
On Password Security and Cracking

Six months ago Bruce Schneier posted an article on "Choosing Secure Passwords". Some of the key points are (mostly copied verbatim from the mentioned post):

  1. The best way to explain how to choose a good password is to explain how they are broken.
  2. Password crackers do not brute force all 8 character combinations, but rather they brute force all 6 character passwords, then they check for common passwords.
  3. A typical password consists of a root plus an appendage. The root isn't necessarily a dictionary word, but it's usually something pronounceable. An appendage is either a suffix (90% of the time) or a prefix (10% of the time). One cracking program I saw started with a dictionary of about 1,000 common passwords.
  4. Crackers use different dictionaries: English words, names, foreign words, phonetic patterns and so on for roots; two digits, dates, single symbols and so on for appendages. They run the dictionaries with various capitalizations and common substitutions: "$" for "s", "@" for "a," "1" for "l" and so on. This guessing strategy quickly breaks about two-thirds of all passwords.
  5. Last year, Ars Technica gave three experts a 16,000-entry encrypted password file, and asked them to break as many as possible. The winner got 90% of them, the loser 62% -- in a few hours.

Bruce Schneier cites the following:

  1. Ars Technica article: Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331”
  2. hashcat: advanced password recovery

To give an idea of the performance of a brute-force attack on all 6-character passwords, assume lowercase letters plus the 10 digits: there are $36^6 = 2{,}176{,}782{,}336 \approx 2\cdot 10^9$ combinations. Take a program like "Very simple SHA1 test program written in C" and wrap a loop around it. With this I can test all SHA1 hashes in less than 45 seconds using 8 cores; see this post for my CPU description.
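
Seen from the defender's side, points 3 and 4 and the estimate above turn into a check that can run when a password is set. The following is an added example, not code from this post or from Schneier's article: it flags a candidate that reduces to a common root plus an appendage, or that is short enough for exhaustive search. The names `weaknesses`, `exhaust_seconds`, `COMMON_ROOTS` and `PAGE_RATE` are hypothetical, the root list is a constructed sample, and treating every password of length 6 or less as exhaustively searchable is an assumption.

```python
import re

# Constructed sample of roots; a real check would load a large wordlist.
COMMON_ROOTS = {"password", "letmein", "dragon", "sunshine", "alison"}
# Undo the substitutions the post names: "$" for "s", "@" for "a", "1" for "l".
UNSUBSTITUTE = str.maketrans({"$": "s", "@": "a", "1": "l"})
# Appendage modelled as a digit run (two digits, dates) or one symbol.
APPENDAGE = r"(?:\d+|[^A-Za-z0-9])"
SUFFIX = re.compile(rf"^(?P<root>.+?)(?P<app>{APPENDAGE})$")
PREFIX = re.compile(rf"^(?P<app>{APPENDAGE})(?P<root>.+)$")
# Lower bound on the rate implied by the post: 36**6 SHA1 hashes in 45 s.
PAGE_RATE = 36**6 / 45


def exhaust_seconds(alphabet_size, length, rate=PAGE_RATE):
    """Seconds to try every string of this length at the given hash rate."""
    return alphabet_size**length / rate


def weaknesses(password):
    """List the reasons a password falls to the strategy described above."""
    reasons = []
    if len(password) <= 6:
        reasons.append("length <= 6: covered by exhaustive search")
    candidates = [("no appendage", password)]
    for kind, pattern in (("suffix", SUFFIX), ("prefix", PREFIX)):
        match = pattern.match(password)
        if match:
            candidates.append((f"{kind} {match['app']!r}", match["root"]))
    for label, root in candidates:
        folded = root.lower()  # capitalization variants are tried by crackers
        for form in (folded, folded.translate(UNSUBSTITUTE)):
            if form in COMMON_ROOTS:
                reasons.append(f"common root {form!r}, {label}")
                break
    return reasons


if __name__ == "__main__":
    # Constructed sample passwords.
    for sample in ("P@$$word12", "7dragon", "a1b2c3", "vKq8#tLw2mZx"):
        print(sample, "->", weaknesses(sample) or "no pattern matched")
    print("8 chars, 36 symbols:", round(exhaust_seconds(36, 8) / 3600, 1), "hours")
```

An empty result only means none of these patterns matched against the sample list; it is not a measure of strength.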