other:xkcd_passwords
Differences
This shows you the differences between two versions of the page.
other:xkcd_passwords [2022/11/07 01:26] – rodolico | other:xkcd_passwords [2022/11/07 01:41] (current) – rodolico | ||
---|---|---|---|
Line 1: | Line 1: | ||
====== Generating good passwords ====== | ====== Generating good passwords ====== | ||
- | Password security is very much on everyones | + | Password security is very much on everyone' |
===== Summary ===== | ===== Summary ===== | ||
- | If you don't want all the ins and outs, just do one of the following. For the reasons why you should do one of them, read the rest of the article. | + | If you don't want all the ins and outs, just do one of the following. For the reasons why you should do one of them, read the rest of the article. |
==== Generate a totally random, 20 character password ==== | ==== Generate a totally random, 20 character password ==== | ||
Line 80: | Line 80: | ||
- | -- Name Space | + | ==== Name Space ==== |
- | Finally, it should use as many different possible " | + | Finally, it should use as many different possible " |
- | 35 minutes | + | ^Time to Crack ^ Namespace ^ |
- | 8 hours - all lower case and numeric digits | + | |35 minutes |
- | 6 days - Lower and Upper case | + | |8 hours |
- | 25 days - Lower, Upper, numeric digits | + | |6 days | Lower and Upper case | |
- | 2 years - lower, upper, numeric, special characters (period, comma, colon, hash mark) | + | |25 days |
+ | |2 years | ||
I used the Desktop Computer to show the increase in difficulty. Most Black Hats are using special equipment, called GPU's, or clusters of computers (called botnets) to do the cracking. An 8 character password with lower, upper, numeric and special characters can be cracked on a medium sized botnet in about a minute, instead of 2 years. | I used the Desktop Computer to show the increase in difficulty. Most Black Hats are using special equipment, called GPU's, or clusters of computers (called botnets) to do the cracking. An 8 character password with lower, upper, numeric and special characters can be cracked on a medium sized botnet in about a minute, instead of 2 years. | ||
- | == Other tricks, and how to avoid them | + | ===== Other tricks, and how to avoid them ===== |
- | -- Password duplication | + | ==== Password duplication |
If one of your accounts is successfully compromised, | If one of your accounts is successfully compromised, | ||
- | -- Dictionary Attacks | + | ==== Dictionary Attacks |
Passwords are not stored "in the clear" (ie, the original password in text form) on reputable sites. Instead, they use a mathematical function called a hash to turn your password into a big number. The good thing about the hash is, it is very easy to calculate the hash of a password, but very difficult to calculate the password when given the hash. In other words, it is not easily reversable. When you log into a web site and provide your password, the web site calculates the hash of what you entered, then compares it the the result they have stored, and if they match, you're allowed access. When the Black Hats "steal your password", | Passwords are not stored "in the clear" (ie, the original password in text form) on reputable sites. Instead, they use a mathematical function called a hash to turn your password into a big number. The good thing about the hash is, it is very easy to calculate the hash of a password, but very difficult to calculate the password when given the hash. In other words, it is not easily reversable. When you log into a web site and provide your password, the web site calculates the hash of what you entered, then compares it the the result they have stored, and if they match, you're allowed access. When the Black Hats "steal your password", | ||
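Review bot: the unchanged context line describing hashing has two typos that this revision could have picked up: "reversable" should be "reversible", and "compares it the the result" should be "compares it to the result". In the same hunk, "GPU's" in the botnet paragraph is a plural and should be "GPUs".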
Line 104: | Line 105: | ||
Instead of trying the very time consuming process of reversing the process for every hash they steal, they have calculated list of hashes for known or suspected passwords. Then, all they have to do is look to see if that hash has already been pre-calculated and, if so, they know your password. It took a long time, but there are lists available that have the hashes for every word in the dictionary (in almost all languages). In addition, there are lists of hashes for passwords that have been stolen before, and passwords that have been created by modifying the other lists slightly. To see if a password is in any of the known lists (with emphasis on the word ' | Instead of trying the very time consuming process of reversing the process for every hash they steal, they have calculated list of hashes for known or suspected passwords. Then, all they have to do is look to see if that hash has already been pre-calculated and, if so, they know your password. It took a long time, but there are lists available that have the hashes for every word in the dictionary (in almost all languages). In addition, there are lists of hashes for passwords that have been stolen before, and passwords that have been created by modifying the other lists slightly. To see if a password is in any of the known lists (with emphasis on the word ' | ||
- | -- Brute Force | + | ==== Brute Force ==== |
If the hash is not in one of the pre-calculated lists, it is more difficult to figure out. Previously, we mentioned that it would take 2 years using a standard desktop computer to reverse calculate a password that was 8 characters long. However, realize, the Black Hats are not using Standard Desktop Computers! | If the hash is not in one of the pre-calculated lists, it is more difficult to figure out. Previously, we mentioned that it would take 2 years using a standard desktop computer to reverse calculate a password that was 8 characters long. However, realize, the Black Hats are not using Standard Desktop Computers! | ||
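Review bot: the precomputed-hash-list explanation is missing the defence that makes those lists useless, a per-user salt mixed into the hash before it is stored; since the previous hunk already tells the reader that reputable sites hash passwords, one sentence here saying that reputable sites also salt them, so a list of hashes for dictionary words does not match any stored value, would complete the picture. Minor: "they have calculated list of hashes" should read "lists of hashes".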
Line 112: | Line 113: | ||
All of these options shorten the time it takes to crack a hash and figure out a password. Let's take a simple example. The password ' | All of these options shorten the time it takes to crack a hash and figure out a password. Let's take a simple example. The password ' | ||
- | 2,000 years - Standard Desktop PC | + | ^Time ^ Equipment ^ |
- | 46 years - Fast Desktop Workstation | + | |2,000 years | Standard Desktop PC | |
- | 18 years - Workstation with a single GPU | + | | 46 years | Fast Desktop Workstation |
- | 9 years - Workstation with a single, fast GPU | + | | 18 years | Workstation with a single GPU | |
- | 11 month - Workstation with parallel GPU' | + | | 9 years | Workstation with a single, fast GPU | |
- | 2 hours - medium size botnet | + | | 11 month | Workstation with parallel GPU' |
+ | | 2 hours | medium size botnet | ||
So, as you can see, 2 hours after someone running a botnet puts it to work on your password, they will know it. And, store the hash, and the known password, into the lists freely available on the Internet. | So, as you can see, 2 hours after someone running a botnet puts it to work on your password, they will know it. And, store the hash, and the known password, into the lists freely available on the Internet. | ||
- | == Password Theory | + | ===== Password Theory |
There are two things that affect how long it takes to crack well formed (randomly generated) passwords; the speed with which the hardware/ | There are two things that affect how long it takes to crack well formed (randomly generated) passwords; the speed with which the hardware/ | ||
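Review bot: the speed-up in this table does not agree with the earlier Name Space section. Earlier, a medium botnet turns 2 years into "about a minute", roughly a million-fold speed-up; here the same medium botnet turns 2,000 years into 2 hours, roughly a nine-thousand-fold speed-up. Use one consistent ratio for the botnet or explain why the two examples differ. Also "11 month" should be "11 months", and the new table rows use a leading space inconsistently ("|2,000 years" versus "| 46 years").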
Line 127: | Line 129: | ||
Password cracking via brute force is determined by the number of possible combinations you could have. This is calculated as namespace raised to the length power, or namespace^length. Namespace is the number of possible elements in the key. If you only use lower case letters, it is 26 for English. If you use lower and upper case, it is 52. Add in numbers and it is 62. All ASCII printable characters (what you can enter from the keyboard) is 95. | Password cracking via brute force is determined by the number of possible combinations you could have. This is calculated as namespace raised to the length power, or namespace^length. Namespace is the number of possible elements in the key. If you only use lower case letters, it is 26 for English. If you use lower and upper case, it is 52. Add in numbers and it is 62. All ASCII printable characters (what you can enter from the keyboard) is 95. | ||
- | Namespace | + | ^Namespace |
- | 26 8 26 ^ 8, or 208, | + | |26 | 8 | 26 ^ 8, or 208, |
- | 52 8 52 ^ 8, or a 9 followed by 13 zeros | + | |52 | 8 | 52 ^ 8, or a 9 followed by 13 zeros |
- | 62 8 62 ^ 8, or a 2 followed by 14 zeros | + | |62 | 8 | 62 ^ 8, or a 2 followed by 14 zeros |
- | 95 8 95 ^ 8, or a 6 followed by 15 zeros | + | |95 | 8 | 95 ^ 8, or a 6 followed by 15 zeros |
Those numbers are very large, so we take the log2 (log base 2) of them and call that the entropy of the password. In the above case, the entry would be 37.60, 45.60, 47.63 and 52.56 respectively, | Those numbers are very large, so we take the log2 (log base 2) of them and call that the entropy of the password. In the above case, the entry would be 37.60, 45.60, 47.63 and 52.56 respectively, | ||
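Review bot: the 52-namespace row is wrong: 52 ^ 8 is about 5.3 x 10^13, so it should read "a 5 followed by 13 zeros", not "a 9 followed by 13 zeros"; the entropy of 45.60 bits given for it in the paragraph below is correct, so only the table cell needs changing. In that paragraph, "the entry would be" should be "the entropy would be".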
Line 138: | Line 140: | ||
On average, you will guess the correct password when you are half way through the list of possibles. If you have 1000 things to check, you should, on average, be done after checking 500 of them. Some will take longer, some will be shorter. To divide by the possible combinations by 2, using entropy above, simply subtract 1 from the entropy (it is a log). Therefor, the number of guesses to crack a password, on average, will be | On average, you will guess the correct password when you are half way through the list of possibles. If you have 1000 things to check, you should, on average, be done after checking 500 of them. Some will take longer, some will be shorter. To divide by the possible combinations by 2, using entropy above, simply subtract 1 from the entropy (it is a log). Therefor, the number of guesses to crack a password, on average, will be | ||
+ | <code perl> | ||
number_of_guesses = 2^(entropy-1) | number_of_guesses = 2^(entropy-1) | ||
+ | </ | ||
And the average time to guess a password, in seconds, would be | And the average time to guess a password, in seconds, would be | ||
+ | <code perl> | ||
time_to_guess = 2^(entropy-1) / guesses_per_second | time_to_guess = 2^(entropy-1) / guesses_per_second | ||
+ | </ | ||
- | == Secure, Memorable Passwords | + | ===== Secure, Memorable Passwords |
Let's look at two variants to measure the strength of a password: If the attacker does or does not know how you created it. If the password is totally random, using all printable characters, the entropy is the same for both scenarios. | Let's look at two variants to measure the strength of a password: If the attacker does or does not know how you created it. If the password is totally random, using all printable characters, the entropy is the same for both scenarios. | ||
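Review bot: the two formula blocks are now tagged <code perl>, but in Perl `^` is bitwise XOR, not exponentiation, so `2^(entropy-1)` as written would compute the wrong value; either write them as Perl (`2 ** ($entropy - 1)` and `2 ** ($entropy - 1) / $guesses_per_second`) or tag them as plain <code> since they are meant as formulas. Minor: "To divide by the possible combinations by 2" should be "To divide the possible combinations by 2", and "Therefor" should be "Therefore".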
Line 153: | Line 158: | ||
With passwords created in either of the following two ways, the entropy will vary widely with knowledge. Note: I have read older documentation where it is suggested to keep your entropy above 52 bits. However, I think we can hit a trillion (1E12) guesses per second over the next 10 years, which would reduce 52 bits to cracking in about a half hour (38 minutes). | With passwords created in either of the following two ways, the entropy will vary widely with knowledge. Note: I have read older documentation where it is suggested to keep your entropy above 52 bits. However, I think we can hit a trillion (1E12) guesses per second over the next 10 years, which would reduce 52 bits to cracking in about a half hour (38 minutes). | ||
- | == Haystack (aka Padding) | + | ==== Haystack (aka Padding) |
I found a very interesting article about " | I found a very interesting article about " | ||
Line 161: | Line 166: | ||
However, I'd be leery of doing this with anything like my bank or something if there is a chance that some knowledge may be available to the attacker. If they know you have an old password that you liked, and you were using haystacking, | However, I'd be leery of doing this with anything like my bank or something if there is a chance that some knowledge may be available to the attacker. If they know you have an old password that you liked, and you were using haystacking, | ||
- | == Diceware (random word list) | + | ==== Diceware (random word list) ==== |
This is a weird one, but definitely proven. It creates a passphrase composed of randomly selected words, separated by a special character. https:// | This is a weird one, but definitely proven. It creates a passphrase composed of randomly selected words, separated by a special character. https:// | ||
This is an example Diceware. The procedure is fairly simple, though tedious, and can be done by hand. | This is an example Diceware. The procedure is fairly simple, though tedious, and can be done by hand. | ||
- | 1. Create a list of 7,776 words from the dictionary | + | - Create a list of 7,776 words from the dictionary |
- | 2. Roll 5 die, using the result to look up a single word in the list | + | |
- | 3. Repeat until you have found 5 words | + | |
- | 4. Put the words, in order, into a phrase, separating them by a special character | + | |
This will result in something like ' | This will result in something like ' | ||
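Review bot: step 2 says "Roll 5 die"; it should be "Roll 5 dice" (or one die five times). It would also help the reader to state why the list has 7,776 entries: five six-sided dice give 6 ^ 5 = 7,776 outcomes, so each five-dice roll indexes exactly one word. The sentence "This is an example Diceware" reads as incomplete; "This is an example of Diceware" or "Diceware works as follows" would be clearer.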
Line 175: | Line 180: | ||
The site above uses a known dictionary (the Black Hats know it), and even with that, the entropy on this is 102 bits, even if they know how you did it. You can enhance it even more by generating your own word list, in which case it becomes even more difficult. | The site above uses a known dictionary (the Black Hats know it), and even with that, the entropy on this is 102 bits, even if they know how you did it. You can enhance it even more by generating your own word list, in which case it becomes even more difficult. | ||
- | -- Theory | + | ==== Theory |
The wikipedia article at https:// | The wikipedia article at https:// | ||
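Review bot: the 102-bit figure does not follow from the four-step procedure above. Five words chosen from a 7,776-word list, with the attacker knowing the method, give 5 x log2(7776), about 64.6 bits; 102 bits corresponds to roughly eight words from that list. Either adjust the word count in the procedure, or say how the site's generator differs from the hand procedure so the two numbers can be reconciled.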
Line 183: | Line 188: | ||
All this in an easy to remember, easy to write down, easy to type in, passphrase. | All this in an easy to remember, easy to write down, easy to type in, passphrase. | ||
- | == Links | + | ===== Links ===== |
- | http:// | + | * http:// |
- | https:// | + | |
- | https:// | + | |
- | https:// | + | |
- | https:// | + | |
- | https:// | + | |
- | https:// | + | |
- | https:// | + | |
- | https:// | + | |
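Review bot: the first entry in the new bulleted links list is a plain http:// URL while every other entry is https://; if the site supports it, use https:// there as well so readers are not sent to an unencrypted page.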
other/xkcd_passwords.1667805986.txt.gz · Last modified: 2022/11/07 01:26 by rodolico