Passphrases

First of all, I am very sorry that I couldn’t keep up with my blogging promise, I got quite sick, moved to a different apartment and then ran directly into an accident… But I recovered and I’m ready to tackle the next topic.

So let’s start with an easy security topic. It’s actually quite related to privacy, because a good passphrase can prevent your data from being fully exposed in a breach.

Choosing a Passphrase

If we look at common passwords from dumps I kinda have to throw up a little, but at least most services nowadays force you to have at least a handful of characters and maybe some mixed capitalization plus a number. But let’s pick one of the most common passwords from the SplashData 2017 results. In 7th place is “letmein” *throws up a little*

Besides picking a common password out of a dump, we will also pick a password with my method before we get into analyzing the strength and usability of both. My method is actually pretty simple: I’m really strong on the phrase part of the passphrase and just form a whole phrase. “Remember back then, in 2012, when everyone thought we’ll die!”

Break the password

To analyze a password we need to know how to break it, so we can kind of “verify” its strength. Besides social engineering and precomputed tables, the two major approaches are brute forcing and the dictionary attack.

Brute Force

Brute force is really simple. You choose your character set (e.g. a and b) and your password length (2 characters), and the tool generates all the combinations (e.g. aa, ba, ab, bb) and tries each one. This method of course also works with a prefix: if you know that your colleague always uses “letmein” at the beginning of his passwords and has different digits at the end, you could just brute force the last digits.

Dictionary Attack

A dictionary attack is basically also very simple. You have a list of words in a text file, and the tool goes down that list, one by one, trying every line in the file as a possible password.

Analyzing the Password

Let’s get back to our main path and analyze the two passwords we picked in the beginning. I looked up some benchmarks, and it seems that a standard GeForce GTX 1080 can brute force about 25.000 megahashes per second with MD5 and 3.000 MH/s with SHA256, so we’ll go with a deliberately lower 3.000.000 hashes per second (3 MH/s) in our example.

So we will start off with calculating the possible combinations of our own password. There is a pretty simple formula:

possibleCombinations = possibleCharacters ^ passwordLength

If we look at “letmein” we have the common a-z alphabet, so we have 26 possible characters and a length of 7: 26 ^ 7 = 8.031.810.176 combinations. At 3.000.000 hashes per second that is about 2.677 seconds, so following our formula it takes 45 minutes at maximum, for a common person, to brute force this password.

Let’s also have a look at my passphrase “Remember back then, in 2012, when everyone thought we’ll die!”. Here we have the common a-z alphabet twice (capital and non-capital), plus special characters and digits, so we have 26 (a-z) + 26 (A-Z) + 10 (0-9) + 33 (space and !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~) = 95 possible characters, and the phrase is 61 characters long.

95 ^ 61 = 4,3766309037604472008182006329351e+120

Meaning it would take waaaaaaaaay above a billion years to brute force this password.

Conclusion

At the end of the day, I actually used lower speeds than are possible at the moment, just to prove my point. There are 8-GPU cracking machines that are capable of 400 GH/s, which means a password like “shine2468” would be cracked in up to 5 minutes, despite the fact that it has a character set of 36 characters.
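The keyspace and crack-time arithmetic from the analysis and the conclusion above, as an added Python example that is not part of the original post. It assumes the same class-based alphabet (26 + 26 + 10 + 33 = 95 printable ASCII characters) and the two hash rates the post uses, and it reports the worst case of a full keyspace search; the passphrase is written with a straight apostrophe so it stays within that alphabet.

```python
import string

# Character classes as summed up in the post: 26 + 26 + 10 + 33 = 95.
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SPECIAL = " " + string.punctuation  # space plus the 32 punctuation marks = 33
CLASSES = (LOWER, UPPER, DIGITS, SPECIAL)

# Constructed sample inputs: the three passwords discussed in the post.
LETMEIN = "letmein"
PHRASE = "Remember back then, in 2012, when everyone thought we'll die!"
SHINE = "shine2468"
GTX_1080_LOW = 3_000_000      # the post's deliberately low 3 MH/s figure
EIGHT_GPU_RIG = 400e9         # 400 GH/s cracking machine from the conclusion


def charset_size(password: str) -> int:
    """Size of the class-based alphabet a brute force has to cover."""
    unknown = [c for c in password if not any(c in cls for cls in CLASSES)]
    if unknown:
        raise ValueError(f"characters outside the 95-char alphabet: {unknown}")
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))


def keyspace(password: str) -> int:
    # possibleCombinations = possibleCharacters ^ passwordLength
    return charset_size(password) ** len(password)


def seconds_to_exhaust(password: str, hashes_per_second: float) -> float:
    """Worst-case time to try every combination at the given rate."""
    return keyspace(password) / hashes_per_second


def human_time(seconds: float) -> str:
    """Render seconds as the largest sensible unit, e.g. '44.6 minutes'."""
    units = (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60))
    for name, size in units:
        if seconds >= size:
            value = seconds / size
            return f"{value:.2e} {name}" if value >= 1e6 else f"{value:.1f} {name}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    for pw in (LETMEIN, PHRASE, SHINE):
        print(f"{pw!r}: charset {charset_size(pw)}, length {len(pw)}, "
              f"keyspace {keyspace(pw):.3e}")
        for rate in (GTX_1080_LOW, EIGHT_GPU_RIG):
            print(f"  at {rate:.0e} H/s: {human_time(seconds_to_exhaust(pw, rate))}")
```

These figures are an upper bound: they assume a blind search over the whole alphabet, whereas the dictionary attack described earlier targets common words and phrases directly and never has to walk the full keyspace.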

Solution

Move away from the common password and step back to the passphrase, like everyone called it back then. So what I actually do: I have a couple of useful phrases in my head for services that I use frequently and can’t use my password manager on; everything else is stored in a password manager. I personally use and recommend LastPass – of course, it costs a little money (not much actually), but I recommend paying for your password service with money and not with your data (free services).

If you don’t trust other organizations, there are still plenty of open source options like KeePass available.


TheWoolHatBoi
