A few weeks ago, David K. Sutton posted his thoughts on passwords on this blog, and since I had coincidentally just finished trying to hack a password around that same time, I thought I might add and/or elaborate a little on what he said, and offer some real world context and numbers.
Someone sent me a password-protected Excel file to unlock and they had NO IDEA what the password was, but they suspected the person who locked it had used a “decent” password. I was lucky enough to have access to a copy of Elcomsoft’s Advanced Office Password Recovery software, which is one of the more advanced applications for hacking passwords, and is supposedly used by various law enforcement agencies, as well as major corporations. This software happened to be running on a brand-spanking-new Dell workstation, just purchased a month or two ago, sparing no expense. It is running 8 cores at 3.9GHz, along with a pretty good (by Dell standards) graphics card. The graphics card is relevant because the password recovery software also takes advantage of your GPU, for more horsepower, bringing my total processor crunching capacity to 9.
Unfortunately, the process for hacking a password is nothing like in the movies. There really are only two options to get into a password protected Office file: dictionary attack, or brute-force. In some programs in Windows (e.g., IE), you can get software to reverse-engineer algorithms, and you can click a button to get a user’s password (i.e., see through the asterisks), but with Office files at least (and with important stuff like the main Windows logon), apparently they still can’t do that.
The dictionary attack on this file didn’t find the password (that’s when the software tries a list of over a million words and phrases that are common or likely passwords), so after wasting that second or two(!), I had to resort to the brute force method, which is literally trying every combination of every possible character. For a 4-character long password you try aaaa, then aaab, then aaac, etc., including both upper and lower case letters, plus spaces, and all punctuation. Unfortunately (and as David K. Sutton mentioned in his earlier post) this method of cracking takes FOREVER. The good news is, I can be specific about what exactly I mean when I say “forever,” since we can do the math. If you include all standard characters (letters, numbers, symbols) as possibilities in a password, then that’s 95 total characters. To determine the number of possible combinations, it’s just 95 to the power of n, where n is the character length of the password.
95 ^ n = total character combinations
So for a 7 character password that could have ANY character in it, I had 95 to the 7th power passwords to try before I exhausted all possibilities.
95 ^ 7 = 69,833,729,609,375
Thankfully, I was on a cutting edge machine, which could attempt about 2.31 million passwords per SECOND, and so if I’d let it finish, it would’ve taken me about 349 days to try all possibilities!!!
69,833,729,609,375 ÷ 2,310,000 = 30,231,051.78 seconds
30,231,051.78 ÷ 86,400 = 349.90 days
And an 8 character long password would take just over 91 years to finish with my current (very fast) hardware.
Needless to say, I didn’t let it finish trying to find the 7 (or more) character long password. I did, however, manage to try every possible password through 5 characters in the first day, and after letting it run over a long weekend, it got through 6 characters. So after all that, all I can say about this file is that it’s secured by a password that is at least 7 characters long.
WHAT ABOUT DISTRIBUTED ATTACKS?
Elcomsoft also makes the same software in a “Distributed” version, which I didn’t try, but it allows up to 64 CPUs/cores to all work together on a single project, across a LAN, or across the internet! Some people might point to this and say “Ah HA! This is how hackers will get me! I’m at a university and what if someone takes over a computer lab for a weekend and uses all the computers at once to hack my password?!?” Well, there are a few reasons this won’t change the equation much. First of all, we’re assuming that our hacker has access to 8-core (or more) machines running at 3.9GHz (or better) which the owner for some reason spent thousands of $$$ on, but now has no use for and can let sit idle for weeks on end (and wouldn’t have a problem with what you’re doing if he discovered it). The machines become nearly unusable while the cracking routine is running, since it’s consuming all available resources, so unless you have a computer lab filled with cutting edge machines that nobody has any use for, and no authority figures ever check in, then it’s unlikely you’ll even have the resources to TRY this.
But if you did, the math is still against you: Someone using 8 copies of my 8 core PC would use all 64 possible cores allowed by the Distributed version of the software (assuming they aren’t counting the GPU as a core). So, taking into account the speed previously calculated on my single cutting-edge PC (about 2.31M pps), if you divide that by 8 (again ignoring the GPU, or assuming all PCs have a GPU as fast as my relatively fast one), you find that I could crunch 288,750 passwords per second per core. Multiply that by 64 possible cores, and do the additional math, and you’ll find that you could now crack a 7 character password in 44 days, and an 8 character password is done in 11.4 years. Sure, that’s a huge improvement over my single machine alone (down from almost 1 year and 91 years), but it’s still so prohibitively long as to make it highly impractical, and thus 7 characters and above is still effectively unhackable.
Keep in mind also that 8 separate machines communicating via LAN (or worse, WAN) aren’t going to go quite as fast as a single machine, since there’s going to be a delay in the time required for the machines to communicate. Worried about an internet hacker? Then add a LOT more latency to the time calculations.
THERE ARE A FEW CAVEATS OF COURSE
These calculations tell you how long it takes to try ALL POSSIBLE combinations of a 7 character password. The software starts with aaaaaaa and ends with punctuation or ZZZZZZZ (or something similar). So if your 7 character password starts with a letter in the first half of the alphabet, you can cut those time estimates in half. If it starts with “a” then you might as well assume the time it takes to try all 6 character lengths applies to your 7 character long password too. So realistically, will it take my single machine 349 days to crack a 7 character password? Not likely. Probably quite a bit less, unless the password’s author started the password with a letter toward the end of the alphabet. If you’re worried about a hacker anticipating this and taking the opposite approach, then start your password with something toward the end of the alphabet, instead of AT the end – like an R or S maybe. I say this because in all likelihood they won’t start with Z, but if they do, you’ll still give them a lot of days of trying before they stumble on your password.
And of course, this is a story about banging away on a file that I have a local copy of. If I’m hacking via the internet it’ll be slower, and if I’m trying to hack a password to log on to the LAN, chances are I’ll never get to even try my brute force attempt if the administrator has a maximum logon attempts value set. So, for instance, where I work you can try someone’s password 5 times before it’ll lock you (and the account) out for a period of time. Obviously this dramatically slows down brute force attempts, making even a 6 character password more than sufficient. If you really want to be fancy you can use a 7 character password, and if it’s a password for a file (or similar), which a hacker can attempt to hack into endlessly at his leisure, then you’d want to go with a 7 character password with a letter late in the alphabet, or an 8 character password, which is effectively unhackable.
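The arithmetic from the single-machine, distributed and account-lockout scenarios above, as an added Python example (not from the original post or Elcomsoft’s software). It uses the post’s own figures (95 characters, 2.31M guesses/second, 64 cores at one eighth of that rate each, 5 logon attempts before lockout); the 30-minute lockout window is an assumption the post does not state, and the average-case (half the keyspace) figure is added alongside the worst case the post quotes.

```python
PRINTABLE_ASCII = 95                 # letters, digits and symbols, as in the post
SINGLE_PC_RATE = 2_310_000           # guesses/second on the post's 8-core workstation
PER_CORE_RATE = SINGLE_PC_RATE // 8  # 288,750 guesses/second/core, as in the post
MAX_DISTRIBUTED_CORES = 64           # limit quoted for the Distributed version
SECONDS_PER_DAY = 86_400
DAYS_PER_YEAR = 365.25


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return charset_size ** length


def days_to_exhaust(charset_size: int, length: int, rate: float) -> float:
    """Worst case: every candidate of this length is tried (the post's figure)."""
    return keyspace(charset_size, length) / rate / SECONDS_PER_DAY


def expected_days(charset_size: int, length: int, rate: float) -> float:
    """Average case for a uniformly random password: half the keyspace."""
    return days_to_exhaust(charset_size, length, rate) / 2


def distributed_rate(cores: int) -> float:
    """Aggregate guess rate of the Distributed version, ignoring network latency."""
    return min(cores, MAX_DISTRIBUTED_CORES) * PER_CORE_RATE


def online_days(charset_size: int, length: int, attempts: int, lockout_minutes: float) -> float:
    """Guessing a logon under a lockout policy: `attempts` tries, then wait.
    The post gives 5 attempts; the lockout length is an ASSUMED value.
    The time spent on the attempts themselves is ignored."""
    windows = keyspace(charset_size, length) / attempts
    return windows * lockout_minutes / (24 * 60)


if __name__ == "__main__":
    for n in (6, 7, 8):
        single = days_to_exhaust(PRINTABLE_ASCII, n, SINGLE_PC_RATE)
        dist = days_to_exhaust(PRINTABLE_ASCII, n, distributed_rate(64))
        print(f"{n} chars: {keyspace(PRINTABLE_ASCII, n):,} candidates, "
              f"{single:,.1f} days on one PC ({single / DAYS_PER_YEAR:.1f} y), "
              f"{dist:,.1f} days on 64 cores, "
              f"{expected_days(PRINTABLE_ASCII, n, SINGLE_PC_RATE):,.1f} days expected")
    # Online guessing against a 5-attempt lockout (30-minute window assumed)
    print(f"6 chars online: {online_days(PRINTABLE_ASCII, 6, 5, 30):,.0f} days")
```

Run as a script it prints the 6, 7 and 8 character rows; the lockout row shows that online guessing of even a 6 character password takes far longer than exhausting 8 characters offline.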
PRACTICAL SECURE PASSWORDS
Notice that I did not say that you have to use password complexity for a strong password. I believe that the math above demonstrates that this is not necessary. All you have to do is allow the hacker to assume you COULD have used a complex password (i.e., all possible characters employed, not just lower case letters). So the following two 8 character passwords are equally unhackable via straight brute-force attempts:
If they’re not in the dictionary file, then they’re almost uncrackable at this length. And if you have account lockout turned on for your LAN, then half that length is still probably more than enough. Of course, you’ll want to read “Active Directory: Account Lockout Policy – Think Twice Before Applying” before turning that on though… 😉
NOTE: I want to make it clear I’m talking about thwarting the average or novice hacker. If someone really knows what they’re doing and is motivated, they could potentially use more advanced methods & algorithms, allowing them to make “educated guesses,” potentially chipping away at the perceived strength of your password. This would be more of a hybrid approach between dictionary & brute-force. But this is still time consuming and requires advanced knowledge and skills, so for the vast majority of people the above info is adequate. However, as alluded to in “Secure Passwords: What You’ve Been Taught Is Wrong,” the best password is still just a string of words that cannot be guessed, even by an educated guess, but at the same time is easy for you to remember, such as “mousefloorskytable.”