they are stored somewhere. Let’s say a thief is in a room with hundreds of safes, each marked with what it contains. One of the safes says “All safe combinations”. Even if this is the hardest safe in the room to crack, it’s going to be the target. Storing all the passwords in one location leaves a user at a much higher chance of losing everything in one go. This practice also opens the door to the “oops” factor. For instance, assume that a user stores all on-line passwords in some type of browser or browser add-in that automatically enters login details. All the user has to do is step away from their computer without locking it for someone (anyone) to quickly jump on and do what they want (change passwords to something they know, move money around, etc.).

### All combinations must be tested in order to find a valid password

This is not the case, and should be obvious if you think about the problem. If you have lost your keys, how long does it take for you to find them? You start thinking of locations you might find the key and only search those locations until you find the key. There are likely to be many places you don’t bother looking because you already found the keys. The same is true for passwords.

How many passwords do you need to test to find a valid password? Only as many as it takes to find the password.

Assuming that the password has been generated randomly, we enter the realm of probability and statistics. On average, a hacker only has to test HALF the password combinations. However, 25% of the time the hacker finds the password in the first 25% of passwords tested. 1 in every 100 attacks will find the password in the first 1% of passwords tested. This logic continues so that, just like the lotto, there is a chance that the hacker will locate the password on the VERY FIRST TRY. Also just like the lotto, it wouldn’t happen often, but it can happen.

This fact makes it quite scary to put faith in those large numbers of combinations. I like to assume that the password will be found in the first 0.1% for company data (this assumes that 1 in every 1000 attacks finds the password in the first 1% of passwords tested), but this could be increased or decreased depending on how valuable the data is.

### Randomly Generated Passwords are always stronger

Since brute force attacks normally start at one value and proceed through all combinations in order, the random nature of password generation can lead to a weaker password. 50% of randomly generated passwords will be closer to the beginning of a “brute force” attack check. 10% of passwords will be in the first 10% of passwords to be checked. So for an organisation with 10,000 passwords, all generated randomly, it’s likely that at least 1 will be in the first 0.01% of passwords to be checked. But random is as random does, so even one password generated by a random password generator COULD be the very first password to be checked by brute force means. The likelihood of this is low, but it is still possible. Therefore randomly generated passwords CAN be stronger, but they can also be weaker.

The best way to counter this is to increase the total number of combinations the password COULD be to a level where even a password located in the first 0.01% of passwords tested would still take a tremendous amount of time to reach.

### Hackers Test Possible Password Combinations in a specific order

The brute force method is most easily done by iterating through combinations in order, much like an odometer scrolling through the distance in a car. By 999,999 the car’s odometer has at one time or another shown every combination of values between 0 and 999,999 (but it takes a while to get through all of them). Unlike a car, several computers can be used, each one testing a different range of combinations. The more computers attempting to crack the password, the smaller the range of passwords each one has to test and therefore the faster the password is cracked. This means that a password made of any specific characters may be located very quickly.

The best way to counter this is to increase the total number of combinations the password COULD be to a level that even thousands of computers will take a tremendous amount of time to get through.
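The three previous sections describe one model: a random password sits at a uniformly random position in the search order, and parallel crackers split that order between them. The following is an added example (not from the original post) that puts numbers on it; the guess rate of one million tries per second per machine, the machine counts and the password alphabets are assumptions chosen for illustration.

```python
import math
import random


def seconds_to_reach(keyspace: int, secs_per_guess: float, fraction: float, machines: int = 1) -> float:
    """Wall-clock seconds for `machines` crackers, each testing a disjoint range in
    odometer order, to have tested the first `fraction` of the keyspace."""
    guesses = math.ceil(keyspace * fraction)
    return guesses * secs_per_guess / machines


def expected_guesses(keyspace: int) -> float:
    """Average number of guesses before a uniformly random password is found: half the space."""
    return (keyspace + 1) / 2


def early_hit_rate(keyspace: int, fraction: float, trials: int, seed: int = 1) -> float:
    """Monte Carlo check of the post's claim: draw `trials` random passwords and return
    the share that land inside the first `fraction` of the search order (expect ~fraction)."""
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    cutoff = keyspace * fraction
    hits = sum(1 for _ in range(trials) if rng.randrange(keyspace) < cutoff)
    return hits / trials


if __name__ == "__main__":
    SECS_PER_GUESS = 1e-6          # assumed: one million guesses per second per machine
    UNLUCKY_FRACTION = 0.0001      # the post's "first 0.01%" worst case

    print("share of random passwords in the first 1% of the order:",
          early_hit_rate(10**6, 0.01, 100_000))

    # Scenario from the post: short password, one attacker machine.
    short_space = 26 ** 8                          # 8 lowercase letters
    print("8 lowercase, 1 machine, first 0.01%: %.1f s" %
          seconds_to_reach(short_space, SECS_PER_GUESS, UNLUCKY_FRACTION, 1))
    print("8 lowercase, average case: %.0f s" %
          (expected_guesses(short_space) * SECS_PER_GUESS))

    # The post's remedy: enlarge the space until even the unlucky 0.01% costs years,
    # even against thousands of machines.
    long_space = 62 ** 12                          # 12 letters and digits
    secs = seconds_to_reach(long_space, SECS_PER_GUESS, UNLUCKY_FRACTION, machines=10_000)
    print("12 mixed, 10,000 machines, first 0.01%: %.1f years" % (secs / (365 * 86400)))
```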

### An Encryption with More Bits is Stronger

See Estimating the time to crack a password

The strength of an encryption is in the amount of time taken to crack an unknown password. The factors that affect this amount of time are:

- The password – an encryption is only as secure as the password. Once the password is compromised, so is the encryption.
- The number of “bits”, which translates to the number of possible passwords. Note though that the bit rate is only as large as the password used: a very short password on a very large bit encryption effectively reduces the bit rate of the encryption.
- The time required to test each password. This is a combination of both the time taken to transform the cipher into a de-ciphered text AND the time taken to check if the de-ciphered text is accurate. If the hacker knows what a portion of the encrypted message is, they are going to find it much faster to check than if they have no idea what the de-ciphered text looks like.

Unfortunately many IT professionals take it as given that the number of possible combinations (key bit size) is the greatest security factor, and that after that (assuming the same bit size is achieved), faster algorithms are better.

But this is simply incorrect. Given the SAME key length (in bits), a faster algorithm is less secure. The security of an encryption comes from the number of possible "keys" multiplied by the time taken to try each one. For instance, an encryption that takes 10 mins to try when there are 1,000 possible keys is more secure than an encryption taking 10 milliseconds to run with 100,000 possible keys.

It’s more secure because the first encryption method will take longer to decrypt if the cracker doesn’t know the password.
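Two points in this section can be worked through directly: the effective key size collapsing to the password's size (the "reduced bit rate" above), and strength as possible keys times time per try. The block below is an added example, not code from the post; the 256-bit key size, the alphabets and the password lengths are assumed values for illustration.

```python
import math


def password_bits(charset_size: int, length: int) -> float:
    """Bits of keyspace a password of `length` symbols from an alphabet of `charset_size` spans."""
    return length * math.log2(charset_size)


def effective_key_bits(key_bits: int, charset_size: int, length: int) -> float:
    """A key derived from a password is never harder to guess than the password itself,
    so the effective strength is the smaller of the two (the post's reduced bit rate)."""
    return min(key_bits, password_bits(charset_size, length))


def length_to_fill_key(key_bits: int, charset_size: int) -> int:
    """Shortest password from this alphabet whose keyspace is at least the cipher's key size."""
    return math.ceil(key_bits / math.log2(charset_size))


def work_seconds(possible_keys: float, secs_per_try: float) -> float:
    """The post's strength measure: candidate keys times time per trial (time to exhaust
    the space; the average case is half of this)."""
    return possible_keys * secs_per_try


if __name__ == "__main__":
    KEY_BITS = 256  # assumed cipher key size

    print("password        effective bits on a %d-bit key" % KEY_BITS)
    for label, charset, length in [("8 lowercase", 26, 8),
                                   ("12 printable", 95, 12),
                                   ("40 printable", 95, 40)]:
        print("%-15s %.1f" % (label, effective_key_bits(KEY_BITS, charset, length)))
    print("printable chars needed to keep all %d bits: %d" %
          (KEY_BITS, length_to_fill_key(KEY_BITS, 95)))

    # The post's comparison: 1,000 keys at 10 minutes each vs 100,000 keys at 10 ms each.
    slow = work_seconds(1_000, 600.0)
    fast = work_seconds(100_000, 0.010)
    print("slow/small space: %.0f s, fast/large space: %.0f s" % (slow, fast))
    print("slower scheme is stronger:", slow > fast)
```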

### A Single Hacker only has Limited Resources

The problem with hackers is that they normally aren’t some kid sitting in their bedroom trying to work out how to get your data. The chances are they have access to a company’s computer system (i.e. they are an IT department worker), have access to university computers, or have access to hundreds or thousands of computers that have been “hacked” previously.

How many computers should you assume are poised to attack your system? As a rule of thumb I would say 100 for a very small company, 10,000 for a small company and 100,000 for a large company.

Copyright 2006 Blog Author