Which Of These 2 Passwords Would Be More Difficult To Crack?


Maestro

I know – or I think I know – all about how to create a strong password, i.e. it should be long and it should be a combination of lower case and upper case characters plus numeric digits plus non-alphanumeric digits, but this is not what I want to ask about.

Question: which of these two passwords would be more difficult to crack?

dobka倫qtoq

dobka20523qtoq

There is probably a mathematical formula to figure this out but I would not know where to start looking for it.

--

Maestro

Link to comment

Thank you for the link to the Password Meter. I thought the Chinese character with the high unicode number 20523 might count more than a simpler symbol like, for example, a question mark but now I see that they count exactly the same. Doesn’t seem fair.

--

Maestro

Link to comment

You may also find that, depending on the way they have been programmed, some sites may reject the unicode character, as many limit the acceptable set to upper and lower case symbols, numerals and a selected set of characters.

Edited by harrry
Link to comment

Varying my examples a little I now came up with a password that counts 100% on the Password Meter: d6Bk3a倫q>X

I may be wrong but I still think an algorithm would take longer to crack a symbol with a 5-digit unicode than a symbol with a unicode <256. However, I do not know how these cracking algorithms are usually used and it may be naive of me to think that they start at zero and work up from there. More like, they work at random and therefore can hit on 20523 just as quickly as hitting on 63.

I've learnt something more today about the strength of a password and will keep it in mind for my periodic password changes. Of course, it should be something that is not too difficult to remember, like an Esperanto or Swahili word spelt backwards with some individual letters upper case and the odd number and symbol thrown in.

--

Maestro

Link to comment

I took my precautions. There are unicodes for only about 32,233 Chinese characters, or some are perhaps Korean. A random number generator gave me the number 20523 for 倫 and I will be careful not to use that one for my ThaiVisa login :)

--

Maestro

Link to comment

I don't think you need super strong passwords at all

Your password will be guessed only if you used something very easy, like an English language word. As long as you didn't do that, people will get your passwords by installing a key logger or trojan on your system, but not with a brute force attempt. I'd assume most websites will only let you try a limited number of times (10? 100?) before shutting you out completely, so brute forcing won't work for the most part.

Link to comment

It is also important to think of what for / where the password will be used. Actually trying to crack a password is very inefficient and not what most hackers/crackers would use. A brute force attack ... i.e. trying all the combinations is the last resort.

Generally most brute force attacks will first use a dictionary based attack using common / default passwords, e.g. "password", date of birth, football team name etc., before moving on to try letter / number combinations.

If you look at the current iphone worm attack, the attack was a lot easier because the default password has not been changed.

Apple iphone worm attack

Man in the middle and Man in the browser attacks use social engineering to try to get programs on your computer and then they will monitor what is going on in the background ... in these cases whatever your password is it won't prevent the problem. These types of attack are what have been used in several high profile (and in some cases undocumented) attacks on on-line banking accounts that have resulted in the loss of millions of dollars ....

Man In The Middle Attack

Man In The Browser Attack

If the password is to protect something like an excel spreadsheet then again the password can be broken in seconds using programs easily found on the internet that scan the actual excel spreadsheet.

More often than not, the hacker / cracker will target the actual code that checks the password and then bypass that by injecting code so that the password code returns a 'valid password' reply.

Link to comment

If the Unicode is accepted as a single character, then that password would be significantly stronger from a brute-force perspective.

You calculate the number of possibilities as n^x, where n is the number of characters, and x is the total available characters you can use for any digit. Therefore, with 8 characters you have the following:

0-9: 10 possibilities per character, 1,073,741,824

a-z: 26 possibilities per character, 3x10^23

a-z, 0-9: 36 possibilities per character, 3x10^32

a-z,A-Z: 52 possibilities per character, 9x10^46

a-z,A-Z,0-9: 62 possibilities per character, 4x10^59

UTF-32: up to 4 billion possibilities per character...

Security people are warning that you now need a minimum of [a-z|A-Z|0-9] character options and 12 digits to make the password not economically crackable for the next 5 years. If any part of the word can be guessed by a dictionary and numbers associated with you (birthday, anniversary, etc), the security drops off significantly. A dictionary attack on English words can reduce the problem to about 10^11 to 10^20 with a little effort. Any password that is not truly random is significantly less secure than a random one.

Link to comment
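The post above gives the keyspace formula but not the two candidates from the original question under both readings of the Chinese character. The following is an added example (not code from anyone in this thread) that computes length × log2(pool) for each password, once with 倫 counted like any other symbol (what the Password Meter did) and once as a single pick from a CJK pool. The CJK pool size is an assumption for the example: the CJK Unified Ideographs block U+4E00..U+9FFF, 20,992 code points.

```python
import math

# Per-class pool sizes.  The CJK figure is an assumption for this example
# (one Unicode block of 20,992 code points); the thread's ~32,000 estimate
# would change the result by less than a bit.
POOL = {"digit": 10, "lower": 26, "upper": 26, "symbol": 33,
        "cjk": 0x9FFF - 0x4E00 + 1}


def char_class(ch: str) -> str:
    """Map one character to the pool an attacker would have to search for it."""
    if ch.isascii():
        if ch.isdigit():
            return "digit"
        if ch.islower():
            return "lower"
        if ch.isupper():
            return "upper"
        return "symbol"  # printable ASCII punctuation, 33 characters
    return "cjk"         # every non-ASCII character lumped into the CJK pool (assumption)


def entropy_bits(password: str, unicode_as_symbol: bool) -> float:
    """Brute-force search space in bits: len * log2(pool), where pool is the
    union of the character classes present.  unicode_as_symbol=True treats a
    non-ASCII character like '?'; False treats it as one pick from the CJK
    pool, i.e. the 'accepted as a single character' case in the thread."""
    classes = set()
    for ch in password:
        cls = char_class(ch)
        if cls == "cjk" and unicode_as_symbol:
            cls = "symbol"
        classes.add(cls)
    pool = sum(POOL[c] for c in classes)
    return len(password) * math.log2(pool)


def compare(a: str, b: str) -> dict:
    """Whole-bit entropy of two candidates under both models."""
    return {
        "unicode_as_symbol": (round(entropy_bits(a, True)), round(entropy_bits(b, True))),
        "unicode_as_cjk": (round(entropy_bits(a, False)), round(entropy_bits(b, False))),
    }


def code_point(ch: str) -> int:
    """Decimal code point of a character (the number quoted for 倫 above)."""
    return ord(ch)


if __name__ == "__main__":
    print(compare("dobka倫qtoq", "dobka20523qtoq"))
    # {'unicode_as_symbol': (59, 72), 'unicode_as_cjk': (144, 72)}
```

Under the Password Meter's counting, the longer all-ASCII password wins (72 bits vs 59); counted as one character from a large pool, the Unicode version wins by a wide margin (144 vs 72), which is exactly the disagreement in this thread. Either figure only describes a blind brute-force search, not a dictionary attack on the Esperanto or Swahili root.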

Quoting the post above: "If the Unicode is accepted as a single character, then that password would be significantly stronger from a brute-force perspective. [...] Any password that is not truly random is significantly less secure than a random one."

Pearls to the pigs here.

Who are these "security people"? Which systems actually let you attempt to brute force passwords? And which of those are security relevant? What's the point of a 20 character ultra-random password when most passwords nowadays are either keylogged or bypassed altogether? Do you know the number of real world exploits using brute force attacks on passwords in the last 2 years? It's zero.

Take my banking password. I chose a reasonably good password, e.g. not my last name, or my mother's maiden name. If you were to attempt to brute force that password, you'll get 3 attempts before the server locks you out and I have to call in to reset this.

Brute forcing passwords is a thing of the past, so don't obsess about the security of your password. Just choose one that's not totally stupid, and that's good enough.

Exception: If you have sensitive data on your laptop and you are encrypting your hard drive, then a really strong password will keep it secure. That's the only instance I can think of where a brute force would be attempted. I personally don't encrypt my home folder because I think the possibility of losing data from a disk error is much higher than the chance that my laptop gets stolen.

Edited by nikster
Link to comment

I agree that good enough is good enough for most applications, but I would add don't reuse passwords on different sites! Here is my Tale Of Horror:

I used to be involved in an open source CMS project. One of the developers was asked to leave for anti-social behaviour, and turned nasty. He managed to break into the project's community website and capture the database for about 30,000 members, including the hashes of the passwords. He used a brute force dictionary attack against the hashes and was able to recover many passwords (presumably weak ones). We don't know how many passwords he got, but probably quite a lot. That was the beginning of the nightmare.

At first he was just logging into people's website accounts and trolling with them. Then he discovered that many people had been using the same password everywhere, and he started breaking into people's private email accounts elsewhere. From there, he could use password retrieval services to access other websites and services people had accounts with, messing up their business sites, clients etc.

But the real gem was that one of the passwords he obtained belonged to a developer, who had reused the password on the *software repository for the project*. He managed to slip some poisoned code into the software that gave him a back door. The next time the project released a new version most people downloaded it, installed it and he suddenly had backdoor access to everyone's site, and thousands more hashes to play with. What a mess.

Cleaning it up took about 2 years. We knew fairly quickly that he had recovered passwords, but convincing thousands of people to change their passwords and not to reuse them on sensitive sites was a very painful process. He probably has access to a large number of people's personal stuff to this day, only the individuals he victimised sufficiently would have gone and changed every password to everything they had. The project software now adds a long salt to whatever password people choose to use, to make dictionary attacks on the hashes very difficult.

So personally I used Password Safe. It generates and stores long random passwords, you just have to remember one 'master' password to open the safe. This stops the 'lazy' effect of reuse due to having too many passwords to remember!

Edited by Crushdepth
Link to comment
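The story above ends with the project adding a long salt to stored passwords. As an added illustration (not the project's code or anything posted in this thread), the following contrasts a fast unsalted hash, which a single precomputed table of weak words matches for every user at once, with a per-user random salt plus a slow key-derivation function (PBKDF2-HMAC-SHA256), where two users with the same password get different records and the table has nothing to key on. The word list and the record format are constructed for this example.

```python
import hashlib
import hmac
import os
from typing import Optional


def hash_unsalted(password: str) -> str:
    """Fast, unsalted hash: equal passwords give equal hashes for every user,
    so one precomputed table of common words matches all of them at once."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_salted(password: str, salt: Optional[bytes] = None,
                iterations: int = 200_000) -> str:
    """Per-user random salt plus a slow KDF.  The record 'iterations$salt$hash'
    carries everything verification later needs (format chosen for this example)."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def verify_salted(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


# Constructed sample: a tiny table of weak passwords indexed by their unsalted
# hash, standing in for the dictionary used against the leaked database.
WEAK_WORDS = ["password", "letmein", "qwerty", "football"]
PRECOMPUTED = {hash_unsalted(w): w for w in WEAK_WORDS}


def table_lookup(stored: str) -> Optional[str]:
    """One lookup recovers a weak password stored as an unsalted hash; a salted
    record never matches because each user's hash input is different."""
    return PRECOMPUTED.get(stored)


if __name__ == "__main__":
    rec = hash_salted("football")
    print(table_lookup(hash_unsalted("football")))  # football
    print(table_lookup(rec))                         # None
    print(verify_salted("football", rec))            # True
```

The salt does not make a weak password strong; it only forces the attacker to work on each record separately and at the KDF's cost, which is why the advice about not reusing passwords still stands.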

Good story, crushdepth. Certainly worth thinking about that.

I don't think the guy would have caught me because of my three level system. I use a weak password for all websites where I don't care. A medium one for email access that I don't use for anything else. And a hard one for my banking. So I have to remember three passwords. And the majority of sites just get the weak password, so then if you steal this password you can post as me on TV or whatever, but nothing else. It would be a nuisance but nothing too tragic. Certainly not get you my email or bank info.

Now maybe I'll add a fourth for all my work accounts haha. Seems like that's where I'd be most vulnerable.

Link to comment
