Tuesday, November 19, 2013

Password length and time to brute-force

The Password length will be a big  factor in the strength against a brute force attacks.

It's not uncommon to see attempts against a server or other systems & via a brute-force or dictionary based password attack. In a lot of scenarios, a combination of the two (  aka hybrid attacks ) , is most likely deployed.

In this quick short blog, we will look at  a common unix hash crack tool know as john the ripper.


I've load a unix password file  and attempted to crack 3 hashes. The tool has ran for nearly a year and I've only managed to cracked one account that consisted of a 3 letter password ( yeap , a very weak password on a major backbone router, btw  ),  and that was done probably in the first minutes of running john. If not the within 1st few seconds.

btw: I had a vm-server crashed,  so I've probably  have been cracking this password file , for over 1 year for sure now.

The Google  minutes to days calculator,  shows this  has been running uninterrupted for 321+ days now.

Now let's look at what password length does for protection from brute forces attacks. I'm referencing the following site,  to give you an ideal of the average times. YMMV based on hardware  type and if you deploy and GPU based password cracking technologies.

( please see my arrow below  )

The  common practice has been; " a minimum of  8 character password,  a-z with at least one # and symbol & uppercase letter  ". That would take  approx 8-10years of continual computing power to break a password, or that's what they say.

Other ( tinfoil hat types ) believe NSA can hack this in 2 mins & all ciphers and hashes can be cracked with a  D-Wave.  But who really knows what the US biggest intelligence community could really do & I'm sure they will not disclose what they can and can't do  :)

So remember to use a 8 character password and a good strong one at that. Just as  important to the password length, & strength, you should change that good strong password on a regular schedule. Password strength and expiration is a must in today's world, & for securing systems.

And lastly, another favorite reference of mine. Passwords of all types needs to be evaluated and reviewed. We commonly forget about static data ( files ) ,  and simple passwords that we commonly use with regards to them. Read this link below on some very useful tips when it comes to passwords and hacking around.

 I just did some work over the weekend & with retrieval of a  zip file password,  using a crack tool.  And this particular  file, had a list of other systems username/passwords. In this case, I was helping a colleague retrieve an old systems account from a unix server that they didn't changed the password on for nearly 4 years.

Oh btw here's a hash you can try to crack if your bored :)


Ken Felix
Freelance Network / Security Engineer
kfelix  ----a---t---socpuppets ---d---o---t---com

     ^      ^
=(  @   @ )=
       /     \

No comments:

Post a Comment