Chances are that if you are reading this, you logged in with a password this morning. There is an even bigger chance that this password had to meet all sorts of requirements: length, special characters and probably a capital letter. But where did these requirements come from? And why do these requirements still not produce good passwords? In this first of a series of 3 blog posts, AP technologist Jonathan Ellen takes you into the world of the password.
You probably know the dilemma: The more complicated your password, the harder it is to remember. This is all the more true if you use many passwords. The result? Short passwords that seem complicated on paper, but in reality are based on easy-to-guess patterns.
In this first blog post, we look at passwords from the perspective of a computer criminal. So you'll learn when a password is really strong. And why passwords usually aren't in practice.
In the next blog post, we'll take a closer look at how to use strong passwords in practice. Later, we will cover other methods of digital access control, including multi-factor authentication (MFA).
The art of figuring out which password was used at a particular place is called "cracking". This is done by trying different options until a working password is found.
Cracking passwords takes time and money. So the longer the criminal takes, the less profitable the operation becomes. The time it takes to crack a password depends on the time each attempt takes and the total number of attempts required.
In general, passwords are not stored in readable form. Only a processed version, called the hash value, is stored. Calculating that hash value takes time. As a user, you don't notice this when you log in. But for criminals making billions of attempts, that time adds up and becomes an important factor.
Criminals may operate online, for example against a company's login portal or website. In that case, additional obstacles come into play, such as a maximum number of login attempts. It also happens that databases containing password hash values are leaked. These can be cracked offline, without any such limits.
In this blog post, we assume that the criminal captured a database containing login credentials, including password hash values. The hashing method used is also known. So cracking these passwords is only a matter of time. But how much time?
The simplest attack in a criminal's arsenal is to try every possibility. This is called a brute force attack. You start at 'a' and calculate the corresponding hash value. Does it appear in the list? Then you know that 'a' is a valid password. Is 'a' not in the list? Then try 'b'. And so on, until you find a working password.
The advantage of a brute force attack is that you don't skip passwords. After all, you try them all. The disadvantage is that a brute force attack can take a very long time if the passwords are strong.
To illustrate, we crack some passwords. The total time depends, among other things, on the hashing method used and on computing power. My home computer achieves about 400 million attempts per second (on an Nvidia GTX 1060, hashing method MD5).
Better computers achieve much higher speeds, and this will only increase in the future. So the following results are an absolute lower bound.
Character set \ Length | 6 | 7 | 8 | 9
Lowercase only | 0 s | 2 s | 50 s | 20 min
Lowercase and uppercase letters | 5 s | 4 min | 3.5 hours | approx. 8 days
Lowercase, uppercase, numbers | 13 s | 14 min | approx. 15 hours | approx. 40 days
Also punctuation | 3 min | approx. 5 hours | approx. 18 days | approx. 5 years
Remember: within these times, every password has been tried, from 'a' to, say, 'Z#_sB43)X'. No matter how hard to guess the password was, or how many numbers and capital letters it contained: if it is shorter than 9 characters, my home computer can crack it.
The results show that a long password is better than one with many special characters. Extending a password by only 2 lowercase letters, from 7 to 9, makes cracking it as much as 600 times slower. Adding all 26 uppercase letters, on the other hand, only gains a factor of 120. If you want to know why this is so, read the box below.
The time it takes to crack a password is proportional to the total number of possible passwords. We call this the password space. It is calculated as K^L, where K represents the number of possible characters and L represents the length. Thus, the password space of 6 lowercase letters is 26^6 and that of 8 lowercase letters is 26^8. So a 2-character extension provides 26^2 = 676 times more possibilities. In comparison, extending the possible characters by 2 punctuation marks provides only (28/26)^6 times more possibilities.
This is because the password length L is in the exponent of the equation. As a result, a longer password causes the password space to grow exponentially. Thus, it grows much faster than with more special characters. Of course, a combination of length and special characters is strongest.
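The arithmetic from the box above, as an added example that is not part of the original post: it computes the password space K^L, the worst-case brute-force time at the quoted 400 million attempts per second, and the two growth factors the text compares. The character-set sizes are assumptions (26, 52, 62, and 94 for all printable ASCII); the printed times follow purely from K^L divided by the quoted rate.

```python
ATTEMPTS_PER_SECOND = 400_000_000  # rate the post quotes for the author's home machine (MD5)

# Character-set sizes used for the table above. The 94 for "also punctuation"
# assumes all printable ASCII; it is an assumption, not a value from the post.
CHARSETS = {
    "lowercase only": 26,
    "lower + upper": 52,
    "lower + upper + digits": 62,
    "also punctuation": 94,
}

def password_space(k: int, length: int) -> int:
    """Password space K^L: every string of exactly `length` symbols from K choices."""
    return k ** length

def seconds_to_exhaust(k: int, length: int, rate: int = ATTEMPTS_PER_SECOND) -> float:
    """Worst-case brute-force time: hash every candidate in the space at `rate` per second."""
    return password_space(k, length) / rate

def growth_factor_longer(k: int, from_len: int, to_len: int) -> int:
    """Factor gained by lengthening the password at a fixed alphabet: K^(L2 - L1)."""
    return k ** (to_len - from_len)

def growth_factor_wider(k_old: int, k_new: int, length: int) -> float:
    """Factor gained by widening the alphabet at a fixed length: (K2 / K1)^L."""
    return (k_new / k_old) ** length

def human_time(seconds: float) -> str:
    """Render seconds in the largest convenient unit, e.g. 90 -> '1.5 min'."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("min", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} s"

if __name__ == "__main__":
    for name, k in CHARSETS.items():
        cells = ", ".join(f"{L}: {human_time(seconds_to_exhaust(k, L))}" for L in range(6, 10))
        print(f"{name:<24}{cells}")
    # The two comparisons made in the text: length beats alphabet size.
    print("7 -> 9 lowercase letters:", growth_factor_longer(26, 7, 9), "x more guesses")
    print("adding uppercase at length 7:", round(growth_factor_wider(26, 52, 7)), "x more guesses")
    print("two extra punctuation marks at length 6:", round(growth_factor_wider(26, 28, 6), 2), "x")
```

Note that 9 lowercase letters (26^9) give a larger space than 6 characters from the full 94-symbol set (94^6), which is the point the text makes.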
Even if you use a password that is strong on paper, you are still not safe. Criminals have more tricks up their sleeves. After all, people are extremely predictable. Especially if they try to remember long passwords.
Instead of something completely random, they then quickly choose a year, their favorite sports team or some other simple modification, such as starting with a capital letter. Everyone knows that "W3lkom2023!" is a lousy password, despite its length of 11 characters.
Criminals take full advantage of this. This way, they don't even have to try the vast majority of all possibilities. They start with previously cracked passwords, because these are often reused. This is called credential stuffing.
Then they try the same list again, but modified with patterns that many people use. With this "dictionary attack," a startling number of passwords can be cracked, because many people use variations of a single password.
The only solution to this is randomness: avoiding common patterns, preferably in combination with a long password. This forces criminals to fall back on slower, and therefore less lucrative, methods. The downside, of course, is that long, random passwords in particular are difficult to remember.
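A defender-side policy check in the spirit of the dictionary-attack discussion above, added here as an example and not taken from the original post: it undoes the mangling people typically apply (capital letter, trailing punctuation, trailing year, leetspeak) and then looks the remainder up in a wordlist, and it estimates how small the effective guess space of such patterned passwords is compared with K^L. The wordlist and the substitution table are constructed for illustration; a real check would use a large breached-password list.

```python
import re

# Constructed mini wordlist; a real check would use millions of leaked passwords.
COMMON_WORDS = {"welkom", "welcome", "password", "wachtwoord", "summer", "qwerty"}

# Common substitutions ("leetspeak"), undone before the lookup. Constructed table.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

YEAR_SUFFIX = re.compile(r"(19|20)\d{2}$")     # "Welkom2023"  -> "Welkom"
PUNCT_SUFFIX = re.compile(r"[^A-Za-z0-9]+$")   # "Welkom2023!" -> "Welkom2023"

def normalize(password: str) -> str:
    """Strip trailing punctuation and years (repeatedly), then lowercase and undo leetspeak."""
    base = password
    while True:
        stripped = YEAR_SUFFIX.sub("", PUNCT_SUFFIX.sub("", base))
        if stripped == base:
            break
        base = stripped
    return base.lower().translate(LEET)

def is_pattern_based(password: str) -> bool:
    """True when the password collapses to a dictionary word after normalization."""
    return normalize(password) in COMMON_WORDS

def pattern_space(n_words: int, n_years: int = 130, n_suffixes: int = 33, n_leet: int = 8) -> int:
    """Rough number of guesses a dictionary attack needs for word + year + punctuation
    passwords: wordlist size times the few variations people actually apply."""
    return n_words * n_years * n_suffixes * n_leet

if __name__ == "__main__":
    for pw in ("W3lkom2023!", "P@ssw0rd", "Summer2019!!", "Z#_sB43)X"):
        print(f"{pw:<14} -> {normalize(pw):<12} pattern-based: {is_pattern_based(pw)}")
    # An 11-character "patterned" password versus the full 94^11 brute-force space.
    print("guesses for word-based 11-char passwords:", f"{pattern_space(1_000_000):.1e}")
    print("brute-force space for 11 printable chars:", f"{94 ** 11:.1e}")
```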
Almost everyone, often unknowingly, uses bad passwords. The default password requirements of 8 characters with enforced punctuation and numbers encourage this. These lead to short passwords full of human patterns.
Therefore, it is recommended to use long passwords that are so random that a hacker has to try all options to figure out the password.
Unfortunately, strong passwords in particular are difficult for people to remember. Still, it is necessary to use them. Fortunately, there are ways to make strong passwords usable in practice. You can read more about that in the next blog post.