Everyone always tells you the importance of having a strong password that is hard to guess. Use letters and numbers, they say... Did you listen?

I've recently been doing some reading on passwords and crypto [1], came across the best explanation for the need for strong passwords, and wanted to pass it on.

Consider for a moment an application that uses DES as its cryptographic algorithm. DES uses a 56-bit key, so a good (randomly generated) DES key is equally likely to be any one of the 2^56 values from 0 to 2^56-1. A big number, and an attacker who has to guess the key must, on average, try half of them!

Ah ha! Not so fast. Now suppose the key is derived from a password typed by an English-speaking user. When asked for a password, we will typically pick something easy to remember, most likely built from printable ASCII characters such as A-Z, a-z, 0-9 and possibly punctuation. Guess what: you just cut down (waaay down) on the number of values an attacker needs to try. Instead of 2^56 equally likely keys, the attacker only has to guess easy-to-remember strings of ASCII characters, and in practice the dictionary words and simple variations that people actually choose. Yikes!

Now, let me show you the bit that REALLY brought home to me how bad passwords can be! Given that DES has a 56-bit key and is considered INSECURE for long-lived data, take a look at these very common scenarios. For each size of character pool, the table gives the password length needed, assuming every character is chosen uniformly at random from the pool, for the number of possible passwords to match the number of possible 56-bit and 128-bit keys (that is, the smallest length L with pool^L >= 2^56 or 2^128).

Available Characters and Password Lengths for Two Keys [2]

Scenario                                        Available characters                 Length for 56-bit key   Length for 128-bit key
Numeric PIN                                     10 (0-9)                                     17                      40
Case-insensitive alpha                          26 (A-Z or a-z)                              12                      28
Case-sensitive alpha                            52 (A-Z and a-z)                             10                      23
Case-sensitive alpha and numeric                62 (A-Z, a-z and 0-9)                        10                      22
Case-sensitive alpha, numeric and punctuation   93 (A-Z, a-z, 0-9 and punctuation)            9                      20

SCARY!  When was the last time you created an 8-10 character password that contained case-sensitive alpha, numeric and punctuation? Hmmm...? And note that the table says a random 8-character password from the full 93-character pool still falls short of a 56-bit DES key; you need 9.
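If you want to check the table yourself, or see how many key-equivalent bits the password you actually type is worth, the following Python script recomputes it. This is an added example, not code from the book or from the original post; the pool sizes are taken from the table above. Exact integer arithmetic gives 39 digits for the 128-bit numeric PIN entry (10^39 is the first power of ten above 2^128, which is about 3.4 x 10^38); the book's table rounds that entry up to 40.

```python
import math

# Character pools from the table above, constructed to match its scenarios.
POOLS = {
    "Numeric PIN": 10,
    "Case-insensitive alpha": 26,
    "Case-sensitive alpha": 52,
    "Case-sensitive alpha and numeric": 62,
    "Case-sensitive alpha, numeric and punctuation": 93,
}


def required_length(pool_size: int, key_bits: int) -> int:
    """Smallest length L such that pool_size ** L >= 2 ** key_bits.

    Exact integer arithmetic is used instead of math.log2 so that borderline
    cases (e.g. 10 ** 39 versus 2 ** 128) are not decided by float rounding.
    """
    if pool_size < 2 or key_bits < 1:
        raise ValueError("need pool_size >= 2 and key_bits >= 1")
    target = 1 << key_bits
    length, space = 0, 1
    while space < target:
        space *= pool_size
        length += 1
    return length


def password_bits(pool_size: int, length: int) -> float:
    """Key-equivalent strength (in bits) of a password of `length` characters,
    each drawn uniformly at random from a pool of `pool_size` characters.

    This is an upper bound: a human-chosen password (a word, a name, a date)
    has far less entropy than length * log2(pool_size).
    """
    return length * math.log2(pool_size)


def build_table(key_sizes=(56, 128)) -> dict:
    """Recompute the required-password-length table for the given key sizes."""
    return {name: tuple(required_length(n, bits) for bits in key_sizes)
            for name, n in POOLS.items()}


if __name__ == "__main__":
    for name, (l56, l128) in build_table().items():
        print(f"{name:<46} {l56:>3} chars for 56-bit  {l128:>3} chars for 128-bit")
    # The "8-10 character" password most people consider strong:
    for n in (8, 10):
        print(f"{n} random chars from the 93-char pool ~ "
              f"{password_bits(93, n):.1f} bits (DES key: 56 bits)")
```

Running it prints the table and shows that 8 random characters from the 93-character pool are worth only about 52 bits, slightly less than a DES key, and 10 are worth about 65. Both figures assume every character was chosen uniformly at random; any password you can remember without effort is weaker than that.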

[1] "Writing Secure Code, 2nd Edition" by Michael Howard and David LeBlanc
[2] Table 8-1, "Writing Secure Code, 2nd Edition" by Michael Howard and David LeBlanc

BTW, I can't recommend the second edition of this book enough!