In today's world, where using the internet has become an important part of our daily activities, we freely use new developments such as e-payments, e-ticketing, e-shopping and so on. We just log in to different websites to fulfil our needs, enter a password and complete online transactions very easily and conveniently.
But the question is how safe we are when we choose a password. We occasionally choose the name of a girlfriend/boyfriend, a vehicle number and so on, which are very predictable to those close to us, or even to hackers who have an eye on our personal online banking accounts. It is a real panic situation when we lose our passwords or our accounts are compromised. So here is an “interesting theory of passwords” I came across while reading about this issue. I would like to share it with you too. Just go through it, and if you have any trouble understanding it, leave a comment so that I can clarify to the best of my knowledge.

Before we can identify what a “good” password is, we should look at what a “bad” password is and why it is bad for security. An example of a bad password is “book”, which is considered bad for several reasons:
- It is a word that can be found in the dictionary,
- It is a very short password,
- It contains only letters,
- More than one character is the same.
Two types of attack would “guess” that password in a relatively short time. The first is a dictionary attack: going through every word in the dictionary is entirely doable, and whether the word appears near the start or the end of the dictionary does not matter, as the attack will eventually reach it (it is just a question of how long it takes). The other is brute force, where every character combination is tried. If we assume the attacker tries only lower-case letters, but tries passwords of every length from 2 characters upwards, we can easily calculate the maximum number of attempts needed to crack the password. For each position there are 26 possibilities, so for 2 letters we multiply them: 26 * 26 attempts. For a 4-letter password we would have 676 + 17576 + 456976, which comes to 475228 attempts. It might sound like a lot, but if a piece of software is guessing the password it would not take long at all.
Increasing the complexity and length of the password makes a huge difference to how secure it is. Using capital letters is not a huge benefit on its own, as the password is still vulnerable to dictionary attacks, but it would increase the attempts for a 2-letter password to 2704. By adding numbers as well we have 62 possibilities for each character of the password, so a 2-character password would suddenly take 3844 attempts instead of 676. Adding numbers also decreases the likelihood of a dictionary attack working, but with a password such as 3book90 there is still a chance that a dictionary attack would succeed, because an English word is in there, merely surrounded by digits.
The trick is to use a word that is not in the dictionary and to mix digits, and possibly symbols, into your password. Counting the symbols that appear on the keyboard increases the character set a brute force attack must cover to around 96, depending on your keyboard layout. With 96 different characters to choose from, a brute force attack on a 2-character password would require a maximum of 9216 attempts to guess it. As the length of the password increases this grows dramatically. Consider the following table:
| Password Length | Lower case | Any Letters | Alphanumeric | Any char |
|---|---|---|---|---|
| 2 | 676 | 2,704 | 3,844 | 9,216 |
| 3 | 17,576 | 140,608 | 238,328 | 884,736 |
| 4 | 456,976 | 7,311,616 | 14,776,336 | 84,934,656 |
| 5 | 11,881,376 | 380,204,032 | 916,132,832 | 8,153,726,976 |
| 6 | 308,915,776 | 19,770,609,664 | 56,800,235,584 | 782,757,789,696 |
| 7 | 8,031,810,176 | 1,028,071,702,528 | 3,521,614,606,208 | 75,144,747,810,816 |
| 8 | 208,827,064,576 | 53,459,728,531,456 | 218,340,105,584,896 | 7,213,895,789,838,336 |
This can be represented mathematically as x^y, where x is the number of characters available and y is the length of the password. Since y is the exponent, the length of the password matters more than the number of different characters that could be used. As proof, consider the following example. Our “base” measure is 26 * 26: 2 characters, each with 26 possibilities (lower case only). If we increase the length of the password by one we get 26 * 26 * 26, but if we instead increase the number of available characters by one we have 27 * 27. From the table above we know a 3-character lower-case password takes 17,576 attempts, while 27 * 27 comes to only 729, which shows that password length matters more.
Saying that an 8-character lower-case password will take 208,827,064,576 attempts is not strictly true, though: if the 8 characters form a dictionary word or a word in common usage, it is likely that the word could be found in significantly fewer attempts. For example, the English language contains approximately 1,000,000 words including scientific terms; even adding names and words from popular culture, that is still an awful lot less than the attempts it would take to brute force that password. This is why it is equally important to include a range of other characters, such as numbers and symbols, in your password.
Based on this reasoning, a password such as 90ge0$tationarY100 would be very strong. Such passwords do not have to be hard to remember either: if you use memorable numbers on either side and then think of one or more words with some letters replaced by numbers and/or symbols, you will have a memorable password that is also secure, because it draws on a large character set, it is long, and it is not in a dictionary. This example, which is 18 characters long, would mean a stunning 4.76 x 10^35 attempts (in standard notation).
If the system were to block the user for 2 hours after 5 failed attempts, guessing such a password becomes impractical. Under such a system an attacker could only manage 60 attempts per day, 420 per week, and 21840 per year. This password would then take approximately 2.2 trillion trillion years at most to be cracked. That is simply not feasible; it is more likely an attacker would find a security hole in the system and gain access that way.
This article should help you understand the theory of passwords. Choose an uncrackable password next time.
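As an added example (not code from the original post), the Python below turns the article's reasoning into checks a password policy could run: the x^y keyspace and the cumulative sum across lengths behind the table, the table column a given password falls in, a scan for an embedded dictionary word (the 3book90 case), and the worst-case years under the 5-tries-per-2-hours lockout. The tiny DICTIONARY set is a constructed stand-in for a real wordlist, and the 96-character "any" alphabet is the article's own estimate.

```python
import re
from typing import Optional

# Alphabet sizes behind the article's table columns (96 is the article's
# "any char" estimate for a typical keyboard).
CHARSET_SIZES = {"lower": 26, "letters": 52, "alphanumeric": 62, "any": 96}

# Constructed stand-in for the ~1,000,000-word list the article mentions;
# a real policy check would load a wordlist file here.
DICTIONARY = {"book", "password", "stationary", "welcome"}

# Article's lockout: 5 tries per 2 hours = 60/day = 420/week = 21,840/year.
LOCKOUT_ATTEMPTS_PER_YEAR = 21840


def keyspace(charset_size: int, length: int) -> int:
    """Attempts to exhaust one exact length: the article's x^y."""
    return charset_size ** length

def cumulative_attempts(charset_size: int, max_length: int, min_length: int = 2) -> int:
    """Worst case when every length from min_length upward is tried,
    e.g. 26^2 + 26^3 + 26^4 = 475,228 for a 4-letter lower-case password."""
    return sum(keyspace(charset_size, n) for n in range(min_length, max_length + 1))

def charset_size_for(password: str) -> int:
    """Table column the password falls in, by the character classes it uses."""
    if re.fullmatch(r"[a-z]+", password):
        return CHARSET_SIZES["lower"]
    if re.fullmatch(r"[A-Za-z]+", password):
        return CHARSET_SIZES["letters"]
    if re.fullmatch(r"[A-Za-z0-9]+", password):
        return CHARSET_SIZES["alphanumeric"]
    return CHARSET_SIZES["any"]

def embedded_dictionary_word(password: str, min_len: int = 4) -> Optional[str]:
    """Find a dictionary word inside the password ('3book90' -> 'book'), the
    case where the brute-force figure overstates real strength. Only exact
    substrings are checked; cracking wordlists also apply substitution rules."""
    for run in re.findall(r"[a-z]{%d,}" % min_len, password.lower()):
        for i in range(len(run)):
            for j in range(i + min_len, len(run) + 1):
                if run[i:j] in DICTIONARY:
                    return run[i:j]
    return None

def years_to_exhaust(password: str, attempts_per_year: int = LOCKOUT_ATTEMPTS_PER_YEAR) -> float:
    """Worst-case years to try the whole keyspace under the lockout rate."""
    return keyspace(charset_size_for(password), len(password)) / attempts_per_year
```

Because the dictionary scan only matches exact substrings, 90ge0$tationarY100 passes it while 3book90 does not, which is the distinction the article draws between the two.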

April 9th, 2009 at 12:56 pm
I noticed that this is not the first time you mention this topic. Why have you decided to touch it again?
April 10th, 2009 at 11:51 pm
This is just meant to spread knowledge to the visitors to Tech N Hack. And that's not a specific question, why I have put it again although it's on the net. The knowledge spread is the knowledge gained.
April 15th, 2009 at 10:30 pm
I follow your blog for a long time and must tell you that your posts are always valuable to readers.
June 5th, 2009 at 5:22 pm
Thanks to the admin who wrote such a valuable post.