Security Corner

May 29 2013   8:02PM GMT

Is your password “qeadzcwrsfxv1331?”

Ken Harthun

If so, it has been cracked. And rather easily, I might add. How is it that a 16-character password made of seemingly random characters could be cracked so easily? The answer might surprise you, and you will definitely rethink the way you create passwords.

An Ars Technica article discusses how three crackers achieved a 90% success rate against a list of more than 16,000 hashed passwords using some quite sophisticated techniques. These days, before crackers resort to pure brute force, which can take a very long time to complete, they run a series of hybrid attacks: a marriage of dictionary and brute-force methods in which each dictionary word is combined with every string a short mask can produce (a word followed by four digits, say). This greatly expands the effective word list while keeping the keyspace manageable.
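To make the hybrid idea concrete, here is an added example (my own code, not from the Ars article or from any cracking tool). It takes a tiny constructed word list, applies a few case and leet "mangling" rules to each word, and appends every string matching a hashcat-style mask such as ?d?d?d?d. The four target hashes are constructed for the demo; unsalted MD5 is an assumption chosen only because it is cheap to iterate, since this page does not say which hash the real list used.

```python
import hashlib
import itertools
import math
import string

# Constructed demo data: a few unsalted MD5 hashes standing in for a leaked list.
# Unsalted MD5 is an assumption for the demo, not a fact about the Ars data set.
def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

DEMO_PLAINS = ["Sunshine2013", "dragon!", "Welcome123", "k9#Qz7!pLm"]
TARGETS = {md5_hex(p) for p in DEMO_PLAINS}

# A tiny constructed dictionary; real runs use millions of words.
WORDLIST = ["sunshine", "dragon", "welcome", "password", "monkey"]

# hashcat-style mask tokens for the brute-force side of the hybrid attack.
MASK_SETS = {"?d": string.digits, "?l": string.ascii_lowercase, "?s": "!@#$%^&*"}
MASKS = ["?d", "?d?d", "?d?d?d", "?d?d?d?d", "?s", "?s?s"]


def mangle(word):
    """Dictionary side: cheap case and leet rules applied to each base word."""
    yield word
    yield word.capitalize()
    yield word.upper()
    yield word.capitalize().translate(str.maketrans("aeio", "4310"))


def expand_mask(mask):
    """Brute-force side: every string matching a mask such as '?d?d?d?d'."""
    tokens = [mask[i:i + 2] for i in range(0, len(mask), 2)]
    for combo in itertools.product(*(MASK_SETS[t] for t in tokens)):
        yield "".join(combo)


def hybrid_candidates(words, masks):
    """Hybrid attack: each mangled word alone, then word + every mask string."""
    for word in words:
        for base in mangle(word):
            yield base
            for mask in masks:
                for suffix in expand_mask(mask):
                    yield base + suffix


def hybrid_keyspace(words, masks):
    """Number of guesses the hybrid attack makes, computed without enumerating."""
    per_base = 1 + sum(
        math.prod(len(MASK_SETS[m[i:i + 2]]) for i in range(0, len(m), 2))
        for m in masks
    )
    return sum(len(list(mangle(w))) for w in words) * per_base


def brute_force_keyspace(length, charset_size=95):
    """Classic brute force over the 95 printable ASCII characters."""
    return charset_size ** length


def crack(targets, candidates):
    """Hash each candidate and return {hash: plaintext} for every hit."""
    found = {}
    for cand in candidates:
        h = md5_hex(cand)
        if h in targets and h not in found:
            found[h] = cand
            if len(found) == len(targets):
                break
    return found


if __name__ == "__main__":
    hits = crack(TARGETS, hybrid_candidates(WORDLIST, MASKS))
    print(f"hybrid guesses: {hybrid_keyspace(WORDLIST, MASKS):,}")
    print(f"brute force for 12 chars: {brute_force_keyspace(12):,}")
    for h, plain in hits.items():
        print(h, plain)
    print("still uncracked:", len(TARGETS) - len(hits))
```

Three of the four demo hashes fall in a couple of hundred thousand guesses, because "Sunshine2013", "dragon!" and "Welcome123" are all a dictionary word plus a short suffix; the random-looking one is never reached. The point of the keyspace functions is the comparison: the whole hybrid run here is smaller than brute-forcing even a seven-character password, yet it recovers the kind of password people actually choose.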

Another highly effective method is the Markov attack. Here is the simple explanation from the Ars Technica article:

Where a classic brute-force tries “aaa,” “aab,” “aac,” and so on, a Markov attack makes highly educated guesses. It analyzes plains to determine where certain types of characters are likely to appear in a password. A Markov attack with a length of seven and a threshold of 65 tries all possible seven-character passwords with the 65 most likely characters for each position. It drops the keyspace of a classic brute-force from 95^7 to 65^7, a benefit that saves an attacker about four hours. And since passwords show surprising uniformity when it comes to the types of characters used in each position—in general, capital letters come at the beginning, lower-case letters come in the middle, and symbols and numbers come at the end—Markov attacks are able to crack almost as many passwords as a straight brute-force.
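The following is an added example (my own code, not from the article or from hashcat) of the per-position model the quote describes: train on previously cracked "plains", keep the 65 most likely characters at each of seven positions, and compare the resulting 65^7 keyspace with the 95^7 of a full brute-force. The training passwords are constructed, and the model is deliberately the simple one in the quote; it also includes a check a practitioner wants, namely whether a given password would ever be tried at a given threshold.

```python
import itertools
import math
import string
from collections import Counter

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 95 chars
LENGTH = 7

# Constructed training "plains" (passwords already cracked), not real leak data.
PLAINS = [
    "Monkey1", "Dragon2", "Summer9", "Secret1", "Abc1234", "Pass123", "Qwerty1",
    "Hello12", "Love123", "Peter99", "Tiger07", "Apple11", "Sunny88", "Baby123",
    "Star777", "Mike321", "Dave123", "Lucky13", "Happy21", "Cool123",
]


def position_table(plains, length):
    """Count how often each character appears at each position of the plains."""
    tables = [Counter() for _ in range(length)]
    for p in plains:
        if len(p) != length:
            continue
        for i, ch in enumerate(p):
            tables[i][ch] += 1
    return tables


def allowed_sets(tables, threshold):
    """The `threshold` most likely characters for each position.  Characters
    never seen at a position are appended in a fixed order so the attack still
    has exactly `threshold` choices there."""
    sets = []
    for table in tables:
        ranked = [c for c, _ in table.most_common()]
        ranked += [c for c in PRINTABLE if c not in table]
        sets.append(ranked[:threshold])
    return sets


def keyspace(sets):
    """Guesses needed to exhaust the reduced space: product of the set sizes."""
    return math.prod(len(s) for s in sets)


def covered(password, sets):
    """Would a run with these per-position sets ever guess `password`?"""
    return len(password) == len(sets) and all(
        ch in allowed for ch, allowed in zip(password, sets)
    )


def candidates(sets):
    """Enumerate the reduced keyspace, most likely characters first."""
    for combo in itertools.product(*sets):
        yield "".join(combo)


if __name__ == "__main__":
    tables = position_table(PLAINS, LENGTH)
    sets65 = allowed_sets(tables, 65)
    print(f"brute force 95^{LENGTH} = {95 ** LENGTH:,}")
    print(f"markov     65^{LENGTH} = {keyspace(sets65):,}")
    for pw in ["Monkey1", "Zebra42", "~~~~~~~", "qeadzcw"]:
        print(f"{pw!r} reachable at threshold 65: {covered(pw, sets65)}")
    # A tiny threshold makes the whole reduced space small enough to list.
    sets2 = allowed_sets(tables, 2)
    print("first guesses at threshold 2:",
          list(itertools.islice(candidates(sets2), 8)))
```

Every password that follows the training data's shape (capital first, lower-case middle, digits last) is reachable at threshold 65, while a string built from characters that never appear at those positions, such as a run of tildes, is simply outside the space the attack searches. That is the whole trade: the attacker gives up the 30 least likely characters per position and, in return, finishes the run roughly 14 times sooner.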

Are you feeling a bit insecure yet? You should be, if your passwords conform to any of those “standard” practices. I think the discovery of the password in the headline was probably an example of a good, educated guess, and I’m sure a password like !!sREkaerb-Eci@@ would prove next to impossible to crack even with sophisticated tools.

But, I could be wrong…
