Ride the Lightning

How Many Times Would A Hacker Need to Guess Your Password?

November 15, 2016

Interesting question asked by a post on Naked Security. Could your password withstand 100,000,000,000,000 guesses, the kind of scrutiny it might face if it were stolen in a data breach and attacked offline by specialized hardware?

If that seems too hard, how about 1,000,000 guesses? That's the sort of resilience a password needs in order to fend off a much slower online attack against a website's login page.

Still too hard? What about 100 guesses? That's the number of failed attempts that the very latest NIST (National Institute for Standards and Technology) guidelines suggest should trigger a lock-out:

"Unless otherwise specified in the description of a given authenticator, the verifier SHALL effectively limit online attackers to 100 consecutive failed attempts on a single account in any 30 day period."

And of course we can all make a password that withstands 100 attempts, right? Well, not so fast . . .

According to recent research from China and the UK, an attacker with a little of your PII (personally Identifiable Information) has a one in five chance of guessing your password before they hit NIST's 100-guess shutout.

The researchers from China's Fujian Normal and Peking Universities, and the UK's Lancaster University, have developed TarGuess, a framework that intelligently targets individual users based on personal information that an attacker might reasonably have access to, like your name and birthday. According to the researchers, the sad truth is that TarGuess can achieve about 20% success rates against normal users with just 100 guesses, 25% with 103 guesses, and 50% with 106 guesses. This suggests that the majority of normal users' passwords are vulnerable to a small number of targeted online guesses (e.g. 100 as allowed by NIST)

If you're one of the hundreds of millions of people whose details have been stolen in attacks on Adobe, Yahoo, LinkedIn and others, then your publicly available PII could include another of your passwords, a so-called "sister password". Those "sister passwords" can give clues about how you create passwords – add them to TarGuess and the chances of beating the NIST shutout are even higher: TarGuess-III and IV [which use sister passwords] can gain success rates as high as 73% with just 100 guesses against normal users and 32% against security-savvy users

The chasm is the difference between how many guesses your password needs to withstand to deal with an online attack (about 1 million guesses) and how strong it needs to be to deal with an offline attack (about 100 trillion guesses).

Online attacks occur when someone attempts to log in to a website by guessing the password (they wouldn't type the password themselves of course, they'd use software that types far, far faster).

Offline attacks occur when someone steals, buys or otherwise is in possession of a website's password database and can crack them directly using specialist software and hardware.

The researchers concluded that there was little to be gained by making passwords that sit in the vast 'chasm' between the two thresholds; if your password is good enough to withstand 1 million guesses it won't get substantially better until it can withstand 100 trillion.

All of this is part of a broader recent change in thinking about passwords (the latest NIST guidelines are also a good example) that attempts to shift the burden of password security away from users and back onto system owners and administrators.

Funky password formulas with special characters are out, arbitrary resets are out – throttling and proper password storage is in.

Researchers are telling system administrators to take the strain and that they should worry about the offline attacks and leave users the simple job of making passwords that can handle 1 million guesses – just six characters chosen at random should be enough. However, TarGuess and its developers show us that even that might be too much to ask, saying "…normal users' passwords are even not strong enough to resist online guessing and still far away from the "online-offline chasm".

Many of us remain wedded to our truly terrible passwords. Are you guilty of that?

The researchers used password databases from nine massive breaches including CSDN, Yahoo and RockYou most of which occurred within the last six years. In seven of the nine databases 123456 was the most popular password (Seriously??? We haven't learned better than that?), and none of the top 10 passwords in any of the breaches would surprise readers – they are the usual culprits.

If you're a website owner or operator, follow the latest NIST guidelines, don't allow users to use 123456, password, or any other known bad passwords, and use a reputable password strength meter to ensure they can't pick other passwords that might be easy to crack. Use rate limiting and lock-outs to bolster poor passwords and use two-factor authentication so that when a password is cracked it's not enough by itself to give an attacker access.

But we know from lecturing that the resistance to two-factor authentication is hard to defeat. Laziness and/or convenience seem to rule the day – unless compelled by someone in authority.

Hat tip to Dave Ries.

E-mail: Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
http://www.senseient.com
http://twitter.com/sharonnelsonesq
http://www.linkedin.com/in/sharondnelson