Passwords are as only as strong as the requirements to make the password. When I was a kid one of the passwords to our clubhouse was “opensesame”. This was probably the same password as half the kids across the United States who watched the same Sinbad and Aladdin movies that I did. Obviously this was a weak password which was easily guessed. Let’s move onto those locks which have four spinning numbers from 0 to 9.
Each of these numbers can be 0 to 9 and there are four numbers. So the total possible number of combinations is 10*10*10*10 (otherwise written as 10^4) or 10,000 combinations. This is easily conceptualized because the possible combinations are the numbers between 0 and 9,999 which are indeed 10,000 combinations.
Now imagine if each of these wheels had all of the lowercase letters of the alphabet and there were four of them. The total number of possible combinations would be 26*26*26*26 (26^4) since there are 26 characters in the alphabet. The total keyspace would be aaaa through zzzz for a total of 456,976. Keyspace is the entirety of all possible combinations of an algorithm. In this case the algorithm is to turn the four wheels until it matches the known combination.
So what happens if I double the number of characters on each wheel. Let’s say that I add all of the upper case letters from A to Z to each wheel. That would be a total of 52 choices at each position. The total keyspace is now 52*52*52*52 (52^4). The total number of combinations are now 7,311,616. However, let’s imaging that instead of doubling the choices on the wheel we double the number of wheels. We return the choices of each wheel to the 26 lowercase letters and increase the number of wheels to eight. The total possible combinations are 26*26*26*26*26*26*26*26(26^8). This means the total number of combinations for this 8-wheel lock are 208,827,064,576. As you can see, longer passwords are usually better than more complex passwords when it comes to brute force attacks but may be less secure when it comes to dictionary attacks. We will talk about these in the next segment.
In order for an operating system like Microsoft Windows to check to see if you are entering the correct password, it has to store those passwords in some form to check against what you are entering every time you log in or unlock your screen. What Windows does, and most other systems do, is to take your password and hash it and store the hashed password. What is hashing, you ask? Hashing is taking your password and running it through a cryptographic algorithm. Let me give you a simple example. Let’s say your password is “eggs”. A simple hashing algorithm is to take the numeric value of each letter and add them together. In this case an “e” is 5, a “g” is 7, and an “s” is 19. So the hash of your password is 5+7+7+19 or 38. That number 38 would be stored by the operating system and checked against the password you enter every time you log in or unlock the screensaver. A cryptographic hash is considered a one-way algorithm in that if you had the number 38, you couldn’t say that “eggs” was your password. Of course, the algorithm used by most operating systems are much more complex than just adding numbers together. That said, MS Windows uses one of the oldest hashing algorithms of any modern operating system in use today.
The two main ways passwords are broken are through brute force and through dictionary attacks. Since passwords are stored as one-way hashes, the only way to figure out the password from the hash value is to repeatedly go in that same direction of starting with a word and entering it through the algorithm.
To use a brute force method for a four-character password, I would start with aaaa and then move to “aaab” and then “aaac” and then “aaad”. This would continue until I got to “eggp”, “eggq”, “eggr”, and “eggs”. As you can imagine this can be quite extensive if we have to go through every combination of letters one by one.
Once this becomes too time-intensive to do because we are trying to crack eight-character passwords, we start using dictionaries to create password guesses. In this case I would start using a list of English- language 4-character words like those found here http://www.yougowords.com/start-with-e/4- letters. Using a dictionary I would try “else” then “ever” then “evil” until I came to “eggs”. As you can see, it is a lot easier to try known words from a dictionary than to try all possible letter combinations.
But it gets better than this. Hackers know that people like to keep things simple when using complex passwords. One of the most common things to do to meet complexity requirements is to add “!1” to the end of a password. So if “eggs” is not good enough, then “eggs!1” should be sufficient. This becomes important when we talk about why this matters below.
A password is meant to protect your data for a short period of time. The base premise is that hackers already have the hash of your password and it is just a matter of time before they crack the password. So it is a race. If you can change your password before they crack your current password, you win. If they crack your current password before you change your password, they win. So two things are at play here, one is to set a password reset period to a reasonable time. Most companies use 90 days. Then the company has to set a complexity or length rule that will stymie hackers for at least 91 days. The longer the time between password changes, the more complex or the longer the password has to be.
So if my username and password are compromised, why should I care? If the complexity was good enough, then I have already changed my password by the time the password was cracked. That is a good thing right up until we take human nature into account. Chances are that when “eggs!1” expired that I rolled right into “eggs!2” and then “eggs!3”. Since hackers know this, they take these base dictionary words and add common combinations of symbols and numbers to the beginning and end. They can also change “E” to “3” or an “L” to a “1”. So if “eggs!1” is compromised, so is every other iteration of “eggs!1” through “eggs!9”. So, if you use complex passwords with a base word surrounded by common complexity characters such as “!” or “@” and one of your passwords is compromised, every iteration of passwords containing that base word should be considered compromised.
Oftentimes, the rules will allow you to use very long non-complex passwords which we showed above are better than short, complex passwords. To show you this I need to add one more fact and that is that the character set for complex passwords that includes lowercase, uppercase, symbols, and numbers is 94 different characters. So “astringofpoloponies” is better than “#JF*&Dgu”. Remember, 26^18 is bigger than 94^8. To show you this, here are the two numbers below:
94^8 = 6095689385410816
26^20 = 29479510200013918864408576
So, even if an old password is found to be compromised, you should be concerned enough to change your habits and start using longer passwords. Compromises happen and the weak hash in which Windows stores passwords can only be countered by very long passwords that only you can create. Oh, and extra credit for anyone who got the Honeymooners reference, Season 5, Episode 31. https://longislandweekly.com/string-poloponies-thats-polo-ponies/