Picked this up while I was browsing, thought ya'll might find it informative.


Safety in numbers...and letters...

Submitted By : Michael Bloch

Published Date : 25th October 2001
Viewed : 1028 times


As we spend more time out on the Internet, our passwords list grows as a great number of the services we access require authentication. We are tempted to use the same password over and over, or to use easy to remember words.... a very unwise practice.




The other night I needed to access a Word document that I compiled a couple of years ago. Being a bit on the security conscious side, I had applied a password to it and guess what?...

I had forgotten the password I'd used...

So I set about running a little utility that would extract the password for me. I settled back with my cup of Moccona Indulgence, contemplating the complexities of toenail clipping while I waited for the password to be revealed along with the cheery "ding!" that would signal success.

I waited and waited...and then waited a bit more. I went to bed reassured in the prospect that it would be finished by the morning. And it was; only because I remembered the password. Over 750 000 000 password combinations had been flung at the file and it was still going. My poor PC still hasn't forgiven me...

There are a number of articles available on "how to choose a good password", so I won't reinvent the wheel, but simply provide a few statistics on how long it would take someone to hack a password under certain conditions - to illustrate the importance of having long passwords.

The times stated here are in relation to "brute force" attacks. A brute force attack is carried out by a program that throws every possible combination of letters and/or numbers and/or other characters at a file. Another popular form of cracking/hacking is a dictionary attack which utilises a (very large) file of commonly used words, names, film titles etc and some word substitutions (forwards, backwards,numbers for words,words for numbers). This is why it is never wise to use your name as a password. A cracker can very quickly extract passwords using dictionaries.

There are many types of brute force programs out there. The scariest thing is visiting some of these "security" sites and seeing how many times the utilities, which are often free and require no screening to access, are downloaded. One particular program had been downloaded over 40 000 times from one site. I won't name any programs for obvious reasons. The speed at which these programs work depends on a number of factors including

The speed of the computer using the program
The type of file being cracked (zip, document etc.)
The location of the file (WWW or "hands on" access to the computer)
The design of the program
Some brute force programs only operate at around 10 000 passwords per second, others claim to run at up to 4 000 000 passwords per second on Microsoft Office files using a standard PC. For this example, I will base it on a program operating at 1 million passwords per second on an Office document where the cracker has "hands on" access to the file. Times quoted are maximum.

4 character lower or upper case letters - under 60 seconds
4 character lower and upper case letters - under 60 seconds
4 character lower and upper case and number password - under 60 seconds

5 character lower or upper case letters (e.g golde) - under 60 seconds
5 character lower & upper case letters (e.g Golde) - approx 6 minutes
5 character lower & upper case and number password (e.g Gold4) - approx 15 minutes

8 character lower or upper case password - approx 58 hours
8 character lower & upper case password - approx 21 months
8 character lower & upper case and number password - approx 7 years

10 character lower or upper case password - approx 5 years
10 character lower & upper case password - approx 4648 years
10 character lower & upper case and number password - approx 26984 years



As you can see from the above, the longer your password the more secure it is as long as you adhere to the standard password choice guidelines.

Some other popular methods for hackers and crackers to gain a foothold in accessing your passwords that I haven't seen mentioned in many articles include:

Counting keystrokes as you type in your password - this can save them a lot of time
Installing a keylogger to your machine. This is a program that will record every keystroke into a file that can be retrieved later.
Of course, the 2 methods require the hacker to be in your presence and have direct access to your system. I mention this mainly for the teachers and I.T trainers out there who may have people in their classes eager to "strut their stuff". I once observed a training room where the students had installed a password hacking program that ran in the background onto an NT server . Since the server was on 24 hours a day, all they had to do was wait - administrators have a habit of using short, common passwords.

At the end of the day, no password is long enough and no security system is bulletproof. If someone really wants to access your files or information about you, there are a number of ways to do so. Taking proper precautions will eliminate the opportunist hackers, who aren't really hackers at all, just bored people who are.....let's just say....."socially challenged".... ;-)