Karl Lembke
Passwords

Bruce Schneier has an article at Wired about computer passwords. 

Offline password guessers have gotten both fast and smart. AccessData sells Password Recovery Toolkit, or PRTK. Depending on the software it’s attacking, PRTK can test up to hundreds of thousands of passwords per second, and it tests more common passwords sooner than obscure ones.

So the security of your password depends on two things: any details of the software that slow down password guessing, and in what order programs like PRTK guess different passwords.

What are “common” passwords?

When attacking programs with deliberately slow ramp-ups, it’s important to make every guess count. A simple six-character lowercase exhaustive character attack, “aaaaaa” through “zzzzzz,” has more than 308 million combinations. And it’s generally unproductive, because the program spends most of its time testing improbable passwords like “pqzrwj.”

According to Eric Thompson of AccessData, a typical password consists of a root plus an appendage. A root isn’t necessarily a dictionary word, but it’s something pronounceable. An appendage is either a suffix (90 percent of the time) or a prefix (10 percent of the time).

So the first attack PRTK performs is to test a dictionary of about 1,000 common passwords, things like “letmein,” “password1,” “123456” and so on. Then it tests them each with about 100 common suffix appendages: “1,” “4u,” “69,” “abc,” “!” and so on. Believe it or not, it recovers about 24 percent of all passwords with these 100,000 combinations.

Then, PRTK goes through a series of increasingly complex root dictionaries and appendage dictionaries. The root dictionaries include:

  • Common word dictionary: 5,000 entries
  • Names dictionary: 10,000 entries
  • Comprehensive dictionary: 100,000 entries
  • Phonetic pattern dictionary: 1/10,000 of an exhaustive character search

Password crackers also take advantage of biographical data, including things like birthdates, relatives' names and birthdates, the names of pets, home towns, and teachers. The zip code where a person lives turns up in a surprising number of passwords. Adding this data to the dictionary can significantly shorten the amount of time it takes to guess a password.

So if you want your password to be hard to guess, you should choose something not on any of the root or appendage lists. You should mix upper and lowercase in the middle of your root. You should add numbers and symbols in the middle of your root, not as common substitutions. Or drop your appendage in the middle of your root. Or use two roots with an appendage in the middle.

Even something lower down on PRTK’s dictionary list — the seven-character phonetic pattern dictionary — together with an uncommon appendage, is not going to be guessed. Neither is a password made up of the first letters of a sentence, especially if you throw numbers and symbols in the mix. And yes, these passwords are going to be hard to remember, which is why you should use a program like the free and open-source Password Safe to store them all in. (PRTK can test only 900 Password Safe 3.0 passwords per second.)
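The root-plus-appendage pattern above is easy to screen for on the defending side. The check below is an added example (not code from the post or from AccessData): it decomposes a candidate password into a common root and a common prefix or suffix, sizes the 1,000 x 100 first pass, and converts it to wall-clock time at the guess rates the article quotes. The word lists are tiny constructed stand-ins for the real dictionaries.

```python
"""Policy check for the root + appendage pattern the article describes.

Added example, not code from the post or from AccessData. The word lists are
small constructed stand-ins; the real PRTK dictionaries hold about 1,000
roots and 100 appendages, so the default sizes below come from the article.
"""
from typing import Optional, Tuple

# Constructed sample dictionaries (tiny; real lists are far longer).
COMMON_ROOTS = {"letmein", "password", "123456", "qwerty", "monkey", "dragon"}
COMMON_APPENDAGES = ["2006", "123", "abc", "4u", "69", "1", "!"]  # longest first

def decompose(password: str) -> Optional[Tuple[str, str, str]]:
    """Split `password` into (root, appendage, position) if it is a known root
    with a known suffix or prefix, else None. Case is ignored because simple
    capitalisation variants are among the first things a guesser tries."""
    p = password.lower()
    if p in COMMON_ROOTS:
        return (p, "", "none")                       # bare common password
    for app in COMMON_APPENDAGES:                    # longest match wins
        if p.endswith(app) and p[:-len(app)] in COMMON_ROOTS:
            return (p[:-len(app)], app, "suffix")
        if p.startswith(app) and p[len(app):] in COMMON_ROOTS:
            return (p[len(app):], app, "prefix")
    return None

def first_pass_guesses(roots: int = 1000, appendages: int = 100) -> int:
    """Size of PRTK's first pass per the article: each common root tried with
    each common suffix (1,000 x 100 = 100,000 combinations)."""
    return roots * appendages

def seconds_to_exhaust(guesses: int, rate_per_second: float) -> float:
    """Wall-clock time an offline guesser needs at a given rate. The article
    quotes hundreds of thousands of guesses/s against weak formats but only
    900/s against Password Safe 3.0; this makes that difference concrete."""
    return guesses / rate_per_second

def policy_verdict(password: str) -> str:
    """Reason string a signup form could show; 'ok' if no pattern matched."""
    hit = decompose(password)
    if hit is None:
        return "ok"
    root, app, pos = hit
    if pos == "none":
        return f"'{root}' is a common password"
    return f"common root '{root}' with common {pos} '{app}'"
```

At 900 guesses per second the 100,000-entry first pass alone takes about two minutes, while at hundreds of thousands per second it is over in under a second.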

And then there’s another problem, which may render this moot…

Even so, none of this might actually matter. AccessData sells another program, Forensic Toolkit, that, among other things, scans a hard drive for every printable character string. It looks in documents, in the Registry, in e-mail, in swap files, in deleted space on the hard drive … everywhere. And it creates a dictionary from that, and feeds it into PRTK.

And PRTK breaks more than 50 percent of passwords from this dictionary alone.

What’s happening is that the Windows operating system’s memory management leaves data all over the place in the normal course of operations. You’ll type your password into a program, and it gets stored in memory somewhere. Windows swaps the page out to disk, and it becomes the tail end of some file. It gets moved to some far out portion of your hard drive, and there it’ll sit forever. Linux and Mac OS aren’t any better in this regard.

So maybe you need to have a routine in the background that continually re-formats these pages of data as soon as they’re released by whatever application created them. (Call it “dust buster”?)
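Short of a system-wide “dust buster,” an application can do its own part: keep the password in a buffer it can overwrite, ask the kernel not to page that buffer out, and zero it the moment it is no longer needed. The following is an added example (not from the post); it assumes CPython, and the mlock() call is best-effort via libc, silently skipped where it is unavailable.

```python
"""Hold a password in a wipeable, pinned buffer and zero it after use, so the
plaintext is not left in memory for the OS to swap to disk.

Added example, not from the post. Assumes CPython; mlock(2) is attempted
through libc and skipped where unavailable (Windows, musl, RLIMIT_MEMLOCK).
"""
import ctypes
import ctypes.util
import hashlib
import hmac
from typing import Tuple

def _mlock(buf: bytearray) -> bool:
    """Best-effort mlock() on the bytes backing `buf`; True on success.
    Pages stay locked until the process exits, which is acceptable here."""
    try:
        libc = ctypes.CDLL(ctypes.util.find_library("c") or "libc.so.6")
        view = (ctypes.c_char * len(buf)).from_buffer(buf)  # same memory, no copy
        return libc.mlock(view, ctypes.c_size_t(len(buf))) == 0
    except (OSError, AttributeError, ValueError):
        return False

class WipedSecret:
    """Context manager holding a secret in a bytearray (mutable, so it can be
    overwritten in place; a str cannot be) and zeroing it on exit."""
    def __init__(self, secret: bytes):
        self.buf = bytearray(secret)
        self.locked = _mlock(self.buf)
    def __enter__(self):
        return self
    def __exit__(self, *exc):
        self.wipe()
        return False
    def wipe(self) -> None:
        # Byte-by-byte store in place: no transient copy of the secret is made.
        for i in range(len(self.buf)):
            self.buf[i] = 0
    def is_wiped(self) -> bool:
        return all(b == 0 for b in self.buf)

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def verify_then_wipe(supplied: bytes, stored_sha256: bytes) -> Tuple[bool, bool]:
    """Hash the supplied password, compare in constant time, and report
    (matched, plaintext_buffer_wiped). The plaintext is zeroed on exit."""
    with WipedSecret(supplied) as s:
        matched = hmac.compare_digest(sha256(s.buf), stored_sha256)
    return matched, s.is_wiped()
```

This does not help with copies the OS or other libraries make, which is exactly the gap the post is pointing at; it only stops the application itself from leaving the plaintext behind.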
