Search News from Limbo

Tuesday, July 23, 2013

The word on passwords: shun words

Memorable passwords are often devised by placing one or two words within the passphrase. But these blocks represent the computer-assisted code-cracker's first line of attack.

Of course, internet services such as Google and Yahoo block attempts to test more than a few passwords in one day. But passwords for your personal computer, laptop and smartphone are not necessarily immune from what might be called modified dictionary attacks.

One reason so many Google, Yahoo and Facebook accounts are hacked is because a typical hacker tries a few common password types and if he doesn't strike pay dirt within the allotted number of tries, he moves on to the next account. Of course, there are many other tools and tricks for obtaining passwords, but one should at least put the first latch on the door. The word "password," for example, is used by a great many people, whose accounts are of course highly vulnerable.

So let's consider a modified dictionary attack.

There are 26 letters in the English alphabet. 26! = 4 x 10^26, a fantastically high number of combinations. But, who uses a random 26-letter password?

Or you might use all numerals. But a 10-digit password (say, a phone number) is part of a set of 10! = 3,628,800, which is within the range of any modern code-cracking algorithm. If the password is, say, 13 digits, we  have 10!(10C3) = 435,456,000, which is pushing half a billion combinations, so a certain level of security is found here. Fifteen numerals yields 10!(10C5) = 914 million, or pushing one billion combinations.

But there is a more efficient way to do things.

If we use upper and lower case letters, we have 52 letters plus 10 numerals. If we also employ the punctuation and other symbols -- my keyboard has 32 -- we arrive at a grand total of 94 characters (or 95 if you include the space bar).

So, a 7-character password nests within a set of 10 billion combinations. Nine characters nests within a set of one trillion 
combinations.

Technically, if many others are drawing from this set for their passwords, you needn't use all types of characters. But, because most people use a much smaller set of characters, you are better off drawing from every type.

Now consider what happens if you use a word, let's say, having between 3 and 7 letters, in a 7-character password.

The decryption program has access to a database of all such character combinations, of say between three and seven letters. Using a database commensurate with the program's computational power, it runs a modified "dictionary attack."  The database might have all the words in all English dictionaries as well as all dictionaries of other languages, along with common strings of numbers. So maybe there are a million such entries, which are ranked by frequency and hence probability of occurrence. But, the program prioritizes candidate words by frequency and language of the user. It is likely to drop all words that occur at less than some specific frequency.

Suppose the program "guesses" that your password contains a word.

It breaks your password into blocks like this:

1. (XXXXXXX) Rather than bother with the 94C7 = 10 billion combinations, it first checks common words of 7 letters, which I would guess come from a set of no more than 100.

2. x(XXXXXX) Similarly for six letters, maybe 100 words. It begins checking words slotted on the first space, then if necessary the second. There are only two possibilities, so the total of items to be checked is 2 x 94 x 100 = 18800

3. (xx)(XXXXX) For five letters, let's make a ballpark estimate of 300 probable words. This gives us 2 x 94C2 x 300 = 2,622,600. Still easy going for a code-cracking program.

4. (xxx)(XXXX) For five letters, I can't imagine more than 350 probable words. This gives us 2 x 94C3 x 350 = 93,830,800. Still feasible for a powerful computer.

Our total of combinations is 100+18800+2622600+93830800 = 96,472,300.

But in fact, the decryption program would likely have a suite of subroutines, so that it wouldn't first run the program that accounts for 94 characters, but would start out with an algorithm that uses 26 lower-case letters, then one that uses 26 lower-case letters and 10 numerals. Chances are good that that will suffice to expose most passwords that contain a word of three to seven letters.

In the past, I have used a block of lower case letters and some numerals. Had my password been seven characters long and had I used a recognizable word,
we would get 100; 2 x 36 x 100 = 7200; 2 x 36C2 x 300 = 378,000; 2 x 36C3 x 350 = 4,998,000 for a total of 5,383,300. A snap for a modern decryption program.

We must also be careful about deliberately misspelling a word, because common improper spellings may be included in the decrypter's database. I made an embarrassing gaffe on this point. The word "wordd" was part of my password. But a block-checker of the type I've described would have tested the word "word" and treated the extra d as part of another block.

The advice to shun words holds for common digit strings such as 1234567 or 24681012 or 3141592 (leading digits of pi).

This is all very well, you say, but you'd like to be able to remember your password.

If you can memorize your phone number, there's no reason you can't remember a haphazard group of eight or so characters from a 94-character set.

But, you might try something like this:

Write down an auto license plate number from a random vehicle, say

JCB37K

Insert two characters, such as $ and =, for JC=B37$K

Change one or two letters to lower case, as in jC=B37$K

You'll never remember that? OK, try this:

Last two letters of your place of birth.

ON

Street address number, or last two letters of your zip code

41

Last two letters of mother's maiden name

KE

This gives us, in this example,

ON41KE

change one or two letters to lower case

oN41kE

Sprinkle with punctation marks:

oN,41&kE

You can reconstruct the password by remembering that it is related to the sequence "street address, mother's maiden name." Once you do that, your memory should be refreshed as to the remaining steps.

Another possibility is a type of code that might be easy for a human expert to break, but not so easy for a typical code-cracking program.

You have a number that is easy to remember, such as the last four digits of your phone number.

3776.

Another easy number to remember might be the last four digits of your Social Security number. 5893

Add them together:  9669

Take a friend or relative's name and reverse the order of letters: sam to mas

Write maybe 9669mas and change one or two letters to uppercase. 9669Mas. Toss in one or two punctuation marks 9669&Mas!

So if you forget your password, you remember your two numbers and the name and reconstruct the password. As you do so, your memory of the "&" and the "!" will be refreshed.

There are many such stratagems. Yes, making and remembering strong passwords can be annoying, but the small bit of effort required may pay off in a big boost in security.

Disclaimer: These tactics won't stop the NSA or other federal agency. On the internet, they simply siphon your data before your provider encrypts it. On your home PC or laptop, they have a suite of high-tech methods to detect it; though you might conceivably defeat federal snoops from prying into your system, their hackers know a great number of weaknesses in whatever operating system you use and can probably insert a spyware program to obtain your password as you type it in, even if you use a keyboard scrambler. Unless you are a real expert, it isn't worth the effort to try to outwit the feds; you'll only get a false sense of cyber security.

Related post: the Kalin cipher
http://kryptograff.blogspot.com/2007/06/kalin-cipher.html

No comments:

Post a Comment