In my last two posts (Password Science 101 and Password Science 201), I talked about password security from an introductory view, and hit on some of the math involved.
In this post, I'll talk a little bit about shortcuts that make the math easier, and talk about some of the actual techniques attackers use to attack passwords more efficiently. This isn't designed to be a comprehensive how-to for attackers to crack passwords. It's mainly designed to help the slightly math savvy and curious average person understand a little bit about the mindset of attacking a password.
First, it's important to remember, none of the previously discussed math comes into play unless a system gets broken into and the password hashes are stolen. Hash cracking is much faster than entering a password into a website one at a time.
In fact, many sites will lock accounts if too many bad guesses are used in a login form. But, it would be very inconvenient for you to have to call someone every time your email account was attacked, so most sites won't do this.
To avoid this, sometimes attackers will try very common passwords against thousands of accounts. By only trying one or two passwords, they hope to avoid detection. Eventually, they will find one account that works because the passwords are so common. Variations of the word "password", numbers such as "12345" or "111111", and patterns like "qwertyuiop" are all very guessable, for example. Even if this tactic takes months, or even years, they may still be successful. After all, when was the last time you changed the password for your personal email account?
But, with hashes in hand, cracking is much faster. Let's assume you have an 8 character password that requires at least one uppercase letter, at least one number, at least one lowercase letter, and at least one symbol. When we calculated this before, that was a keyspace of 7.2 Quadrillion possibilities. And using our 40 Billion guesses per second, this could take upwards of 50 days.
The first thing most people will do is attempt to reduce the keyspace they need to work through. This is based on how people think. Most people, for example, will put the capitol letter at the beginning of their password, and then use all lowercase letters, and put the numbers next, and the symbol at the end. For example: "Hotness92!" is more likely than "hoTNe92!ss" because it's easier to remember and to type.
So, if we assume that we only want to attempt to crack passwords that match the pattern ULLLLNNS (upper, lower, lower, lower, lower, number, number, symbol), we only have to test a keyspace of 265 (26 letters in 5 spaces) x 102 (two numbers) x 34 (the number of symbols) or 40,396,678,400. In other words, we're back down to a couple of seconds.
Patterns like this are only one of the ways people use to reduce the keyspace. If we assume that English words are used, vowels and consonents tend to occur in specific patterns and frequencies. Cracking programs can use mathematical models based on these patterns to say that Abbababa is more likely than aaaaaaaa or aaaaabbb, for example, if we assume that English words are being used.
But, the fastest way is to already know the password. By creating large lists of commonly used words or known passwords (often from previous successful attacks), attackers can generate dictionaries and simply quickly compare the hashes to the known values in a dictionary for cracking. This can make even 14 character passwords (or passphrases) easy to crack in minutes, provided they are predictable enough.
This is why you should probably avoid well known sayings or song lyrics in your passphrases. Change at least one word to something unpredictable to avoid this trap.