I am an extreme moderate

March 29, 2011

Password strength

Filed under: Scribbles — Tags: , — niezmierniespokojny @ 9:52 am

Yesterday came a news:
Cracking 25 billion passwords with a single computer.

Whenever I see announcement like this, I get a calculator to see how long passwords are sufficient.
Quick results:

  • Password made of small letters only: 12 characters in expected 22 days.
  • Letters and numbers: 11 characters in 30 days
  • Uppercase, lowercase letters and numbers: 9 characters in 3 days
  • All printable ASCII characters: 8 in 1.5 days, 9 in 132
    That’s assuming all characters are equally likely to be used. Really, they are not and one may be able to leverage it.
    Repeat: that’s just 1 off the shelf computer. And running off the shelf software.
    It really shows that passwords are a very bad protection already and shouldn’t be used when you expect that somebody may have physical access to your machine. Biometrics, keys and such are the only good ways already and the only feasible in just a few years.

    But there’s another side of the story. Web services.

    When adversary doesn’t have physical access to the password hash and the only way to brute force it is via a service-controlled gateway, the picture is entirely different. Let’s assume the gateway limits attacker to 3 trials per hour and do the maths:

  • Password made of small letters only: 3 characters in expected 4 months. 4 characters take 8 years extra.
  • Letters and numbers: 3 characters in 8.5 months
  • Uppercase, lowercase letters and numbers: 3 characters in 4.5 years
  • All printable ASCII characters: 2 characters in 2 months, 3 in a little under 16 years.
  • So what do people who create password policies think when they require us to use passwords with 8 characters (Google, 3.967.682 years) or 8 characters incl. both numbers and letters (my bank, 53.600.659 years)? It’s pointless. And harmful because it makes us less capable of remembering different passwords for different services. When we can’t remember, we use the same one in different places or store them somewhere. The first means than a minor breach of trust can be just disastrous. The second is better but still usually stores them unencrypted or encrypted with a password, so when sb. steals your laptop the results may be just as bad.

    The only thing I can tell about such policies is that when a service provider loses their passwords database, it’s harder to extract passwords from it. And it happens. And you know what? A single computer can crack 25 billion passwords per second, Google’s policy is good for 4 seconds, in a few years it will be futile anyway.

    It seems I’m not the only who thinks about the death of passwords.
    UPDATE 2:
    Another proposal. Sadly, it doesn’t fix the core issue and will be obsolete only a little later than regular passwords.


    1. You forgot something: attacker can (and often do) use distributed attack to attack many accounts at once. So one can try millions of passwords per second using a bot-net. And don’t overlook a situation where attacker steals a database of password hashes. And then reuse that decoded passwords.

      Comment by Piotrek — April 10, 2011 @ 3:53 pm

      • Good call!
        I remembered about stolen database, it’s written in the post, but the botnet idea is new for me.
        I did quick calculations that assumes that a service can spot many trials from one IP and limits it to 3 trials/hour, but doesn’t issue longer term bans. And there are 30 000 000 bots running 12/7.
        6 letters: 1 account / 7 hours
        8 letters: 1 account / 200 days
        Now a slight change in the way service handles such things.
        3 trials per hour, but after 6 failures straight a 1 month ban:
        6 letters: 1 account / 50 days
        8 letters: 1 account / 95 years
        3 trials per hour, but after 6 failures straight a 1 month ban, after another 6 – a 6 month ban. For simplicity I assume that the net is stable, no new bots come and go:
        6 letters: 1 account / 10 months
        I’m dissatisfied with these calculations because they don’t tell whole truth – in such attack dictionaries are going to wreak havoc.
        Also, IP bans are almost meaningless with IPv6.

        It seems there are people looking for password successors already. I updated the post to include a note about it.

        Comment by niezmierniespokojny — April 10, 2011 @ 9:34 pm

    RSS feed for comments on this post. TrackBack URI

    Leave a Reply

    Fill in your details below or click an icon to log in:

    WordPress.com Logo

    You are commenting using your WordPress.com account. Log Out /  Change )

    Google+ photo

    You are commenting using your Google+ account. Log Out /  Change )

    Twitter picture

    You are commenting using your Twitter account. Log Out /  Change )

    Facebook photo

    You are commenting using your Facebook account. Log Out /  Change )


    Connecting to %s

    Blog at WordPress.com.

    %d bloggers like this: