How secure is your password?

So you follow the usual advice and have a password which includes capital and small letters, some digits and special characters such as “$” or “%”? You substitute “3” for “e” and “1” for “i” in a word and add a numerical suffix, such as a ZIP code, to it?

Not good enough, says Bruce Schneier in Wired. It might work where you only get three guesses at an ATM, but it isn’t going to save your bacon if someone is trying to get access to a password-protected file or account and can try thousands or hundreds of thousands of passwords each second.

He quotes Eric Thompson of AccessData, a company which sells the Password Recovery Toolkit, or PRTK, password-cracking software:

...a typical password consists of a root plus an appendage. A root isn’t necessarily a dictionary word, but it’s something pronounceable. An appendage is either a suffix (90 percent of the time) or a prefix (10 percent of the time).

So the first attack PRTK performs is to test a dictionary of about 1,000 common passwords, things like “letmein,” “password1,” “123456” and so on. Then it tests them each with about 100 common suffix appendages: “1,” “4u,” “69,” “abc,” “!” and so on. Believe it or not, it recovers about 24 percent of all passwords with these 100,000 combinations.

Then, PRTK goes through a series of increasingly complex root dictionaries and appendage dictionaries…

...Eric Thompson estimates that with a couple of weeks’ to a month’s worth of time, his software breaks 55 percent to 65 percent of all passwords. (This depends, of course, very heavily on the application.) Those results are good, but not great.

But that assumes no biographical data. Whenever it can, AccessData collects whatever personal information it can on the subject before beginning. If it can see other passwords, it can make guesses about what types of passwords the subject uses. How big a root is used? What kind of root? Does he put appendages at the end or the beginning? Does he use substitutions? ZIP codes are common appendages, so those go into the file. So do addresses, names from the address book, other passwords and any other personal information. This data ups PRTK’s success rate a bit, but more importantly it reduces the time from weeks to days or even hours…

I don’t want to quote the whole interview and the information about what weaknesses in passwords PRTK exploits – you should read the article yourself. Just don’t assume your password is safe unless you’ve read the article and implemented the suggestions.
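To make the root-plus-appendage strategy concrete, here is an added example (it is not AccessData’s PRTK code and does not come from Schneier’s article): a small Python sketch of the dictionary phase Thompson describes, including the “try the subject’s personal data first” trick from the last quoted paragraph. The root list, the appendage list, the ZIP code and birth year, and the target passwords are all constructed stand-ins, and unsalted SHA-256 stands in for whatever the real target does to check a password.

```python
"""Root-plus-appendage password guessing, in the style Eric Thompson describes.

Added illustration, not AccessData's PRTK code. The word lists, personal data
and target passwords below are constructed for the example.
"""
import hashlib
from typing import Iterable, Iterator, Optional

# Constructed stand-in for PRTK's "about 1,000 common passwords" root dictionary.
COMMON_ROOTS = ["password", "letmein", "123456", "qwerty", "monkey",
                "dragon", "baseball", "football"]

# Constructed stand-in for the "about 100 common suffix appendages".
COMMON_APPENDAGES = ["1", "12", "123", "4u", "69", "abc", "!", "2007", "007", "1!"]

# The substitutions the post mentions (3 for e, 1 for i) plus 0 for o.
LEET = str.maketrans({"e": "3", "i": "1", "o": "0"})


def sha256_hex(password: str) -> str:
    # Unsalted SHA-256 stands in for the target's password check. A real
    # target would hash differently; the guessing strategy is the point here.
    return hashlib.sha256(password.encode()).hexdigest()


def root_variants(root: str) -> list[str]:
    """Casing and leet variants of one root, in the order they are tried."""
    out: list[str] = []
    for r in (root, root.capitalize(), root.upper()):
        for v in (r, r.translate(LEET)):
            if v not in out:
                out.append(v)
    return out


def candidates(roots: Iterable[str], appendages: Iterable[str]) -> Iterator[str]:
    """Yield guesses cheapest-first: bare roots, then root+suffix (the
    common 90% placement), then prefix+root (the rarer 10%)."""
    roots = list(roots)
    appendages = list(appendages)
    seen: set[str] = set()

    def emit(guess: str) -> Iterator[str]:
        if guess not in seen:
            seen.add(guess)
            yield guess

    for root in roots:
        for r in root_variants(root):
            yield from emit(r)
    for root in roots:
        for r in root_variants(root):
            for app in appendages:
                yield from emit(r + app)
    for root in roots:
        for r in root_variants(root):
            for app in appendages:
                yield from emit(app + r)


def personalize(appendages: Iterable[str], personal: Iterable[str]) -> list[str]:
    """Put biographical fragments (ZIP code, birth year, ...) at the front of
    the appendage list so they are tried before the generic ones."""
    personal = list(personal)
    return personal + [a for a in appendages if a not in personal]


def crack(target_hash: str, roots: Iterable[str],
          appendages: Iterable[str]) -> tuple[Optional[str], int]:
    """Return (recovered password or None, number of guesses made)."""
    tried = 0
    for guess in candidates(roots, appendages):
        tried += 1
        if sha256_hex(guess) == target_hash:
            return guess, tried
    return None, tried


if __name__ == "__main__":
    for pw in ("Passw0rd1", "letmein!", "monkey90210"):
        print(pw, crack(sha256_hex(pw), COMMON_ROOTS, COMMON_APPENDAGES))
    # Adding the subject's (constructed) ZIP code and birth year to the
    # appendages recovers the last one, and recovers it early.
    print("monkey90210 with ZIP",
          crack(sha256_hex("monkey90210"), COMMON_ROOTS,
                personalize(COMMON_APPENDAGES, ["90210", "1975"])))
```

With lists scaled to the sizes Thompson gives (about 1,000 roots, about 100 appendages), the root+suffix phase alone is his 100,000 combinations. “Passw0rd1” and “letmein!” fall in that first pass despite the substitutions and punctuation; “monkey90210” survives the generic lists, but the moment the subject’s ZIP code is known and placed at the front of the appendage list it is recovered, and earlier than it would be if the same value were merely added at the end. That ordering effect is the “weeks to days or even hours” point.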

(Via Boing Boing)
