I am an extreme moderate

March 29, 2011

Password strength

Filed under: Scribbles — Tags: , — niezmierniespokojny @ 9:52 am

Yesterday came a news:
Cracking 25 billion passwords with a single computer.

Whenever I see announcement like this, I get a calculator to see how long passwords are sufficient.
Quick results:

  • Password made of small letters only: 12 characters in expected 22 days.
  • Letters and numbers: 11 characters in 30 days
  • Uppercase, lowercase letters and numbers: 9 characters in 3 days
  • All printable ASCII characters: 8 in 1.5 days, 9 in 132
    That’s assuming all characters are equally likely to be used. Really, they are not and one may be able to leverage it.
    Repeat: that’s just 1 off the shelf computer. And running off the shelf software.
    It really shows that passwords are a very bad protection already and shouldn’t be used when you expect that somebody may have physical access to your machine. Biometrics, keys and such are the only good ways already and the only feasible in just a few years.

    But there’s another side of the story. Web services.

    When adversary doesn’t have physical access to the password hash and the only way to brute force it is via a service-controlled gateway, the picture is entirely different. Let’s assume the gateway limits attacker to 3 trials per hour and do the maths:

  • Password made of small letters only: 3 characters in expected 4 months. 4 characters take 8 years extra.
  • Letters and numbers: 3 characters in 8.5 months
  • Uppercase, lowercase letters and numbers: 3 characters in 4.5 years
  • All printable ASCII characters: 2 characters in 2 months, 3 in a little under 16 years.
  • So what do people who create password policies think when they require us to use passwords with 8 characters (Google, 3.967.682 years) or 8 characters incl. both numbers and letters (my bank, 53.600.659 years)? It’s pointless. And harmful because it makes us less capable of remembering different passwords for different services. When we can’t remember, we use the same one in different places or store them somewhere. The first means than a minor breach of trust can be just disastrous. The second is better but still usually stores them unencrypted or encrypted with a password, so when sb. steals your laptop the results may be just as bad.

    The only thing I can tell about such policies is that when a service provider loses their passwords database, it’s harder to extract passwords from it. And it happens. And you know what? A single computer can crack 25 billion passwords per second, Google’s policy is good for 4 seconds, in a few years it will be futile anyway.

    It seems I’m not the only who thinks about the death of passwords.
    UPDATE 2:
    Another proposal. Sadly, it doesn’t fix the core issue and will be obsolete only a little later than regular passwords.

    Create a free website or blog at WordPress.com.

    %d bloggers like this: