Last time, we talked about the various policies mentioned in the first part of Lorrie Cranor’s video, What’s wrong with your pa$$w0rd? Today, we are going to look at how hackers breach accounts, and some other methods to consider when trying to increase the strength of your password. Forewarned is forearmed, after all. You can find the video in our last article or at TED for reference.
Attack Types for Strength Measurement
Cranor and company tested password strengths for each of the policies we discussed previously using the major methods of attack that modern black hats exploit. Most systems don’t store the password itself but the output of a hash function (or something similar), so the hacker often strives to steal this hashed form of the password. The hacker then attempts to derive a password for the intended account that produces a matching hash. When it comes to this method of attack, you typically find two types of attackers: Dumb and Smart.
Dumb Hackers
Dumb Hackers, as the name implies, take the much slower, roundabout way of breaking into foreign accounts. These hackers compile a list of every conceivable password, beginning with one like ‘AAAAAA’ and moving on to ‘AAAAAB’, and so on. When executed properly, it’s only a matter of time before this hacker finds a way into an account. It’s like one of those Hollywood janitors who has a key ring with over a thousand keys and takes forever to find the one key that opens the door. Eventually, he’ll figure it out, but the wait can drain the value of the results. A strong, complex password can increase the longevity of an account against this type of attack exponentially, since every added character multiplies the number of combinations the attacker has to try.
Smart Hackers
Smart Hackers are much more precise and methodical, however. They typically reference a list of popular passwords provided by other attackers and use those first. Smart Hackers understand that people are wont to follow comfortable, safe patterns. Given the predictability of most users, Smart Hackers tend to have a higher success rate for infiltration. Laziness and lack of ingenuity on the part of the user are a Smart Hacker’s greatest allies.
So while Basic16 might be preferable to Comprehensive8, if a password is a simple one such as ‘basketballbasketball’, it won’t stop a hacker, whether smart or dumb, for very long. Special care must be taken no matter what policy you choose to enact to strengthen your passwords. Maybe you are looking for something else entirely? If so, Cranor has another option to try.
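To make the difference between the two attackers concrete, here is an added Python strength estimator; it is not code from Cranor’s study or from this blog. It models the Dumb Hacker as brute-force enumeration over the character classes a password uses, and the Smart Hacker as someone working down a ranked list of popular passwords and varying each entry in a fixed order (as-is, capitalised, doubled, with a number appended). The POPULAR_PASSWORDS list and the mangling order are constructed assumptions, not real attacker data, and the estimate is only as good as those assumptions.

```python
import math
import string
from typing import Iterator, Optional

# Constructed stand-in for a "popular passwords" list, ranked most common first.
# Real leaked lists run to millions of entries; this one only illustrates ranking.
POPULAR_PASSWORDS = [
    "123456", "password", "qwerty", "basketball", "football",
    "letmein", "dragon", "monkey", "sunshine", "iloveyou",
]


def keyspace(password: str) -> int:
    """Search space a 'dumb' attacker enumerates: every string of the same
    length over the character classes the password uses (AAAAAA, AAAAAB, ...)."""
    classes = (
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),  # 32 symbols
    )
    alphabet = sum(size for chars, size in classes if any(c in chars for c in password))
    if alphabet == 0:
        alphabet = 95  # nothing recognised: fall back to all printable ASCII
    return alphabet ** len(password)


def mangle(word: str) -> Iterator[str]:
    """Assumed order in which a wordlist attacker varies each entry: as-is,
    capitalised, doubled ('basketballbasketball'), then a short number appended."""
    yield word
    yield word.capitalize()
    yield word + word
    for n in range(100):
        yield f"{word}{n}"


def smart_guesses(password: str, wordlist=POPULAR_PASSWORDS) -> Optional[int]:
    """Guesses a 'smart' attacker working down the ranked list needs before it
    produces `password`, or None if these patterns never produce it."""
    count = 0
    for word in wordlist:
        for candidate in mangle(word):
            count += 1
            if candidate == password:
                return count
    return None


def strength_bits(password: str) -> float:
    """Effective strength in bits: a wordlist hit caps strength at the smart
    attacker's guess count; otherwise the brute-force keyspace applies."""
    guesses = smart_guesses(password)
    if guesses is None:
        guesses = keyspace(password)
    return math.log2(guesses)


if __name__ == "__main__":
    for pw in ["AAAAAA", "basketballbasketball", "password1", "Tq8#vLm2&xP4"]:
        print(f"{pw!r}: dumb={keyspace(pw):.3g} guesses, "
              f"smart={smart_guesses(pw)}, {strength_bits(pw):.1f} bits")
```

Run as a script, it shows the point of the paragraph above: ‘basketballbasketball’ satisfies Basic16 and has a brute-force keyspace of 26^20, yet the ranked-list attacker reaches it in a few hundred guesses, so its effective strength is around 8 bits. A password built from characters that no list entry or simple variation produces falls back to the full keyspace.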
PassWORD or PassPHRASE?
One of the interesting portions of the talk was an experiment that Cranor and company did on the structure of the password credentials. Based on a wildly popular viral comic from xkcd, Cranor tested the notion of using a passphrase over a password. The passphrase makes use of four random, connected words that are easy to remember but hard to guess right off.
Sounds good, right? Wrong. As it turns out, human error plays a big part in ruining the strength of these complex password policies, just as it does with the others. In the same way that certain symbols are weak additions to a password, the passphrase falls just short of perfection. Most human beings, when attempting to generate a passphrase, will choose words that go very well together, rather than words with barely any connection. Instead of something that they created specifically for the password, like in the comic above, most human beings pick something like “pen note mouse exercise.” It sounds clever, but how long would it take you to guess a password like that at a desk filled with pens, sticky notes, and an obviously used wireless mouse? This lack of creativity is a predictable security weakness that any hacker can exploit.
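The following added Python example (not from the talk or this blog) puts numbers on the paragraph above. It assumes a diceware-style dictionary of 7776 words for a genuinely random passphrase, and uses two constructed themed vocabularies (“workspace” and “sports”) to stand in for the words that go well together: if every word of a phrase comes from one small theme, an attacker who guesses the theme only has to enumerate that vocabulary. It also shows how to pick words with the operating system’s CSPRNG rather than by habit. The theme sets, the dictionary size and SAMPLE_DICTIONARY are all illustrative assumptions.

```python
import math
import secrets

# Assumed size of a diceware-style wordlist for a truly random passphrase.
DICTIONARY_SIZE = 7776

# Constructed themed vocabularies: the "words that go together" a person reaches
# for when inventing a passphrase. Real attacker lists are far larger.
THEMES = {
    "workspace": {"pen", "note", "mouse", "exercise", "keyboard",
                  "lamp", "coffee", "paper", "stapler", "phone"},
    "sports": {"basketball", "football", "soccer", "tennis", "golf",
               "baseball", "hockey", "cricket", "rugby", "boxing"},
}

# Constructed sample of unrelated dictionary words for the generator below.
SAMPLE_DICTIONARY = ["correct", "horse", "battery", "staple", "violet", "anvil",
                     "glacier", "trumpet", "cactus", "harbor", "quartz", "meadow"]


def passphrase_guess_space(phrase: str, themes=THEMES, dictionary_size=DICTIONARY_SIZE):
    """Return (theme, guesses): the theme all words share, if any, and the number
    of n-word combinations an attacker must try. Themed words shrink the space to
    |theme|**n; independently chosen dictionary words keep it at dictionary_size**n."""
    words = phrase.lower().split()
    n = len(words)
    for name, vocab in themes.items():
        if n > 0 and all(w in vocab for w in words):
            return name, len(vocab) ** n
    return None, dictionary_size ** n


def passphrase_bits(phrase: str) -> float:
    """Guess space expressed in bits for easy comparison with passwords."""
    return math.log2(passphrase_guess_space(phrase)[1])


def random_passphrase(dictionary=SAMPLE_DICTIONARY, n=4) -> str:
    """Pick n words with the OS CSPRNG (secrets, not random) so that no word
    depends on the previous one or on anything the user would pick by habit."""
    return " ".join(secrets.choice(dictionary) for _ in range(n))


if __name__ == "__main__":
    for p in ["pen note mouse exercise",
              "basketball football golf tennis",
              "correct horse battery staple"]:
        theme, space = passphrase_guess_space(p)
        print(f"{p!r}: theme={theme}, {space:.3g} guesses, {passphrase_bits(p):.1f} bits")
    print("generated:", random_passphrase())
```

With these toy numbers, “pen note mouse exercise” collapses to 10^4 guesses (about 13 bits) once the theme is known, while four words drawn independently from the 7776-word dictionary give 7776^4 guesses (about 52 bits). The generator is the defender-side lesson: let a cryptographic random source choose the words, then attach your own story to them afterwards.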
Don’t Despair
Well, now that Cranor and I have almost ruined your hopes for strengthening the passwords for your accounts, let me provide you with a useful nugget of advice. Take the weaknesses illustrated through the video and this article, and derive new strengths from them. Strengthening your password is not something impossible to do. Strong password policies are a great start, but there has to be more effort taken by the individual users. Just remember: human beings are predictable. The things that make your password easy for you to remember make it wildly easy to crack for the Black Hat on the other end.