Sunday, July 22, 2012

A Few Things You Didn't Know About Your Passwords

Passwords are used for email accounts, online shopping, social networking sites, online banking, and so on. They, along with other methods of authentication, protect information on the world wide web from unauthorized viewing. However, many people choose relatively simple, insecure passwords that will not stand up to the password attacks a malicious user can mount. Among these attacks are brute force, dictionary, and hybrid attacks.

Brute Force Attack
A brute force attack is a method of password cracking that tries every possible combination of characters. To illustrate, brute force cracking software might begin with the guess a. Then it tries b. Then c. (I'm sure you can see where this is going.) It simply and mindlessly walks down the list of characters and submits each one as a guess. Once it exhausts all possible one-character passwords, it moves on to two-character passwords (aa, ab, ac, ad, and so on). There are far more two-character combinations than one-character ones: every character you add multiplies the number of possibilities by the size of the character set, which is why length matters so much against this attack. Brute force is by far the most time-consuming password attack, but given enough time it will always succeed; the defender's job is to make "enough time" impractically long.

Dictionary Attack
A dictionary attack uses a word list to crack passwords. The software takes its guesses from the words in the list (e.g., dog, cat, bear). Most dictionary attack software can also prepend or append numbers or symbols to each word, which makes a password like coffee22 very weak if the word coffee is in the attacker's word list. These word lists are usually not typed up by the attacker; they are downloaded or compiled from dictionaries and from passwords exposed in earlier breaches, so they can be very large and extremely thorough. Even if the word in your password is obscure, it is highly likely to be somewhere in an attacker's word list.

Hybrid Attack
A hybrid attack combines dictionary words with rules that replace certain letters with digits or symbols. This attack is very effective against passwords written in "l33t speak". An example of a l33t speak password is k!ngsc0ff33: certain letters have been replaced by a number or a symbol so that no actual word is formed, which defeats a simple dictionary attack. However, hybrid attack software takes a dictionary word list and applies these replacements systematically to particular letters: 3 for e or E, @ for a or A, 1 or ! for i/I or l/L, and so on. This makes the password above very susceptible to cracking.
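To make the dictionary and hybrid attacks above concrete, here is an added example (not code from the original post) that implements a toy version of both: plain word list guesses, guesses with a digit suffix, and l33t substitutions applied to single words and to two-word concatenations. It runs the guesses against unsalted SHA-256 hashes of the post's own example passwords. The word list and the substitution table are constructed for the example; a real attacker's list would be far larger.

```python
import hashlib
import itertools

# Constructed word list standing in for a real list of millions of entries.
WORDLIST = ["dog", "cat", "bear", "kings", "coffee", "password"]

# Hybrid ("l33t") substitution table; each letter maps to the spellings tried for it.
LEET = {
    "a": ["a", "@", "4"],
    "e": ["e", "3"],
    "i": ["i", "1", "!"],
    "l": ["l", "1", "!"],
    "o": ["o", "0"],
    "s": ["s", "$", "5"],
}


def leet_variants(word):
    """Yield every spelling of `word` reachable by substituting letters per LEET."""
    choices = [LEET.get(c, [c]) for c in word]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def candidates(wordlist, max_digits=2):
    """Yield guesses cheapest-first: plain words, words with a digit suffix,
    then l33t variants of single words and of two-word concatenations."""
    # Pure dictionary attack.
    for w in wordlist:
        yield w
    # Dictionary attack with appended digits (catches coffee22).
    for w in wordlist:
        for n in range(1, max_digits + 1):
            for digits in itertools.product("0123456789", repeat=n):
                yield w + "".join(digits)
    # Hybrid attack: l33t substitutions on words and word pairs (catches k!ngsc0ff33).
    bases = list(wordlist) + [a + b for a in wordlist for b in wordlist if a != b]
    for base in bases:
        for variant in leet_variants(base):
            if variant != base:
                yield variant


def sha256_hex(text):
    """Unsalted SHA-256: a deliberately fast hash, so every guess is cheap to check."""
    return hashlib.sha256(text.encode()).hexdigest()


def crack(target_hash, wordlist):
    """Return (password, guesses_tried); password is None if the list is exhausted."""
    tried = 0
    for guess in candidates(wordlist):
        tried += 1
        if sha256_hex(guess) == target_hash:
            return guess, tried
    return None, tried


if __name__ == "__main__":
    for pw in ["coffee22", "k!ngsc0ff33", "&IlcVM11"]:
        found, tried = crack(sha256_hex(pw), WORDLIST)
        print(f"{pw:12} -> {found!r} after {tried} guesses")
```

coffee22 falls to the digit-suffix rule after a few hundred guesses, and k!ngsc0ff33 falls to the substitution rule as soon as kings and coffee are concatenated. The post's later example &IlcVM11, whose letters spell no word, survives the whole list, which is exactly the property the post is after.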

How to create a secure password
First, a secure password must have adequate length. The usual recommendation is at least 8 characters. Assuming your password is complex enough that dictionary and hybrid attacks do not apply, an 8-character password drawn from the 26 letters in both upper and lower case, the digits 0-9, and basic punctuation can take up to about 11 years to exhaust by brute force at 2,800,000 guesses a second on a single computer. That figure scales directly with the attacker's guessing rate: with 50 computers each trying 2,800,000 passwords a second, it drops to roughly 75 days. Note that this rate describes a slow attack, such as one against an online login or a deliberately slow password hash; an attacker who has stolen a database of fast, unsalted hashes can run graphics cards at billions of guesses a second and exhaust the same space in hours. Typical password-changing policies require a change at most every 60 days, so against the slower attacker your password may well be changed before it is cracked; against the faster one, rotation offers little protection.

In addition, dictionary words, including dictionary words written in l33t speak, are strongly discouraged. Do include numbers and punctuation in your password, but not as replacements for letters in a word. Instead, scatter them through the password to make it more complex and less susceptible to dictionary and hybrid attacks.

With all this talk about security, it is easy to forget that a password also needs to be memorable so it is not forgotten. Increasing the length beyond 8 characters does make a password harder to brute force, and because each extra character multiplies the attacker's work by the size of the character set, length is the cheapest protection you can add; but length alone is not enough, since 14 characters' worth of dictionary words are defenseless against a dictionary attack. For a password that is complex in the sense described above, 8 characters will do the trick against the attack rates discussed here.

Here's an example of how to form a secure but memorable password.
ilcvm (I begin with a memorable word or short phrase; acronyms can also be helpful; this one stands for "i love coffee very much")
IlcVM (I make some of the letters uppercase; this is made memorable because the acronym would appear as "I love coffee VERY MUCH")
IlcVM11 (include some numbers, such as your favorite number)
&IlcVM11 (add punctuation)

This gives a final password of &IlcVM11. Because IlcVM is not a word, dictionary and hybrid attacks get no foothold, and the attacker is left with brute force, which will take a very long time. One caveat: the layout "symbol, letters, two digits" is a very common one, and cracking tools can search such a pattern (a mask) far faster than the full character space, so the less predictable the arrangement of your symbols and digits, the better.
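The following Python script is an added example, not part of the original post. It carries through the brute force arithmetic used above and then shows the mask caveat for the final password: it computes how many guesses an attacker who knows only the character set needs for 8 characters, how long that takes at the post's rates, and how much smaller the search becomes when the attacker instead guesses the layout of &IlcVM11 (symbol, letters, digits). The 12-symbol punctuation set is an assumption chosen so that the full alphabet has 74 characters, which reproduces the post's 11-year and 75-day figures, and the 10-billion-guesses-per-second GPU rate is likewise an assumed illustrative figure.

```python
import math

SECONDS_PER_DAY = 86400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY

# Character classes in hashcat-style single letters. The 12 punctuation marks are
# an assumption: with them the alphabet is 74 symbols, matching the post's figures.
CLASS_SIZE = {"l": 26, "u": 26, "d": 10, "s": 12}
FULL_ALPHABET = sum(CLASS_SIZE.values())  # 74


def brute_force_space(alphabet_size, max_length):
    """Guesses to exhaust every password of length 1..max_length, since the attack
    described in the post walks up from single characters."""
    return sum(alphabet_size ** n for n in range(1, max_length + 1))


def mask_of(password):
    """Describe a password's layout as a mask, e.g. &IlcVM11 -> 'sulluudd'."""
    out = []
    for ch in password:
        if ch.islower():
            out.append("l")
        elif ch.isupper():
            out.append("u")
        elif ch.isdigit():
            out.append("d")
        else:
            out.append("s")
    return "".join(out)


def mask_space(mask):
    """Guesses for a mask attack: the attacker knows the class of each position,
    so the space is the product of the class sizes rather than alphabet**length."""
    return math.prod(CLASS_SIZE[c] for c in mask)


def years_to_exhaust(space, guesses_per_second):
    return space / guesses_per_second / SECONDS_PER_YEAR


def days_to_exhaust(space, guesses_per_second):
    return space / guesses_per_second / SECONDS_PER_DAY


if __name__ == "__main__":
    space = brute_force_space(FULL_ALPHABET, 8)
    print(f"full brute force, 8 chars, {FULL_ALPHABET} symbols: {space:.3e} guesses")
    print(f"  one machine @ 2.8M/s:    {years_to_exhaust(space, 2.8e6):.1f} years")
    print(f"  50 machines @ 2.8M/s:    {days_to_exhaust(space, 50 * 2.8e6):.0f} days")
    print(f"  assumed GPU rig @ 1e10/s: {days_to_exhaust(space, 1e10) * 24:.0f} hours")
    m = mask_of("&IlcVM11")
    print(f"mask attack on layout {m}: {mask_space(m):.3e} guesses, "
          f"{days_to_exhaust(mask_space(m), 2.8e6) * 24:.1f} hours @ 2.8M/s")
```

The full 8-character space comes out at roughly 9e14 guesses, about 10 years on one machine and 75 days on 50, in line with the post. The mask for &IlcVM11 is four orders of magnitude smaller, so an attacker who bets on the common "symbol + letters + two digits" layout finishes in hours even at the slow rate. That is why the placement of digits and punctuation should be irregular rather than following a template.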

Now go change your password and secure your data!!
