I know of one modest demonstration (Feb 2012, link) that claimed the power to make 400 billion guesses a second on a 25 GPU system.
In that case, an 8 digit password would be blown in less than 6 hours, sooner depending on the brute-force method. But that assumes the attacker has access to the file that stores the encrypted password. And frankly, that is easy to do, if you have access to the computer itself. Even if you can't get to the HDD, the attacker would simply replace the keyboard with a computer that would send 'keystrokes' much faster than you could type. It might take longer, due to the speed of the USB connection, but human typing rate is not a good reference on this matter.
On the issue of characters used in a password, this is not quite as simple as most people state. What matters most is what the attacker expects to have to try, not what characters you chose. In other words, what matters most is what characters EVERYONE in the system uses, not just you. For example, a random sequence of 'X', 'Y' and 'Z' is just as hard to guess as a random sequence of all letters of the alphabet, as long as the attacker doesn't know you prefer X, Y, and Z. But if, despite the availability of 100 digits, it is known to the attacker that everyone is using only X, Y and Z, then the attacker can narrow down the brute-force attack and negate the benefit of the 100 digit security system. The principle of this is identical to that of the dictionary attack. This is why sysadmins might force everyone to use different character types to make sure that a would-be intruder has to try all permutations.
This is not to say the specific characters used in a password don't affect the speed at which it is broken. That is, when someone says "an 8 digit password takes 10 years to break," that 10 years is the MAXIMUM time required. A more accurate statement would be, "it takes 10 years to test all combinations of 8 digit passwords." But the fact is that some passwords would be guessed much faster depending on the character selection and attack method. For example, if your password uses a 100-character alphanumeric system (e.g. 0-9.A-Z), and the brute-force attack uses sequential guesses, then a password starting with a '0' will be broken at least 100x faster than a password that starts with the LAST character in that sequence (let's call it 'Z'). But this is tricky to deal with since you can never know what order the attacker may use. For example, does the attacker consider A or 0 the first digit? And is Z or 9 the last digit? Or if the attacker knows that everyone uses passwords that start with characters towards the end of the alphabet, then he/she may try brute-force in reverse sequence, and the password that starts with '0' will be safer.
Unfortunately, the speed at which passwords are broken is as much about the number of digits as it is the predictability of human behaviour. In order for a password to be considered secure, it needs to be truly random and unique. Many people often choose a base word for their password, like “password,” and transform it to be logically “complex.” So they’ll replace letters with special characters or digits and add some capitalizations. So a password that was “password” becomes In fact, if each letter could be one of an uppercase, lowercase, or special character, there are 6,561 (3^8) versions of “password” – which is far from an unbreakable amount. Thus, a hacker using a brute force technique isn’t just going to start with “aaaaaaaa” and go down the list, “aaaaaaab”, “aaaaaaac”, etc. He is going to apply intelligence to the cracking. That intelligence most often involves using common base words. So not only will he try cracking the very simple “password” but also all 6,561 versions, to include the complex are approximately 220,000 dictionary base words, meaning that even if you added up to three extra digits to your transformed, base-word-based password and formed something like a computer would take about 26 minutes to crack it – no matter how long the password is.
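The base-word argument above can be turned into a password audit check; this is an added example, not code from the original page. The word list, substitution table, 95-character alphabet and the rate of one billion guesses per second are assumptions; with that rate, the text's figures (3 variants per letter, 220,000 base words, up to three extra digits) land in the same range as the 26 minutes quoted.

```python
VARIANTS_PER_LETTER = 3   # from the text: uppercase, lowercase or special character
BASE_WORDS = 220_000      # from the text: approximate number of dictionary base words
MAX_EXTRA_DIGITS = 3      # from the text: up to three extra digits
ALPHABET = 95             # assumption: printable ASCII for blind brute force

# Constructed sample data, not a real wordlist or substitution table.
SAMPLE_WORDS = {"password", "dragon", "monkey", "sunshine"}
UNDO_SUBSTITUTIONS = str.maketrans({"@": "a", "4": "a", "$": "s", "5": "s",
                                    "0": "o", "1": "l", "!": "i", "3": "e", "7": "t"})

def base_word(password, words=SAMPLE_WORDS):
    """Return (word, extra_digits) if password is a transformed base word, else None."""
    for extra in range(min(MAX_EXTRA_DIGITS, len(password)) + 1):
        cut = len(password) - extra
        if extra and not password[cut:].isdigit():
            break  # a longer suffix cannot be all digits either
        stem = password[:cut].lower().translate(UNDO_SUBSTITUTIONS)
        if stem in words:
            return stem, extra
    return None

def pattern_guesses(word_length):
    """Upper bound on candidates: every base word, every variant, 0 to 3 extra digits."""
    suffixes = sum(10 ** n for n in range(MAX_EXTRA_DIGITS + 1))  # 1 + 10 + 100 + 1000
    return BASE_WORDS * VARIANTS_PER_LETTER ** word_length * suffixes

def audit(password, guesses_per_second=1e9):
    """Compare the blind search space with the one a base-word-aware attacker faces."""
    hit = base_word(password)
    blind = ALPHABET ** len(password)
    effective = min(pattern_guesses(len(hit[0])), blind) if hit else blind
    return {"base_word": hit[0] if hit else None,
            "blind_guesses": blind,
            "effective_guesses": effective,
            "worst_case_minutes": effective / guesses_per_second / 60}

if __name__ == "__main__":
    for sample in ("P@$$w0rd123", "kq7#Vx2!pLm"):  # constructed sample passwords
        print(sample, audit(sample))
```

Both sample passwords are 11 characters long, yet only the random one keeps the full blind search space; the transformed base word collapses to the pattern count regardless of its length.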