Passwords P@$5w0rD5....
Passwords and Security Theater
L0hKey
9/22/2024
We type in passwords for just about everything, or have a password manager enter them for us. Either way, we have come to accept passwords as a fact of life. In fact, I know plenty of people who hate passwords but would probably feel a little uncomfortable creating an account with no password at all (if that is even allowed). It is a solution to a potential problem, or so most seem to think. We find comfort in creating a password for an account because it is what some call “security theater”. Sure, it will work and stop people from logging onto your account without typing a password, but that isn’t exactly enough.
A great example of security theater comes from Hollywood. We have all watched plenty of films and shows where a file or location is guarded by a password and the wily hacker is the only one who can figure out the supersecret password “OSCAR”. An old TV show I remember is Knight Rider. In one episode a person is murdered but leaves behind a disk protected by a 6 digit password which no one knows. During the episode there are references to the number of possible combinations being infinite, yet a car that could drive itself at speeds of over 200mph and the team of scientists working on it could not seem to brute force the password. Granted, this was the early 1980s, but they had a computer that could drive a car better than even the self driving cars of today. This is security theater at its finest.
Password guessing is really a numbers game based on a set of probabilities. A six digit password simply means that there are 1,000,000 possible combinations. That sounds like quite a task for a human to guess on their own, but a computer can do this easily and quickly. Let’s take some examples here.
A common password trick is to use the name of a pet as the password, so we will use the word ‘fido’ here. With only lowercase letters being used, each character has 26 possibilities using the English alphabet. With 4 letters being used there are 456,976 possible combinations. How do we calculate that number? We can use
26 x 26 x 26 x 26
Or 26 to the 4th power to come up with our answer. With today’s computers this is not a very large number of guesses. A simple password cracking program can find the password in less than one second. So let’s try to make it a little harder by using both lowercase and uppercase letters, such as ‘FiDo’, which now gives each character 52 possibilities. So we can use 52 to the 4th power, which gives us a few more possible combinations at 8,503,056. Adding numbers gives 10 more possibilities for each character, for 62. So the password ‘F1d0’ could take over 14 million guesses to crack. Some password policies go even further by including special characters such as ‘#@%….’ and so on, which can add another 10 possibilities for a total of 72 per character in a password. So the password ‘F1d@’ could take over 26 million tries to guess. Certainly much better than only 456,976 guesses. Make the password longer, such as 8 or 12 characters, and the number of guesses grows exponentially. Most password policies today expect 8 or more characters for good measure.
There are 2 common ways to attack a password: dictionary and brute force. A dictionary attack simply takes a wordlist file and tries each word in the file against the password until it either cracks the password or reaches the end of the dictionary file. A common dictionary file such as rockyou.txt has over 14 million words on file. In a brute force attack the program will start at the number 0, for example, and keep guessing one number at a time until it finds a match, if allowed to keep going forever. Personally, I find that a brute force attack is a last resort, as it can take much longer than a dictionary attack since most people tend to use known words or names as part of their password.
Going back to the TV episode example, I ran both types of attacks with the password from the show. First I created a password protected zip file and ran the tool fcrackzip against it. The first attack used the well known rockyou.txt dictionary file and the 2nd attack used a file starting at number 0 and ending at 999999 to simulate a brute force concept. The dictionary attack took .004 seconds while the brute force attack took .073 seconds to guess the password 362436. It took less than a second in both cases to find the answer. It drives away the illusion of protection. To this end, the longer the password one uses, the better. More characters mean more variables, which require more time and computing power to guess.
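The search-space arithmetic and the dictionary versus brute force comparison above, as an added example that is not from the original article: it counts character classes the way the article does and bounds how many guesses each approach needs, then shows how the worst case grows with length. The particular 10 special characters, the sample wordlist and the guess rate are assumptions made for the example.

```python
import string

# Character classes as the article counts them. The article says specials add
# 10 symbols; this particular set of 10 is an assumption made for the example.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, "!@#$%^&*()")

# Assumption: guesses per second, roughly what the article's fcrackzip run
# implies (candidate 362436 reached in 0.073 s). Real rates vary widely.
RATE = 5_000_000

def charset_size(password):
    """Alphabet size an exhaustive search must cover for this password."""
    used = [c for c in CLASSES if any(ch in c for ch in password)]
    if any(not any(ch in c for c in used) for ch in password):
        raise ValueError("character outside the modelled classes")
    return sum(len(c) for c in used)

def keyspace(password):
    """Number of candidates of the same length over that alphabet."""
    return charset_size(password) ** len(password)

def audit(password, wordlist, rate=RATE):
    """Upper bound on guesses: wordlist position if listed, else keyspace."""
    if password in wordlist:
        guesses, method = wordlist.index(password) + 1, "dictionary"
    else:
        guesses, method = keyspace(password), "brute force"
    return {"method": method, "guesses": guesses, "seconds": guesses / rate}

def years_to_exhaust(alphabet, length, rate=RATE):
    """Worst-case years to try every password of this length."""
    return alphabet ** length / rate / (365 * 24 * 3600)

if __name__ == "__main__":
    words = ["password", "123456", "fido", "qwerty"]  # constructed sample list
    for pw in ("fido", "F1d0", "F1d@", "362436"):
        print(pw, audit(pw, words))
    for n in (4, 8, 12):
        print(f"72 symbols, length {n}: {years_to_exhaust(72, n):.3g} years")
```

At the assumed rate, every 4-character password over 72 symbols is exhausted in seconds, 8 characters takes years, and 12 characters takes on the order of a hundred million years, which is the growth with length the article describes.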
