Some Interesting Thoughts on Security
I recently received a free copy of the magazine, The Security Advisor, and
there was a fascinating article in it entitled: The Password Paradox: Insecure
Security. I'd like to just highlight the article and share with you the
12 steps to cracking a password. Don't worry (or don't get excited, depending
on what you were expecting), this doesn't tell you anything secret. It just
gives some statistics, and gives an overview of what a hacker will try to do
when they want to crack a password.
Have you ever been to a web site, clicked on a link, and
then had a small box appear requesting a user name and password?
This is very common on web sites where there are "Members
Only" areas. Adult sites have them, reference sites have
them, even Microsoft uses them in a cookie to identify who
you are. Passwords aren't just on the Internet. You can use
a password to log onto Windows, you can password protect any
file, and the PIN (personal identification number) on your
ATM card is a password. I regularly use 8-10 services where
a password is required.
How on earth can I be expected to make up 10 separate passwords
and then remember which one goes with which service? There
are now programs, themselves protected by a password, that
store your passwords for you. With all of these passwords, you'd
think that you'd be safe from hackers, but that simply isn't
the case. Here in Canada IBM has commercials for their web
security programs where they show a couple of hackers breaking
into a corporate Intranet (I'm not sure if they show the same
commercials in the US or not). With the growth of the Internet,
security has become much more of an issue than it used to
be. It isn't that things are less secure now, it's just that
more people are using the Internet and they demand secure
transactions. As with most criminal activity, the authorities
responsible for ensuring our security can't keep up with the
new techniques used to defeat it.
The following is a summary of the 12 steps of cracking a password as described
in The Security Advisor. As you read this, just remember that all of the
statistics given vary depending on how many characters are allowed and
which ones are allowed. An 8-character password drawing on lowercase, uppercase,
numbers and symbols (e.g. 8H&I$4hf) would be a lot harder
to crack than a 6-character all-lowercase password (e.g. asdgke).
Step 1: Is there a password?
This is the first thing they find out. If there
is no password, then your data is free for the taking.
Step 2: Is the user ID the same as the password?
In this case, when they know that the user name
is john_doe, they would then guess that the password is
John_doe as well.
Step 3: Is the password derived from the user's name?
Using the same user name as above, a password guess
might be jdoe or johnd.
Step 4: Uses the collegiate dictionary wordlist and namelist.
Approximately 30,000 guesses are made here. An experienced
hacker could crack this type of password in anywhere from half an
hour to 6 hours.
If your password can be found using any of the above methods,
then your data is insecure. The first 3 steps are just logical, and anyone who
wanted your information would be willing to go on to step 4. If your password
falls under any of these categories, be sure to change it.
Step 5: Uses the complete English wordlist.
Approximately 150,000 guesses are made here. This
wordlist would contain unusual names and terms not found in
Step 4. This type of password could take weeks to crack.
Step 6: Uses the complete international wordlist and patterns list.
Approximately 2,500,000 guesses are made here. Languages
might include Chinese, Spanish, French, etc. and patterns
might include 111111, 123456, abcdef, etc.
Step 7: Uses the collegiate dictionary wordlist with filtering.
Approximately 3,000,000 guesses are made here. An
example of the filtering for the word secret would be:
secret      the original word
secret!     add an exclamation mark
s3cr3t      3 looks like a backward E
Secret      capitalize the first letter
SECRET      capitalize the whole word
terces      spell it backwards
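Added example, not from the magazine article or from this page: a Python check that reports whether a candidate password would fall to Step 1, 2, 3, 4 or 7 as the article describes them, applying the six filtering rules shown above for "secret" as general rules to every word in a list. The wordlist is a constructed six-word stand-in for the collegiate dictionary, the user ID derivations (jdoe, johnd) follow the page's own john_doe example, and Steps 5, 6, 8 and 9 are not modelled because their wordlists are not on the page.

```python
from typing import Iterable, Optional, Set

# Constructed stand-in for the Step 4 collegiate wordlist and namelist.
# A real check would load a full dictionary from disk.
WORDLIST = ["secret", "password", "welcome", "dragon", "john", "doe"]


def name_derived_guesses(user_id: str) -> Set[str]:
    """Steps 2 and 3: the user ID itself and simple derivations of it.

    For "john_doe" this yields john_doe, johndoe, john, doe, jdoe and johnd,
    all lower-cased so the comparison ignores case.
    """
    parts = [p for p in user_id.replace(".", "_").replace("-", "_").split("_") if p]
    guesses = {user_id, "".join(parts), *parts}
    if len(parts) >= 2:
        first, last = parts[0], parts[-1]
        guesses.add(first[0] + last)   # jdoe
        guesses.add(first + last[0])   # johnd
    return {g.lower() for g in guesses}


def mangle(word: str) -> Set[str]:
    """Step 7 filtering, using the six rules the article lists for 'secret'."""
    return {
        word,                      # the original word
        word + "!",                # add an exclamation mark
        word.replace("e", "3"),    # 3 looks like a backward E
        word.capitalize(),         # capitalize the first letter
        word.upper(),              # capitalize the whole word
        word[::-1],                # spell it backwards
    }


def weak_password_step(user_id: str, password: str,
                       wordlist: Iterable[str] = WORDLIST) -> Optional[int]:
    """Return the lowest article step that would recover the password, or None.

    Only Steps 1-4 and 7 are modelled, so a None result means "not trivially
    weak", not "strong".
    """
    if password == "":
        return 1                                   # Step 1: no password at all
    if password.lower() == user_id.lower():
        return 2                                   # Step 2: password equals user ID
    if password.lower() in name_derived_guesses(user_id):
        return 3                                   # Step 3: derived from the name
    words = set(wordlist)
    if password in words:
        return 4                                   # Step 4: plain dictionary word
    if any(password in mangle(w) for w in words):
        return 7                                   # Step 7: dictionary word with filtering
    return None


if __name__ == "__main__":
    for candidate in ["", "John_doe", "jdoe", "secret", "s3cr3t", "terces", "8H&I$4hf"]:
        print(repr(candidate), "->", weak_password_step("john_doe", candidate))
```

Run as a script it prints the step at which each sample candidate would be found; wired into a password-change form, anything that returns a step number is a password the article says to change.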
Step 8: Uses the complete English wordlist with filtering.
Approximately 15,000,000 guesses. This type of cracking
could not be done remotely for a number of reasons. Of course,
in the future it could be possible.
Step 9: Uses complete international wordlist with filtering.
Approximately 250,000,000 guesses. This is the last
reasonable step that would be used that wouldn't take too
much time. A password could be cracked in 18 hours.
Step 10: Uses brute force (letters a to z).
Approximately 205 billion guesses. Even at an already
achieved rate of 1 billion crack attempts per day, it would
still take over half a year to cover all of the possibilities
for LOWERCASE ONLY!!
Step 11: Uses brute force with extended character sets.
The number of guesses depends on a number of
things. A password from the character set {a-z,0-9} could
be cracked in a week, but as soon as you enlarge the character set,
the time jumps from a week, to a month, to even years.
Step 12: Uses brute force to exhaust all possibilities.
Using the Data Encryption Standard (DES), it would
take approximately 281,000,000,000,000 different password
guesses to exhaust all possibilities.
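Added example, not part of the article or this page: the arithmetic behind Steps 10 and 11, as a small Python calculator for the size of a brute-force keyspace and the time needed to exhaust it at a given rate. The 1 billion guesses per day rate is the one the article quotes for Step 10; the article does not state the rates behind its other time figures, so the rate is a parameter here. The printable-ASCII set of 94 symbols is my addition for comparison. For 8 lowercase letters the calculator gives 26^8, about 209 billion, which is close to the article's "approximately 205 billion" and comes out at just over half a year at 1 billion per day.

```python
import string

# Character sets discussed in Steps 10 and 11, plus a printable-ASCII set
# added here for comparison (not a figure from the article).
LOWER = string.ascii_lowercase                       # a-z: 26 symbols
LOWER_DIGITS = LOWER + string.digits                 # {a-z,0-9}: 36 symbols
PRINTABLE = LOWER + string.ascii_uppercase + string.digits + string.punctuation  # 94 symbols

# Rate the article quotes as already achieved: 1 billion attempts per day.
ARTICLE_RATE_PER_DAY = 1_000_000_000


def keyspace(alphabet_size: int, max_len: int, min_len: int = 1) -> int:
    """Number of distinct passwords of every length from min_len to max_len."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def days_to_exhaust(space: int, guesses_per_day: int = ARTICLE_RATE_PER_DAY) -> float:
    """Days needed to try every password in `space` at the given rate."""
    return space / guesses_per_day


def report(alphabet: str, length: int,
           guesses_per_day: int = ARTICLE_RATE_PER_DAY) -> dict:
    """Keyspace and exhaustion time for passwords of exactly `length` symbols."""
    space = keyspace(len(alphabet), length, length)
    days = days_to_exhaust(space, guesses_per_day)
    return {"symbols": len(alphabet), "length": length, "keyspace": space,
            "days": days, "years": days / 365.0}


if __name__ == "__main__":
    for name, alphabet in [("a-z", LOWER), ("a-z,0-9", LOWER_DIGITS), ("printable", PRINTABLE)]:
        r = report(alphabet, 8)
        print(f"{name:>10}: {r['keyspace']:>22,d} passwords, "
              f"{r['days']:>12,.0f} days ({r['years']:,.1f} years) at 1e9/day")
```

The jump the article describes in Step 11 shows up by changing only the alphabet: each extra symbol multiplies the 8-character keyspace eight times over, which is why {a-z,0-9} costs about 13.5 times the lowercase-only search and the full printable set about 29,000 times it.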
There is always the question of how much protection you
need. That depends on what business you are running,
how many users you have, and what you are trying to protect.
Obviously, you should not make a password that would fall
to Steps 1-4. It would be perfectly reasonable to create a
password that would require Step 7 to crack.
There isn't a lot to gain by stealing the credit card numbers
or the bank account numbers of an average individual, especially
if the hacker doesn't know you. For all they know, you are
already over your credit limit and only have a few hundred
dollars in the bank. There is probably a better chance that
the waiter at the local restaurant will write down your credit
card information when he takes your card than of someone
stealing information from you online. Yes, there are horror
stories of hackers and other people "stealing identities",
but when you consider the number of people who have passwords,
and the number of such cases, the chances of that happening
are fairly limited.
There is no need to be paranoid about using your ATM card,
using a credit card, or using the Internet to purchase things.
There is no way to guarantee your security, but with some
common sense, and a good password, you can feel safe that
your data is secure.