Everyone has heard how important it is to have a well-built, strong password. A substantial number of people would agree that password hygiene is as important as personal hygiene, since neglecting the former may lead to much more serious consequences. However, statistics show that 59% of users use their names and dates of birth as their passwords, 43% have shared their passwords with other people, and only 45% would change a password after a breach (O’Driscoll, 2020). The aim of this post is to show how to create strong passwords.
It is necessary to know how passwords are cracked in order to properly understand what password can be called a strong one. There are two ways to execute an attack: online and offline.
An online attack is done by trying different passwords one by one through the normal log-in process. Usually, such attacks are unsuccessful, since they are easy to detect and to block if necessary (Burnett and Kleiman, 2006). I think everybody has encountered a situation where they forgot a password and kept guessing it until the system stopped further attempts. Therefore, it is obvious that the attacker would want to guess the password within the first 2 – 3 attempts. This attack is usually aimed at people with really obvious, popular and weak passwords, such as password, a name and date of birth, qwertyuiop, or 12345678. The attacker usually uses up all available attempts to guess the password and, if unsuccessful, switches to another victim (Burnett and Kleiman, 2006). The idea is that it is much easier to find a person with a weak password than to execute a brute-force attack online.
In order to execute an offline attack, the attacker needs to get access to the hashes of the passwords he wants to crack. A system does not store passwords as plain text. Passwords are usually hashed. A hash is the result of a complex mathematical formula that modifies the plain text (Burnett and Kleiman, 2006). The hashing process cannot be reversed; therefore, it is impossible to get the plain-text password from the hash. When a user enters a password in a system, the password goes through hashing and the result is compared with the stored hash. If the results match, the user gets access to the service. Hashing protocols are public and any person can get access to them. There are two ways for an attacker to get access to the system after he obtains a password hash. The first way is to guess the password. The attacker can execute a brute-force attack: an attack that tries to guess the password by trying candidate passwords one by one, hashing each of them and comparing the result with the hash the attacker obtained. The other way is a hash collision. Hashing means using a mathematical formula to get the result; therefore, there is always a possibility that two different passwords produce the same result after hashing.
In order to show how a brute-force attack works, I will use the program called Cain & Abel, which I have installed on a Windows 7 virtual machine. It provides the user with lots of possibilities. Firstly, I need to hash some password in order to attack it. I hashed the password 11211311.
You can see a lot of hashing protocols in the picture; there is more information about them later in the post. I used MD5.
The next screenshot shows the number of possible passwords which consist of only numbers with a length between 1 and 16 characters.
The attack was executed and here are the results:

Although I was running the program on a virtual machine, it took only 3 seconds to crack the password.
Then I investigated how many possible passwords consist of lower-case characters and numbers with lengths 1-8, 1-9, 1-10 and so on:
1. 1-8: 2901713047668
2. 1-9: 104461669716084
3. 1-10: 3760620109779060
4. 1-11: 135382323952046190
The results show that adding one more character makes it 36 times harder for the attacker to brute-force your password.
Here is a comparison between the numbers of possible passwords with a length of 8 characters consisting of only numbers (n); lowercase characters (l); numbers and lowercase characters (nl); numbers, lowercase and uppercase characters (nlu); and numbers, lowercase and uppercase characters and symbols such as *%@# (nlu*).
1. n: 100000000
2. l: 208827064576
3. nl: 2821109907456
4. nlu: 218340105584896
5. nlu*: 1113034787454976
The next list shows the result of dividing each group's count by the n-group's count:
1. n: 1
2. l: 2088
3. nl: 28211
4. nlu: 2183401
5. nlu*: 11130347
That means that a password which consists of numbers, lowercase and uppercase characters is 2183401 times stronger than a password which consists of only numbers.
Another problem is that attacking software sometimes does not only check whether a generated hash matches the provided one or not; it can also remember it and build a table of plain-text passwords and their hashes. With such a table, future attacks would be much faster. Such tables are called rainbow tables, and their size can be scary.

There are tables with a size of up to 1 TB, as is shown in the picture. However, the picture also shows that such tables usually consist of passwords with a length of up to 8-10 characters, and up to 14 characters for passwords that consist of only numbers. That means that if your password is longer than 10 characters and consists of lower-case characters, upper-case characters and numbers, any rainbow table from the list above is harmless for you.
There are different hash protocols. Some protocols are reliable and safe; some of them are not. Protocols such as MD5 and SHA-1 are considered outdated and unsafe at the moment, though they were considered safe and reliable when they came out. The main weakness of hashing algorithms is the probability of collisions. Google reported the first SHA-1 collision in 2017 (Arias, 2019).
Nowadays, SHA-256 and SHA-3 are considered to be safe and are widely recommended by Google (Arias, 2019).
In conclusion, there is a list of qualities the password should meet to be considered as strong:
• It should consist of numbers, lower- and upper-case characters, since such a password is 2183401 times stronger than a numbers-only password and 78 times stronger than a password with both lower-case and upper-case characters without numbers.
• It should be longer than 14 characters, since that allows you to avoid most rainbow table attacks.
My major project is going to cover the topic of password security. It will discuss the alternatives to password authentication. Moreover, the quantitative research will cover the level of awareness of people about password security. Furthermore, my project will cover the topic of how criminals gather information in order to prepare for an attack. Case studies will include my personal experience of a phishing attack along with other important examples of criminal activities connected with breaking passwords. All activities are covered in the project plan post, and the time management is represented with a Gantt chart.
References:
O’Driscoll, A., 2020. 25+ Password Statistics that may change your password habits. [online] Comparitech. Available at: <https://www.comparitech.com/blog/information-security/password-statistics/> [Accessed 14 October 2021].
Burnett, M. and Kleiman, D., 2006. Perfect Password. Saint Louis: Elsevier Science.
Arias, D., 2019. How to Hash Passwords: One-Way Road to Enhanced Security. [online] Auth0 - Blog. Available at: <https://auth0.com/blog/hashing-passwords-one-way-road-to-security/> [Accessed 14 October 2021].
This is a very well written and in-depth blog post. As a project theme though how would you take this further and what would you explore throughout the term to enhance this strong start?
Thank you for your feedback!
I have lots of ideas on how to take it further, and I have made myself a list of things I want to explore and add to my project. Everything is under control :)