One of the many topics I like to cover in detail when teaching Essentials of Hacking and Ultimate Hacking is password brute forcing and cracking. I usually start off by letting the students come up with what they think is a strong password policy and later, we analyze common implementations & attacks against them. Inevitably, the password policy they come up with looks a lot like this:
- At least one uppercase character
- At least one lowercase character
- At least one digit
- At least one symbol
- At least 7 characters
A quick analysis of this password policy yields the following:
- Character set is roughly 52 alpha characters + 10 digits + ~12 symbols
- Password length is >= 7
- Most people will pick a password that’s 7-8 characters (we’ll compromise here)
- Password keyspace is approximately 74^9 = 66540410775079424 or ~6.7e16
This password policy is in line with what I see on most security engagements. The matching implementation that actually enforces these rules is not as common, but that’s another blog entry. Still, a password policy like this is the common case.
Here’s my password policy (just trying to prove a point here):
- All lowercase characters
- At least 15 characters
- Non dictionary words
A quick analysis of my password policy yields the following:
- Character set is 26
- Password length is >= 15
- Password keyspace is approximately 26^15 = 1677259342285725925376 or ~1.7e21
Let’s figure out which password policy is stronger by using Cain & Abel to test the time required to brute force passwords that are MD5 hashed, which is a common case for web applications.
Here’s Cain & Abel attempting to crack all possible passwords for the typical password policy.
Here’s Cain & Abel attempting to crack all possible passwords for my password policy.
The bottom line:
- In general, password length trumps password complexity. This applies to both cracking and rainbow table attacks.
- Given the opportunity, users will choose the simplest passwords, such as ‘Password1!’, etc. If you don’t believe me, check out an analysis of the ‘hacked’ Myspace accounts.
- Make sure you account for human tendencies that include usernames in passwords, too many repeating characters, passwords based on dictionary words, capitalization of the first letter, symbols & digits at the end, etc.
- Enforce your password policy – duh. Remember AOL’s old implementation?
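As an added worked example (not code from the original post), here is the keyspace arithmetic from both policies carried through in Python, plus the effective keyspace of the human-tendency shape (capital first letter, digits and symbols at the end) called out in the bottom line. The hash rate of 1e9 MD5 guesses per second is an assumed placeholder, not a figure from the post.

```python
import math

# Character set sizes used in the post: 52 letters + 10 digits + ~12 symbols = 74,
# and 26 for the all-lowercase policy.
TYPICAL_CHARSET = 52 + 10 + 12   # 74
LOWER_CHARSET = 26


def keyspace(charset_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` characters drawn from `charset_size`."""
    return charset_size ** length


def keyspace_up_to(charset_size: int, min_len: int, max_len: int) -> int:
    """Keyspace over every length from min_len to max_len inclusive (a brute forcer walks them all)."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at an assumed guess rate."""
    return space / guesses_per_second


def structured_keyspace(pattern: str) -> int:
    """Keyspace of a password that follows a human-tendency shape:
    'U' = uppercase letter, 'l' = lowercase letter, 'd' = digit, 's' = symbol."""
    sizes = {"U": 26, "l": 26, "d": 10, "s": 12}
    return math.prod(sizes[c] for c in pattern)


def compare_policies(guesses_per_second: float = 1e9) -> dict:
    """Assumed rate: 1e9 MD5 guesses/s (placeholder, not a figure from the post)."""
    typical = keyspace(TYPICAL_CHARSET, 9)   # the post's 74^9 estimate
    mine = keyspace(LOWER_CHARSET, 15)       # the post's 26^15 estimate
    # What users actually type under the typical policy: 'Password1!' is U + 7 l + d + s
    shaped = structured_keyspace("U" + "l" * 7 + "ds")
    return {
        "typical": typical,
        "lowercase15": mine,
        "ratio": mine // typical,                      # how many times larger the lowercase space is
        "typical_days": seconds_to_exhaust(typical, guesses_per_second) / 86400,
        "lowercase15_years": seconds_to_exhaust(mine, guesses_per_second) / 31557600,
        "password1_shape": shaped,
        "shape_hours": seconds_to_exhaust(shaped, guesses_per_second) / 3600,
    }


if __name__ == "__main__":
    for name, value in compare_policies().items():
        print(f"{name:>18}: {value:,.2f}" if isinstance(value, float) else f"{name:>18}: {value:,}")
```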