L337 crackrz use dumb passwords too Black hats are just as blithe about the passwords they use as the rest of the world, according to a bit of research by security outfit Avast. The anti-virus company's Antonín Hýža, writes here that after he'd built a dictionary of hacked hackers' passwords, the most common password was “hack”. Hýža says his work began because …
> and interestingly, when he had to resort to brute force, in all cases the passwords were six characters or fewer.
Thats because he will have completely exhausted the 1 to 6 character search space but might still be searching the 7+ address space.
It all depends upon how efficient his brute force attack is. If it is pathetically slow and only manages 100,000 attempts per second it will take him about 3 months to exhaustively search* the 6 character password space and nearly 25 years to do the same with the 7 character address space.
* This assumes each character is one of the 96 printable ASCII characters. If he uses the reduced character set in the article then it would take 10 days to exhaustively search the 6 character address space and over 20 months to search the 7 character one.
" Apparently hackers have gaps in their ABCs"
It might tell us something about the keyboards they are using.
On the various non-English keyboards I have used things like square brackets, braces etc are obtained by using Alt or Gr Alt modifiers..
And some have "dead" keys which don't get through until the next character is typed. These can be a nightmare for password use so are best avoided.
The maximum length supported by whatever application requires the password, as long is it is not guessable using phrase based attacks. For instance using a password of:
Now, witness the power of this fully operational battle station
is going to be far less secure than
np0b8yp(BG)Til;ghp789tK:HG)*(&B PIUp97p( &TP ~(U~L@K
which I derived by mashing this keyboard and deleting extra stuff until it looked about the same length ;)
@Tom 13
That xkcd works great against standard brute-force attacks, agreed.
You're going to run into trouble fast, tho, if you think you're safe from dictionary / phrase-based attacks.
correct horse battery staple basically has the security of 4 elements of a set. The set here are simple english words. I don't know the exact amount of words there are in this set, but I'd approximate it's between 2000-5000. @ 10,000,000 tries per second with a set of 2000 words, it'd take a maximum of ~18 days to crack "correct horse battery staple".
You'd get a much more secure password if you used the same number of characters with completely random chars. Assuming 96 characters of ASCII with 28 characters we get:
3.1885594968609569219249376411887986022218245751739252736... × 10^55 permutations with random characters and
625000000000000 permutations with a 5000 word charset of simple english words.
Noticing a difference?
quote: "Obligatory XKCD since you seem to have missed it:
http://xkcd.com/936/"
I like that XKCD, but note that for your 44 bits of entropy, you need to extend the length of password by a factor of 2 or more, and you are only using lowercase letters. You could add another 4 bits per word using the same common substitutions, and an extra 7 by adding numeral-punctuation at the end, for 67 bits of entropy using the same base password string. An extra 23 bits of entropy that also changes it from a 4-word dictionary attack to effectively a brute force on a 30 character password.
I still stand by the "most secure" password being one that is the maximum size that the application allows, and that is composed of a random character stream which includes all allowable characters, as that is the only way to maximise the effort required to crack it; you have to brute force because a dictionary attack will never get it. It is not easy to remember, but that's why there are a myriad of password suites around now to help people use secure passwords without needing to memorise random sequences of gibberish.
For most practical applications, the XKCD method of random word association combined with basic substitutions should yield ok results though. It does at least get people used to using longer passwords, which can only be a good thing :)
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
