INVITATION TO CYBERSECURITY 236

It is true that not all user passwords following NIST’s old guidance fit this simple structure—some combine two short words, modify capitalization in other ways, insert symbols in multiple places, and are a little longer. For example, p@ssw0rd11, #passWORD23, !PA55word1, etc. These examples probably look more like the passwords a typical reader of this book might use, but the main point still applies. Any formulaic password around the length of eight to ten characters is likely to be cracked quickly with a dictionary attack. A dictionary attack is a password hashing attack that draws base words from a wordlist (e.g., a dictionary) and applies string mangling. String mangling is modifying base words in formulaic ways by changing capitalization, using character substitutions, and adding prefixes and postfixes. Free password cracking programs such as John the Ripper make these attacks easy to perform.

Figure 9.8 The difference between random and user-selected passwords for an eight-character password (not drawn to scale).

The password math for the old-style approach works in a hacker’s favor. To turn the math in the user’s favor, passwords should be long and complex. They should not be built upon a single base word and then modified in a predictable way—passwords need to have some randomness. The problem with randomness is that it is difficult to remember. However, there are tricks to make it easier to remember a password while it still appears to be random. One way is to take parts of letters in a phrase to build a quasi-acronym.
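The following is an added example, not code from the book: a policy-side check that undoes the three mangling steps named above (prefix/postfix, character substitution, capitalization) and reports whether a candidate collapses to a single base word, plus the keyspace arithmetic for a truly random password over the 95 printable ASCII characters. The wordlist and substitution table are constructed stand-ins for the much larger rule sets and dictionaries a cracker such as John the Ripper ships with.

```python
"""Detect the 'one base word + formulaic mangling' pattern and compute the
95^n keyspace for random passwords (added example; not from the book)."""
import math
import re

# Constructed stand-in for a real cracking wordlist; real ones hold millions.
WORDLIST = {"password", "alice", "bob", "cyber", "summer", "welcome", "dragon"}

# Assumed typical character substitutions to undo; real rule sets are larger.
UNLEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                        "0": "o", "$": "s", "5": "s", "+": "t", "7": "t"})


def base_word(password: str) -> str:
    """Reverse the mangling steps: drop postfix and prefix digits/symbols,
    undo substitutions, then normalise capitalisation."""
    core = re.sub(r"[^A-Za-z]+$", "", password)  # postfix such as '11' or '23'
    core = re.sub(r"^[^A-Za-z]+", "", core)       # prefix such as '#' or '!'
    return core.translate(UNLEET).lower()


def is_formulaic(password: str, wordlist=WORDLIST) -> bool:
    """True when the password reduces to one wordlist entry, i.e. it lies in
    the small space a dictionary attack with mangling rules covers first."""
    return base_word(password) in wordlist


def keyspace_bits(length: int, alphabet_size: int = 95) -> float:
    """log2 of the count of strings of this length over printable ASCII:
    the 'password math' for a password that is actually random."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for pw in ["p@ssw0rd11", "#passWORD23", "!PA55word1",
               "cyIZ4ull0f$+@dv", "@L&B0bRbstfr1D$"]:
        verdict = "formulaic" if is_formulaic(pw) else "no single base word"
        print(f"{pw:18} base={base_word(pw)!r:20} {verdict}")
    print(f"15 random printable chars: 95^15 = {95 ** 15:.2e}"
          f" ~ 2^{keyspace_bits(15):.1f}")
```

The three book examples all reduce to "password", while the two phrase-based passwords given below do not reduce to any wordlist entry, which is exactly the property the text is after.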
Here are a couple of strong passwords that look random but are still relatively easy to remember because they are based on a memorable phrase:

cyIZ4ull0f$+@dv (phrase: “cybersecurity is full of fun and adventure”)
@L&B0bRbstfr1D$ (phrase: “alice and bob are best friends”)

The letter selections and character substitutions to build the quasi-acronym are chosen arbitrarily, but after typing them a few times, they start to feel natural and become memorable. For fifteen-character passwords, the number of passwords in this space is $95^{15}$, and this equals approximately $4 \times 10^{29} \approx 2^{98}$ possible combinations. Importantly, because of their semi-randomness, they are relatively well distributed throughout the entire space as op-