other:xkcd_passwords
other:xkcd_passwords [2022/11/07 01:26] rodolico
other:xkcd_passwords [2022/11/07 01:41] (current) rodolico
Line 1: Line 1:
 ====== Generating good passwords ====== ====== Generating good passwords ======
  
-Password security is very much on everyones mind. Either you are a user, who gets irritated because of the funky passwords some web sites make you use, or you are a systems administrator, frustrated that your users want something simple, putting the systems you manage at risk of being compromised.+Password security is very much on everyone'mind. Either you are a user, who gets irritated because of the funky passwords some web sites make you use, or you are a systems administrator, frustrated that your users want something simple, putting the systems you manage at risk of being compromised.
  
 ===== Summary ===== ===== Summary =====
  
-If you don't want all the ins and outs, just do one of the following. For the reasons why you should do one of them, read the rest of the article.+If you don't want all the ins and outs, just do one of the following. For the reasons why you should do one of them, read the rest of the article. If you want to jump straight to the complex explanation, read [[#password_theory|]] and [[#secure_memorable_passwords]]
  
 ==== Generate a totally random, 20 character password ==== ==== Generate a totally random, 20 character password ====
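Review bot: the revised opening sentence drops characters: it now reads `everyone'mind`, which should be `everyone's mind`. The sentence added to the Summary also ends without a full stop after `[[#secure_memorable_passwords]]`, and `[[#password_theory|]]` has an empty link title after the pipe; giving both links their section titles as link text (`[[#password_theory|Password Theory]]`, `[[#secure_memorable_passwords|Secure, Memorable Passwords]]`) would read better.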
Line 80: Line 80:
  
  
--- Name Space+==== Name Space ====
  
-Finally, it should use as many different possible "entities" (think characters on the keyboard) as possible. An 8 character password composed strictly of lower case letters is 16 times easier to crack than if you simply add a numeric digit or two. The following list shows the amount of time it takes a standard computer to crack an 8 character password (they do not use standard computers).+Finally, it should use as many different possible "entities" (think characters on the keyboard) as possible. An 8 character password composed strictly of lower case letters is 16 times easier to crack than if you simply add a numeric digit or two. The following list shows the amount of time it takes a standard desktop computer to crack an 8 character password (they do not use standard computers).
  
-35 minutes all lower case +^Time to Crack ^ Namespace ^ 
-8 hours all lower case and numeric digits +|35 minutes all lower case                                                              | 
-6 days Lower and Upper case +|8 hours    all lower case and numeric digits                                           | 
-25 days Lower, Upper, numeric digits +|6 days     | Lower and Upper case                                                        | 
-2 years lower, upper, numeric, special characters (period, comma, colon, hash mark)+|25 days    Lower, Upper, numeric digits                                                | 
 +|2 years    lower, upper, numeric, special characters (period, comma, colon, hash mark) |
  
 I used the Desktop Computer to show the increase in difficulty. Most Black Hats are using special equipment, called GPU's, or clusters of computers (called botnets) to do the cracking. An 8 character password with  lower, upper, numeric and special characters can be cracked on a medium sized botnet in about a minute, instead of 2 years. I used the Desktop Computer to show the increase in difficulty. Most Black Hats are using special equipment, called GPU's, or clusters of computers (called botnets) to do the cracking. An 8 character password with  lower, upper, numeric and special characters can be cracked on a medium sized botnet in about a minute, instead of 2 years.
  
-== Other tricks, and how to avoid them+===== Other tricks, and how to avoid them =====
  
--- Password duplication+==== Password duplication ====
  
 If one of your accounts is successfully compromised, it is assumed you will use the same, or similar passwords on other sites. The average user maintains 25 separate online accounts, but just uses 6.5 passwords on average (https://www.microsoft.com/en-us/research/publication/a-large-scale-study-of-web-password-habits/?from=https%3A%2F%2Fresearch.microsoft.com%2Fpubs%2F74164%2Fwww2007.pdf) If one of your accounts is successfully compromised, it is assumed you will use the same, or similar passwords on other sites. The average user maintains 25 separate online accounts, but just uses 6.5 passwords on average (https://www.microsoft.com/en-us/research/publication/a-large-scale-study-of-web-password-habits/?from=https%3A%2F%2Fresearch.microsoft.com%2Fpubs%2F74164%2Fwww2007.pdf)
  
--- Dictionary Attacks+==== Dictionary Attacks ====
  
 Passwords are not stored "in the clear" (ie, the original password in text form) on reputable sites. Instead, they use a mathematical function called a hash to turn your password into a big number. The good thing about the hash is, it is very easy to calculate the hash of a password, but very difficult to calculate the password when given the hash. In other words, it is not easily reversable. When you log into a web site and provide your password, the web site calculates the hash of what you entered, then compares it the the result they have stored, and if they match, you're allowed access. When the Black Hats "steal your password", the are actually stealing the hash of your password in most cases. They then have to go through the long process of trying to reverse it, which can take years (in some cases, millions of years). Passwords are not stored "in the clear" (ie, the original password in text form) on reputable sites. Instead, they use a mathematical function called a hash to turn your password into a big number. The good thing about the hash is, it is very easy to calculate the hash of a password, but very difficult to calculate the password when given the hash. In other words, it is not easily reversable. When you log into a web site and provide your password, the web site calculates the hash of what you entered, then compares it the the result they have stored, and if they match, you're allowed access. When the Black Hats "steal your password", the are actually stealing the hash of your password in most cases. They then have to go through the long process of trying to reverse it, which can take years (in some cases, millions of years).
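Review bot: two rows of the new Namespace table are missing the cell separator, so `|35 minutes all lower case |` and `|25 days    Lower, Upper, numeric digits |` render as single cells while the header declares two columns; they should be `|35 minutes | all lower case |` and `|25 days | Lower, Upper, numeric digits |`. The `16 times easier` figure also does not follow from the arithmetic used later on the page: adding the ten digits to 26 lower-case letters at length 8 multiplies the search space by (36/26)^8, which is about 13.5, so `about 13 times` would be the defensible wording. Minor: `GPU's` is a plural, not a possessive, so `GPUs`.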
Line 104: Line 105:
 Instead of trying the very time consuming process of reversing the process for every hash they steal, they have calculated list of hashes for known or suspected passwords. Then, all they have to do is look to see if that hash has already been pre-calculated and, if so, they know your password. It took a long time, but there are lists available that have the hashes for every word in the dictionary (in almost all languages). In addition, there are lists of hashes for passwords that have been stolen before, and passwords that have been created by modifying the other lists slightly. To see if a password is in any of the known lists (with emphasis on the word 'known' as there may be more that are hidden), visit https://haveibeenpwned.com/Passwords or http://unixservertech.com/pwned/pwned.html. This is a simple script that checks for known passwords without (I repeat, without) sending the password. We just send part of the hash (see explaination at http://unixservertech.com/pwned/pwned.html, or details by the author at https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/#cloudflareprivacyandkanonymity). If one of those sites (and they use the same back end, so no reason to check both) tells you your password is known, it is trivial for someone to learn your password if they find the hash in someplace they have attacked. Instead of trying the very time consuming process of reversing the process for every hash they steal, they have calculated list of hashes for known or suspected passwords. Then, all they have to do is look to see if that hash has already been pre-calculated and, if so, they know your password. It took a long time, but there are lists available that have the hashes for every word in the dictionary (in almost all languages). In addition, there are lists of hashes for passwords that have been stolen before, and passwords that have been created by modifying the other lists slightly. 
To see if a password is in any of the known lists (with emphasis on the word 'known' as there may be more that are hidden), visit https://haveibeenpwned.com/Passwords or http://unixservertech.com/pwned/pwned.html. This is a simple script that checks for known passwords without (I repeat, without) sending the password. We just send part of the hash (see explaination at http://unixservertech.com/pwned/pwned.html, or details by the author at https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/#cloudflareprivacyandkanonymity). If one of those sites (and they use the same back end, so no reason to check both) tells you your password is known, it is trivial for someone to learn your password if they find the hash in someplace they have attacked.
  
--- Brute Force+==== Brute Force ====
  
 If the hash is not in one of the pre-calculated lists, it is more difficult to figure out. Previously, we mentioned that it would take 2 years using a standard desktop computer to reverse calculate a password that was 8 characters long. However, realize, the Black Hats are not using Standard Desktop Computers! If the hash is not in one of the pre-calculated lists, it is more difficult to figure out. Previously, we mentioned that it would take 2 years using a standard desktop computer to reverse calculate a password that was 8 characters long. However, realize, the Black Hats are not using Standard Desktop Computers!
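Review bot: the paragraph split at `slightly.` is a good change, but the sentence that follows, `This is a simple script that checks for known passwords without (I repeat, without) sending the password`, now reads as if it describes both links; it describes only the unixservertech.com page, so name it (`The second link is a simple script ...`). Spelling: `explaination` should be `explanation`, `calculated list of hashes` should be `calculated lists of hashes`, and `the are actually stealing` in the previous paragraph should be `they are actually stealing`.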
Line 112: Line 113:
 All of these options shorten the time it takes to crack a hash and figure out a password. Let's take a simple example. The password 'af2r@bcG!' is 9 characters long and uses all of the keyboard. It would take about 2000 years to crack on a standard desktop PC. But, what happens when more advanced hardware, or networks, gets into the act and uses brute force to crack it. This information was found by putting the password into the checker at http://password-checker.online-domain-tools.com/ All of these options shorten the time it takes to crack a hash and figure out a password. Let's take a simple example. The password 'af2r@bcG!' is 9 characters long and uses all of the keyboard. It would take about 2000 years to crack on a standard desktop PC. But, what happens when more advanced hardware, or networks, gets into the act and uses brute force to crack it. This information was found by putting the password into the checker at http://password-checker.online-domain-tools.com/
  
-2,000 years Standard Desktop PC +^Time       ^ Equipment ^ 
-   46 years Fast Desktop Workstation +|2,000 years Standard Desktop PC  | 
-   18 years Workstation with a single GPU +  46 years Fast Desktop Workstation | 
-    9 years Workstation with a single, fast GPU +  18 years Workstation with a single GPU | 
-   11 month Workstation with parallel GPU'+   9 years Workstation with a single, fast GPU | 
-    2 hours medium size botnet +  11 month Workstation with parallel GPU'| 
 +   2 hours medium size botnet |
  
 So, as you can see, 2 hours after someone running a botnet puts it to work on your password, they will know it. And, store the hash, and the known password, into the lists freely available on the Internet. So, as you can see, 2 hours after someone running a botnet puts it to work on your password, they will know it. And, store the hash, and the known password, into the lists freely available on the Internet.
  
-== Password Theory+===== Password Theory =====
  
 There are two things that affect how long it takes to crack well formed (randomly generated) passwords; the speed with which the hardware/software can attack it, and the average number of tries it will take to do so. Speed of processing is increasing exponentially over time, and we have no control over that. The complexity, however, we can control.  There are two things that affect how long it takes to crack well formed (randomly generated) passwords; the speed with which the hardware/software can attack it, and the average number of tries it will take to do so. Speed of processing is increasing exponentially over time, and we have no control over that. The complexity, however, we can control. 
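Review bot: only the first row of the new cracking-time table is valid DokuWiki table syntax. `|2,000 years Standard Desktop PC  |` lacks the separator between its two cells, and the rows from `  46 years Fast Desktop Workstation |` down to `   2 hours medium size botnet |` lack the leading `|`, so they will render as plain text; each row should look like `|2,000 years | Standard Desktop PC |`. Also `11 month` should be `11 months` and the stray apostrophe in `GPU'` should go. Since the figures come from typing a password into a third-party web form, the text should state that `af2r@bcG!` is a throwaway example and that the checker should never be given a password anyone intends to use.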
Line 127: Line 129:
 Password cracking via brute force is determined by the number of possible combinations you could have. This is calculated as namespace raised to the length power, or namespace^length. Namespace is the number of possible elements in the key. If you only use lower case letters, it is 26 for English. If you use lower and upper case, it is 52. Add in numbers and it is 62. All ASCII printable characters (what you can enter from the keyboard) is 95. Password cracking via brute force is determined by the number of possible combinations you could have. This is calculated as namespace raised to the length power, or namespace^length. Namespace is the number of possible elements in the key. If you only use lower case letters, it is 26 for English. If you use lower and upper case, it is 52. Add in numbers and it is 62. All ASCII printable characters (what you can enter from the keyboard) is 95.
  
-Namespace     Length   Combinations +^Namespace    Length  Combinations 
-26                   26 ^ 8, or 208,827,064,576            lower case alphabetics +|26           |       | 26 ^ 8, or 208,827,064,576           | lower case alphabetics | 
-52                   52 ^ 8, or a 9 followed by 13 zeros   Add upper case letters +|52           |       | 52 ^ 8, or a 9 followed by 13 zeros  Add upper case letters | 
-62                   62 ^ 8, or a 2 followed by 14 zeros   Add numbers +|62           |       | 62 ^ 8, or a 2 followed by 14 zeros  Add numbers            | 
-95                   95 ^ 8, or a 6 followed by 15 zeros   Everything on the keyboard+|95           |       | 95 ^ 8, or a 6 followed by 15 zeros  Everything on the keyboard |
  
 Those numbers are very large, so we take the log2 (log base 2) of them and call that the entropy of the password. In the above case, the entry would be 37.60, 45.60, 47.63 and 52.56 respectively, Much easier to write down and remember. The formula for calculating the entropy Those numbers are very large, so we take the log2 (log base 2) of them and call that the entropy of the password. In the above case, the entry would be 37.60, 45.60, 47.63 and 52.56 respectively, Much easier to write down and remember. The formula for calculating the entropy
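Review bot: the combinations table has an empty Length column and a header without separators: `^Namespace    Length  Combinations` should be `^Namespace ^ Length ^ Combinations ^ Notes ^`, with `8` filled into each row's Length cell, since the table assumes an 8 character password. The 52-symbol row is also off: 52^8 is about 5.3 followed by 13 zeros, not `a 9 followed by 13 zeros`; the 45.60 bits of entropy quoted in the next paragraph corresponds to 5.3E13, so prose and table agree once the digit is corrected. `the entry would be 37.60` should read `the entropy would be 37.60`, and `respectively, Much easier` needs a full stop before `Much`.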
Line 138: Line 140:
  
 On average, you will guess the correct password when you are half way through the list of possibles. If you have 1000 things to check, you should, on average, be done after checking 500 of them. Some will take longer, some will be shorter. To divide by the possible combinations by 2, using entropy above, simply subtract 1 from the entropy (it is a log). Therefor, the number of guesses to crack a password, on average, will be On average, you will guess the correct password when you are half way through the list of possibles. If you have 1000 things to check, you should, on average, be done after checking 500 of them. Some will take longer, some will be shorter. To divide by the possible combinations by 2, using entropy above, simply subtract 1 from the entropy (it is a log). Therefor, the number of guesses to crack a password, on average, will be
 +<code perl>
 number_of_guesses = 2^(entropy-1) number_of_guesses = 2^(entropy-1)
 +</code>
  
 And the average time to guess a password, in seconds, would be And the average time to guess a password, in seconds, would be
  
 +<code perl>
 time_to_guess = 2^(entropy-1) / guesses_per_second time_to_guess = 2^(entropy-1) / guesses_per_second
 +</code>
  
-== Secure, Memorable Passwords+===== Secure, Memorable Passwords =====
  
 Let's look at two variants to measure the strength of a password: If the attacker does or does not know how you created it. If the password is totally random, using all printable characters, the entropy is the same for both scenarios. Let's look at two variants to measure the strength of a password: If the attacker does or does not know how you created it. If the password is totally random, using all printable characters, the entropy is the same for both scenarios.
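Review bot: the two new code blocks are tagged `<code perl>`, but in Perl `^` is bitwise XOR, so `2^(entropy-1)` is not the exponentiation the prose describes; either write the formulas as Perl (`2 ** ($entropy - 1)` and `2 ** ($entropy - 1) / $guesses_per_second`) or tag the blocks plain `<code>`, since they are formulas rather than runnable code. In the prose, `To divide by the possible combinations by 2` has an extra `by`, and `Therefor` should be `Therefore`.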
Line 153: Line 158:
 With passwords created in either of the following two ways, the entropy will vary widely with knowledge. Note: I have read older documentation where it is suggested to keep your entropy above 52 bits. However, I think we can hit a trillion (1E12) guesses per second over the next 10 years, which would reduce 52 bits to cracking in about a half hour (38 minutes).  I prefer an entropy of about 100 which, if my calculations are correct, would take at least a century to crack. With passwords created in either of the following two ways, the entropy will vary widely with knowledge. Note: I have read older documentation where it is suggested to keep your entropy above 52 bits. However, I think we can hit a trillion (1E12) guesses per second over the next 10 years, which would reduce 52 bits to cracking in about a half hour (38 minutes).  I prefer an entropy of about 100 which, if my calculations are correct, would take at least a century to crack.
  
-== Haystack (aka Padding)+==== Haystack (aka Padding) ====
  
 I found a very interesting article about "haystacking," a process which takes a poor password and turns it into a very strong one. See https://www.grc.com/haystack.htm. I found a very interesting article about "haystacking," a process which takes a poor password and turns it into a very strong one. See https://www.grc.com/haystack.htm.
Line 161: Line 166:
 However, I'd be leery of doing this with anything like my bank or something if there is a chance that some knowledge may be available to the attacker. If they know you have an old password that you liked, and you were using haystacking, the number of possiblities could be reduced into the thousands and be cracked faster than it would take to enter the command to do it. However, I'd be leery of doing this with anything like my bank or something if there is a chance that some knowledge may be available to the attacker. If they know you have an old password that you liked, and you were using haystacking, the number of possiblities could be reduced into the thousands and be cracked faster than it would take to enter the command to do it.
  
-== Diceware (random word list)+==== Diceware (random word list) ====
  
 This is a weird one, but definitely proven. It creates a passphrase composed of randomly selected words, separated by a special character. https://xkpasswd.net/s/ in the XKCD preset, is a tool to create these, but I recommend a minimum of 5 words as that increases the "full knowledge" entropy to over 100. For the technically oriented amongst you, you can download the source code driving that site from https://github.com/bbusschots/hsxkpasswd and create your own dictionary for very good security. This is a weird one, but definitely proven. It creates a passphrase composed of randomly selected words, separated by a special character. https://xkpasswd.net/s/ in the XKCD preset, is a tool to create these, but I recommend a minimum of 5 words as that increases the "full knowledge" entropy to over 100. For the technically oriented amongst you, you can download the source code driving that site from https://github.com/bbusschots/hsxkpasswd and create your own dictionary for very good security.
  
 This is an example Diceware. The procedure is fairly simple, though tedious, and can be done by hand.  This is an example Diceware. The procedure is fairly simple, though tedious, and can be done by hand. 
-1. Create a list of 7,776 words from  the dictionary +  - Create a list of 7,776 words from  the dictionary 
-2. Roll 5 die, using the result to look up a single word in the list +  Roll 5 die, using the result to look up a single word in the list 
-3. Repeat until you have found 5 words +  Repeat until you have found 5 words 
-4. Put the words, in order, into a phrase, separating them by a special character+  Put the words, in order, into a phrase, separating them by a special character
  
 This will result in something like 'mexico-bread-inside-this-factors', which is good, but by randomly making words capitalized, could end up being 'MEXICO-bread-inside-THIS-FACTORS', which is not much harder to remember, but much more secure (raises entropy by one). And, the human mind can turn this into something memorable. This will result in something like 'mexico-bread-inside-this-factors', which is good, but by randomly making words capitalized, could end up being 'MEXICO-bread-inside-THIS-FACTORS', which is not much harder to remember, but much more secure (raises entropy by one). And, the human mind can turn this into something memorable.
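Review bot: the claim that randomly capitalising words `raises entropy by one` contradicts the Theory section below, which doubles the namespace per word (7776 to 15552); doubling the choices for each of the 5 words adds 1 bit per word, i.e. 5 bits for the example phrase, so this should say `raises entropy by one bit per word`. In the procedure list only the first item carries the `  - ` marker; `Roll 5 die, using the result ...`, `Repeat until you have found 5 words` and `Put the words, in order, ...` need it too or they will not render as numbered steps (and it is `5 dice`, or `one die 5 times`). The `1E12` remark is sound as written: 2^51 guesses at 10^12 per second is about 2250 seconds, matching the stated 38 minutes.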
Line 175: Line 180:
 The site above uses a known dictionary (the Black Hats know it), and even with that, the entropy on this is 102 bits, even if they know how you did it. You can enhance it even more by generating your own word list, in which case it becomes even more difficult. The site above uses a known dictionary (the Black Hats know it), and even with that, the entropy on this is 102 bits, even if they know how you did it. You can enhance it even more by generating your own word list, in which case it becomes even more difficult.
  
--- Theory+==== Theory ====
  
 The wikipedia article at https://en.wikipedia.org/wiki/Diceware explains this well, but I'll summarize. The number of possible combinations is namespace ^ length, from above. Increasing length definitely has a strong effect, but increasing namespace has a greater one (2^2 = 4, 2^3 = 8, however 3^2 = 9). In this case, we are increasing the namespace from 95 (number of ASCII characters) to 7776 (number of words in the list), or 15552 (if we randomly capitalize). Ignoring the separators, that gives us a huge namespace increase, meaning we don't need to have as many "tokens" (characters under standard passwords vs words with Diceware). 5 randomly chosen words from the word list gives us a whopping 9E20 (9 followed by 20 zeros) possible combinations, or an entropy of 69 bits. Adding in the special characters you can put in between, and you get an entropy of over 100. The wikipedia article at https://en.wikipedia.org/wiki/Diceware explains this well, but I'll summarize. The number of possible combinations is namespace ^ length, from above. Increasing length definitely has a strong effect, but increasing namespace has a greater one (2^2 = 4, 2^3 = 8, however 3^2 = 9). In this case, we are increasing the namespace from 95 (number of ASCII characters) to 7776 (number of words in the list), or 15552 (if we randomly capitalize). Ignoring the separators, that gives us a huge namespace increase, meaning we don't need to have as many "tokens" (characters under standard passwords vs words with Diceware). 5 randomly chosen words from the word list gives us a whopping 9E20 (9 followed by 20 zeros) possible combinations, or an entropy of 69 bits. Adding in the special characters you can put in between, and you get an entropy of over 100.
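Review bot: the figures `9E20` and `an entropy of 69 bits` are for the capitalised list (15552^5 is about 9.1E20, or 69.6 bits), not for `5 randomly chosen words from the word list` of 7776 entries, which gives 7776^5, about 2.8E19 or 64.6 bits; say which namespace the number assumes. The parenthetical `(2^2 = 4, 2^3 = 8, however 3^2 = 9)` only compares adding one to a base of 2 and does not show that namespace matters more than length in general (with a base of 26 or more, one extra character of length beats one extra symbol); the point the paragraph actually needs is that 7776 is roughly eighty times the 95 from the table above, which is why five words outweigh eight characters.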
Line 183: Line 188:
 All this in an easy to remember, easy to write down, easy to type in, passphrase. All this in an easy to remember, easy to write down, easy to type in, passphrase.
  
-== Links+===== Links =====
  
-http://password-checker.online-domain-tools.com/ +  * http://password-checker.online-domain-tools.com/ 
-https://generatepasswords.org/ +  https://generatepasswords.org/ 
-https://www.grc.com/haystack.htm +  https://www.grc.com/haystack.htm 
-https://en.wikipedia.org/wiki/Password_strength#Entropy_as_a_measure_of_password_strength +  https://en.wikipedia.org/wiki/Password_strength#Entropy_as_a_measure_of_password_strength 
-https://resources.infosecinstitute.com/password-cracking-evolution/ +  https://resources.infosecinstitute.com/password-cracking-evolution/ 
-https://en.wikipedia.org/wiki/Diceware +  https://en.wikipedia.org/wiki/Diceware 
-https://www.microsoft.com/en-us/research/publication/a-large-scale-study-of-web-password-habits/ +  https://www.microsoft.com/en-us/research/publication/a-large-scale-study-of-web-password-habits/ 
-https://xkpasswd.net/s/ +  https://xkpasswd.net/s/ 
-https://github.com/bbusschots/hsxkpasswd+  https://github.com/bbusschots/hsxkpasswd
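Review bot: only the first entry in the Links list has the `  * ` bullet; the eight lines that follow, from `https://generatepasswords.org/` to `https://github.com/bbusschots/hsxkpasswd`, lack it and will render as one run-on paragraph, so prefix each with `  * `. The haveibeenpwned.com and troyhunt.com links cited in the Dictionary Attacks section are missing from this list and are worth adding.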
  
  
other/xkcd_passwords.1667805986.txt.gz · Last modified: 2022/11/07 01:26 by rodolico