One of the many topics I like to cover in detail when teaching Essentials of Hacking and Ultimate Hacking is password brute forcing and cracking. I usually start by letting the students come up with what they think is a strong password policy; later, we analyze common implementations and the attacks against them. Inevitably, the password policy they come up with looks a lot like this:
A quick analysis of this password policy yields the following:
This password policy is in line with what I see on most security engagements. The implementation that actually enforces these rules is far less common, but that's another blog entry. Still, a policy like this is the common case.
Here’s my password policy (just trying to prove a point here):
A quick analysis of my password policy yields the following:
Let’s figure out which password policy is stronger by using Cain & Abel to test the time required to brute force passwords that are MD5 hashed, which is a common case for web applications.
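The comparison above reduces to keyspace arithmetic: the number of candidate passwords a policy admits, divided by the attacker's hash rate, gives the time to exhaust it. The script below is an added example, not code from the original post, and the two policies it compares are illustrative choices made here (the post's own policy lists did not survive extraction); the MD5 rate of 1e9 hashes per second is likewise an assumed figure. It also shows something the post leaves implicit: a rule that *requires* one character from every class shrinks the keyspace relative to free choice over the same alphabet, which the `strict_keyspace` function counts by inclusion-exclusion.

```python
"""Keyspace and exhaustive-search-time estimates for password policies.

Added example, not code from the original post. The two policies compared in
compare_policies() are assumptions made for illustration, and the hash rate is
an assumed placeholder. Class sizes follow printable ASCII (26/26/10/32).
"""
from itertools import combinations

# Character classes: name -> number of distinct characters in the class.
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}


def free_keyspace(class_sizes, min_len, max_len):
    """Count passwords of each length in [min_len, max_len] drawn freely
    from the union of the given classes (no mandatory-class rules)."""
    alphabet = sum(class_sizes)
    return sum(alphabet ** length for length in range(min_len, max_len + 1))


def strict_keyspace(class_sizes, length):
    """Count passwords of exactly `length` characters that contain at least
    one character from EVERY class in class_sizes.

    Inclusion-exclusion: start from all strings over the full alphabet,
    subtract those missing at least one class, add back those missing two,
    and so on. Mandatory-class rules always give a smaller number than
    free_keyspace over the same alphabet and length.
    """
    alphabet = sum(class_sizes)
    total = 0
    for k in range(len(class_sizes) + 1):
        # combinations() works on positions, so equal-sized classes stay distinct.
        for excluded in combinations(class_sizes, k):
            remaining = alphabet - sum(excluded)
            total += (-1) ** k * remaining ** length
    return total


def seconds_to_exhaust(keyspace, hashes_per_second):
    """Worst-case time to try every candidate at the given hash rate."""
    return keyspace / hashes_per_second


def human_duration(seconds):
    """Render a number of seconds in the largest unit that fits, e.g. '2.0 days'."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


def compare_policies(hashes_per_second=1e9):
    """Compare two ASSUMED policies (not the ones from the post) at an
    ASSUMED MD5 rate. Returns {name: (keyspace, human-readable search time)}."""
    sizes = list(CLASSES.values())
    # Policy A, assumed "typical": exactly 8 characters, all four classes required.
    policy_a = strict_keyspace(sizes, 8)
    # Policy B, assumed "long and simple": 16 lowercase letters, no class rules.
    policy_b = free_keyspace([CLASSES["lower"]], 16, 16)
    return {
        "typical_8_all_classes": (policy_a, human_duration(seconds_to_exhaust(policy_a, hashes_per_second))),
        "long_16_lowercase": (policy_b, human_duration(seconds_to_exhaust(policy_b, hashes_per_second))),
    }


if __name__ == "__main__":
    for name, (space, eta) in compare_policies().items():
        print(f"{name}: {space:.3e} candidates, full search takes {eta} at 1e9 MD5/s")
```

Changing `CLASSES`, the lengths in `compare_policies`, or the hash rate lets you plug in a real engagement's policy and the cracking speed you actually measured, which is the same experiment the Cain & Abel runs below perform empirically.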
Here’s Cain & Abel attempting to crack all possible passwords for the typical password policy.
Here’s Cain & Abel attempting to crack all possible passwords for my password policy.
The bottom line: