Monday, 14 November 2016 15:02

What You Need To Know About Passwords?


Choosing and managing passwords is the fundamental security measure in client’s control. Even if the application and it’s server is impenetrable, it means absolutely nothing if your password can be cracked by an average Joe.

You would think that all security conscious people would know how to protect themselves, but I frequently see cases like this:

CaliConnect’s Private PGP Key & Account Password Was “asshole209

Twitter– Launched & Hacked in 2 Hours (Password was: 123123123…)

Cantina Marketplace PWND: Admin Password was: “Password1” ?!

This tutorial contains explanations of password cracking when the server and client side are protected. These methods’ effectiveness highly depend on attacker’s processing power which we’ll analyze after attack methods.

If you just want to know easy way to be safe, jump to the ‘Easy way to manage strong passwords’.

Brute Force Attack

Brute-force attack is a technique of enumerating all possible password candidates and checking each one. This is no elegant attacking method, but sometimes it’s all that’s needed. This attack is feasible only for very weak passwords.

Dictionary Attack

Dictionary attack is a variant of brute force attack in which the attacker gathers all information about targeted password(s) and creates a ‘dictionary’. Dictionary is a customized list of password candidates, typically including a list of most common passwords first, dictionary words that are frequently used and some combinations. Next, the dictionary often contains all those words with common prefixes and suffixes such as numbers and punctuation signs.

Dictionary attacks are relatively easy to defeat by choosing a password that is not a simple variant of a word found in any dictionary. Many password cracking tools have built-in dictionaries. This page contains information on most popular tools, their dictionaries and collections of leaked password for analysis in one place.


Rainbow Tables

This attack is used when attacker owns the password database. It’s worth mentioning here because the complexity of your password will protect you even if the server is compromised. Protection wise, it’s enough to know that a strong password will do the trick here as well.

Skip this part if you just want to secure yourself without bothering with hashing, rainbow tables and salting.

Databases don’t contain plaintext passwords, but password hashes. Hash is the result of time-consuming function that obfuscates the input. When you enter your password, server calculates the hash of the entered value and compares it to the one stored in the database for the confirmation.

Very simple hash function example: take number 4 as the input: square it (16), take natural log (2.7725), multiply by pi (8.7103) and take factorial (gamma function) -> 189843.119. Now ask your friend how is 189843.119 related to 4. Chances are, no one can figure it out.

Password hashes often look like this one: qiyh4XPJGsOZ2MEAyLkfWqeQ

So, when an attacker compromises the password database he won’t be able to figure out your password (or will he?, read on). Here’s when rainbow table comes in – it’s a pre-computed table of passwords and their hashes. Attacker then compares the rainbow table hashes to those in the database. If hashes match, the password is discovered. Here’s a short example:

This is what we can find in a database:

User Password
RegularUser1 HgkHJgKHgKhKGhjfhgKvkGjKG
Administrator qiyh4XPJGsOZ2MEAyLkfWqeQ

Lets try to find this hash in the rainbow table:

Password Hash
password asdh4DFGsOZ2MEAyLkfWqES
qwerty qi8H8R7OM4xMfdMPuRAZxlY
pass1234 GsOZ2MEAM4xPuRAZxlqiyAFiy
passw0rd qiyh4XPJGsOZ2MEAyLkfWqeQ
abcdefgh nKv3LvrdAVtOcE5EcsGIpYBtniN

That’s why some servers ‘salt’ the hash by adding random value into the equation so the attacker can’t just download finished rainbow table, he needs to create a custom one for that salt and that requires a lot of time because hash functions are time-consuming. If different salt is used for each password, attacker needs to create a custom table for each password which is not feasible. Salt is stored next to the password, it’s no secret since it’s just making the attacker’s computer do a lot of ‘work’.

There’s only that much server side can do for you, it’s up to you to choose a strong password. If the attacker targets you specifically, he may create a rainbow table for your salt. It’s up to you to have a password that will not be in his table.

I’m surprised how many sensitive web services allow having weak password.

Practical analysis of these attacks

Analyzed time represents offline attack speed, online attacks are much slower than this, but it’s logical to seek for a password strong enough for offline attacks because it’s the maximum speed and it’s just a few characters away.

Password complexity depends on 2 characteristics: length and number of different characters. For example, if you use 8 digit password (only numbers – 10 characters): _ _ _ _ _ _ _ _ each field can contain 10 different characters, so there are 10*10*10*10*10*10*10*10 = 108 possible combinations. If attacker has a Pentium 4D, 3.2 Ghz processor he can try 2 million passwords per second. That means the password can be broken in 108 / (2*106) = 50 seconds.

Formula for the number of combinations the attacker need to try:

Awhere: A – number of different possible characters

B – password length

If password length is unknown, the attacker will usually try only the shortest ones. Let’s say he wants to try all 8,9,10 characters long passwords, the number of combinations is: A+ A9 + A10 .

Exponential growth

Luckily for us, password complexity rises exponentially when length increases. In the example above (only 10 digits) each extra character adds 10 times more possible combinations.

Here’s a table for passwords that contain only lower-case letters from English alphabet and digits – 36 different characters (Combinations = 36 ^ length):

Length (B) Combinations (36B) Individual capability 5000x individual
1 34 < 1 second < 1 second
2 1 296 < 1 second < 1 second
3 46 656 < 1 second < 1 second
4 1 679 616 < 1 second < 1 second
5 60 466 176 30 seconds < 1 second
6 21 76 782 336 18 minutes 1 second
7 78 364 164 096 10 hours 55 seconds
8 2 821 109 907 456 16 days 33 minutes
9 101 559 956 668 416 1 year 20 hours
10 3 656 158 440 062 976 60 years 30 days
11 131 621 703 842 267 136 2140 years 3 years
12 4 738 381 338 321 616 896 77025 years 110 years

X axis – password length in for 36 charset (letters and numbers)

Y axis – days to crack

word-image-20 What You Need To Know About Passwords?

Blue – Time in the first case was an experiment with previously mentioned Pentum 4D, 3.2 Ghz processor, affordable processing power for an individual.

Red – Time in the second case represents someone that can use 5 000 such processors.

We can see length 12 is sweet, it’s even more safe if we expand the character set to uppercase and lowercase letters, numbers and punctuation signs. Number of possible characters is 126:

Length (B) Combinations (126B) Individual capability 5000x individual
1 126 < 1 second < 1 second
2 15 876 < 1 second < 1 second
3 20 00 376 1 second < 1 second
4 252 047 376 2 minutes < 1 second
5 31 757 969 376 4 hours 22 seconds
6 4 001 504 141 376 23 days 47 minutes
7 504 189 521 813 376 8 years 4 days
8 63 527 879 748 485 376 1 032 years 2 years
9 8 004 512 848 309 157 376 130 000+years 184 years

X axis – password length in 126 charset

Y axis – days to crack

word-image-21 What You Need To Know About Passwords?

Blue – Time in the first case was an experiment with previously mentioned Pentum 4D, 3.2 Ghz processor, affordable processing power for an individual.

Red – Time in the second case represents someone that can use 5 000 such processors.


Using only lowercase or only uppercase letters and numbers, you need 11 characters long password.

If you’re using both lowercase and uppercase letters, numbers and punctuation signs you need 8 characters long password.

Neither should be predictable enough to be part of a dictionary attack list. I would recommend using 12 characters long password and wide charset.

Easy way to Manage Strong Passwords

Different password should be used for each sensitive account because attackers often check all your accounts for password they compromised.

Password should be at least 12 characters long and include uppercase and lowercase letter, number and a punctuation sign. You can easily meet those requirements by rambling on the keyboard, but it would be difficult to remember passwords.

Password Manager

Password manager allows the user to use hundreds of different passwords, and only have to remember a single password, the one which opens the encrypted password database. Needless to say, this single password should be strong and well-protected (not recorded anywhere).

Most password managers can automatically create strong passwords using a cryptographically secure random password generator, as well as calculating the entropy of the generated password. A good password manager will provide resistance against attacks such as key logging, clipboard logging and various other memory spying techniques.

To generate 1 strong password that’s easy to remember you can use a great source of entropy – your mind. Think of a sentence or two. Something like: ‘any sentence will do the trick, Just Make Sure It’s Over 12 Words’. Password would be: aswdtt,JMSIO12W (first letters in each word). You can remember the sentence easily and recreate the password later. Ideally, the sentence would include a sign and number.

There are many similar tricks out there if you don’t like this one.


So you don’t like installing a manager? Think of a good pattern that will not be obvious. An example would be: pick 2 numbers: 6,7 and surround your password with 67 and shift+6 = &, shift+7 = /. Also, uppercase 6thand 7th letter. If your password right now is password -> 67passwORd&/ is easy to remember and strong. The word can be something you can remember for each site, but stay away from obvious like domain name.

Avoid common letter-number substitutions like o – 0, I – 1. Here’s the same link once again, I highly recommend taking a look at common dictionaries and tools attackers may try to use against you.



World's leading professional association of Internet Research Specialists - We deliver Knowledge, Education, Training, and Certification in the field of Professional Online Research. The AOFIRS is considered a major contributor in improving Web Search Skills and recognizes Online Research work as a full-time occupation for those that use the Internet as their primary source of information.

Get Exclusive Research Tips in Your Inbox

Receive Great tips via email, enter your email to Subscribe.