Posts in Category: Passwords/Keys

Fatal Flawed Assumptions 

Tuesday, October 13, 2009 4:31:00 AM Categories: Basics Passwords/Keys

Passwords can be stored safely

Passwords are far easier to find if they are stored somewhere. Let’s say a thief is in a room with hundreds of safes, each marked with what it contains. One of the safes says “All safe combinations”. Even if this is the hardest safe in the room to crack, it’s going to be the target. Just storing the passwords in one location leaves a user at a much higher risk of losing everything in one go. This practice also opens the door to the “oops” factor. For instance, assume that a user stores all on-line passwords in some type of browser or browser add-in that automatically enters login details. All the user has to do is step away from their computer without locking it for someone (anyone) to quickly jump on and do what they want (change passwords to something they know, move money around, etc.).

All combinations must be tested in order to find a valid password

This is not the case, and should be obvious if you think about the problem. If you have lost your keys, how long does it take for you to find them? You start thinking of locations you might find the key and only search those locations until you find the key. There are likely to be many places you don’t bother looking because you already found the keys. The same is true for passwords.
How many passwords do you need to test to find a valid password? Only as many as it takes to find the password.
Assuming that the password has been generated randomly, we enter the realm of probability and statistics. On average, a hacker only has to test HALF the password combinations. However, 25% of the time the hacker finds the password in the first 25% of passwords. 1 in every 100 attacks will find the password in the first 1% of passwords tested. This logic follows on so that, just like the lotto, there is a chance that the hacker will locate the password on the VERY FIRST TRY. Also just like the lotto, it wouldn’t happen often, but it can happen.
This fact makes it quite scary to put faith in that large number of combinations. I like to assume that the password will be found in the first 0.1% for company data (assumes that 1 in every 1000 attacks finds the password in the first 1% of passwords tested), but this could be increased or decreased depending on how valuable the data is.

Randomly Generated Passwords are always stronger

Since brute force attacks normally start at one number and proceed through all combinations in order, the random nature of password generation leads to a potentially weaker password. 50% of randomly generated passwords will be closer to the beginning of a “brute force” attack check. 10% of passwords will be in the first 10% of passwords to be checked. So for an organisation with 10,000 passwords, all generated randomly, it’s likely that at least 1 will be in the first 0.01% of passwords to be checked. But random is as random does, so even one password generated by a random password generator COULD be the very first password to be checked by brute force means. The likelihood of this is low, but it is still possible. Therefore randomly generated passwords CAN be stronger, but they can also be weaker.
The best way to counter this is to increase the total combinations that the password COULD be to a level which means that even a password located in the first 0.01% of passwords tested would still take a tremendous amount of time to get to.
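
The figures in this section and in the "All combinations must be tested" section can be checked directly. The following is an added example, not part of the original post; the attacker budget of 1e12 guesses and the 0.1% accepted risk are assumptions chosen for illustration.

```python
import math
import random

def p_any_in_first(n_passwords: int, fraction: float) -> float:
    """Chance that at least one of n independent, uniformly random passwords
    falls in the first `fraction` of the attacker's search order."""
    # 1 - (1 - fraction)^n, computed stably for tiny fractions.
    return -math.expm1(n_passwords * math.log1p(-fraction))

def required_keyspace(n_passwords: int, attacker_guesses: float, risk: float) -> float:
    """Smallest keyspace K such that the chance of ANY of n random passwords
    lying within the attacker's first `attacker_guesses` tries is <= risk."""
    # Solve 1 - (1 - G/K)^n = risk for K.
    per_password = -math.expm1(math.log1p(-risk) / n_passwords)
    return attacker_guesses / per_password

def simulate(n_passwords: int, fraction: float, trials: int, seed: int = 1) -> float:
    """Monte Carlo check of p_any_in_first: each password's position in the
    search order is modelled as a uniform draw from [0, 1)."""
    rng = random.Random(seed)
    hits = sum(
        any(rng.random() < fraction for _ in range(n_passwords))
        for _ in range(trials)
    )
    return hits / trials

if __name__ == "__main__":
    # One password: 25% of the time in the first 25%, 1% in the first 1%.
    print(p_any_in_first(1, 0.25), p_any_in_first(1, 0.01))
    # The organisation with 10,000 random passwords and the first 0.01%.
    print(f"{p_any_in_first(10_000, 0.0001):.3f}")
    # Assumed: attacker can afford 1e12 guesses, accepted risk is 0.1%.
    one = required_keyspace(1, 1e12, 0.001)
    org = required_keyspace(10_000, 1e12, 0.001)
    print(f"{one:.3e} vs {org:.3e} combinations needed")
```

For the same accepted risk, protecting 10,000 random passwords needs a keyspace roughly 10,000 times larger than protecting one, which is the counter-measure the paragraph above describes.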

Hackers Test Possible Password Combinations in a specific order

The brute force method is most easily done by iterating through combinations in order, much like an odometer scrolls through the distance in a car. By 999,999 the car’s odometer has at one time or another shown every combination of values between 0 and 999,999 (but it takes a while to get through all of them). Unlike a car, several computers can be used, each one testing a different range of combinations. The more computers attempting to crack the password, the smaller the range of passwords each one has to test and therefore the faster the time to crack the password. This means that a password of any specific characters may be located very quickly.
The best way to counter this is to increase the total combinations that the password COULD be to a level that even thousands of computers will take a tremendous amount of time to get through.

An Encryption with More Bits is Stronger

See Estimating the time to crack a password
The strength of an encryption is in the amount of time taken to crack an unknown password. The factors that affect this amount of time are:
  1. The password – an encryption is only as secure as the password. Once the password is compromised, so is the encryption.
  2. The number of “Bits” which translates to the number of possible options of passwords. Note, though, that the bit length is only as long as the password used. A very short password on a very large bit encryption effectively reduces the bit length of the encryption.
  3. The time required to test each password. This is a combination of both the time taken to transform the cipher into a de-ciphered text AND the time taken to check if the de-ciphered text is accurate. If the hacker knows what a portion of the encrypted message is, they are going to find it much faster to check than if they have no idea what the de-ciphered text looks like.
Unfortunately many IT professionals take as given that the number of possible combinations (key bit size) is the greatest security factor, and that after that (assuming the same bit size is achieved) faster algorithms are better.
But this is simply incorrect. Given the SAME key length (in bits), a faster algorithm is less secure. The security of an encryption comes from the number of possible iterations of "keys" multiplied by the time taken to try each iteration. For instance, an encryption that takes 10 mins to try when there are 1,000 possible keys is more secure than an encryption taking 10 milliseconds to run with 100,000 possible keys.
It’s more secure because the first encryption method is going to take longer to decrypt if the cracker doesn’t know the password.

A Single Hacker only has Limited Resources

The problem with Hackers is that they normally aren’t some kid sitting in their bedroom trying to work out how to get your data. The chances are they have access to a company’s computer system (i.e. an IT Department worker), have access to university computers, or have access to hundreds to thousands of computers that have been “hacked” previously.
How many computers should you assume are poised to attack your system? As a rule of thumb I would say 100 for a very small company, 10,000 for a small company and 100,000 for a large company.
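
The model from the last two sections (keys multiplied by time per try, divided across the attacker's machines, with the password assumed to sit in the first 0.1% of the range) can be turned into a sizing calculation. This is an added example, not part of the original post; the one-microsecond cost per guess and the ten-year target are assumptions.

```python
import math

YEAR = 365 * 24 * 3600  # seconds

def effective_bits(key_bits: int, charset_size: int, length: int) -> float:
    """A key derived from a password carries no more bits than the password."""
    return min(key_bits, length * math.log2(charset_size))

def seconds_to_reach(keyspace, seconds_per_guess, machines=1, fraction=1.0):
    """Wall-clock seconds for `machines` computers, each taking an equal slice
    of the range, to cover the first `fraction` of the keyspace."""
    return keyspace * fraction * seconds_per_guess / machines

def min_length(charset_size, seconds_per_guess, machines, fraction, target_seconds):
    """Shortest random password whose first `fraction` of combinations still
    takes at least `target_seconds` to search."""
    length = 1
    while seconds_to_reach(charset_size ** length, seconds_per_guess,
                           machines, fraction) < target_seconds:
        length += 1
    return length

if __name__ == "__main__":
    # The post's comparison: 1,000 keys at 10 minutes each versus
    # 100,000 keys at 10 milliseconds each (full search, one machine).
    print(seconds_to_reach(1_000, 600), seconds_to_reach(100_000, 0.010))

    # An 8-letter mixed-case password behind a 256-bit cipher.
    print(f"{effective_bits(256, 52, 8):.1f} effective bits")

    # Assumed: 1 microsecond per guess, 10-year target, password found in the
    # first 0.1%, machine counts taken from the post's rule of thumb.
    for machines in (100, 10_000, 100_000):
        n = min_length(52, 1e-6, machines, 0.001, 10 * YEAR)
        print(f"{machines:>7} machines -> at least {n} mixed-case letters")
```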


Password and Key Cracking 

Tuesday, October 13, 2009 4:26:00 AM Categories: Cracking Passwords/Keys
Passwords and keys are different things. Passwords are normally used to confirm/validate a user for access or communication. A Key is the code that will encrypt or decrypt data. Sometimes passwords are used as keys, or more commonly keys are generated from passwords. Although they have separate purposes, and are usually very different in length, the methods used to crack them are normally fairly similar. On this page I will use the term “Password”, as this is normally the weaker of the two, but the same attacks can be performed on Keys.
The most common are:

Dumpster Diving

This is used by identity thieves too. Many people print codes and keys, especially for things like wireless networks so that staff can configure codes correctly. If these are just “thrown” then they can be found and used.

Social Engineering

This is where social and cultural tricks are used to gain access to secure areas. For example: someone rings you stating they are from your IT Department and need your password in order to test something. Or a man dressed in the right uniform just strolls into the server room, loads hardware onto a trolley and leaves.

Brute Force

Every combination of values is tested until one works. This is the single slowest way of cracking.
Normally a process like this iterates through every combination of every character, a-z then A-Z then 0-9 and then all the funny extra characters like quotation marks and other such symbols. If a password was only 1 character long, that’s not many options. However, every extra character exponentially increases the number of combinations.
Let’s assume only characters can be used – just lower case.
a-z = 26
Number of Characters
Number of Combinations
Let’s assume only characters can be used, upper and lower case.
a-z = 26
A-Z = 26
Total = 52
That gives a total of 52 different combinations with only 1 character. But if you include 2 you can have aa, ab, ac, ad, etc. all the way through to ZZ. Therefore the combinations multiply and come to 2,704 combinations.
Number of Characters
Number of Combinations
You should be able to see that the number of combinations changes greatly depending on the length of the password and the number of different characters that can be used in the password.
This is why some web sites mandate a minimum length and the inclusion of numbers.
The more combinations there are, the more possible passwords that AREN’T yours there are likely to be, so your password gets lost in the crowd. So the strength comes from the “maximum” number of combinations.
In computer terms the “character” is the bit. 1 bit has two options, on or off. Two bits have 4 combinations: 00, 01, 10, 11. Every additional bit doubles the number of combinations so that 8 bits can form 256 unique combinations. This is what is meant by the bit length of encryption.

Dictionary Attack

Similar to Brute Force, except instead of trying every possible character the attack is “loaded” with likely passwords and keys. For instance, most passwords are words, or based in part on words. The Dictionary Attack still provides for variation, but the variation is based on likely combinations.
For example, the following is just a small example of the variations that might be created from the dictionary word “password”
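
Seen from the defender's side, the same idea gives a password-policy check: undo the likely variations and reject anything that reduces to a dictionary word. This is an added example, not part of the original post; the word list, the substitution table and the function names are constructed for illustration.

```python
import re

# Constructed sample word list; a real check would load a large list.
WORDS = {"password", "dragon", "monkey", "letmein"}

# Assumed common look-alike substitutions, mapped back to plain letters.
LEET = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
    "7": "t", "@": "a", "$": "s", "!": "i",
})

def base_forms(candidate: str) -> set:
    """Reduce a candidate password to the simpler forms it may be built on:
    lower-cased, with leading/trailing digits and symbols removed,
    with look-alike characters mapped back, and reversed."""
    lowered = candidate.lower()
    stripped = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", lowered)
    forms = {lowered, stripped,
             lowered.translate(LEET), stripped.translate(LEET)}
    forms |= {form[::-1] for form in forms}
    return forms

def is_dictionary_variant(candidate: str, words=WORDS) -> bool:
    """True if the candidate is a dictionary word under a thin disguise."""
    return any(form in words for form in base_forms(candidate))

if __name__ == "__main__":
    # Constructed sample inputs.
    for pw in ("P@ssw0rd123", "Password!", "drowssap", "vK9#qTz2Lm"):
        verdict = "reject" if is_dictionary_variant(pw) else "accept"
        print(f"{pw:<12} {verdict}")
```

A password that passes this check is not thereby strong; the check only removes candidates that a dictionary attack would reach long before brute force would.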


Copyright 2006 Blog Author