Good and Bad Passwords How-To
Knowledge of Password Cracking Techniques Leads to a Single Rule for How NOT to Create Passwords
Whose Side Am I On?
By this point I suspect some readers may be asking whose side I am
on. Haven't I just handed crackers instructions for improving their
cracking dictionaries? Perhaps, but I expect the sharp crackers
figured this out long before I did. Dictionaries can and should be
made irrelevant. To understand why and how, those who want passwords
that can't be cracked need to understand how cracking tools work.
We know that, now and for some time into the future, brute force
attacks cannot reliably succeed against passwords of reasonable
length drawn from a sufficiently large character set. Dictionary
attacks can be defeated just as easily by not using "dictionary"
words. We're going to restate the DONT's as one simple, absolute
rule regarding passwords.
Do NOT create any password from any single character sequence
that is electronically accessible, and do not use any variation or
permutation of such a character sequence, regardless of how
obscure you think that variation to be!
Because the rule is so general, it should be supplemented with
some of the standard advice, which gives more tangible examples
that users can relate to. Without keyboard sequences being named
explicitly, for example, few users are likely to realize that
lists of these have been compiled.
Standard Password DONT's Revisited
Reviewing the standard password DONT's, every rule listed except
9 (personal information) and 14 (repeating characters) is
actually a specific instance of the second rule, which has now
been generalized into the new rule above. Even the first rule,
about account names and personal information in the password
file, is another specific case of the general rule; that
information has been shown to be the single most productive
source for cracking passwords available. As cracking tools
evolve, they may start collecting information from other
computerized sources. If the more traditional sources (dictionaries
and ordinary word lists) become less productive, and other sources
about the specific account can be shown to be more productive, the
cracking tools will acquire these abilities.
Rule 10, not using anything you can imagine being collected into a
list, is good advice for avoiding things that aren't in the
crackers' dictionaries today but may be tomorrow. "Great" license
plates are a specific example of this. I've searched and can't
find such a list, but it looks like a good candidate. I also
haven't seen any lists of "good passwords", but wherever an
example of one appears, it's probably worth the crackers' effort
to add it to their dictionaries. If someone shows an example of
how to form a good password, you can pretty much count on someone
else using that specific example and thinking they have a good
password.
Not using personally related information is typically one of the
first password DONT's. Except for what is contained in the passwd
file (or the SAM, on Windows systems), this isn't relevant to
password crackers as they exist and are used today. When you look
at what constitutes personal information, you get names, words and
numbers. Unless there is something very different about a specific
individual, all the names and words that pertain to them already
exist in computer lists and should not be used for that reason.
The numbers could easily exist as electronically accessible
information.
Personal Information and Focused Dictionaries
Paul Bobby has proposed an approach to creating "Focused
Dictionaries"1 in which significant amounts of personal
information are collected and manually added to the GECOS field
of the passwd file being cracked. He then identifies a number of
transformations, including grammar changes (s, ed, ing), the
letter substitutions already identified, and numeric sequences of
00 through 99. He comes up with over 300,000 transformations per
two-word pair and provides John the Ripper rule syntax to
implement these.
It's my personal opinion that not enough people make passwords
from personal information for this to be cost effective, and that
better returns would be achieved by optimizing the dictionaries
and rule sets as discussed previously. At present there is no
empirical evidence to support either position, but a properly
conducted study would show the relative merits of the different
approaches. "Focused Dictionaries" require a lot of labor for each
target and thus must be highly productive to be worthwhile.
Optimized dictionaries apply knowledge gained from one target to
others.
One of the weaknesses of Paul Bobby's proposal is that not enough
variations are identified. For birth dates only one format, mmddyy,
is identified. Given the numerous ways any date can be formatted, I
think that format would account for only a modest percentage of
those who did use their birth date as, or in, their password.
mm-dd-yy, mm/dd/yy, yymmdd, mmddyyyy and yyyymmdd are all as likely
if the date is the entire password. All of the following may also
be used as part of a password: myy, mmyy, md, mdd, mmdd, mond
(jan4, mar27, Jul9), dmon. Still more formats are plausible:
mm.dd.yy, mondyy (dec765), dmonyy (11aug72), monyyyy, mmyyyy,
monthd (April17). Phone numbers, social security numbers, license
plate numbers and addresses also contain pieces that are 2 to 5
digit sequences, all of which are easy to remember. Given the
amount of labor required to collect personal information, all
plausible transformations and combinations of that data should be
tried.
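The following is an added example, not code from this page or from Paul Bobby's proposal, that makes the two preceding discussions concrete: it expands one birth date into every format listed above (whole-password and embedded forms, with month names in three capitalizations), applies the grammar-ending, letter-substitution and 00-99 transformations to a seed word, and, on the defensive side, checks whether a candidate password contains any date fragment. The birth date, the seed word and the candidate passwords are constructed test data; the function names and the leet table are this example's own choices.

```python
"""Personal-information password candidates, and a check against them.

Added example, not code from the page or from Paul Bobby's proposal.
The birth date, seed word and candidate passwords are constructed test
data.  Month names come from strftime, which in the default C locale
yields English forms ("Aug" / "August")."""
from datetime import date


def date_fragments(d):
    """Every date format the text lists for one date, as a set of strings.

    Whole-password formats (mmddyy, mm-dd-yy, ...) and pieces that get
    embedded in longer passwords (myy, mond, dmonyy, ...) are included;
    anything containing a month name is emitted in lower, Capitalized
    and UPPER case, since a cracker's rule set would try all three."""
    mm, dd, yyyy = f"{d.month:02d}", f"{d.day:02d}", str(d.year)
    m, day, yy = str(d.month), str(d.day), yyyy[2:]
    frags = {
        mm + dd + yy, f"{mm}-{dd}-{yy}", f"{mm}/{dd}/{yy}", f"{mm}.{dd}.{yy}",
        yy + mm + dd, mm + dd + yyyy, yyyy + mm + dd,
        m + yy, mm + yy, m + day, m + dd, mm + dd, mm + yyyy,
    }
    for case in (str.lower, str.capitalize, str.upper):
        mon, month = case(d.strftime("%b")), case(d.strftime("%B"))
        frags |= {mon + day, day + mon, mon + day + yy, day + mon + yy,
                  mon + yyyy, month + day}
    return frags


GRAMMAR = ("", "s", "ed", "ing")                       # grammar endings
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}  # assumed table


def mangle(word):
    """Bobby-style transformations of one word: grammar endings, three
    capitalizations, the letter substitutions above, and an optional
    00-99 numeric suffix.  Returns the set of resulting candidates."""
    out = set()
    for ending in GRAMMAR:
        stem = word + ending
        for cased in (stem.lower(), stem.capitalize(), stem.upper()):
            # substitute lower-case letters only, so "SUMMER" stays as is
            leet = "".join(LEET.get(c, c) for c in cased)
            for variant in {cased, leet}:
                out.add(variant)
                out.update(f"{variant}{n:02d}" for n in range(100))
    return out


def personal_wordlist(d, *words):
    """Sorted candidate list (date fragments plus mangled words), one
    entry per line as john --wordlist=FILE expects."""
    cands = set(date_fragments(d))
    for w in words:
        cands |= mangle(w)
    return sorted(cands)


def contains_date_fragment(password, d, min_len=3):
    """Defensive check: the longest date fragment of at least min_len
    characters found (case-insensitively) inside password, or None.
    min_len=3 avoids flagging every two-digit number such as the day."""
    pw = password.lower()
    frags = {f.lower() for f in date_fragments(d) if len(f) >= min_len}
    hits = [f for f in frags if f in pw]
    return max(hits, key=len) if hits else None


if __name__ == "__main__":
    born = date(1972, 8, 11)               # constructed sample birth date
    print(len(personal_wordlist(born, "summer")), "candidates")
    for pw in ("Sunny11aug72!", "Summ3r84", "Tr0ub4dor&3"):
        print(pw, "->", contains_date_fragment(pw, born),
              "| in mangle('summer'):", pw in mangle("summer"))
```

Writing `personal_wordlist()` to a file and running `john --wordlist=FILE --rules` layers John's own mangling on top of these candidates; `contains_date_fragment()` is the same data used the other way round, as a pre-check that a chosen password embeds no recognizable form of the user's birth date.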
Thus there is at least one systematic method proposed for using
personal information in password cracking. Further, it's hard to
keep track of the personal information entered into computers, or
to predict how inventive crackers might become in finding new
sources of computer information that can automatically be applied
to cracking efforts. Clearly the NT SAM has several large fields
for each user record that are not used by existing cracking tools.
On NT systems, applications like Outlook and Exchange might hold
useful information that can be directly related to account names.
Besides personal information, the names of any site-specific
groups a user is a member of might be a fruitful source of
account-targeted information on both Windows and Unix. On Unix
systems, users' home directories are likely to present similar
opportunities. The safe approach is not to use any personal
information in forming passwords.
It's worth remembering that with today's systems, anyone who can
obtain account names and password hashes can likely obtain any
other information on the computer, even if they do not yet have
full interactive access.
Copyright © 2000 - 2014 by George Shaffer. This material may be
distributed only subject to the terms and conditions set forth in
http://GeodSoft.com/terms.htm
(or http://GeodSoft.com/cgi-bin/terms.pl).
These terms are subject to change. Distribution is subject to
the current terms, or at the choice of the distributor, those
in an earlier, digitally signed electronic copy of
http://GeodSoft.com/terms.htm (or cgi-bin/terms.pl) from the
time of the distribution. Distribution of substantively modified
versions of GeodSoft content is prohibited without the explicit written
permission of George Shaffer. Distribution of the work or derivatives
of the work, in whole or in part, for commercial purposes is prohibited
unless prior written permission is obtained from George Shaffer.
Distribution in accordance with these terms, for unrestricted and
uncompensated public access, non profit, or internal company use is
allowed.