Passwords - how long to hack yours

I typically use the first seven numbers of an old cellphone number plus a special character and I substitute a lower case o for the zero in the old cellphone number... usually preceded by a capital letter and other letters that are unique to each website.... 34,000 years according to the table.

For example, American Express might be Amex followed by the string described above... at least it would be if I still had an Amex account. :LOL:
 
I never understood this. Why force users to include a number? That automatically reduces at least one of the characters to 10 tries to guess it.

Similar with forcing one symbol. There are ~ 33 symbols, but 62 number/Upper/lower case choices. Or 95 if the symbols are optional. So now two are easier to crack.

And one upper case means one only has 26 choices versus the 95. They have reduced the complexity on 3 of the 12 entries.

-ERD50

I'm missing your point. If you require the use of all characters and each character in a password is random then each character could be one of 95(?) choices. You don't crack one character at a time and a bell goes off when you get it right. If you didn't require the use of numbers, symbols, etc. then a password generated with only lower case letters would be valid and they are much easier to hack using brute force hacking software.
 
> I'm missing your point. If you require the use of all characters and each character in a password is random then each character could be one of 95(?) choices. You don't crack one character at a time and a bell goes off when you get it right. If you didn't require the use of numbers, symbols, etc. then a password generated with only lower case letters would be valid and they are much easier to hack using brute force hacking software.

I'm just thinking in terms of basic math. Take a 3 character password as a simpler example.

If there are no restrictions, each char can be one of ~ 95 possible characters (plus/minus a few, depending on keyboard symbol layout?). So that is:

95 * 95 * 95 = 857,375 possible passwords.

If I'm told one must be a number, one must be upper case, and one must be a symbol, we now have:

10 * 26 * 33 = 8,580 possible passwords.

Maybe I'm looking at it wrong, but I see fewer codes to hack. A brute force attack can always use 1 ~10 on one of the characters, etc. That's fewer attempts required, no?

-ERD50
 
> I'm just thinking in terms of basic math. Take a 3 character password as a simpler example.
>
> If there are no restrictions, each char can be one of ~ 95 possible characters (plus/minus a few, depending on keyboard symbol layout?). So that is:
>
> 95 * 95 * 95 = 857,375 possible passwords.
>
> If I'm told one must be a number, one must be upper case, and one must be a symbol, we now have:
>
> 10 * 26 * 33 = 8,580 possible passwords.
>
> Maybe I'm looking at it wrong, but I see fewer codes to hack. A brute force attack can always use 1 ~10 on one of the characters, etc. That's fewer attempts required, no?
>
> -ERD50

Most passwords with these requirements also require a certain (longer) length - like 8 characters. The issue for a hacker is that he does not know whether any particular character is an upper case letter, a lower case letter, a symbol or a number. So a brute force hack must try all four possibilities for every character. In an 8 character password, that is (26+26+10+33)^8 = 95^8 = 6.6342E15 possible combinations. You have to adjust for the fact that there are at a minimum 4 different types of character, but I cannot at this moment remember how to correct for that.

Edit to add: Upon further reflection, I think the way to correct for the 4 minimum types of characters is to change the formula to (95^5)x(95-26)x(95-52)x(95-62) = 7.5762E14. But I'm not sure, so I invite correction from anyone who knows.
 
> Most passwords with these requirements also require a certain (longer) length - like 8 characters. The issue for a hacker is that he does not know whether any particular character is an upper case letter, a lower case letter, a symbol or a number. So a brute force hack must try all four possibilities for every character. In an 8 character password, that is (26+26+10+33)^8 = 6.6 quadrillion possible combinations. You have to adjust for the fact that there are at a minimum 4 different types of character, but I cannot at this moment remember how to correct for that.

Yes, but not quite (I think). If you put together a truth table, and there is a "one must be a number" requirement, then for each iteration through, one column/char can always be restricted to 0~9, instead of all 95 possibilities. That restriction would cycle through the columns. Seems to me there would have to be fewer possibilities to test.

Without the requirement, the brute force can't assume that one char is 0~9 or restricted in another way, it has to try all 95 on all columns.

edit/add: OK, I used the 3 char password for simplicity, but if we take this out to a full 8 char PW, those extra 5 characters provide ~ 7.7 Billion combinations (95^5 ≈ 7.7378094E9).

So while I still believe that the restrictions reduce the number of hits needed, it becomes pretty insignificant. You've got the 7,737,809,400 minus only ~ 850,000 hits for the restrictions. In practical terms, not really reducing the effort for the attack in any meaningful way. In theory, it is still less though. What's that old saw? "In theory, practice should always follow the theory; in practice it doesn't." Something like that?

-ERD50
 
I think the number and special character requirements provide more value in keeping the user from using guessable, dictionary look-up passwords than in brute force space (which I'm still not convinced is a thing for random web users IRL).
 
> I never understood this. Why force users to include a number? That automatically reduces at least one of the characters to 10 tries to guess it.


In the past some password cracking systems consisted of brute force attacks using dictionaries. :eek:

Adding a few numbers means people can't only use ordinary words. I would think mypassword is easier to guess than mypasswor7. Both are lousy passwords, but you see my point (I hope).
 
> I think the number and special character requirements provide more value in keeping the user from using guessable, dictionary look-up passwords than in brute force space (which I'm still not convinced is a thing for random web users IRL).
Forcing a larger character set (upper/lower/number..) is beneficial for several reasons. First, it prevents idiotic simple passwords subject to easy attack. But more interestingly, it forces the cracker into using a large character set in the attack (slowing them down). It reminds me of how when Lo-Jack, which locates stolen cars, was installed on just a small fraction of cars (I think the study was in LA), the overall number of car thefts plummeted. So if everyone is using large character set, random passwords, people who don't do that are still protected, as long as they stay away from idiotic simple passwords.
 
My passwords are mostly random, created with password generators.

I say mostly because they aren't 100% random. Technically, if I prefer a certain special character (for easier typing) in my passwords, then not totally random. But random enough. Plus, I have some that are long but writable passwords and not vague characters. This way, if I have to enter on my mobile, I won't be flustered guessing was that a character "O" or number zero, as an example.
 
And, they can try the same password at various other sites (such as banks) because they know many people reuse passwords.

Exactly. So the two essential requirements for passwords are strong AND UNIQUE. Password managers make easy work of this.
 
> Yes, but not quite (I think). there is a "one must be a number" requirement,
> -ERD50


"One must be a number" but if you have a ten character password that requires lowercase, uppercase, special character, and number couldn't you have 7 numbers, one lower case, one upper case, and one special character? Or maybe 2 numbers, 3 upper case, 3 special characters, and 2 lower case, or ..., etc? The cracker doesn't know how many numbers you used, or how many special characters, or how many upper case (although, I get it, most people use one as the instructions say "at least one").
 
> My passwords are mostly random, created with password generators.
>
> I say mostly because they aren't 100% random. Technically, if I prefer a certain special character (for easier typing) in my passwords, then not totally random. But random enough. Plus, I have some that are long but writable passwords and not vague characters. This way, if I have to enter on my mobile, I won't be flustered guessing was that a character "O" or number zero, as an example.

Passwords don't have to be perfectly random. They just need to be more random than somebody else's with the same or a bigger bank account. :)
 
> Passwords don't have to be perfectly random. They just need to be more random than somebody else's with the same or a bigger bank account. :)

Yes, the locked bicycle on bike rack analogy.

No lock is foolproof. But as long as your bike has a decent lock, a thief will most likely move on to an easier target.
 
> Yes, the locked bicycle on bike rack analogy.
>
> No lock is foolproof. But as long as your bike has a decent lock, a thief will most likely move on to an easier target.

But a little research can pay big dividends.
I remember some years ago when one of the most popular bike locks on the market could be opened easily with an ordinary Bic pen. A bit of googling will reveal quite a few strategies that either work or fail miserably when putting a password together.
 
> But a little research can pay big dividends.
> I remember some years ago when one of the most popular bike locks on the market could be opened easily with an ordinary Bic pen. A bit of googling will reveal quite a few strategies that either work or fail miserably when putting a password together.

I'm good with mostly random passwords. Easier on the brain and if someone tortures me to reveal, well, passwords not in my mind, so good luck with that :cool:.
 
TLDR: There is benefit from requiring uppercase, lowercase, digits, and symbols with an 8 character password. There is even more benefit with longer passwords. I'm sure I've gone wrong somewhere.

Let's assume an 8 character password using at least one each of upper case, lower case, digits, and special characters. (I suspect that even fewer than 10 special characters are commonly used and many sites are restricted in which special characters they will accept. I'll use 10 possibilities for special characters.) This gives 72 possibilities for 4 character locations, 26 possibilities for each of 2 locations, and 10 possibilities for each of 2 locations. So we get (72^4)(26^2)(10^2) possible passwords if we know the location of each type of character. Of course, we don't know the precise locations but we can say there are 8 possibilities for the required uppercase, leaving 7 possibilities for the required lower case, leaving 6 possibilities for the number, and leaving 5 possibilities for the special character.

So, the final formula with these assumptions is (72^4)(26^2)(10^2)x8x7x6x5. A mathematician would write the last part of that as 8!/4!.

If my calculations are correct that gives ~3.05x10^15 possible 8-character passwords with typical requirements for lower case, upper case, digit, and symbol.

Even if we assume that many people will use exactly 1 upper case, 1 digit, and 1 special character then the number of possible passwords is (26^6)(10^2)x8x7x6. That's ~1.04x10^13.

If we assume that many people would just use lower case for each location of an 8 character password the number of possible passwords would be 26^8, or ~2.09x10^11. Clearly much worse than with the typical requirements.

If we assume that many people would use both upper and lower alphabetic characters the number of possible passwords would be (52^6)(26^2)x8x7, or 7.48x10^14. This is an improvement but not quite equal to the typical requirement.

Increasing the number of password characters beyond 8 further increases the benefit of requiring upper case, lower case, digits, and special characters. I won't do the math because you can probably do it yourself if I haven't already put you to sleep.

While it may seem that requiring a digit and a special character would reduce the number of passwords in comparison with just alphabetic characters, the fact that we don't know the precise location and number of these types of characters compensates. (There may be only 10 digits to choose from but there are 8 or more locations where it can be placed.)
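The counting above has to guess where the required characters sit and how many of each there are. Inclusion-exclusion avoids both guesses. The Python script below is an added example, not code from any poster: it computes the exact number of passwords that contain at least one character from every required class, cross-checks the formula by brute force on a tiny alphabet, and converts counts to bits and to worst-case time-to-exhaust. The class sizes (26/26/10/33, 95 in total) and the three guess rates are the figures quoted in this thread; the function names and the tiny check alphabet are assumptions of the example.

```python
"""Exact password-space counts under composition rules (added example).

Inclusion-exclusion gives the number of length-n strings that contain at
least one character from every required class without assuming where those
characters sit or how many of each there are.
"""
from itertools import combinations, product
from math import log2

# Character classes as the thread counts them: 26 upper, 26 lower,
# 10 digits, 33 printable-ASCII symbols, 95 in total.
CLASSES = {"upper": 26, "lower": 26, "digit": 10, "symbol": 33}
ALPHABET = sum(CLASSES.values())  # 95

# Guess rates quoted from the GRC "haystack" page earlier in the thread.
RATES = {"online": 1e3, "offline": 1e11, "array": 1e14}


def count_requiring(length, required, alphabet=ALPHABET):
    """Strings of `length` over `alphabet` symbols that contain at least one
    character from each class in `required` (class name -> class size).

    Inclusion-exclusion: start with every string, subtract those missing
    class A, add back those missing both A and B, and so on.  An empty
    `required` returns alphabet ** length (no rules at all)."""
    names = list(required)
    total = 0
    for k in range(len(names) + 1):
        for missing in combinations(names, k):
            remaining = alphabet - sum(required[n] for n in missing)
            total += (-1) ** k * remaining ** length
    return total


def brute_force_count(length, required, alphabet):
    """Enumerate every string for tiny parameters to check the formula.
    Each symbol is labelled by its class index; symbols outside every
    required class are labelled None (e.g. lowercase when it is optional)."""
    labels = []
    for index, size in enumerate(required.values()):
        labels += [index] * size
    labels += [None] * (alphabet - len(labels))
    need = set(range(len(required)))
    return sum(1 for s in product(labels, repeat=length) if need <= set(s))


def bits(count):
    """Entropy in bits of a password chosen uniformly from `count` choices."""
    return log2(count)


def years_to_exhaust(count, guesses_per_second):
    """Worst-case time to try every candidate at a fixed guess rate."""
    return count / guesses_per_second / (365.25 * 24 * 3600)


def compare(length=8):
    """The spaces the thread argues about, for one password length."""
    return {
        "no rules": count_requiring(length, {}),
        "all four classes": count_requiring(length, CLASSES),
        "letters only": (CLASSES["upper"] + CLASSES["lower"]) ** length,
        "lower only": CLASSES["lower"] ** length,
    }


if __name__ == "__main__":
    for label, n in compare(8).items():
        print(f"{label:18s} {n:22,d}  {bits(n):5.1f} bits  "
              f"{years_to_exhaust(n, RATES['offline']):.2e} years offline")
```

For the 3-character case discussed above, requiring a digit, an upper-case letter and a symbol gives 6 x 10 x 26 x 33 = 51,480 candidates (one of each class, in any of the six orders), not 8,580; for 8 characters with all four classes required, the exact count is roughly 46% of 95^8, about 1.1 bits less than an unconstrained 8-character password, while an all-lowercase 8-character password has about 37.6 bits against 52.6.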
 
Thanks! That makes sense. I used to be admin for several unix systems and I was able to copy passwd files from one system to another. I couldn't see the passwords but I could see the usernames. So it would have been possible to write a script to create a process for each username and systematically guess the password. Of course this would find the short passwords first.

In college the password file was accessible so I wrote a program that just ran everything in /usr/bigdict against the password file and cracked about 1/3 of the other CS majors' passwords. Then the sysadmin locked me out of the system for a week as punishment. :p I didn't do anything with them, aside from tell people how bad their passwords were, it was purely an experiment.
 
> In college the password file was accessible so I wrote a program that just ran everything in /usr/bigdict against the password file and cracked about 1/3 of the other CS majors' passwords. Then the sysadmin locked me out of the system for a week as punishment. :p I didn't do anything with them, aside from tell people how bad their passwords were, it was purely an experiment.


They should have given extra credit for figuring it out and helping them make things more secure. :LOL:
 
> I never understood this. Why force users to include a number? That automatically reduces at least one of the characters to 10 tries to guess it.
>
> Similar with forcing one symbol. There are ~ 33 symbols, but 62 number/Upper/lower case choices. Or 95 if the symbols are optional. So now two are easier to crack.
>
> And one upper case means one only has 26 choices versus the 95. They have reduced the complexity on 3 of the 12 entries.
>
> -ERD50

Why just use a 12 character password? I use at least 16 and usually 20 characters. Numbers and special characters add more possibilities, that's entropy.

How strong is a 12 character password?
According to the traditional advice—which is still good—a strong password: Has 12 Characters, Minimum: You need to choose a password that's long enough. There's no minimum password length everyone agrees on, but you should generally go for passwords that are a minimum of 12 to 14 characters in length. (May 9, 2018)

Is a 16 character password secure?
A 90-bit password is well outside the range of what even the most determined and well-resourced attacker could do. They simply would not try to guess it. ... A 16-character properly generated password is going to be more than strong enough. (Oct 10, 2018)

I can't copy and paste from the link provided below so I'll just say this is an example of my userids and passwords but is just made up for an example:
k0Pp$cE23!a@AS98HnjT

Per this site https://www.grc.com/haystack.htm

Online Attack Scenario:
(Assuming one thousand guesses per second) 1.15 thousand trillion trillion centuries
Offline Fast Attack Scenario:
(Assuming one hundred billion guesses per second) 11.52 million trillion centuries
Massive Cracking Array Scenario:
(Assuming one hundred trillion guesses per second) 11.52 thousand trillion centuries

You can test your password or userid at the site but don't use your actual ones cuz who knows whether they are captured and used to break into your accounts! For example, if your password was F5$jj*1K (just as a shorter example than a 20 character password) then I would use a corresponding set of characters like K9(uu%7M to test the strength.
 
> You can test your password or userid at the site but don't use your actual ones cuz who knows whether they are captured and used to break into your accounts! For example, if your password was F5$jj*1K (just as a shorter example than a 20 character password) then I would use a corresponding set of characters like K9(uu%7M to test the strength.

Of course if I'm a hostile using that website to harvest passwords, I'd try pattern replacements using it as a template, which reduces your entropy considerably. :p

The big scary is at what point do quantum computers with enough qubits become accessible to bad actors to run Shor's algorithm and break basically all of modern cryptography? Hopefully people switch away from vulnerable math before that happens, otherwise we get to watch the banking industry go belly up.
 
I am all about using a physical key. That's all I ask for. Simple, secure, easy...but so slow to adopt.

This has been the standard at all companies I worked at for the last 20ish years. You get a hardware key that you poke when prompted. The early ones made you copy numbers from a little screen, but the newer ones (yubikey etc.) you just touch a nub and it even bypasses the keyboard entirely. I wonder why these laptop manufacturers don't start including them? Chicken and egg problem I guess.

However, banks have only just gradually started to catch on to the idea of 2FA at all, let alone the state of the art from the '00s. It's funny but not surprising online video game stores caught on to 2FA much earlier than major banks. The banks I know of either can't do it, or they do that "send you SMS/email" thing. It seems even Vanguard hasn't figured it out, if those search results about it are accurate.
 
Is the math really that complicated? I always thought it was about 2 values: 1) the size of the character set, and 2) the length of the password. Upper and lower gives 52. Add numbers, you're up to 62. According to the haystacks page, adding special characters gets you to 95. Then it's about how long.

If you ever had to type a 20 character, totally random password, you're in for quite a task, which is why I never create those kinds of passwords. If I felt the need to go beyond 8 (which I normally don't), I would use something like this:

*******PrXy0.N(*********

instead of this:

PrXyc.N(n4k77#L!eVdAfp9

And note that the first one is 95 times stronger than the second one, and one heck of a lot easier to type, if you ever need to type it.
 
> Is the math really that complicated? I always thought it was about 2 values: 1) the size of the character set, and 2) the length of the password. Upper and lower gives 52. Add numbers, you're up to 62. According to the haystacks page, adding special characters gets you to 95. Then it's about how long.
>
> If you ever had to type a 20 character, totally random password, you're in for quite a task, which is why I never create those kinds of passwords. If I felt the need to go beyond 8 (which I normally don't), I would use something like this:
>
> *******PrXy0.N(*********
>
> instead of this:
>
> PrXyc.N(n4k77#L!eVdAfp9
>
> And note that the first one is 95 times stronger than the second one, and one heck of a lot easier to type, if you ever need to type it.

which is why i use a PW manager. EZ PZ
 
> > I never understood this. Why force users to include a number? That automatically reduces at least one of the characters to 10 tries to guess it. ...
>
> Why just use a 12 character password? I use at least 16 and usually 20 characters. Numbers and special characters add more possibilities, that's entropy.
>
> How strong is a 12 character password?
> According to the traditional advice—which is still good—a strong password: Has 12 Characters, Minimum: You need to choose a password that's long enough. There's no minimum password length everyone agrees on, but you should generally go for passwords that are a minimum of 12 to 14 characters in length. (May 9, 2018)
>
> Is a 16 character password secure?
> A 90-bit password is well outside the range of what even the most determined and well-resourced attacker could do. They simply would not try to guess it. ... A 16-character properly generated password is going to be more than strong enough. (Oct 10, 2018)
>
> I can't copy and paste from the link provided below so I'll just say this is an example of my userids and passwords but is just made up for an example:
> k0Pp$cE23!a@AS98HnjT
>
> Per this site https://www.grc.com/haystack.htm
>
> Online Attack Scenario:
> (Assuming one thousand guesses per second) 1.15 thousand trillion trillion centuries
> Offline Fast Attack Scenario:
> (Assuming one hundred billion guesses per second) 11.52 million trillion centuries
> Massive Cracking Array Scenario:
> (Assuming one hundred trillion guesses per second) 11.52 thousand trillion centuries
>
> You can test your password or userid at the site but don't use your actual ones cuz who knows whether they are captured and used to break into your accounts! For example, if your password was F5$jj*1K (just as a shorter example than a 20 character password) then I would use a corresponding set of characters like K9(uu%7M to test the strength.

I certainly wasn't arguing against long(er) passwords! I was just questioning the (one char MUST be a number) type restrictions, which mathematically reduces the number of attempts required, as the hacker knows that one column is always restricted (even though they don't know which column, the truth table would be reduced).

Though I later realized that by the time you even got to an 8 char PW, the difference was very slight (a fraction of a % fewer tries?), and of no real practical concern. And that just becomes less and less with longer PWs.

Any PW for a site that I actually care about is at least 12 char.

-ERD50
 
> ...And note that the first one is 95 times stronger than the second one...

It's not stronger if the person cracking knows that you like to use a series of asterisks (or any one character) at the beginning and end of your password.

Anything the cracker knows about your predilections makes it easier. For example, one might guess that special characters tend to come at the beginning and/or end of passwords, and that certain special characters are much more commonly used than others. One might guess that the capital is only the first letter of many passwords, possibly following the only special character. One might guess that many users don't exceed the minimum number of characters. Those guesses, if correct, could make it possible to crack many passwords with much less effort (even if yours would be very safe).
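The "predilections" point above, and the earlier /usr/bigdict story, are what a rule-based dictionary attack exploits. The Python script below is an added example and not any poster's code: it hashes a handful of constructed accounts with salted SHA-256 (a stand-in for a real password hash; the salt format, usernames, passwords and wordlist are all constructed for the example), then runs each dictionary word through the cheap mangling rules people use to satisfy composition requirements: capital first letter, a single o-for-0 style substitution, a digit or symbol tacked on the end, and the last letter swapped for a digit (mypassword becomes mypasswor7). Passwords built that way fall in a few thousand guesses each; a genuinely random one does not fall at all.

```python
"""Rule-based dictionary attack against a toy shadow file (added example)."""
import hashlib

# Constructed stand-in for /usr/dict/words.
WORDLIST = ["welcome", "dragon", "mypassword", "password", "summer"]

DIGITS = "0123456789"
SYMBOLS = "!@#$%"
# Single-character substitutions people use to satisfy "must contain a digit
# or symbol" without changing the word they remember.
LEET = [("o", "0"), ("i", "1"), ("e", "3"), ("a", "4"), ("s", "$")]


def mangle(word):
    """Yield candidate passwords derived from one dictionary word.

    The rules model habits discussed in the thread: capital first letter,
    one leetspeak swap, a digit or symbol appended (or both, either order),
    and the last letter replaced by a digit (mypassword -> mypasswor7)."""
    bases = {word, word.capitalize()}
    for b in list(bases):
        for old, new in LEET:
            bases.add(b.replace(old, new))
    for b in sorted(bases):
        yield b
        for d in DIGITS:
            yield b + d
            yield b[:-1] + d
        for s in SYMBOLS:
            yield b + s
            for d in DIGITS:
                yield b + d + s
                yield b + s + d


def hash_password(salt, password):
    """Salted SHA-256 hex digest.  A fast hash like this is exactly what makes
    offline guessing cheap; real systems should use bcrypt, scrypt or Argon2."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def crack(shadow, wordlist):
    """shadow: user -> (salt, digest).  Returns (user -> password, guesses)."""
    found = {}
    guesses = 0
    for user, (salt, digest) in shadow.items():
        for word in wordlist:
            for candidate in mangle(word):
                guesses += 1
                if hash_password(salt, candidate) == digest:
                    found[user] = candidate
                    break
            if user in found:
                break
    return found, guesses


# Constructed accounts.  Two follow the "word plus a tweak" habits the thread
# describes; one appends a year (not covered by the rules); one is random.
PLAINTEXTS = {
    "alice": "mypasswor7",
    "bob": "Passw0rd!",
    "carol": "Dragon2024",
    "dave": "xK9#vQ2p",
}
SHADOW = {user: (f"salt-{user}", hash_password(f"salt-{user}", pw))
          for user, pw in PLAINTEXTS.items()}


def run_demo():
    """Crack the constructed shadow file and report what fell."""
    return crack(SHADOW, WORDLIST)


if __name__ == "__main__":
    found, guesses = run_demo()
    print(f"{len(found)}/{len(SHADOW)} recovered after {guesses} guesses")
    for user, pw in found.items():
        print(f"  {user}: {pw}")
```

Each rule multiplies the candidate list by a small constant, so the attacker's cost is the wordlist size times a few hundred, not 95^n; that is why a memorable word with a required digit and symbol bolted on is far weaker than the character-set arithmetic suggests, and why a password manager's random output is the practical fix.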
 