A password is a secret phrase or word known to a user alone or a restricted group of users. Countless websites require a password to secure users' accounts. The password might require a minimum number of characters or a symbol and a number combination.
But does that guarantee a safer password?
Regardless of web users' intentions, policies often force them to choose terrible passwords. Evidence demonstrates that when sequences of arbitrary procedures are implemented, users become irritated and select awful passwords. This occurs partly because most people have no idea of how their passwords can be maneuvered.
Despite repeated warnings from the cybersecurity community, many think switching letters for their numerical variant –like "3ebra"– makes their passwords more challenging to crack during an attack when it does nothing. Once this happens, users have two problems: an unsecured password and a delusion of security because the password appears difficult to them but is simple for a computer to decipher.
You can generate or teach others how to set up good passwords by better understanding how passwords are compromised and the math involved.
All in the Same Place
Assuming a pickpocket stole your credit card and then tried to use it to access your account. (Let's also think your bank won't freeze the stolen credit card after five or more unsuccessful attempts, as it is done nowadays). Like most banks, a 4-digit PIN is used to withdraw money from an ATM. So what are your chances that your money is secure?
What are the odds that he will successfully guess your password only by chance?
There are ten possible combinations since the first digit of your PIN could be any number from 0 to 9. There are also ten options because there isn't a limitation for the second digit that would restrict his possibilities (for example, if you couldn't use a PIN with recurring numbers). The same goes for the third and fourth digits.
There are 10,000 possible passwords, one of which could be yours: 10 x 10 x 10 x 10=10,000. A random sample of 10,000 passwords would have a 1 in 10,000 probability of an attacker accurately predicting your password.
Because humans cannot generate random numbers or anything else, this is not completely true in reality. The prejudices in our brains hold us captive. Even while it seems like we came up with the numbers at random, we tend to utilize sequential numbers and think in groups of two or four numbers more frequently.
In practice, a subset of those 10,000 possibilities occurs significantly more frequently in the real world. For example, 1234 or 1111 show up much more regularly than 7148.
Although it is improbable that the criminal will have ample time to input 10,000 combinations in an ATM, a standard computer can perform tens of billions of attempts per second. An attacker could easily decode a 4-digit PIN.
However, while it is unlikely that the criminal will have enough time to type in 10,000 combinations in an ATM, a regular computer today can accomplish tens of billions of trials per second. A 4-digit PIN would be cracked rapidly. Increasing the sample space of your password as much as possible can make it difficult to break; it is more difficult to deduce the right password out of a trillion combinations than a thousand.
What is Password Space?
Password space is the total number of possible password combinations for a specific alphabet, set of characters, and maximum password length. It measures the security and vulnerability of passwords by calculating the number of random guesses that can be made to find a password during a brute force attack.
The size of allowed characters (alphabets, numbers, symbols, etc.) and the length of the password determine how large the potential password space is. As a result, the longer and more complex passwords are used, the more challenging it becomes for adversaries to brute force a somewhat uncrackable password because password space becomes wide.
How to Calculate Password Sample Space
From the credit card example earlier discussed, we calculated the sample space of the PIN by multiplying the number of permitted characters for permitted digits. Ten eligible characters were input for each digit; 10 x 10 x 10 x 10 or 104.
To calculate password sample space, we can use the formula S = CN
Where:
S= total number of possible passwords in the sample space
C= the number of characters in the pool of available characters
N= the number of characters in our password.
• If you use a password that has only uppercase letters, then C =26 • If you use a password that has uppercase and at least one lowercase letter, then C =52 • If you use a password that has uppercase letters, at least one lowercase letter, and numbers, then C =62 • If you use a password that spreads across all characters, then C =95 Now, let's compare different passwords and see how their sample space will differ from each other: Example: YGMEOH C = 26 (uppercase only)N=6 S = 308,915,776 or about 309 million password combinations
S= CN S= 266 = 308,915,776 combinations Using all characters and leaving the password length at 6 characters, we have:
Example: @Q:t-2
C = 95
N=6
S = 735,091,890,625 or about 735 billion password combinations
S= CN S= 956 = 735,091,890,625 combinations.
Using only uppercase letters and increasing the length to 16 characters, we have
Example: tfucbxqhjyepvgmw C = 26
N = 16 S = 43,608,742,899,428,874,059,776 password combinations, approximately 59 billion times greater than @Q:t-2, our last example. S= CN S= 2616 = 43,608,742,899,428,874,059,776 combinations. From the above illustration, it is evident that sample space makes a password hard to crack, not the inclusion of symbols or numbers. You can increase the size of the sample space in length with more characters.
How to Measure Password Strength: Entropy
Entropy in this regard is a measure of the size of the sample space of a particular password, i.e., a measure of the password strength. It is not easy to measure how difficult cracking a password could be without knowing how it was generated. Nevertheless, having a number –expressed in bits of entropy– that shows whether a password could be easy or hard to crack comes in handy. The higher the entropy, the harder it becomes to crack the password; the lower the entropy, the easier to crack. Recall that decimal digits have ten possibilities; 0 to 9 but a binary digit –also known as a bit– has only two possibilities which are 0 and 1; i.e., S=CN for decimal digit is 10N, but for a bit, it is 2E; where E is the number of bits. So, if a bit represents a sample space of two possibilities, then the entropy of 50 bits will define a space of 250= 2 x 2 x 2 x … possibilities. Therefore, a password of 50 bits of entropy will be gotten from a pool of 250 unique passwords. Likewise, a password with 51 bits will be obtained from a collection of 251, making it harder to crack than a 50-bit password. The formula below can be used to calculate a password's entropy E= log2 (CN) OR E = N x log2 (C) For example, let’s calculate the entropy of BerbeCUE201 Here C= 26 +26 + 10 =62 N = 11 E = N x log2 (C) E = 11 x log2 (62) = 11 x 5.9541 E = 65.5 bits From S= 2E S = 265.5 S = 52,175,271,301,331,128,849.398 combinations For Berbecue2(!0>}}} the entropy will be E = N x log2 (C) E = 16 x log2 (95) = 16 x 6.5698 E = 105.1 bits From S= 2E S = 2105.1 S = 43,476,296,738,970,232,553,127,150,068,066.389 combinations The above examples validate that the higher the entropy, the harder it becomes to crack such a password. So entropy shows how many trial attempt it will take to brute force a password. Statistically, an adversary will get the password earlier than the last attempt; they do not need to go through all combinations before getting the right one. So when calculating a password's strength, the expected number of guesses is considered; this is often 50% of the number of attempts to guess right. For a 105.1 bits password, S= 2E – 1 S = 2105.1 – 1 S = 21,738,148,369,485,116,276,563,575,034,033.194 combinations.
Why High Entropy is not Enough
Choosing a secure password involves many factors, which include password entropy. If two passwords have the same entropy, one can be moderately strong while the other is incredibly weak. This is due to password dictionaries, which are catalogs of leaked passwords available on the internet.
Using such catalogs is known as a Dictionary Attack, where any adversary attempting to crack your password would try the password dictionaries before attempting a brute force attack. So, if you use a password in this dictionary, the number of bits of entropy won't matter as the password will be cracked swiftly.
Password Hashing Algorithm
If web administrators stores password in plain text on their server, it'll be easy for attackers to get the passwords if they can access the web server, even if the passwords are strong. This is why it is highly recommended that passwords should be salted and hashed before storing them. Instead of storing the password itself, a signature of the password is produced via a hashing mechanism, and the hash is stored.
Salting of passwords involves adding a string of 32 or more random characters to a password before hashing passwords.
Hashing algorithms are one-way processes that make it computationally impossible to reconstruct a password from the hash–signature. This algorithm turns passwords into an opaque series of irreversible numbers and letters. Numerous algorithms can be used for hashing, including bcrypt, MD5, SHA, NTLM, and so on.
How Passwords can be Cracked
-
Hashing of all possible passwords in the sample space Since it is impossible to reverse hashed passwords back to plain text, what you can do to crack a password is to hash all possible passwords of that sample space and find the hash that matches your target. If found, then you've successfully cracked the password. Hashing passwords requires hash rate –computational power– and some hashing algorithms are harder to compute compared to others, making them time-consuming or even unable to crack. This is why the SHA-1 algorithm is a poor hashing choice because SHA-1 hashes are calculated by the computer very quickly, which makes it vulnerable.
As previously explained, the more comprehensive your sample space of password, the more possibilities an attacker has to hash before finding any hash that matches. Sometimes, a more expansive sample space can make cracking your password impossible, taking hundreds of thousands of years to crack.
-
Brute Force Attack A brute force attack is when an attacker tries to guess the correct password out of the password possibilities on the sample space. This is done by submitting many passwords until the correct one is found. This approach is relatively uncommon because it is so ineffective. It only works if your password is very short, like less than eight characters, or if the attacker is aware that you only used a particular character set (e.g., numbers, alphabets, or alphanumeric alone).
-
Dictionary attack Attackers usually make assumptions about how people create passwords, especially longer passwords, where brute force attack is inefficient. As mentioned earlier about human prejudices, our choices are influenced by certain behaviors. So attackers create a catalog of commonly used phrases, patterns, and passwords like "mypassword" and start trying them to see if their hashes match their target. If it doesn't, they adjust it slightly, like changing it to "myp4ssword," and try again.
Any attack arising from this kind is called a Dictionary attack, where computational power is used to create dummy passwords from words most people are likely to use.