-
If you would like to post, please check out the MrExcel Message Board FAQ and register here. If you forgot your password, you can reset your password.
Are your passwords as "secure" as you think?
- Thread starter MrKowz
- Start date
Excel Facts
Select a hidden cell
Somehide hide payroll data in column G? Press F5. Type G1. Enter. Look in formula bar while you arrow down through G.
Andrew Fergus
MrExcel MVP
- Joined
- Sep 9, 2004
- Messages
- 5,462
- Office Version
- 365
- 2021
- 2016
- Platform
- Windows
I agree with Norie on this. Merely adding a space to the list of available characters does little for password security. The number of password combinations to test using brute force is n^x where n is the number of characters being tested and x is the number of characters in the character set. An 8 character password (using numbers and letters in both cases) has 8^62 combinations, adding a space increases this to 8^63. If my maths serves me correctly there are 8 times as many combinations that require brute force testing by the inclusion of a space in this example (in other words the combinations are increased by a factor of n where n is the number of characters).
However, this theoretical maximum ignores the fact that very few people (if any) would have a password that consisted of all "z"s - so the brute force method never needs to test all n^x combinations. Assuming an equal distribution of first position characters throughout the alphabet, the brute force method would on average only need to test half of all possible combinations. Furthermore, the time taken to brute force the password could be further reduced by splitting the task across multiple threads and/or processors and/or computers. Each processor would only ever test 1/xth of the total combinations (again on average half of the theoretcial maximum assuming an even distribution of 2nd position characters across the alphabet) - this could be further reduced by using a network of computers i.e. continually breaking the task down into smaller chunks.
So keep in mind the time taken to brute force something is a theoretical constraint. In addition, as other posters have mentioned, the weakness does not usually reside with the password itself.
Andrew
P.S. Plus I reckon most systems will trim a password such that trailing and leading spaces will be ignored. This would reduce the number of combinations to test by (n-1)^63 for leading spaces and the same again for a final trailing space and even less again for multiple trailing spaces.
However, this theoretical maximum ignores the fact that very few people (if any) would have a password that consisted of all "z"s - so the brute force method never needs to test all n^x combinations. Assuming an equal distribution of first position characters throughout the alphabet, the brute force method would on average only need to test half of all possible combinations. Furthermore, the time taken to brute force the password could be further reduced by splitting the task across multiple threads and/or processors and/or computers. Each processor would only ever test 1/xth of the total combinations (again on average half of the theoretcial maximum assuming an even distribution of 2nd position characters across the alphabet) - this could be further reduced by using a network of computers i.e. continually breaking the task down into smaller chunks.
So keep in mind the time taken to brute force something is a theoretical constraint. In addition, as other posters have mentioned, the weakness does not usually reside with the password itself.
Andrew
P.S. Plus I reckon most systems will trim a password such that trailing and leading spaces will be ignored. This would reduce the number of combinations to test by (n-1)^63 for leading spaces and the same again for a final trailing space and even less again for multiple trailing spaces.
Last edited:
Andrew Fergus
MrExcel MVP
- Joined
- Sep 9, 2004
- Messages
- 5,462
- Office Version
- 365
- 2021
- 2016
- Platform
- Windows
Whoops. MAJOR FAIL on my part. I got my x's and n's the wrong way round. Sorry for any confusion!
RESTATED:
The number of password combinations to test using brute force is x^n where n is the number of characters being tested and x is the number of characters in the character set. An 8 character password (using numbers and letters in both cases) has 62^8 combinations, adding a space increases this to 63^8. There are 14% more combinations that require brute force testing by the inclusion of a space in this example.
The reduction for leading and trailing spaces would be 2 x (63^7).
The reason for the increased brute force times is a function of the number of characters in the password, not the inclusion of spaces (which is a consequence of the proposed password method).
Andrew
RESTATED:
The number of password combinations to test using brute force is x^n where n is the number of characters being tested and x is the number of characters in the character set. An 8 character password (using numbers and letters in both cases) has 62^8 combinations, adding a space increases this to 63^8. There are 14% more combinations that require brute force testing by the inclusion of a space in this example.
The reduction for leading and trailing spaces would be 2 x (63^7).
The reason for the increased brute force times is a function of the number of characters in the password, not the inclusion of spaces (which is a consequence of the proposed password method).
Andrew
Last edited:
Norie
Well-known Member
- Joined
- Apr 28, 2004
- Messages
- 76,377
- Office Version
- 365
- Platform
- Windows
I've got a fail-safe method of creating passwords - just pick random objects in your line of sight, add the first thought that comes into your mind and think up a number.
Combine all that in a random order and bingo!!!.
The perfect password you can't even break yourself.
Or remember.
Combine all that in a random order and bingo!!!.
The perfect password you can't even break yourself.
Or remember.
Andrew Fergus
MrExcel MVP
- Joined
- Sep 9, 2004
- Messages
- 5,462
- Office Version
- 365
- 2021
- 2016
- Platform
- Windows
Haha! Very true. I've done that before.......funnily enough an admin at one of my former clients used the acronym method which I never forgot but it also told me :
a) his wife's name;
b) their new electrical appliance, and
c) that his grammar wasn't the best!
Most importantly I never forgot it so that was a good thing for when he was away, except I was a contractor and not officially part of the organisation.....
The forced capitalisation is actually an issue I face with an online server. I always forget that I am required to use an uppercase letter so they constantly have to reset my password - there's increased security for you! New password notification via e-mail is about as secure as a postcard....
a) his wife's name;
b) their new electrical appliance, and
c) that his grammar wasn't the best!
Most importantly I never forgot it so that was a good thing for when he was away, except I was a contractor and not officially part of the organisation.....
The forced capitalisation is actually an issue I face with an online server. I always forget that I am required to use an uppercase letter so they constantly have to reset my password - there's increased security for you! New password notification via e-mail is about as secure as a postcard....
Domski
Well-known Member
- Joined
- Jan 18, 2005
- Messages
- 7,292
I've got a fail-safe method of creating passwords - just pick random objects in your line of sight, add the first thought that comes into your mind and think up a number.
Combine all that in a random order and bingo!!!.
The perfect password you can't even break yourself.
Or remember.
That sounds like my method
. The number of times I sit staring blankly at my logon screen on a Monday morning looking for inspiration as to what password I'd chosen on Friday is unreal.Dom
Which is even more possible since the advent of cloud computing which creates a very affordable 'super-computer' for this type of number crunching.
I consider a password of 10 characters with mixed upper, lower, numbers and symbols as secure enough. If someone was cracking a database of password hashes I believe they'd come up with enough others before they broke mine. If anyone cares enough to put the effort into breaking it they'll get there regardless of length and entropy.
Nick
That's 219 years based on today's computing power.
In 10 years time when you have an optical processor capable of trillions of operations per second, you will scoff at the ease at which you can brute force a 64 bit or 128 bit password.
In any case, passwords are only as secure as the person that knows them, and actually forcing them to be more complex by requiring a mixture of upper / lower case and a number, and forcing the user to change them every so often has the opposite effect than is intended.
My boss cannot remember his password month to month, so he writes his password on a post-it note which is stuck to the bottom of his keyboard. Secure!
Whereas everyone knows their 4-digit bank card PIN number off by heart, so it's more secure since there's no need to ever write it down. The systems that accept PIN numbers only ever allow 3-5 attempts before locking you out, so there's no danger of them being cracked.
That wouldn't work with passworded files of course, which are at the mercy of the software that's trying to crack them... The difficulty there is how long do can you make the password before it becomes impossible to remember, forcing you to write it down, which instantly makes it less secure!
I think at least 8 characters with at least 1 capital letter and at least one number is what the world has settled for. As computing power moves ever onwards, we will be able to crack such short passwords with ease, but for now it's enough!
MrKowz
Well-known Member
- Joined
- Jun 30, 2008
- Messages
- 6,653
- Office Version
- 365
- 2016
- Platform
- Windows
Keep in mind that no matter how fast your computer is, no matter how many threads or processors it has, you are STILL limited to both the speed of your internet connection (Kinda like driving a Bugatti Veyron in Chicago, IL downtown rush hour), and the speed at which the receiving server can process your requests. What the article states is that most servers and internet connections can handle only approx 100 requests per second.
But if you have a list of the password hashes from the server database then you only need the raw processing power. This is, I believe, the more likely form of attack since brute-forcing through a normal site login script would (should) raise too many alarms to the site admin.
Nick
