In 2015, the UK government released an article advocating the use of 3 random words in passwords, citing "pragmatism and algorithmic strength against common issues like brute force attacks".

> #Thinkrandom when creating passwords – #use3randomwords to make them /qtA43ffLf6
>
> Cyber Aware, April 21, 2017

Two years later, a plethora of respected Twitter users continue to push this advice. If you're one of them (looking at you), I implore you to read this article thoroughly and reconsider your position.

Understanding the basics.

After you've entered your chosen password, a responsible site should store it using a suitably strong password hashing algorithm (bcrypt, PBKDF2, Argon2 etc.). Note, I said "password hashing algorithm": this is a different concept from a general-purpose cryptographic hashing algorithm. The developer, mindful of the threat landscape, the value of the data and the server's resources, will configure their chosen algorithm (its work factor, or cost parameter) so that each hash takes a set time to compute. For example, it's reasonable to expect a hash to be generated in 400 to 500 milliseconds (roughly half a second). This delay is crucial, as it dramatically increases the time required to brute-force their way into your account: a 0.5 second delay is insignificant to the real user, who logs in once, but a real burden to an attacker needing to try trillions of candidate passwords, each of which costs them the same work.

In an ideal world, sites would all use a well-configured algorithm and users would opt for strong, truly random passwords.

Getting the basics wrong.

Another, entirely inappropriate storage method is a plain cryptographic hash (message digest) algorithm. The underlying principle is the same: derive a fixed-length output for any given input. However, these hashes are designed to be blisteringly fast to compute, which is exactly what an attacker wants. Examples of such hash algorithms are MD5 (still very common, and possible to brute-force at a rate of around 200 billion guesses a second on GPU cracking hardware), SHA-1 (70 billion a second), SHA-256 (23 billion a second), SHA-512 (8 billion a second) and so on.

As this article, and indeed most password advice, is aimed at the end user, it's important to choose a password based on the worst-case scenario: assume the site stores our credentials in the weakest possible way and mitigate that risk first.

Characters vs words: the premise behind the advice

Long, strong, unique and complex passwords are inherently difficult to remember. This inevitably leads to password re-use, recycling and insecure storage. On that basis, I fully understand the need for an alternative, more pragmatic approach. However, are words really a secure alternative? Let's dive in.

The Maths

For an attacker, carrying out a brute-force attack is a last resort: the process of trying every possible candidate in order to break a password hash. It is, however, a guaranteed way (given sufficient time and resources) to gain access to an account. To understand the challenge our attacker faces, we first need to understand exponents. If our password is built from an alphabet of 8 possible characters and is 3 characters long, the calculation is the alphabet size raised to the power of the length:

8^3 = 512

In this example there are 512 possible passwords, meaning our attacker is guaranteed to access our account after at most 512 attempts.

Let's take it one step further with a real-world example. If a password consists of a-z, A-Z and 0-9, we have 26 characters + 26 characters + 10 numbers, an alphabet of 62 symbols. Now let's assume it's 12 characters long, meaning our exponent is 12:

62^12 = 3,226,266,762,397,899,821,056 possible passwords (three sextillion, two hundred twenty-six quintillion, two hundred sixty-six quadrillion, seven hundred sixty-two trillion, three hundred ninety-seven billion, eight hundred ninety-nine million, eight hundred twenty-one thousand and fifty-six).

Obviously, that's an enormous burden to our attacker: even against unsalted MD5 at the 200 billion guesses a second quoted above, exhausting that space would take over 500 years. It results in a password they're never going to break, assuming the password is chosen at random.

Now you understand how passwords are stored and broken, we can begin to understand why some believe 3 (or more) random words are a better, more secure alternative.

"MTLWcAXfY4Dy" is a 12-character, random password. "jump desk polish" is a 3-word, random password.
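The arithmetic the article walks through (alphabet size raised to the password length, divided by the attacker's guess rate), written out as an added example that is not part of the original article. It generalises the calculation to a word list of any size, since the article breaks off before running the numbers for word passphrases, and it shows the tunable-cost password hash (PBKDF2 from the standard library) that the article contrasts with fast digests. Assumptions, not from the article: the 7,776-word list size is the length of the Diceware list; the attacker paying the same 0.5 seconds per guess as the article's example server-side cost is the article's simplification taken at face value; the record format used by `hash_password` is this example's own.

```python
"""Brute-force arithmetic for character passwords vs word passphrases, and a
slow, salted password hash with a calibrated work factor.  Added example; the
hash rates are the article's figures, the word-list size and record format are
assumptions of this example."""
import hashlib
import hmac
import os
import time

SECONDS_PER_YEAR = 365.25 * 24 * 60 * 60

# Guesses per second for each storage method, from the article's figures.
# The last entry assumes the attacker pays the same 0.5 s per guess that the
# article gives as a sensible server-side cost for a tuned password hash.
HASH_RATES = {
    "MD5": 200e9,
    "SHA-1": 70e9,
    "SHA-256": 23e9,
    "SHA-512": 8e9,
    "tuned password hash (0.5 s/guess)": 1 / 0.5,
}

ALNUM = 26 + 26 + 10     # a-z, A-Z, 0-9: the article's 62-symbol alphabet
DICEWARE_WORDS = 7776    # assumed word-list size (length of the Diceware list)


def keyspace(symbols: int, length: int) -> int:
    """Distinct passwords of `length` symbols drawn, with repetition, from an
    alphabet of `symbols`.  For a word passphrase, `symbols` is the list size."""
    return symbols ** length


def years_to_exhaust(space: int, rate: float) -> float:
    """Worst case for the attacker: try every candidate at `rate` guesses/s."""
    return space / rate / SECONDS_PER_YEAR


def compare(length_chars: int = 12, words: int = 3,
            word_list: int = DICEWARE_WORDS) -> dict:
    """Years to exhaust a random character password vs a random word passphrase
    under each hash rate.  Returns {rate_name: (char_years, word_years)}."""
    char_space = keyspace(ALNUM, length_chars)
    word_space = keyspace(word_list, words)
    return {name: (years_to_exhaust(char_space, rate),
                   years_to_exhaust(word_space, rate))
            for name, rate in HASH_RATES.items()}


def calibrate_pbkdf2(target_seconds: float = 0.5, probe: int = 20_000) -> int:
    """Pick a PBKDF2-HMAC-SHA256 iteration count costing about `target_seconds`
    on this machine: the knob that makes a password hash slow, which MD5 and
    the SHA family do not have."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"probe", bytes(16), probe)
    elapsed = time.perf_counter() - start
    return max(1, int(probe * target_seconds / elapsed))


def hash_password(password: str, iterations: int, salt: bytes = b"") -> str:
    """Salted PBKDF2 record (this example's own format): the iteration count is
    stored with the hash so it can be raised later as hardware gets faster."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and cost; compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unsupported record")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    print(f"8^3 = {keyspace(8, 3)}")
    print(f"62^12 = {keyspace(ALNUM, 12):,}")
    for name, (chars, words) in compare().items():
        print(f"{name:36} 12 chars: {chars:>14,.1f} y   3 words: {words:>12,.4f} y")
    iters = calibrate_pbkdf2()
    record = hash_password("jump desk polish", iters)
    print(f"\n{iters:,} PBKDF2 iterations for ~0.5 s; verify correct/wrong ->",
          verify_password("jump desk polish", record),
          verify_password("jump desk polish!", record))
```

Run it as a script to print the table: the 62^12 space takes about 511 years to exhaust at the MD5 rate, while three words from a 7,776-word list (about 4.7 x 10^11 candidates) fall to the same MD5 rate in seconds and only become a multi-millennium job when each guess costs the attacker half a second. That gap between the rows, not the choice of characters or words by itself, is the point the article's worst-case advice is driving at. `calibrate_pbkdf2` is timing-based, so re-run it on the hardware that will actually verify logins, and store its result in the record as `hash_password` does.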