3
votes

Note: This doesn't explicitly relate to programming, but I was hoping this can be explained from a programmer's point of view.

There are two things I simply don't understand about current 'password strength ratings'. This all pertains to brute force entry. (If these 'password strength ratings' relate to any other type of breach aside from using a common/popular password please let me know).

1) Why does it matter if I include numbers/symbols/uppercase letters as long as the password system allows for the possibility of using them?

For example, let's just say:

a) The system's accepted characters are a-z, A-Z, 0-9, and their "shifted values" '!' to ')', so 72 possible symbols.

b) I use a password of length ten, so 72^10 possibilities.

c) My password is not in the top 10,000 most common/popular passwords used. So 72^10 - 10,000 possibilities remain.

Wouldn't an all-lowercase password like 'sndkehtlyo' be identical in strength to 'kJd$56H3di', since they both share the same possibility of including the additional characters? Doesn't the brute force algorithm have to include those numbers/symbols/uppercase regardless of whether or not I use them? It seems like these rating systems believe a brute force attempt will try all 26^n lowercase passwords first, all 52^n passwords second, then all 62^n passwords, etc, etc.

2) Why does that even matter? I have yet to come across any password system that doesn't lock you out after some small fixed number of attempts (usually 5). How can brute force approaches even work these days?

I feel like I am missing something fundamental here.


3 Answers

7
votes

1) Cracking a password doesn't need to happen in one pass. A well implemented brute force crack may iterate first through small ranges of characters and then work its way into caps and numbers. Starting with the simplest ranges first (maybe just lowercase a-z) will find passwords of those unfortunate enough to have constructed a weak password. They may also start with dictionary attacks or Most-common-passwords-used attacks first as they take very little time.

2) Crackers aren't going to brute force right through some online service's login prompt. Anyone truly intent on getting access to an account would retrieve the hash of a user's password and crack it on their own machine, not over the internet. While there are practically infinite ways to hash a password there are some very common methods that can be identified by properties such as the hash's character length. You can read more about common hash algorithms in this Wikipedia article.

2
votes

1) All man-made passwords are not totally random. In other words, taking the human factor (e.g. memorability) into account, the probability distribution of a password space is not even.

2) The attempt times restriction is used for authentication, which is a means of Access Control. It has nothing to do with the password strength. It is the system level control method and it is usually configurable. Of course, it is an effective weapon against brute force attacks, but one can still design a system without that access control method. Also, hackers may not crack into the system directly but they could intercept the user data from the network which contains encrypted password or anything else and use brute force or other ways to crack it. So a high-strength password scheme, a high-security crypto method and a well-designed access system could live together to make a strong security system.

1
votes

In general, with a brute force system, you are correct. But a lot of automated password crackers out there begin their searches by trying common English words and their combinations. For example: sports teams, states, dates, etc etc... So by having those special characters it immediately eliminates a lot of those possibilities. Generally, if you're worried about brute force, a much longer password is more secure than a shorter one with special characters.
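To make the search-order point from the first answer and the length-versus-symbols point from the last answer concrete, here is an added example (not code from any of the posters) that models an offline attacker who runs a common-password list first and then escalates through character classes from the smallest range upward. The 72-symbol alphabet is the question's own (a-z, A-Z, 0-9 and the shifted digits '!' to ')'); the five-entry common-password list and the one-billion-guesses-per-second rate are constructed stand-ins, not real figures.

```python
"""Added example: a charset-escalation model of password search order.

Models the points made in the question and answers: the keyspace of a
72-symbol alphabet, why an attacker who tries a common-password list and
then small character classes first reaches 'sndkehtlyo' long before
'kJd$56H3di', and why extra length beats extra symbols.
"""
import math
import string

# Character classes in the order a charset-escalating search tries them,
# smallest range first (the strategy the first answer describes).
# The symbol set is the shifted digits '!' to ')' from the question.
CLASSES = [
    ("lower", string.ascii_lowercase),   # 26 characters
    ("upper", string.ascii_uppercase),   # 26 characters
    ("digit", string.digits),            # 10 characters
    ("symbol", "!@#$%^&*()"),            # 10 characters -> 72 in total
]
ALLOWED = set("".join(chars for _, chars in CLASSES))

# Constructed stand-in for a "most common passwords" list (the attacker's
# dictionary pass); a real list would hold thousands of entries.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "iloveyou"]


def classes_used(password):
    """Return the names of the character classes present in the password."""
    if not password or set(password) - ALLOWED:
        raise ValueError("password contains characters outside the 72-symbol alphabet")
    return [name for name, chars in CLASSES if any(c in chars for c in password)]


def cumulative_alphabet_size(class_names):
    """Alphabet size at the escalation stage that first covers all given classes."""
    names = [name for name, _ in CLASSES]
    last_stage = max(names.index(n) for n in class_names)
    return sum(len(chars) for _, chars in CLASSES[: last_stage + 1])


def rate_password(password, common=COMMON_PASSWORDS):
    """Worst-case guesses before a dictionary-then-escalation search hits the password."""
    if password in common:
        # The dictionary pass runs first, so the password falls within its first entries.
        return {"in_common_list": True, "classes": classes_used(password),
                "worst_case_guesses": common.index(password) + 1}
    used = classes_used(password)
    size = cumulative_alphabet_size(used)
    # Stage k enumerates every string over its cumulative alphabet, so the
    # password is certainly tried within size**len(password) guesses (the
    # handful of dictionary guesses before that is negligible by comparison).
    return {"in_common_list": False, "classes": used,
            "worst_case_guesses": size ** len(password)}


def strength_bits(password):
    """Log2 of the worst-case guess count: the usual 'bits of strength' figure."""
    return math.log2(rate_password(password)["worst_case_guesses"])


def seconds_to_exhaust(password, guesses_per_second):
    """Time for an offline attack at the given rate to certainly reach the password."""
    return rate_password(password)["worst_case_guesses"] / guesses_per_second


if __name__ == "__main__":
    rate = 1e9  # constructed figure: one billion hash guesses per second offline
    for pw in ["password", "sndkehtlyo", "kJd$56H3di", "correcthorsebatterystaple"]:
        r = rate_password(pw)
        print(f"{pw:26} classes={r['classes']} guesses<={r['worst_case_guesses']:.3e} "
              f"bits={strength_bits(pw):.1f} hours={seconds_to_exhaust(pw, rate) / 3600:.3g}")
```

Under this model 'sndkehtlyo' is exhausted within 26^10 guesses while 'kJd$56H3di' needs the full 72^10, which is the gap the rating meters are reflecting; a 19-character all-lowercase password still scores higher than the 10-character mixed one, matching the last answer's advice that length beats symbols.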