Invitation to Cybersecurity

tack. A dictionary attack is a password hashing attack that draws base words from a wordlist (e.g., a dictionary) and applies string mangling. String mangling is modifying base words in formulaic ways by changing capitalization, using character substitutions, and adding prefixes and postfixes. Free password cracking programs such as John the Ripper make these attacks easy to perform.

Figure 9.8 The difference between random and user-selected passwords (not drawn to scale).

The password math for the old-style approach works in a hacker’s favor. To turn the math in the user’s favor, passwords should be long and complex. They should not be built upon a single base word and then modified in a predictable way—passwords need to have some randomness. The problem with randomness is that it is difficult to remember. However, there are tricks to make it easier to remember a password while it still appears to be random. One way is to take parts of letters in a phrase to build a quasi-acronym. Here are a couple of strong passwords that look random but are still relatively easy to remember because they are based on a memorable phrase:

cyIZ4ull0f$+@dv (phrase: “cybersecurity is full of fun and adventure”)
@L&B0bRbstfr1D$ (phrase: “alice and bob are best friends”)

The letter selections and character substitutions used to build the quasi-acronym are chosen arbitrarily, but after typing them a few times, they start to feel natural and become memorable. For fifteen-character passwords, the number of passwords in this space is 95^15 (95 being the number of printable ASCII characters), which is approximately 4 × 10^29 ≈ 2^98 possible combinations. Importantly, because of their semi-randomness, they are relatively well distributed throughout the entire space as opposed to being concentrated in a small area like in Figure 9.8.

If we assume that a nation-state hacker could compute 2^50 hashes per second (one quadrillion per second), it would take:

2^98 passwords / 2^50 hashes per second / 2 = 2^47 seconds

This many seconds is more than four million years, and this assumes a highly advanced adversary.
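The chapter's password math as an added worked example (this script is not from the textbook): it sizes the 15-character printable-ASCII space against a formulaic base-word-plus-mangling space whose word count and rule counts are assumed for illustration, expresses each as bits, and converts both to expected cracking time at the chapter's 2^50 hashes per second.

```python
import math

# The chapter's space: 95 printable ASCII characters, 15 positions.
PRINTABLE_ASCII = 95
PASSWORD_LENGTH = 15
NATION_STATE_RATE = 2 ** 50          # hashes per second, the chapter's assumption
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def random_keyspace(alphabet_size: int, length: int) -> int:
    """Distinct passwords when every position is chosen uniformly at random."""
    return alphabet_size ** length


def mangled_dictionary_keyspace(words: int, case_rules: int,
                                substitution_rules: int, affix_rules: int) -> int:
    """Upper bound on a 'base word + formulaic mangling' scheme: each factor is
    the number of choices the rule set has at that mangling step."""
    return words * case_rules * substitution_rules * affix_rules


def bits(keyspace: int) -> float:
    """Keyspace expressed as bits (log2), the unit the chapter's 2^98 uses."""
    return math.log2(keyspace)


def expected_crack_seconds(keyspace: int, hashes_per_second: int) -> float:
    """Expected guessing time: on average half the space is tried before a hit."""
    return keyspace / hashes_per_second / 2


def expected_crack_years(keyspace: int, hashes_per_second: int) -> float:
    """Same expectation in years, for comparison with the chapter's figure."""
    return expected_crack_seconds(keyspace, hashes_per_second) / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Constructed mangling budget (assumed for illustration): a 100,000-word list,
    # 4 capitalisation patterns, 8 substitution patterns, 1,000 prefix/suffix choices.
    dictionary = mangled_dictionary_keyspace(100_000, 4, 8, 1_000)
    random_15 = random_keyspace(PRINTABLE_ASCII, PASSWORD_LENGTH)
    for label, space in (("mangled dictionary", dictionary),
                         ("random 15-char", random_15)):
        print(f"{label:20s} {bits(space):6.1f} bits  "
              f"{expected_crack_years(space, NATION_STATE_RATE):.3g} years")
```

The mangled-dictionary space comes out near 32 bits and falls in microseconds at the assumed rate, while the random 15-character space sits near 98.5 bits and takes about 4.46 million years on average.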
