Invitation to Cybersecurity

9. The Application of Cybersecurity: Principles and Practices 235

it is still widely practiced and promoted. The guidance required that passwords be at least eight characters long and have at least one uppercase, one lowercase, and one non-alphabetic character. Password math (similar to keyspace math) can be used to determine the number of passwords in this space. Password math takes the length of the password and the character set to compute the total number of possibilities. There are twenty-six uppercase letters [A-Z], twenty-six lowercase letters [a-z], ten digits [0-9], and thirty-three other typable non-alphabetic characters (e.g., !, @, #, $, etc.). Therefore, for every place in a password there are ninety-five possible choices. This means that for an eight-character password, the total number of possible passwords is:

95 × 95 × 95 × 95 × 95 × 95 × 95 × 95 = 95^8 ≈ 6 × 10^15

Converted to a power of two, this number is approximately 2^53 (see Section 2.1.3 for the base-two to base-ten conversion rule). If we assume that a sophisticated hacker could compute 2^40 hashes per second (one trillion per second), to crack any password in this space would take:

2^53 passwords / 2^40 hashes per second / 2 = 2^12 seconds

This is a little over an hour to crack any one of these passwords (see Section 7.1.1 for the brute-force keyspace attack math).[1] If we assume a common hacker could compute 2^30 hashes per second (one billion per second), it would take:

2^53 passwords / 2^30 hashes per second / 2 = 2^22 seconds

This is around 48 days—still not very much time. Clearly an eight-character password is not long enough. But the reality is actually much worse than this. Users have adopted NIST's guidance in predictable ways. For example, typical passwords following these guidelines have a structure similar to this: base word + digit or symbol. Examples of passwords matching this structure are Password1 and Password!

In other words, passwords are not drawn randomly from the password space—instead they occupy only a tiny fraction of the potential passwords (see Figure 9.8). The password math for passwords matching this structure is the number of base words times the number of digits and symbols. If we assume there are one million English words and forty-three digits and non-alphabetic characters, this means there are forty-three million passwords in this space, or around 2^26 passwords—far fewer than the possible 2^53. If a common hacker can compute 2^30 hashes per second (one billion per second), then a formulaic password like this could be cracked in:

2^26 passwords / 2^30 hashes per second / 2 = 0.03125 seconds

This equals just three hundredths of a second!

[1] The password cracking math in this section assumes salt is used but not key stretching (see Section 7.2.3.3).
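The password math above, carried through in code as an added example (not from the book): it computes the full 95-character keyspace and the "base word + digit or symbol" space, converts each to a power of two, and applies the book's expected-crack-time formula (half the space divided by the attacker's hash rate, assuming salted hashes without key stretching). The `matches_formula` check and the `effective_space` estimator, which a password policy could use to flag formulaic choices, are additions here, as are the sample passwords and the one-million-word and forty-three-suffix defaults taken from the text's assumptions.

```python
import math

# Character classes as the text counts them: 26 uppercase, 26 lowercase,
# 10 digits, 33 other typable non-alphabetic characters = 95 choices per place.
UPPER, LOWER, DIGITS, SYMBOLS = 26, 26, 10, 33
FULL_CHARSET = UPPER + LOWER + DIGITS + SYMBOLS  # 95

# Attacker hash rates used in the text (assumption: salted hashes, no key stretching).
SOPHISTICATED_RATE = 2 ** 40   # about one trillion hashes per second
COMMON_RATE = 2 ** 30          # about one billion hashes per second


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of `length` places over a charset of `charset_size`."""
    return charset_size ** length


def bits_of_entropy(space: int) -> float:
    """Express a keyspace as a power of two (log2), the form the book uses."""
    return math.log2(space)


def expected_crack_seconds(space: int, hashes_per_second: int) -> float:
    """Expected time to find one password: on average half the space is searched
    before the right guess, so the exhaustive time is divided by two."""
    return space / hashes_per_second / 2


def formulaic_space(base_words: int, suffix_choices: int) -> int:
    """Keyspace for the 'base word + one digit or symbol' structure."""
    return base_words * suffix_choices


def matches_formula(password: str) -> bool:
    """True when a password has the predictable shape the text warns about:
    an alphabetic base word followed by exactly one digit or symbol.
    (Hypothetical policy check added for this example.)"""
    if len(password) < 2 or not password.isascii():
        return False
    return password[:-1].isalpha() and not password[-1].isalpha()


def effective_space(password: str, base_words: int = 1_000_000,
                    suffix_choices: int = 43) -> int:
    """Size of the space that actually has to be searched for this password:
    the formulaic space if it follows the pattern, otherwise the full keyspace
    for its length. Defaults are the text's one million words and 43 suffixes."""
    if matches_formula(password):
        return formulaic_space(base_words, suffix_choices)
    return keyspace(FULL_CHARSET, len(password))


def describe(seconds: float) -> str:
    """Human-readable duration for a report."""
    if seconds < 60:
        return f"{seconds:.5f} seconds"
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    return f"{seconds / 86400:.1f} days"


if __name__ == "__main__":
    # Constructed sample passwords: two formulaic, one drawn from the full charset.
    for pw in ("Password1", "Password!", "x7Q!mz9#"):
        space = effective_space(pw)
        print(f"{pw:12s} ~2^{bits_of_entropy(space):.1f} passwords; "
              f"common attacker: {describe(expected_crack_seconds(space, COMMON_RATE))}, "
              f"sophisticated: {describe(expected_crack_seconds(space, SOPHISTICATED_RATE))}")
```

Running the script reproduces the book's figures: 95^8 is about 2^53, which takes 2^12 seconds (a little over an hour) at 2^40 hashes per second and 2^22 seconds (about 48 days) at 2^30, while a formulaic password's 43-million space falls to 0.03125 seconds at the common rate. The `effective_space` estimate is deliberately conservative about structure: any password that does not match the single pattern is credited with the full keyspace, so extending the check with other known patterns would only lower the estimates.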
