Sunday, February 12, 2012

Password Strength

How secure is your password from being compromised?

The average user will create a password using one of the following:
  • Name of a family member
  • A pet’s name
  • Favorite sports team
  • Your own or a family member's birthday

They may also try to make that password “more” secure by substituting numbers for vowels, appending numbers to it, or a combination of the two. Attackers can use a process known as a dictionary attack to try to guess your password: publicly available dictionary files on the Internet consist of thousands of entries such as commonly used passwords, names, and word combinations, and if your password happens to be one of those entries, the attacker recovers it.

Depending on where your password is used, e.g. a password-protected file or a site/system that does not lock the account after too many incorrect attempts, attackers can instead use what is known as a brute-force attack, which tries every combination of characters in every position, at a cost in time that grows with the length of the password. So if your password were one character long, a brute-force attack would need at most 62 guesses, one per possible character:

Upper Case Letters 26
Lower Case Letters 26
Numbers 10

Total Characters 62

For a system able to process 500,000 passwords per second, it would take up to a minute to exhaust every four-character password built from those 62 characters. The time required for a brute-force attack grows exponentially with password length. For that same system, the following are the times needed to brute-force passwords of the given lengths:

4-character password: brute-force attack will take up to a minute
5-character password: brute-force attack will take up to 31 minutes
6-character password: brute-force attack will take up to 32 hours
7-character password: brute-force attack will take up to 82 days
12-character password: brute-force attack will take up to 207450281 years

Brute-force times were calculated using a password calculator from LastBit.

Note: adding special characters such as !@#$%^&*()_+? to your password also increases the time a brute-force attack needs. For example:

A 5-character password will now take up to 74 minutes instead of 31 minutes without special characters.
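As an added example (not from the original post), the following Python script reproduces the post's search-space arithmetic for the 62-character alphabet at 500,000 guesses per second, adds the post's special-character set, and shows by how much typing a password twice enlarges the search space.

```python
# Added example, not from the original post. It follows the post's assumptions:
# a 62-character alphabet (A-Z, a-z, 0-9) and a system making 500,000 guesses/s.
ALPHANUMERIC = 26 + 26 + 10          # 62 characters, as in the post's table
SPECIALS = len("!@#$%^&*()_+?")      # the post's example special characters
GUESSES_PER_SECOND = 500_000         # the post's example system


def search_space(length: int, charset_size: int = ALPHANUMERIC) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    if length < 1 or charset_size < 1:
        raise ValueError("length and charset_size must be positive")
    return charset_size ** length


def worst_case_seconds(length: int, charset_size: int = ALPHANUMERIC,
                       rate: int = GUESSES_PER_SECOND) -> float:
    """Seconds needed to try every password in the search space at `rate`."""
    return search_space(length, charset_size) / rate


def humanize(seconds: float) -> str:
    """Express a duration in the largest whole unit, as the post's table does."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600),
             ("hours", 3600), ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


def doubling_gain(length: int, charset_size: int = ALPHANUMERIC) -> int:
    """Factor by which typing a password twice enlarges the search space.

    Doubling a 6-character password gives a 12-character one, so the space
    grows by 62**12 / 62**6 = 62**6. This factor assumes the attacker treats
    all 12 positions as independent, i.e. does not know the doubling pattern.
    """
    return search_space(2 * length, charset_size) // search_space(length, charset_size)


if __name__ == "__main__":
    for n in (4, 5, 6, 7, 12):
        print(f"{n:2d} characters: up to {humanize(worst_case_seconds(n))}")
    with_specials = worst_case_seconds(5, ALPHANUMERIC + SPECIALS)
    print(f" 5 characters with specials: up to {humanize(with_specials)}")
    print(f"Doubling a 6-character password multiplies the space by {doubling_gain(6):,}")
```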

Picking a secure password

So the best way to make sure your password will not be compromised is to select a secure password using the following guidelines:

  • Select a strong 6- or 7-character password, then double it (type it twice). You now have a 12- or 14-character password but only have to remember 6 or 7 characters.
  • If the system allows it, always include a special character, e.g. !@#$%&. It is normally best to start your password with the special character because it can throw off password crackers before they even start to guess your password.
  • Don't use any of the following for your password; you want your password to be as random as possible so that it can't be easily guessed just by knowing information about you:
      • Name of a family member
      • A pet’s name
      • Favorite sports team
      • Your own or a family member's birthday
  • Try to avoid using the same password for multiple sites and systems.

By following the above guidelines, you will greatly increase the strength of your password.

Test your password strength using the Microsoft password strength page at the URL below, or determine how long it would take someone to brute-force your password using GRC's Interactive Brute-force Password Search Space Calculator. Double your password and see how much it increases the security of your password.

GRC's Interactive Brute Force Password “Search Space” Calculator


