Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

howsecureismypassword.com algorithm

There is a nice site http://www.howsecureismypassword.net/ which determines how long it will take to crack a password.

What I want is to implement feature like this, so I need an algorithm for that

like image 652
hasrthur Avatar asked Sep 25 '12 08:09

hasrthur


2 Answers

Knowing the common password attack vectors will give you an idea of how you might go about calculating this. When we need a number, let's assume that a desktop computer can check 4 billion (4x109) passwords per second, which seems about right.

It's important to realize that an attacker is rarely attempting to crack just your password. Instead, they will have user ids for a large number of accounts, and they want to try to crack as many of them as possible. As such, it pays for them to invest most of the time in cracking the easy passwords, and not bothering with difficult passwords.

0. Really obvious attacks

Try entering the user id for the password. It's surprising how many people do this. Your password is crackable instantaneously.

1. Dictionary attacks

This is simple. The attacker just needs to keep a list of (say) the 106 most common passwords in use, and check each of them once. This can be done in well under a second. If your password is in the list of most common passwords, then it can probably be cracked nearly instantaneously.

2. Brute force

If your password isn't in a dictionary, then one other option is to use brute force. The time taken to crack a password using this method depends on (a) the length of the password, and (b) the symbol set that comprises the password. The general formula is

timeTaken = (sizeOfSymbolSet ^ passwordLength) / (4*10^9)  # (seconds)

For example, if your password consists only of lowercase letters, then the size of the symbol set is 26. Here's a list of how long it might take to crack your password as a function of its length:

Length Time
     4   0.1 millisecs
     6   0.1 seconds
     8   1 minute
    10   10 hours
    12   9 months

If you use all lowercase and uppercase letters, numbers and symbols then the symbol set is closer to 100. It takes correspondingly longer to crack your password:

Length Time
     4   25 millisecs
     6   4 minutes
     8   28 days
    10   800 years
    12   8 million years

Don't get too complacent yet, though! The 8 million year figure assumes that you have a random selection of 12 letters, numbers and symbols as your password, i.e. your password is something like

t8Qkx#rxZAM@
%Kuc;p8WHmFU
xDE!XE$rLGh4
KJdx2K8BS33K
HTaeCc&t46L;

How many people have a password like that?

3. Combined methods

This relies on a combination of ingenuity and brute force. It's a mix between the first two methods, and relies on common "password conventions" rather than common passwords.

For example, many people have a password of the form "a dictionary word followed by a number". There are about 2x105 words in the Oxford English Dictionary, so to generate all combinations "dictionary word followed by number" is about 2 million different passwords, which can again be easily checked in under a second.

Other common tropes include replacing characters by similar-looking symbols- o with 0, l with 1, a with @ etc. Once you have a list of dictionary words, it is trivial to generate all of these replacements. At a guess, you might increase the length of the list by a factor of 1000, which is still checkable in around a second.

My guess is that the site uses a combination of some or all of these approached to work out how long it would take to crack your password.

like image 92
Chris Taylor Avatar answered Sep 28 '22 06:09

Chris Taylor


Well you never know: this got posted today:

  • http://www.leebutterman.com/passphrase-safety/

The checking is done all in javascript.Code is available on github

  • http://github.com/lsb/text-entropy
  • https://github.com/lsb/text-entropy-api

From the How It Works page I get the impression the author knows what he's talking about. (You'll want to read it, the way he wrote his javascript implementation is interesting in it's own right)

Perhaps you can borrow some insights, or even code (forks are welcome, I didn't see a license beyond the copyright declaration).

like image 25
sehe Avatar answered Sep 28 '22 06:09

sehe