Strong passwords are often considered to be an double edged sword – they must be strong so they cannot be broken, but they are also required to be easy to remember (so that they are not written down and lost). The problem is, the more complex you require a password to be, the harder it is to remember for the user and the more likely it will be written down and lost. Additionally, because passwords are required to be changed so often (for security reasons), it makes it even harder to remember them -usually by the time you get it down, it is time to change it again. This is very frustrating to users.
Recently, I was introduced (from Steve Gibsons Security Now podcast) to what could be a possible solution to this issue. It is called the “Password in the Haystack” approach. This methodology contends that it is not the complexity of the password that gives us strength.
There are two main ways to attack a password – both online and offline. An online attack is when a malicious person will send the password to the server and attempt to guess the password until he/she gets it right – this is commonly referred to as a Brute Force attack- this method requires the attacker to try every combination of characters until they get the correct one. An offline attack occurs when an attacker gains access to a database containing passwords and performs an attack -using items such as rainbow tables – to break the one-way hash that is performed on the passwords.
In either case, it is commonly assumed that the more complex your password is, the harder it is to guess. That is not necessarily the case.
There are two things that make passwords secure; the size of the dataset characters of pulled from and, the length of the password.
Take for instance the two following passwords:
VrF39..1aw
……Pass……………
Which do you think would take longer to crack?
The first password seems to be more secure; it uses numbers, lower case alpha characters, upper case alpha characters, and special characters.
The second password would not meet the complexity standards of most organizations, contains a common dictionary word, yet is much more secure that the first.
The reason is because the length of the password. This is the most important aspect of creating a password.
An offline attack using rainbow tables basically uses a database of hashes that correspond to passwords for all combinations of the dataset characters. The drawback to this methodology is that the databases that store the pre-defined hashes are huge -in fact, a database that supports passwords up to 8 characters (using a 95 character dataset to generate the password) is 576 GB – and that is per algorithm used to hash the password (NTLM, MD5, SHA1, etc). The issue with this method of attack is that, as the passwords grow longer, the number of possibilities that must be hashed and stored grows exponentially with each additional character, making it impossible to store all that data. A long password defeats current capabilities with Rainbow tables (except for possibly the NSA, but who knows what they have).
In an online attack, the attacker must generate the password and send it to the server. The response from the server is a simple YES or NO on whether the entire password was correct. That means that the attacker must cycle through all combinations of the character set until they find your password – the shorter the password, the faster they can cycle through the combinations. With each character added, the number of combinations grows exponentially, making the password harder to guess.
In both cases, the complexity of the password has nothing to do with the security. More so, the size of the dataset that the attacker must choose from – and the length.
The size of the dataset can be defined in this way –
lower case alpha – 26 Character dataset
lower case + Upper Case alpha – 52 Character Dataset
lower case + Upper Case alpha + numeric – 62 Character Dataset
lower case + Upper Case alpha + numeric + special characters – 95 Character Dataset
So let’s break down a password.
Using the just the password “Pass”, we have a 52 possible character (upper and lower case alpha) dataset that must be used to attack (online or offline) the password. Since the length is four, that gives us 7,454,980 possible combinations that must be attempted.
In an online attack scenario, that would take roughly 2 hours.
In an offline attack scenario. that would take less than 1 second.
Simply by adding an additional character set — replacing a s with a period (length is still four) we can greatly increase the security.
Pas.
85 possible characters to choose from
52,822,060 Possible Combinations that must be tried
In an online attack scenario, that would take roughly 14.5 hours.
In an offline attack scenario. that would take less than 1 second.
We see that the character set can increase security, but I want to show how the length can greatly increase the security of a given password.
Just by simply adding an additional character (instead of a whole new character set), we see a dramatic increase in security.
Passs – 387,659,012 Possible Combinations, Online 4.5 Days, Offline <1 sec
This trend continues:
Passss – 20,158,268,676 Possible Combinations, Online 7 Months, Offline <1 sec
Passsss – 1,048,229,971,204 Possible Combinations, Online 33 Years, Offline 10.5 Seconds
As you can see, as you increase the length, the combinations that must be tried grow exponentially, thus making the password harder to guess.
This gives credence to the new proposal of password in a haystack.
The basic premise of password in a haystack is to hide a simple, easy to remember password, in a “haystack” of padding that you know and use.
One common method of defeating offline attacks and rainbow tables is web site admins will often “Salt” their passwords before they are hashed and stored. This basically means that there is a common set of characters that is used to PAD all passwords before they are hashed and stored into a database. Unless the SALT is known by the attacker, they will never be able to crack the stored credentials.
The password in the Haystack method is similar in that we want to use padding on our passwords (basically to make them longer, but easier to remember). From our original example, we can see that we simply used periods to PAD or “Salt” a simple password and make it nearly unbreakable, yet easy to remember.
The trick is that the user must devise a unique pattern (that only they know) that they use with their passwords. They must also come up with a simple password that uses one of each of the character sets. Combine it in any form they want.
For instance – if I want to devise my own scheme, it might be:
Open bracket and 5 periods, whatever my password of the month is, 15 asterisks and close brackets
[…..Pass***************]
When I change my password next month, all I need to do is change the needle (Pass) inside of my haystack – the padding. The scheme or haystack padding will always stay the same.
[…..W0rd***************]
By always using the same haystack (as long as it remains secret and you do not write it down), I am able to create simple passwords that are easier to remember, yet passwords that are unbreakable by current technology.
To give you an idea of the strength of this password:
Possible Combinations -2,663,234,997,260,162,196,476,097,223,547,872,948,519,727,017,017,120
Online Attack – 8.47 hundred trillion trillion trillion centuries
Offline Attack – 8.47 thousand trillion trillion centuries
The final recommendations is to:
Use at least one character from each character set.
Create your own padding scheme
Make the password as long as you care (over 20 characters – preferably 25).
Further examples of this methodology are:
Pass888888888888888..
Word888888888888888..
911911911911911Pass!!
911911911911911Word!!
859859.Pass.859859859
859859.Word.859859859
Come up with your own haystack and test your password strength at https://www.grc.com/haystack.htm.
NOTE – please keep in mind that one vulnerability to this methodology would be shoulder surfing. Because your padding might be repeating characters, it would be easier devise your password as opposed to overly-complex passwords where your fingers are dancing all over the keyboard
informal security 