Tech blog post: is your password easy to crack?
There is a good chance that, when you read this, you logged in using a password this morning. There is an even bigger chance that this password had to meet a variety of requirements: a minimum length, special characters, and probably a capital letter as well. But where do these requirements come from? And why do they still not result in good passwords? In this first of a series of 3 blog posts, Dutch DPA technologist Jonathan Ellen takes you on a trip through the world of passwords.
You probably know the dilemma: the more complex your password, the more difficult it is to remember it. This is all the more the case if you use many passwords. The result? Short passwords that look complex on paper, but in reality are based on patterns that are easy to guess.
In this first blog post, we look at passwords from the perspective of a computer criminal. This shows when a password is really strong, and why passwords are often not strong in practice.
In the next blog post, we will look in more detail at how you use strong passwords in practice. Later, other methods for digital access control, including multifactor authentication (MFA), will also be addressed.
Cracking passwords
The art of finding out which password is used in a certain place is called 'cracking'. This is done by trying out various options until a working password is found.
Cracking passwords takes a lot of time and costs a lot of money. So the more time the criminal has to spend on the operation, the less profitable it becomes. The time required for cracking a password depends on the time needed for each attempt and the total number of attempts required.
In general, passwords are not stored in readable form. Only a transformed version, known as the hash value, is kept. Calculating that hash value takes a lot of computing time. As a user, you do not notice this when you log in, but for criminals, who need billions of attempts, that time automatically becomes an important factor.
Criminals can work online, for example against the login portal of a company or a website. In that case additional constraints play a part, such as a maximum number of login attempts. It also happens that databases with password hash values leak. These can be cracked offline.
In this blog post, we assume that the criminal has stolen a database with login details, including hash values of passwords. The hashing method used is also known. Cracking these passwords is therefore only a matter of time. But how much time?
Brute force attack
The simplest method of attack in a criminal's arsenal is to try all possibilities. This is called a 'brute force' attack. You start with 'a' and calculate the associated hash value. Does it occur in the list? Then you know that 'a' is a valid password. Is 'a' not in the list? Then you try 'b'. And you keep trying until you have found a working password.
The advantage of a brute force attack is that you do not skip any passwords. After all, you try them all. The disadvantage is that a brute force attack can take a very long time if the passwords are strong.
By way of illustration, we crack a number of passwords. The total time depends, among other things, on the hashing method and the computing power used. My home computer can make around 400 million attempts per second (on an Nvidia GTX 1060, with MD5 as the hashing method).
Better computers achieve far higher speeds, and this will only increase in the future. The results below are therefore an absolute lower limit.
Character set | 6 characters | 7 characters | 8 characters | 9 characters
---|---|---|---|---
Lower-case letters only | 0 s | 2 s | 50 s | 20 min
Lower-case and capital letters | 5 s | 4 min | 3.5 hours | approx. 8 days
Lower-case letters, capital letters, numbers | 13 s | 14 min | approx. 15 hours | approx. 40 days
Punctuation marks included | 3 min | approx. 5 hours | approx. 18 days | approx. 5 years
Keep in mind that within these periods all passwords have been tried, from 'a' up to, for example, 'Z#_sB43)X'. It does not matter how hard the password was to guess, or how many numbers and capital letters it contained: if it is shorter than 9 characters, my home computer can crack it.
The results show that a long password is better than a password with many special characters. Extending a password by only 2 lower-case letters, from 7 to 9 characters, slows down the cracking process as much as 600 times. Adding all 26 capital letters, on the other hand, only extends the cracking time by a factor of 120. If you want to know why this is the case, read the text box below.
Mathematical framework
The time required to crack a password is proportional to the total number of possible passwords. We call this the password space. It is calculated as $K^L$, with $K$ the number of possible characters and $L$ the length. The password space of 6 lower-case letters is therefore $26^6$, and for 8 lower-case letters it is $26^8$. An extension by 2 characters therefore results in $26^2 = 676$ times more possibilities. By way of comparison: extending the set of possible characters by 2 characters results in $(28/26)^6$ times more possibilities.
This is because the password length $L$ is in the exponent. As a result, a longer password makes the password space grow exponentially, much faster than when more special characters are used. Of course, a combination of length and special characters is the strongest option.
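As an added example (not the post's own code), a small Python calculator for the password space $K^L$ and the brute-force times of this section. It assumes alphabet sizes of 26, 52, 62 and 94 for the four rows of the table and takes the guess rate as a parameter; with a rate of 4 billion MD5 guesses per second it reproduces the table's values (at the 400 million per second quoted in the text every entry is ten times longer), and it also compares two extra characters of length with two extra alphabet symbols as in the text box.

```python
# Alphabet sizes behind the four rows of the table above (assumption: the
# "punctuation marks" row means all 94 printable ASCII characters).
CHARSETS = {
    "lower": 26,
    "lower+upper": 52,
    "lower+upper+digits": 62,
    "all printable ASCII": 94,
}

def password_space(k: int, length: int) -> int:
    """K^L: the number of passwords of exactly `length` characters over k symbols."""
    return k ** length

def exhaustive_space(k: int, length: int) -> int:
    """Everything a brute-force run tries from 'a' up to length L, i.e. lengths 1..L."""
    return sum(k ** i for i in range(1, length + 1))

def worst_case_seconds(k: int, length: int, rate: float) -> float:
    """Seconds needed to try every candidate of length 1..L at `rate` hashes per second."""
    return exhaustive_space(k, length) / rate

def humanize(seconds: float) -> str:
    """Round to the coarse units the table uses."""
    for name, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("min", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.0f} s"

def cracking_table(rate: float, lengths=(6, 7, 8, 9)) -> dict:
    """Worst-case cracking time per character set and length, like the table above."""
    return {name: {L: humanize(worst_case_seconds(k, L, rate)) for L in lengths}
            for name, k in CHARSETS.items()}

def growth_factors(k: int, length: int, extra_length: int = 2, extra_symbols: int = 2) -> tuple:
    """How much the space grows by adding characters of length vs. symbols to the alphabet."""
    base = password_space(k, length)
    longer = password_space(k, length + extra_length) / base   # K^extra_length
    wider = password_space(k + extra_symbols, length) / base   # ((K + extra_symbols) / K)^L
    return longer, wider

if __name__ == "__main__":
    for name, row in cracking_table(4e9).items():
        print(f"{name:>20}: " + "  ".join(f"{L} chars: {t}" for L, t in row.items()))
    longer, wider = growth_factors(26, 7)
    print(f"7 -> 9 lower-case letters: x{longer:.0f}; 26 -> 28 symbols at length 7: x{wider:.2f}")
    print(f"adding 26 capitals at length 7: x{growth_factors(26, 7, extra_symbols=26)[1]:.0f}")
```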
Better than brute force
Even if you use a password that is strong in theory, you are not yet safe. Criminals have more tricks up their sleeves. In fact, people are extremely predictable. Especially when they try to remember long passwords.
Instead of something completely random, they quickly opt for a year, their favourite sports team or another simple adjustment, such as starting with a capital letter. Everyone knows that 'W3lkom2023!' is a lousy password, despite its length of 11 characters.
Criminals make good use of this. They do not even have to try the vast majority of all possibilities to get a result. They start with passwords that were cracked earlier, because these are often reused. This is called 'credential stuffing'.
After this, they try the same list again, but adjusted with patterns that many people use. A terrifying number of passwords can be cracked with this 'dictionary attack', because many people use variations on a single password.
The only remedy against this is randomness, i.e. avoiding commonly used patterns, preferably in combination with a long password. This forces criminals to use slower - and therefore less lucrative - options. The downside is, of course, that long, random passwords are particularly difficult to remember.
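As an added example (not from the post), a password-screening check that a service could run at sign-up: it undoes the common adjustments the post lists (a capital first letter, digit-for-letter substitutions, an appended year or symbol) and rejects anything whose remaining base word is in a word list. The word list and substitution table are constructed assumptions; a real deployment would check against a large breached-password list.

```python
import re

# Constructed mini word list standing in for a real breached-password or
# dictionary list (assumption; not from the post).
WORDLIST = {"welkom", "wachtwoord", "password", "ajax", "feyenoord", "summer"}

# Digit/symbol-for-letter substitutions people use to satisfy complexity rules
# (assumption: a small typical table).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s"})
EDGE_SYMBOLS = "!?.*#%&_-"

def normalize(password: str) -> str:
    """Undo the usual decorations and return the lower-case base word."""
    stem = password.strip(EDGE_SYMBOLS)                 # 'W3lkom2023!' -> 'W3lkom2023'
    stem = re.sub(r"^\d{1,4}|\d{1,4}$", "", stem)       # drop a leading/trailing year or digit run
    stem = stem.strip(EDGE_SYMBOLS)                     # 'Welkom!2023' -> 'Welkom'
    return stem.translate(LEET).lower()                 # 'W3lkom'      -> 'welkom'

def screen(password: str, wordlist=WORDLIST, min_length: int = 12) -> tuple:
    """Return (accepted, reason); dictionary variants are rejected before the length rule."""
    stem = normalize(password)
    if stem in wordlist:
        return False, f"variation of the dictionary word '{stem}'"
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    return True, "ok"

if __name__ == "__main__":
    for candidate in ("W3lkom2023!", "Feyenoord1908", "P@ssw0rd!", "qzx7Tkp2mNbr"):
        print(f"{candidate:>14}: {screen(candidate)}")
```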
Conclusion
Almost everyone uses bad passwords, often unconsciously. The standard password requirements of 8 characters with forced punctuation marks and numbers promote this. They result in short passwords full of human patterns.
It is therefore advisable to use long passwords that are so random that a hacker has to try all options to find them.
Unfortunately, strong passwords are particularly difficult for people to remember, yet they are necessary. Fortunately, there are ways to make strong passwords usable in practice. You can read more about that in the next blog post.