Using Secure Passwords

Docs that have proven to be a staple in understanding computer/network security. This is not an inclusive forum and nothing ipublished will tell you how to 0wn someone, these docs will help you understand how you got 0wnd.
Post Reply
User avatar
B-Con
Challenge Winner [1x]
Posts: 2679
Joined: Thu Apr 22, 2004 4:19 pm
Location: UC Davis
Contact:

Using Secure Passwords

Post by B-Con » Sun Apr 10, 2005 6:36 pm

Any decent security program or algorithm has at least one weakness: the user. Encryption can only be as strong as the user makes it, and generally the only say that users have in the process is the password that they choose. It doesn't matter how good an encryption process is, it is only as strong as the password. Having a good password is critical to having good encryption, period. In this article, I explain how to choose good passwords. This article is much longer than it needs to be if it were merely providing you with instructions on how to create a strong password. I can do that in one sentance: Use lots of characters and make if very long. But rather, this articles explains, in detail, WHY you need to, and how your password can be broken otherwise.

Brute-forcing:
Encryption programs and hashes can do alot to secure your data. However, *everything* in the world is vulnerable to one thing: The brute-force attack. Brute-forcing is litterally trying to guess the correct (or a correct) answer by guessing everything! For example, if you said that you were thinking of a number between 1 and 10, a smart person would ask if it were greater to or less than 5, then they would try 7, then 9, then 8, and bingo, they would have it in the maximum number of tries that it could take. That would be a "smart" approach to the problem, and many programs use similar tactics to that when trying to break encryption. Sometimes, however, due to the process of the encryptiong/hashing that was used, the cracker trying to break the password has no way of isolating the correct password elegently, and will simply take the non-elegent path, which in our example would be starting at 1 and counting to 10, guessing each number. So in our case, where the number was 8, the elegent guesser made 4 guesses (which was the maximum), while the brute-force guesser made 8 (out of a maximum of 10). So there wasn't a big difference between the two methods in that example, but now let's raise the range of numbers so that it's between 1 and 1000. The elegent guesser will guess 500, then 750, then 625, then 563, then 591, then 577, then 584, then 580, and bingo, he found it in 8 tries, out of a maximum of 10. Then our brute-force guesser goes, and it takes him 580 tries out of a possible 1000. Is the significance of the difference between the two methods becoming more obvious to you? Brute-forcing is simple, yet very protracted.

So now we have established that the brute-forcing process can take a long, long time. And since this will be the most likely potential attack run against most your passwords, it would be a good idea to choose a password that makes the brute-forcer's job as hard as possible, right?

Choosing a strong password:
There are simply two factors that influence the time it takes to brute-force a password: The length and the potential range of characters.

First, let's deal with the character range factor, as it will effect the length factor. What I mean by "character range" is the variety of keyboard characters that are used. For example, you could use the password "abc", but that is nothing but lowercase letters, meaning that if the cracker knows this, he only has 26 possible values for each character of your password. So instead you could use "aBc" as your password, and now there are 52 possible values per character because you've introduced the uppercase character set. Now start throwing in numbers, punctuation, and other oddball characters (like #, %, $) and you have roughly 100 possible values per character! This may not seem significant, but it can litterally take what was just an ardeous task for the brute-forcer, and make it humanly impossible. I recommend doing things like simply replacing normal letters with look-a-like symbols and such, like the following: "1 @m tHe '8eS7' @t Th1s!". Or use AOL speak, "1 @/\/\ 73h 8357 @7 7h15!" That kind of password has a very high character range and is the brute-forcer's nightmare, believe me, I would know.

A simple way to introduce abnormal characters and extra length to your password is to simply enclose what would by your normal password in the stanrdard HTML end tag format, ie: </password>. So if your password was just "irock", you could make it "</irock>". By using this method, you add a decent bit of length to your password and introduce abnormal characters, and the idea is easy to remember since most people are familiar with HTML.

Another simple advantage to using odd symbols is that few people do it, so brute-forcers, in an effort to shorten the brute-forcing process, often gamble that the password they're trying to break won't have them and will use a limited character set of lower/uppercase characters and numbers, usually. Thus, simply by inserting a period or something, you can instantly throw your password outside the range of characters that 95% of brute-forcers will even try!

Now let's deal with the password length factor. Being as how there are a certain number of potential values per character, the total number of guesses that will have to be made to guess every possibility increases expenentially (litterally) with ever character that we add to the password length. Assume that we're using a 62 character value range for our brute-forcing (we're assuming that the user didn't use anyting outside the upper and lower case alphabet, plus numbers). For a one character password, we will have to simply guess 62 times, but for a two character password, we will have to guess 62 values for the first character, but since there is a second one with an equal number of possible values, we will have to make 62 guesses at the first character for ALL of the 62 values of the second one! That means that when the second character is 1, the first one will have to cycle through all 62 different values, when the second character is 2, the first one will have to cycle through all 62 values again, and so on. This means that we have 62 * 62 (62 ^ 2) possibilities, which equals 3,844. This doesn't look too shabby, until you realize that my computer alone can make over 4,000,000 trys a second (in certain conditions). So let's introduce a third character, now the number of possible cominations is at 62 * 62 * 62 (62^3) which equals 238,328. Ok, but still nothing really secure. Let's jump ahead and try 5, which results in 916,132,832 combinations. Not bad, but it could take me as little as 7.5 minutes to break that. Let's skip to 7 characters, which has 3,521,614,606,208 (over 3 thousand million, yes, that is correct, "thousand million") combinations. Not bad, eh? This could take days to break, which few brute-forcers are willing to do. But just for fun, let's bump the character range up to about 100 and our password length up to 24, so that we can see the number of combinations for something like what I used earlier: "1 @m tHe '8eS7' @t Th1s!" That would be about 1,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000 (one thousand billion billion billion billion billion) combinations! No computer now or anything along the lines of what we could soon have could ever come close to possibly breaking that! And not only do you have that total many combinations for that length of characters, but, assuming that the brute-forcer does not know the length of the password (they rarely do), they will have start with the least number of characters and work their way up, so they will have to generate all the combinations for a length of 1, and 2, and 3, etc, which addes up really big, really fast.. Hopefully now you realize why longer passwords are so much more secure. Even one character on the end, like a period, helps TREMENDIOUSLY, as it can throw millions of more possibilitys onto the brute-forcer's sholders.. On a side note, I actually personally recommend adding periods on the end because periods are easy to remember, they add one character in length to your password, and very few people include punctuation when brute-forcing.

Also, notice that the password I just used as an example is actually a short sentance, not really a word. This is commonly refered to as a "passphrase" rather than a "password", because you're using a phrase instead of a word. Passphrases are much better then plain passwords, because they are MUCH longer and make it easier to include punctuation and other odd characters. Plus, they can also be easier to remember. Try remembering "Brad" versus "I visited Brad's site" for a week and see which one phrase you remember best. OK, so you remember both, now, which one is more secure by a LOT? What have you to lose? Use passphrases, they make getting length into your passwords a farily easy task. Plus most words out there are only 7 or 8 characters long, and all in the same case, to begin with, do you know how easy that would be to brute-force? Passphrases aren't just a nice idea, with the speed of the computers that crackers have access to, they're starting to become a neccessity.

Thwarting brute-forcing "shortcuts":
Crackers who are brute-forcing your password know that they are oftentimes up against a potentailly endless problem. So they, like everyone else in the world, try to find shortcuts. What they do is simple, they generate "wordlists" of commonly used words and/or combinations of letters that they manipulate and use. They figure, and rightly so, that not many people, realistically, use passwords such as "Aab89$skl", so instead of trying every possible combination of letters, they will try only somewhat sensible combinations of letters and words. This can cut their work down by thousands of times, while still keeping a very good chance of finding the password. Your job, then, when creating a password, is to thwart this process. Make the attacker sweat for his money, don't give him anything easy. Make it a long passphrase and use characters instead of letters, inject numbers and punctuation, and avoid common words like "the" and common letter sequences like "tion".

Conclusion:
- Use lots of different characters in your password, like ending it with a period and switching normal letters for numbers and/or symbols.
- Use long passwords.
- Don't use common words or phrases.
Follow these tips and you should have a password that you can engrave in stone. Just don't make the mistake of using it too often in different places, so that if someone gets a hold of it, which usually by accident or chance, they don't have access to everything you have.

Oh, and just in case it needs to be pointed, out, make sure that your password is something you can actually remember. Many services use a form of hashing/encryption that cannot be reversed easily, and they are not willing to try and break it for you, which, since you did chose a good password, should be virtually impossible anyway. So if you lose your password, tough, because you're screwed. Just don't forget it.

I hope you learned something here, and I hope that you never, ever, have your password brute-forced by anyone, as that would bring disgrace to my teaching skills.
Last edited by B-Con on Fri May 06, 2005 1:48 am, edited 7 times in total.
- "Cryptographically secure linear feedback shift register based stream ciphers" -- a phrase that'll get any party started.

- Why know the ordinary when you can understand the extraordinary?

User avatar
Life
Corporate Drunkard
Posts: 1911
Joined: Tue Jul 29, 2003 11:47 pm
Location: Guam
Contact:

Post by Life » Sun Apr 10, 2005 8:48 pm

Very nice work B.

It's frustrating that more people don't take this kind of information on board. A large majority of compromised systems these days happen because of user / admin errors, and very commonly, because people are too lazy or too stupid to remember a password longer than "sex".

It is true that once you make a password / passphrase over 8 characters, the chances of someone bruting it (either through standard login, or an encrypted hash) decrease very dramatically. Given this, I can't see why more people don't just use say, a 10 character password that is easy to remember.

Hell, even if your password is something stupid like "orange", you could convert this to say, "Or4ng3p4$$w0rd", it's still easy to remember, quick to type, and it's relatively secure as it takes alpha, numeric and symbollic characters. As you showed, even switching one character out of case on case-sensitive passwords can make a lot of difference.

I've watched a few brute force attacks against SSHd and FTPd on my server in the last couple of months, and all they seem to try are small dictionary words. Luckily, I force anyone with an account on either into using 8+ char passwords with at least alpha and numeric characters. But its sad to think that this kind of attack can often succeed because people refuse to use even half-decent passwords.

Anyway, enough babbling. Nice explanation, it's one we should point newbies towards who are interested in learning about basic computer security methodology.
It was once suggested that a million monkeys working at a million typewriters would produce the works of Shakespeare. However, a million monkeys working at a million keyboards has only produced 2girls1cup, goatse and MySpace.

User avatar
UniX
Veteran
Posts: 600
Joined: Thu Jun 26, 2003 1:17 pm
Location: input("Why are you looking here?")

Post by UniX » Mon Apr 11, 2005 12:50 am

I think this should be made a sticky in the security thread.
"UNIX is an operating system, OS/2 is half an operating system, Windows is a shell, and DOS is a boot partition virus." — Peter H. Coffin .

http://cybergotham.net

User avatar
jstoned
Strike 1
Posts: 137
Joined: Sat Mar 19, 2005 10:51 am

Post by jstoned » Mon Apr 11, 2005 5:48 am

I think that choosing a 'crazy' username is important, too. But that might not be right.
See, in future, when computer system become even more secure and more holes/exploits will be thier patch, you might not be lucky enough to get users list thanks to Google or something like that.
So, if username is complicated, then even a person who wants to get into your mailbox will have a hard time memorizing the username even if he sees it.
Please correct me if I'm, wrong, though.

User avatar
B-Con
Challenge Winner [1x]
Posts: 2679
Joined: Thu Apr 22, 2004 4:19 pm
Location: UC Davis
Contact:

Post by B-Con » Fri May 06, 2005 1:46 am

I made a couple minor updates to my tut and added the entire following paragraph, an idea that basically just struck me out of the middle of nowhere one day:
A simple way to introduce abnormal characters and extra length to your password is to simply enclose what would by your normal password in the stanrdard HTML end tag format, ie: </password>. So if your password was just "irock", you could make it "</irock>". By using this method, you add a decent bit of length to your password and introduce abnormal characters, and the idea is easy to remember since most people are familiar with HTML.
- "Cryptographically secure linear feedback shift register based stream ciphers" -- a phrase that'll get any party started.

- Why know the ordinary when you can understand the extraordinary?

Paragon
n00b
Posts: 3
Joined: Fri Apr 22, 2005 11:21 pm

Post by Paragon » Sun May 08, 2005 2:34 pm

Good article, but it could use a few corrections:
Any decent security program or algorithm has at least one weakness: the user. Encryption can only be as strong as the user makes it, and generally the only say that users have in the process is the password that they choose. It doesn't matter how good an encryption process is, it is only as strong as the password. Having a good password is critical to having good encryption, period.
Not entirely true. There is unbreakable encryption (one-time pad), though it's impractical for many uses, such as the average login password. This holds otherwise though.
However, *everything* in the world is vulnerable to one thing: The brute-force attack.
Not so. First one must be able to conduct such an attack. There are methods to protect against this, such as limiting the number of login attempts. And if the brute-force attack is to be made against encrypted data, you must first obtain a copy of said data.
Also, the one-time pad is immune to brute-force attacks.
There are simply two factors that influence the time it takes to brute-force a password: The length and the potential range of characters.
There is also a third: the type of hash/encryption used. For example, many Windows implementations of hashes are insecure due to splitting the password. The NTLM hash had an optimum of 14 characters. After that there was repetition, which actually served to make it less secure.

User avatar
B-Con
Challenge Winner [1x]
Posts: 2679
Joined: Thu Apr 22, 2004 4:19 pm
Location: UC Davis
Contact:

Post by B-Con » Sun May 08, 2005 4:23 pm

Paragon wrote:Not entirely true. There is unbreakable encryption (one-time pad), though it's impractical for many uses, such as the average login password. This holds otherwise though.
Also, the one-time pad is immune to brute-force attacks.
Indeed. That is why I failed to mention it, beause this article is from the perspective of a user trying to select a secure password, not an admin trying to secure his login system. If PHPBB, VBulletin, etc, ever successfully implement the one-time pad, please contact me immediately. ;)
Not so. First one must be able to conduct such an attack. There are methods to protect against this, such as limiting the number of login attempts. And if the brute-force attack is to be made against encrypted data, you must first obtain a copy of said data.
Yes, there are methods designed to limit BF attacks, the most simple one being to limit, say, login attempts -- and if the attacker does obtain the data, the most simple defense is to make your encryption/hashing method private, and thus they may have the data, but they have no way of knowing how to generate said data.... neither method is 100% secure, however, but neither is directly related to the user's involvement in the password selection process, they are just steps taken by the admins to further secure their systems, not direct implementations of security in the storage process itself....
There is also a third: the type of hash/encryption used. For example, many Windows implementations of hashes are insecure due to splitting the password. The NTLM hash had an optimum of 14 characters. After that there was repetition, which actually served to make it less secure.
Good point. But I neglected to mention that due to the fact that the average user rarely knows/cares what type of hashing system is being used, and rarely could not care less about the specific desgin flaws of the security systems when they are choosing their password. This article is from the user's standpoint of choosing a password.
- "Cryptographically secure linear feedback shift register based stream ciphers" -- a phrase that'll get any party started.

- Why know the ordinary when you can understand the extraordinary?

royliza
n00b
Posts: 1
Joined: Wed Mar 17, 2010 6:59 pm

Re: Using Secure Passwords

Post by royliza » Sun Mar 21, 2010 5:44 pm

As you know Passwords are very important for users choosing a password is very difficult task as it should be long and it should a great mixture of characters and alphabets so that it will become tough to hack. Another thing is it should not be your or family names or birthdays because your friends will be aware about it and its very easy to make guesses. And don't use your one password in all the accounts it will be more dangerous. It is also require that you must change your password after 15 days.
[url=http://www.r4-ds.es/]r4i revolution gold[/url

guidj0s
Hacker in Training
Posts: 74
Joined: Sat Oct 10, 2009 11:29 pm
Contact:

Re: Using Secure Passwords

Post by guidj0s » Thu Apr 15, 2010 5:11 pm

Here's a related link, it's from my blog:

http://codeaddicts.wordpress.com/2009/10/29/crack-that/

Post Reply