You think you think that's a safe password?

What is a good password? Almost every website gives almost the same standard:

The

length is more than 8, it should contain uppercase and lowercase letters, numbers and symbols; Do not use any words that appear in the dictionary, including partial replacements (such as using [email protected] or FAI1).

As long as your password meets these criteria, basically the site will reward you with a green strong password-good password. But in fact you and the site are wrong. Why? The reason for this is to start with how the password is cracked.

How hackers crack passwords

A Web site validates a user by more than the password entered in the database. However, in general, these passwords are not stored in clear text, but a hash algorithm for the saved password one-way encryption, the output of the results can not be calculated. For example, "123456" through the SHA-1 hashing algorithm results are 7110eda4d09e062aa5e4a390b0a572ac0d2c0220, through this result is unable to know the original password.

The password entered when the user logs in will also be computed using the same hashing algorithm as the hash value, and the correct password hash value stored in the database, consistent with the correct input password.

Hackers who get hashed password files can use brute force to crack Fabienne which account is associated with which password. They can start with a simple password, which can be found from the previous attack dictionary library, or from a generic dictionary, and then a combination of words.

If the password length is shorter, the character set used is only case-sensitive, the crack speed will be much faster. Hackers can use rainbow tables (pre-computed hashes) to speed up brute force. The use of complex and uncommon passwords should be a good choice (for example, like spooning1!, which is difficult to include in a rainbow table). But that's not really the case.

Because the computing power is now very powerful, with ordinary computers combined with the GPU capabilities of the graphics array, brute force can handle 1 billion to hundreds of billions of passwords encrypted with the SHA-1 algorithm per second. However, if the password is 11, 12, or more, and is randomly generated in all possible characters, it is difficult to crack even with such a powerful computational power brute force method.

But the problem is that most people are not using randomly generated passwords. Of course, there is a reason for not having a random password, because random passwords are hard to remember (the brain mechanism is so hard to remember the combination of random alphanumeric symbols). Trouble is here, because those "good password" rules have been known to hackers. Markus Jakobsson points out that this is a contradiction between the security and usability of password settings.

in the study Jakobsson found that some people because like Apple, so the password is used "apples", but the site requires capital letters, so he changed the first letter to a, perhaps the site said it is unsafe, there must be numbers and letters, Usually the user chooses the simplest way to satisfy the rule, add a 1 and add one later! -"apples1!". According to the previous password setting rules, "apples1!" is undoubtedly a good password (at least compared with those of XXX).

but hackers often do the same, using dictionaries and individual letter substitutions, as well as the usual number and symbol extensions to shorten the time to crack (as predicted by Markov chain techniques). In 2013 years, three security experts used a compromised database for testing, with a 1-hour success rate of 60%, and 20-hour success rate of 90%.

That being said, the story cannot be told when the password is set. The researchers found that the security of passwords set with the "Fast password" method depends on the probability of the combination being used in the corpus. For example, the common "I Love You Honey" appears in Microsoft's Corpus Web N-gram services at a frequency of 2/100000000, which is relatively bad password. And about the work on the road accidentally trampled a frog's "Frog works flat" The probability is only 3 of the million one, the intensity is very high. So, to get a good password, the key is to tell your story.

Instead, Jakobsson advises users to use the so-called " Quick Write Word " method to set a password, which is organized into a story with several words, which forms a combination of passwords. For example, when running a squirrel, you can quickly remember as "running Forest Squirrel". This approach is easy to remember because of the storyline, but since the number of characters used usually exceeds 10 to 12, brute force is difficult to crack unless the cracker uses other techniques such as word combination. But the likelihood of a word combination is almost limitless, which is almost impossible for brute force.

Originally from: IT http://techfoxbbs.com

You think you think that's a safe password?