other:xkcd_passwords [2022/11/07 01:19] – created rodolico | other:xkcd_passwords [2022/11/07 01:41] (current) – rodolico | ||
---|---|---|---|
Line 1: | Line 1: | ||
- | Password security is very much on everyones mind. Either you are a user, who gets irritated because of the funky passwords | + | ====== Generating good passwords |
- | == Summary | + | Password security is very much on everyone' |
- | If you don't want all the ins and outs, just do one of the following. For the reasons why you should do one of them, read the rest of the article. | + | ===== Summary ===== |
- | -- Generate a totally random, 20 character password | + | If you don't want all the ins and outs, just do one of the following. For the reasons why you should do one of them, read the rest of the article. If you want to jump straight to the complex explanation, |
+ | |||
+ | ==== Generate a totally random, 20 character password | ||
This is the hardest to guess, and the hardest to remember. You have to write it down, and, more importantly, | This is the hardest to guess, and the hardest to remember. You have to write it down, and, more importantly, | ||
- | -- Use five, randomly chosen dictionary words, separated by a special character | + | ==== Use five, randomly chosen dictionary words, separated by a special character |
This sounds completely counter-intuitive, | This sounds completely counter-intuitive, | ||
- | -- Pad your existing password | + | ==== Pad your existing password |
This is not as good as either of the above, and stands a much better chance of compromise if there is any social engineering going on, but simply adding characters to an existing password to make it longer will make it more secure. Let's say I have a password I have used forever, and I have it memorized, and I am madly in love with it. It used to be a good password, 20 years ago, but this obscure dictionary word is totally useless now. I'll make up one, based on the name ' | This is not as good as either of the above, and stands a much better chance of compromise if there is any social engineering going on, but simply adding characters to an existing password to make it longer will make it more secure. Let's say I have a password I have used forever, and I have it memorized, and I am madly in love with it. It used to be a good password, 20 years ago, but this obscure dictionary word is totally useless now. I'll make up one, based on the name ' | ||
Line 19: | Line 21: | ||
What I do is add one or two single characters repeatedly in front and back to make it 20 characters long. I'm going to go crazy here and put 86 in front and back, continuously, | What I do is add one or two single characters repeatedly in front and back to make it 20 characters long. I'm going to go crazy here and put 86 in front and back, continuously, | ||
- | == Do you want to know more. | + | ===== I want to know more ===== |
Ok that is it. If you're willing to just take my word for it, and don't care about why, end of the article. However, for the curious amongst you, the rest of the this document explains why. | Ok that is it. If you're willing to just take my word for it, and don't care about why, end of the article. However, for the curious amongst you, the rest of the this document explains why. | ||
Line 25: | Line 27: | ||
There are three basic ways the Black Hats (someone who is trying to " | There are three basic ways the Black Hats (someone who is trying to " | ||
- | == Compromise a server | + | ==== Compromise a server |
The Black Hat's crack a server and steal the encrypted passwords stored on it. This is one of the main targets of penetration attempts (attempts to "get into" someone' | The Black Hat's crack a server and steal the encrypted passwords stored on it. This is one of the main targets of penetration attempts (attempts to "get into" someone' | ||
Line 33: | Line 35: | ||
Most people use the same passwords, or slight variations of them, everyplace they go. So, once Black Hats know one of your passwords, say from your Utility Company, they have a good chance of knowing your bank, social media and e-mail passwords. | Most people use the same passwords, or slight variations of them, everyplace they go. So, once Black Hats know one of your passwords, say from your Utility Company, they have a good chance of knowing your bank, social media and e-mail passwords. | ||
- | == Social Engineering | + | ==== Social Engineering |
They learn about you. What does Facebook say about you. Do you like dogs? What is your birthday. What is your spouse/ | They learn about you. What does Facebook say about you. Do you like dogs? What is your birthday. What is your spouse/ | ||
Line 39: | Line 41: | ||
Combined with a compromised server, this can give them access to your other accounts with minimal effort. They now know what kind of passwords you use, so if you've only used a variation of it some place else, it is easier to figure out more difficult passwords. | Combined with a compromised server, this can give them access to your other accounts with minimal effort. They now know what kind of passwords you use, so if you've only used a variation of it some place else, it is easier to figure out more difficult passwords. | ||
- | == Brute Force | + | ==== Brute Force ==== |
This is the least profitable, but the easiest to do. They simply have a bunch of computers try to continuously log into your e-mail account, or your blog. However, if they compromise a server, then do social engineering to learn more about you, they can then use Brute Force to try several variations on your other sites. On our mail servers, we see continuous attempts at this kind of attack, even though we have automated systems that detect, then block them. When we block the server it is being tried from, a few hours (or minutes) later, it resumes from a new machine. | This is the least profitable, but the easiest to do. They simply have a bunch of computers try to continuously log into your e-mail account, or your blog. However, if they compromise a server, then do social engineering to learn more about you, they can then use Brute Force to try several variations on your other sites. On our mail servers, we see continuous attempts at this kind of attack, even though we have automated systems that detect, then block them. When we block the server it is being tried from, a few hours (or minutes) later, it resumes from a new machine. | ||
- | == What do you do? | + | ==== What do you do ==== |
First, use different passwords as much as possible. You've heard " | First, use different passwords as much as possible. You've heard " | ||
Line 49: | Line 51: | ||
Security expert Bruce Schneier, one of the most respected names in in the field, recommends this approach. See https:// | Security expert Bruce Schneier, one of the most respected names in in the field, recommends this approach. See https:// | ||
- | However, since Mr. Schneier wrote this article, several applications for computers and cell phones have been created that can store your passwords securely. That is better than a piece of paper, but I still like the paper copy (stored in a safe), in addition to these apps. | + | However, since Dr. Schneier wrote this article, several applications for computers and cell phones have been created that can store your passwords securely. That is better than a piece of paper, but I still like the paper copy (stored in a safe), in addition to these apps. |
- | == How to choose a password | + | ==== How to choose a password |
Good passwords have the following characteristics: | Good passwords have the following characteristics: | ||
- | 1. They are in no way associated with you, the person. | + | * They are in no way associated with you, the person. |
- | 2. They are of sufficient length | + | |
- | 3. They can possibly use as many characters as possible | + | |
- | -- Randomness | + | ==== Randomness |
First, as we mentioned in Social Engineering, | First, as we mentioned in Social Engineering, | ||
Don't use your kitty cat's name as part of the password, or your spouse, or your parents, or your offspring. No dates. Better to open a dictionary and randomly choose several words (more on that later). | Don't use your kitty cat's name as part of the password, or your spouse, or your parents, or your offspring. No dates. Better to open a dictionary and randomly choose several words (more on that later). | ||
- | -- Length | + | ==== Length |
Longer is better. For every character you add, your strength grow exponentially. An 8 character, randomly generated password using all of the characters on a keyboard can be guessed in about a minute with a botnet. Adding just one character changes that to 2 hours. Making it 12 characters long increases to 2,000 years. The following table shows the differences. | Longer is better. For every character you add, your strength grow exponentially. An 8 character, randomly generated password using all of the characters on a keyboard can be guessed in about a minute with a botnet. Adding just one character changes that to 2 hours. Making it 12 characters long increases to 2,000 years. The following table shows the differences. | ||
- | Length | + | ^Length |
- | 8 1 minute | + | |8 |
- | 9 2 hours | + | |9 |
- | 10 6 days | + | |10 |6 days | |
- | 11 2 years | + | |11 |2 years | |
- | 12 2000 years | + | |12 |2000 years | |
- | 20 11 quintillion years | + | |20 |11 quintillion years | |
That last number is large. An 11, followed by 18 zeros. Why would we ever think to do that? Mainly, for the future. In 1999, it would have taken almost 3 years to crack the password ' | That last number is large. An 11, followed by 18 zeros. Why would we ever think to do that? Mainly, for the future. In 1999, it would have taken almost 3 years to crack the password ' | ||
- | -- Name Space | + | ==== Name Space ==== |
- | Finally, it should use as many different possible " | + | Finally, it should use as many different possible " |
- | 35 minutes | + | ^Time to Crack ^ Namespace ^ |
- | 8 hours - all lower case and numeric digits | + | |35 minutes |
- | 6 days - Lower and Upper case | + | |8 hours |
- | 25 days - Lower, Upper, numeric digits | + | |6 days | Lower and Upper case | |
- | 2 years - lower, upper, numeric, special characters (period, comma, colon, hash mark) | + | |25 days |
+ | |2 years | ||
I used the Desktop Computer to show the increase in difficulty. Most Black Hats are using special equipment, called GPU's, or clusters of computers (called botnets) to do the cracking. An 8 character password with lower, upper, numeric and special characters can be cracked on a medium sized botnet in about a minute, instead of 2 years. | I used the Desktop Computer to show the increase in difficulty. Most Black Hats are using special equipment, called GPU's, or clusters of computers (called botnets) to do the cracking. An 8 character password with lower, upper, numeric and special characters can be cracked on a medium sized botnet in about a minute, instead of 2 years. | ||
- | == Other tricks, and how to avoid them | + | ===== Other tricks, and how to avoid them ===== |
- | -- Password duplication | + | ==== Password duplication |
If one of your accounts is successfully compromised, | If one of your accounts is successfully compromised, | ||
- | -- Dictionary Attacks | + | ==== Dictionary Attacks |
Passwords are not stored "in the clear" (ie, the original password in text form) on reputable sites. Instead, they use a mathematical function called a hash to turn your password into a big number. The good thing about the hash is, it is very easy to calculate the hash of a password, but very difficult to calculate the password when given the hash. In other words, it is not easily reversable. When you log into a web site and provide your password, the web site calculates the hash of what you entered, then compares it the the result they have stored, and if they match, you're allowed access. When the Black Hats "steal your password", | Passwords are not stored "in the clear" (ie, the original password in text form) on reputable sites. Instead, they use a mathematical function called a hash to turn your password into a big number. The good thing about the hash is, it is very easy to calculate the hash of a password, but very difficult to calculate the password when given the hash. In other words, it is not easily reversable. When you log into a web site and provide your password, the web site calculates the hash of what you entered, then compares it the the result they have stored, and if they match, you're allowed access. When the Black Hats "steal your password", | ||
Line 102: | Line 105: | ||
Instead of trying the very time consuming process of reversing the process for every hash they steal, they have calculated list of hashes for known or suspected passwords. Then, all they have to do is look to see if that hash has already been pre-calculated and, if so, they know your password. It took a long time, but there are lists available that have the hashes for every word in the dictionary (in almost all languages). In addition, there are lists of hashes for passwords that have been stolen before, and passwords that have been created by modifying the other lists slightly. To see if a password is in any of the known lists (with emphasis on the word ' | Instead of trying the very time consuming process of reversing the process for every hash they steal, they have calculated list of hashes for known or suspected passwords. Then, all they have to do is look to see if that hash has already been pre-calculated and, if so, they know your password. It took a long time, but there are lists available that have the hashes for every word in the dictionary (in almost all languages). In addition, there are lists of hashes for passwords that have been stolen before, and passwords that have been created by modifying the other lists slightly. To see if a password is in any of the known lists (with emphasis on the word ' | ||
- | -- Brute Force | + | ==== Brute Force ==== |
If the hash is not in one of the pre-calculated lists, it is more difficult to figure out. Previously, we mentioned that it would take 2 years using a standard desktop computer to reverse calculate a password that was 8 characters long. However, realize, the Black Hats are not using Standard Desktop Computers! | If the hash is not in one of the pre-calculated lists, it is more difficult to figure out. Previously, we mentioned that it would take 2 years using a standard desktop computer to reverse calculate a password that was 8 characters long. However, realize, the Black Hats are not using Standard Desktop Computers! | ||
Line 110: | Line 113: | ||
All of these options shorten the time it takes to crack a hash and figure out a password. Let's take a simple example. The password ' | All of these options shorten the time it takes to crack a hash and figure out a password. Let's take a simple example. The password ' | ||
- | 2,000 years - Standard Desktop PC | + | ^Time ^ Equipment ^ |
- | 46 years - Fast Desktop Workstation | + | |2,000 years | Standard Desktop PC | |
- | 18 years - Workstation with a single GPU | + | | 46 years | Fast Desktop Workstation |
- | 9 years - Workstation with a single, fast GPU | + | | 18 years | Workstation with a single GPU | |
- | 11 month - Workstation with parallel GPU' | + | | 9 years | Workstation with a single, fast GPU | |
- | 2 hours - medium size botnet | + | | 11 month | Workstation with parallel GPU' |
+ | | 2 hours | medium size botnet | ||
So, as you can see, 2 hours after someone running a botnet puts it to work on your password, they will know it. And, store the hash, and the known password, into the lists freely available on the Internet. | So, as you can see, 2 hours after someone running a botnet puts it to work on your password, they will know it. And, store the hash, and the known password, into the lists freely available on the Internet. | ||
- | == Password Theory | + | ===== Password Theory |
There are two things that affect how long it takes to crack well formed (randomly generated) passwords; the speed with which the hardware/ | There are two things that affect how long it takes to crack well formed (randomly generated) passwords; the speed with which the hardware/ | ||
Line 125: | Line 129: | ||
Password cracking via brute force is determined by the number of possible combinations you could have. This is calculated as namespace raised to the length power, or namespace^length. Namespace is the number of possible elements in the key. If you only use lower case letters, it is 26 for English. If you use lower and upper case, it is 52. Add in numbers and it is 62. All ASCII printable characters (what you can enter from the keyboard) is 95. | Password cracking via brute force is determined by the number of possible combinations you could have. This is calculated as namespace raised to the length power, or namespace^length. Namespace is the number of possible elements in the key. If you only use lower case letters, it is 26 for English. If you use lower and upper case, it is 52. Add in numbers and it is 62. All ASCII printable characters (what you can enter from the keyboard) is 95. | ||
- | Namespace | + | ^Namespace |
- | 26 8 26 ^ 8, or 208, | + | |26 | 8 | 26 ^ 8, or 208, |
- | 52 8 52 ^ 8, or a 9 followed by 13 zeros | + | |52 | 8 | 52 ^ 8, or a 9 followed by 13 zeros |
- | 62 8 62 ^ 8, or a 2 followed by 14 zeros | + | |62 | 8 | 62 ^ 8, or a 2 followed by 14 zeros |
- | 95 8 95 ^ 8, or a 6 followed by 15 zeros | + | |95 | 8 | 95 ^ 8, or a 6 followed by 15 zeros |
Those numbers are very large, so we take the log2 (log base 2) of them and call that the entropy of the password. In the above case, the entry would be 37.60, 45.60, 47.63 and 52.56 respectively, | Those numbers are very large, so we take the log2 (log base 2) of them and call that the entropy of the password. In the above case, the entry would be 37.60, 45.60, 47.63 and 52.56 respectively, | ||
Line 136: | Line 140: | ||
On average, you will guess the correct password when you are half way through the list of possibles. If you have 1000 things to check, you should, on average, be done after checking 500 of them. Some will take longer, some will be shorter. To divide by the possible combinations by 2, using entropy above, simply subtract 1 from the entropy (it is a log). Therefor, the number of guesses to crack a password, on average, will be | On average, you will guess the correct password when you are half way through the list of possibles. If you have 1000 things to check, you should, on average, be done after checking 500 of them. Some will take longer, some will be shorter. To divide by the possible combinations by 2, using entropy above, simply subtract 1 from the entropy (it is a log). Therefor, the number of guesses to crack a password, on average, will be | ||
+ | <code perl> | ||
number_of_guesses = 2^(entropy-1) | number_of_guesses = 2^(entropy-1) | ||
+ | </ | ||
And the average time to guess a password, in seconds, would be | And the average time to guess a password, in seconds, would be | ||
+ | <code perl> | ||
time_to_guess = 2^(entropy-1) / guesses_per_second | time_to_guess = 2^(entropy-1) / guesses_per_second | ||
+ | </ | ||
- | == Secure, Memorable Passwords | + | ===== Secure, Memorable Passwords |
Let's look at two variants to measure the strength of a password: If the attacker does or does not know how you created it. If the password is totally random, using all printable characters, the entropy is the same for both scenarios. | Let's look at two variants to measure the strength of a password: If the attacker does or does not know how you created it. If the password is totally random, using all printable characters, the entropy is the same for both scenarios. | ||
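The entropy and average-time-to-guess formulas from the Password Theory section above, worked through in Python as an added example (this is not code from the wiki page). The namespace sizes, the 8-character table rows and the 1E12 guesses-per-second figure are the article's own; `required_length` is an added helper that inverts the formula to ask how long a password must be to reach a target entropy.

```python
import math

# Namespace sizes quoted in the article: lower case, lower+upper,
# lower+upper+digits, and all printable ASCII characters.
NAMESPACES = {
    "lower": 26,
    "lower+upper": 52,
    "lower+upper+digits": 62,
    "printable_ascii": 95,
}

# The article's forward-looking assumption: a trillion guesses per second.
FUTURE_GUESSES_PER_SECOND = 1e12


def combinations(namespace: int, length: int) -> int:
    """Number of possible passwords: namespace raised to the length power."""
    return namespace ** length


def entropy_bits(namespace: int, length: int) -> float:
    """Entropy in bits is log2(namespace ** length) == length * log2(namespace).

    Using the product form avoids building the huge integer just to take its log.
    """
    return length * math.log2(namespace)


def average_guesses(entropy: float) -> float:
    """On average the right password turns up half way through the list,
    so divide the combinations by two, i.e. subtract 1 from the entropy."""
    return 2.0 ** (entropy - 1)


def time_to_guess_seconds(entropy: float, guesses_per_second: float) -> float:
    """Average cracking time in seconds for a given attacker speed."""
    return average_guesses(entropy) / guesses_per_second


def required_length(namespace: int, target_bits: float) -> int:
    """Added helper: smallest length whose entropy reaches target_bits.

    Inverts entropy_bits: length >= target_bits / log2(namespace).
    """
    return math.ceil(target_bits / math.log2(namespace))


def entropy_table(length: int = 8) -> dict:
    """Entropy of a random password of the given length for each namespace."""
    return {name: round(entropy_bits(size, length), 2)
            for name, size in NAMESPACES.items()}


if __name__ == "__main__":
    for name, bits in entropy_table(8).items():
        print(f"{name:>20}: {bits:6.2f} bits")
    # The article's 52-bit check against a trillion guesses per second.
    seconds = time_to_guess_seconds(52, FUTURE_GUESSES_PER_SECOND)
    print(f"52 bits at 1E12 guesses/s: about {seconds / 60:.0f} minutes")
    for name, size in NAMESPACES.items():
        print(f"{name:>20}: {required_length(size, 80)} chars for 80 bits")
```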
Line 151: | Line 158: | ||
With passwords created in either of the following two ways, the entropy will vary widely with knowledge. Note: I have read older documentation where it is suggested to keep your entropy above 52 bits. However, I think we can hit a trillion (1E12) guesses per second over the next 10 years, which would reduce 52 bits to cracking in about a half hour (38 minutes). | With passwords created in either of the following two ways, the entropy will vary widely with knowledge. Note: I have read older documentation where it is suggested to keep your entropy above 52 bits. However, I think we can hit a trillion (1E12) guesses per second over the next 10 years, which would reduce 52 bits to cracking in about a half hour (38 minutes). | ||
- | == Haystack (aka Padding) | + | ==== Haystack (aka Padding) |
I found a very interesting article about " | I found a very interesting article about " | ||
Line 159: | Line 166: | ||
However, I'd be leery of doing this with anything like my bank or something if there is a chance that some knowledge may be available to the attacker. If they know you have an old password that you liked, and you were using haystacking, | However, I'd be leery of doing this with anything like my bank or something if there is a chance that some knowledge may be available to the attacker. If they know you have an old password that you liked, and you were using haystacking, | ||
- | == Diceware (random word list) | + | ==== Diceware (random word list) ==== |
This is a weird one, but definitely proven. It creates a passphrase composed of randomly selected words, separated by a special character. https:// | This is a weird one, but definitely proven. It creates a passphrase composed of randomly selected words, separated by a special character. https:// | ||
This is an example Diceware. The procedure is fairly simple, though tedious, and can be done by hand. | This is an example Diceware. The procedure is fairly simple, though tedious, and can be done by hand. | ||
- | 1. Create a list of 7,776 words from the dictionary | + | - Create a list of 7,776 words from the dictionary |
- | 2. Roll 5 die, using the result to look up a single word in the list | + | |
- | 3. Repeat until you have found 5 words | + | |
- | 4. Put the words, in order, into a phrase, separating them by a special character | + | |
This will result in something like ' | This will result in something like ' | ||
Line 173: | Line 180: | ||
The site above uses a known dictionary (the Black Hats know it), and even with that, the entropy on this is 102 bits, even if they know how you did it. You can enhance it even more by generating your own word list, in which case it becomes even more difficult. | The site above uses a known dictionary (the Black Hats know it), and even with that, the entropy on this is 102 bits, even if they know how you did it. You can enhance it even more by generating your own word list, in which case it becomes even more difficult. | ||
- | -- Theory | + | ==== Theory |
The wikipedia article at https:// | The wikipedia article at https:// | ||
Line 181: | Line 188: | ||
All this in an easy to remember, easy to write down, easy to type in, passphrase. | All this in an easy to remember, easy to write down, easy to type in, passphrase. | ||
- | == Links | + | ===== Links ===== |
- | http:// | + | * http:// |
- | https:// | + | |
- | https:// | + | |
- | https:// | + | |
- | https:// | + | |
- | https:// | + | |
- | https:// | + | |
- | https:// | + | |
- | https:// | + | |
other/xkcd_passwords.1667805587.txt.gz · Last modified: 2022/11/07 01:19 by rodolico