Invitation to Cybersecurity

9. The Application of Cybersecurity: Principles and Practices

…uppercase letters [A-Z], twenty-six lowercase letters [a-z], ten digits [0-9], and thirty-three other typable non-alphabetic characters (e.g., !, @, #, $, etc.). Therefore, for every place in a password there are ninety-five possible choices. This means that for an eight-character password, the total number of possible passwords is:

$$95 \times 95 \times 95 \times 95 \times 95 \times 95 \times 95 \times 95 = 95^8 \approx 6 \times 10^{15}$$

Converted to a power of two, this number is approximately $2^{53}$ (see Section 2.1.3 for the base two-base ten conversion rule). If we assume that a sophisticated hacker could compute $2^{40}$ hashes per second (about one trillion per second), then cracking any one password in this space would take, on average:

$$2^{53} \text{ passwords} \,/\, 2^{40} \text{ hashes per second} \,/\, 2 = 2^{12} \text{ seconds}$$

That is 4,096 seconds, a little over an hour, to crack any one of these passwords (see Section 7.1.1 for the brute-force keyspace attack math).[1] The division by two reflects that the attacker, on average, hits the right password after searching half the keyspace. If we assume a common hacker could compute $2^{30}$ hashes per second (about one billion per second), it would take:

$$2^{53} \text{ passwords} \,/\, 2^{30} \text{ hashes per second} \,/\, 2 = 2^{22} \text{ seconds}$$

This is around 48 days, still not very much time. Clearly an eight-character password is not long enough.

But the reality is actually much worse than this. Users have adopted NIST's guidance in predictable ways. For example, typical passwords following these guidelines have a structure similar to this: base word + digit or symbol. Examples of passwords matching this structure are Password1 and Password! In other words, passwords are not drawn randomly from the password space; instead they occupy only a tiny fraction of the potential passwords (see Figure 9.8). The password math for passwords matching this structure is the number of base words times the number of digits and symbols. If we assume there are one million English words and forty-three digits and non-alphabetic characters, this means there are forty-three million passwords in this space, or around $2^{26}$ passwords, far fewer than the possible $2^{53}$.

If a common hacker can compute $2^{30}$ hashes per second (about one billion per second), then a formulaic password like this could be cracked in:

$$2^{26} \text{ passwords} \,/\, 2^{30} \text{ hashes per second} \,/\, 2 = 2^{-5} = 0.03125 \text{ seconds}$$

This equals just three hundredths of a second! It is true that not all user passwords following NIST's old guidance fit this simple structure: some combine two short words, modify capitalization in other ways, insert symbols in multiple places, and are a little longer. For example, p@ssw0rd11, #passWORD23, !PA55word1, etc. These examples probably look more like the passwords a typical reader of this book might use, but the main point still applies. Any formulaic password around the length of eight to ten characters is likely to be cracked quickly with a dictionary at-

[1] The password cracking math in this section assumes salt is used but not key stretching (see Section 7.2.3.3).
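The keyspace arithmetic above, carried through in code, together with a toy salted dictionary attack over the "base word + digit or symbol" structure. This is an added worked example, not code from the book. It reuses the chapter's constants (a 95-symbol alphabet, 2^40 and 2^30 hashes per second, one million base words, 43 suffixes) and, because the chapter's footnote assumes salt but no key stretching, it also adds a work-factor parameter to show what stretching does to the same numbers. The wordlist, salt, and target passwords are constructed for the demo and are not from the book.

```python
"""Password keyspace arithmetic and a toy salted dictionary attack.

Added example, not from the book. Wordlist, salt, and targets are constructed.
"""
import hashlib
import math
import string

# 26 upper + 26 lower + 10 digits + 33 other typable characters = 95.
# string.punctuation holds 32 symbols; adding the space makes 33.
ALPHABET = string.ascii_letters + string.digits + string.punctuation + " "
assert len(ALPHABET) == 95

# The 43 "digit or symbol" suffixes of the formulaic structure (10 + 33).
SUFFIXES = string.digits + string.punctuation + " "


def keyspace_size(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of a fixed length over an alphabet."""
    return alphabet_size ** length


def entropy_bits(keyspace: int) -> float:
    """Express a keyspace as a power of two (the chapter's base-2 conversion)."""
    return math.log2(keyspace)


def seconds_to_crack(keyspace: int, hashes_per_second: int, work_factor: int = 1) -> float:
    """Expected seconds to recover one password by exhaustive guessing.

    On average half the keyspace is searched before a hit, hence the /2.
    work_factor models key stretching: each guess costs that many hash
    computations, so the attacker's effective rate drops by the same factor.
    The chapter's figures assume salt but no stretching, i.e. work_factor=1.
    """
    return keyspace / hashes_per_second / 2 * work_factor


def structured_keyspace(num_base_words: int, num_suffixes: int) -> int:
    """Size of the 'base word + one digit or symbol' space."""
    return num_base_words * num_suffixes


def salted_hash(password: str, salt: bytes) -> str:
    """Salted, unstretched SHA-256: the scheme the chapter's math assumes."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def formulaic_candidates(wordlist):
    """Yield 'word + suffix' guesses, with and without an initial capital."""
    for word in wordlist:
        for base in (word, word.capitalize()):
            for suffix in SUFFIXES:
                yield base + suffix


def dictionary_attack(target_hash: str, salt: bytes, wordlist):
    """Return the recovered password, or None if it lies outside the structured space."""
    for guess in formulaic_candidates(wordlist):
        if salted_hash(guess, salt) == target_hash:
            return guess
    return None


# --- constructed demo data (not from the book) ---------------------------------
DEMO_WORDLIST = ["welcome", "dragon", "letmein", "password", "summer"]
DEMO_SALT = b"\x00\x11\x22\x33\x44\x55\x66\x77"  # fixed so the demo is reproducible
FORMULAIC_TARGET = salted_hash("Password1", DEMO_SALT)   # the chapter's example
RANDOM_PASSWORD = "q7$Zv!2L"  # 8 chars with no base word; stands in for a uniform draw from 95^8
RANDOM_TARGET = salted_hash(RANDOM_PASSWORD, DEMO_SALT)


if __name__ == "__main__":
    full = keyspace_size(95, 8)
    print(f"95^8 = {full:.2e} ~ 2^{entropy_bits(full):.1f}")
    for rate, who in ((2 ** 40, "sophisticated"), (2 ** 30, "common")):
        print(f"{who} hacker at 2^{int(math.log2(rate))}/s: {seconds_to_crack(2 ** 53, rate):,.0f} s")
    formulaic = structured_keyspace(10 ** 6, 43)
    print(f"formulaic space: {formulaic:,} ~ 2^{entropy_bits(formulaic):.1f}, "
          f"{seconds_to_crack(formulaic, 2 ** 30):.3f} s at 2^30/s")
    print("same space, key stretching with 2^17 iterations:",
          seconds_to_crack(2 ** 26, 2 ** 30, work_factor=2 ** 17), "s")
    print("dictionary attack on Password1 ->", dictionary_attack(FORMULAIC_TARGET, DEMO_SALT, DEMO_WORDLIST))
    print("dictionary attack on random    ->", dictionary_attack(RANDOM_TARGET, DEMO_SALT, DEMO_WORDLIST))
```

Running it reproduces the chapter's figures (2^12 seconds at 2^40 hashes per second, 2^22 seconds at 2^30, and 0.03125 seconds for the 2^26 formulaic space), recovers Password1 from its salted hash with a five-word list, and fails to recover the randomly drawn password because it is not of the form the candidate generator enumerates. The work-factor line is the caveat behind the chapter's footnote: with key stretching at 2^17 iterations per guess, the same formulaic space goes from a few hundredths of a second back to over an hour at the same hash rate.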
