In The New Password Paradigm – Part 1, I promised to expand on the concept and also to provide an analysis of things I have told you in the past about passwords. Some of what I told you is still valid, even in the light of the new paradigm. Some of the information was off the mark.
Probably the most important concept of the new password paradigm is forcing the hacker to resort to brute force techniques by choosing passwords that are not on known password lists or in the dictionary. The first things hackers try when attacking passwords are lists of common passwords such as Top 500 Worst Passwords of All Time, Top 10 Most Common Passwords, and information gleaned from studies such as A Large-Scale Study of Web Password Habits published by Microsoft. The next things they try are names and dictionary words. If you use your name, a pet’s name or a dictionary word as your password, it will be discovered virtually instantly. Even an obscure dictionary word like “ratiocination” won’t work; however, changing a common password, name or dictionary word in a way the attacker has not already modeled forces the hacker to resort to brute force techniques.
I am not talking about merely capitalizing the first letter or changing some letters to their leet speak equivalents, such as 3 for “e.” The hackers know all these tricks, too, and will likely incorporate them into their dictionaries, so taking my example of “ratiocination” and turning it into Rati0cin@tion might not work very well. Yes, a brute force attack would take a long time on such a combination, but the hacker never has to mount one if Rati0cin@tion is one of the common patterns most people choose, because those are exactly the patterns the cracking rules generate. The list might look like this:
and so forth. Each different combination that the hacker incorporates into the dictionary tables increases the chance of a successful match without having to resort to brute force. However, add something to the word that is not one of those common patterns, and you’re golden: the hacker is now doomed to using brute force. Steve Gibson explains on his Password Haystacks page:
… the attacker is totally blind to the way your passwords look. The old expression “Close only counts in horseshoes and hand grenades” applies here. The only thing an attacker can know is whether a password guess was an exact match . . . or not. The attacker doesn’t know how long the password is, nor anything about what it might look like. So after exhausting all of the standard password cracking lists, databases and dictionaries, the attacker has no option other than to either give up and move on to someone else, or start guessing every possible password.
It’s such a simple concept, it’s beautiful! Just pad the password with a pattern of your own invention, known only to you. Two caveats: the pattern really has to be your own (a trailing “123” or “!” is already in the cracking rule sets, so it adds nothing), and padding buys you length, not secrecy of the base word, so if your pattern ever becomes known, what is left is a dictionary word again.
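To make the attack order above concrete, here is a small Python model added for this post; it is not code from the original article or from the Password Haystacks page. The word list, substitution table and suffix list are constructed stand-ins for the real cracking dictionaries and rule files, and the guess rate in the demo is an assumed figure. The model generates the candidates a rule-based cracker tries before brute force, checks whether a given password falls inside that set, and for those that do not, counts the brute-force search space the way the Haystacks page does (the attacker does not know the length, so every shorter length is counted too).

```python
"""Model of the attack order described above: word lists, then mangling rules
(case, leet substitutions, common suffixes), and only then brute force.
The lists and the guess rate are constructed stand-ins for this example."""
import itertools

# Constructed stand-in for the "worst passwords" lists plus a name/dictionary list.
WORDLIST = ["123456", "password", "qwerty", "fluffy", "ratiocination"]

# A tiny subset of the substitutions and suffixes that real rule files model.
LEET = {"a": "@4", "e": "3", "i": "1!", "o": "0", "s": "$5"}
COMMON_SUFFIXES = ["", "1", "123", "!", "1!", "2023"]

# Alphabet sizes the Haystacks page assumes: lowercase, uppercase, digits,
# and the 33 printable ASCII symbols (space included).
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33


def case_variants(word):
    """The case patterns most people choose: lowercase, Capitalized, UPPER."""
    return {word.lower(), word.capitalize(), word.upper()}


def leet_variants(word):
    """Every combination of keeping a letter or swapping in a leet substitute,
    so Rati0cin@tion (one o and one a swapped) is covered along with the rest."""
    choices = [[c] + list(LEET.get(c.lower(), "")) for c in word]
    return ("".join(p) for p in itertools.product(*choices))


def candidates(wordlist):
    """The full candidate set a rule-based cracker exhausts before brute force."""
    found = set()
    for word in wordlist:
        for cased in case_variants(word):
            for leeted in leet_variants(cased):
                for suffix in COMMON_SUFFIXES:
                    found.add(leeted + suffix)
    return found


def needs_brute_force(password, wordlist=WORDLIST):
    """True when no word-plus-rules combination produces the password,
    i.e. the attacker is 'totally blind' and must start guessing."""
    return password not in candidates(wordlist)


def alphabet_size(password):
    """Smallest standard alphabet an attacker must assume for this password."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGITS
    if any(not c.isalnum() for c in password):
        size += SYMBOLS
    return size


def search_space(length, alphabet):
    """Guesses to exhaust every password of 1..length characters drawn from
    the alphabet (the 'haystack'); the attacker does not know the length."""
    return sum(alphabet ** n for n in range(1, length + 1))


def guesses_needed(password):
    """Worst-case guesses for a password that fell through to brute force."""
    return search_space(len(password), alphabet_size(password))


if __name__ == "__main__":
    rate = 1e11  # assumed guesses per second, only for the comparison below
    for pw in ["Rati0cin@tion", "ratiocination!", "Rati0cin@tion..//.."]:
        if needs_brute_force(pw):
            years = guesses_needed(pw) / rate / (3600 * 24 * 365)
            print(f"{pw}: not in the rule set; brute force takes up to {years:.2e} years")
        else:
            print(f"{pw}: produced by word list + rules, found before brute force")
```

Run it and the two "clever" variants fall out of the rule set immediately, while the padded one, built from the same base word, is only reachable by exhausting a 95-symbol alphabet across nineteen positions. Real rule files are far larger than the six suffixes and five substitutions modeled here, which is exactly why the pad has to be a pattern of your own rather than one of the usual ones.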
In Part 3, I’ll list my previous articles on passwords and comment on them.