Good and Bad Passwords How-To

Knowledge of Password Cracking Techniques Leads to a Single Rule for How NOT to Create Passwords

• Whose Side Am I On?
• Standard Password DONT's Revisited
• Personal Information and Focused Dictionaries

Whose Side Am I On?

By this point I suspect some readers may be asking whose side am I on. Haven't I just handed crackers instructions for improving their cracking dictionaries? Perhaps, but I expect the sharp crackers figured this out long before I did. Dictionaries can and should be made irrelevant. To understand why and how, it's important for those who want passwords that can't be cracked to understand how cracking tools work.

We know that now and for some time into the future, brute force attacks cannot reliably succeed against passwords of reasonable length and sufficient character set complexity. You can break dictionary attacks just as easily by not using "dictionary" words. We're going to restate the DONT's into one simple absolute rule regarding passwords.

Because the rule is so general, it should be supplemented with some of the standard advice identifying more tangible examples that users will more easily relate to. Without identifying keyboard sequences, not many are likely to realize lists of these have been made.

Standard Password DONT's Revisited

Reviewing the standard password do NOTs, every rule listed except 9 (personal information) and 14 (repeating characters) is actually a specific instance or example of the second rule which has now been generalized into the new rule above. Even the first rule about account names and personal information in the password file is another specific case of the general rule. It's been shown to be the single most productive source for cracking passwords available. As cracking tools evolve, they may start collecting information from other computerized information. If the more traditional sources of passwords (dictionaries and ordinary word lists) become less productive and other sources about the specific account can be shown to be more productive the cracking tools will acquire these abilities.

Rule 10, what you can imagine being collected into a list, is good advice for not using things that today aren't in the crackers' dictionaries but may be tomorrow. The great license plates is a specific example of this. I've searched and can't find such a list but it looks like a good candidate. I also haven't seen any lists of "good passwords" but wherever an example of one appears, it's probably worth the crackers efforts to add it to their dictionary. If someone shows an example of how to form a good password, you can pretty much count on someone else using the specific example and thinking they have a good password.

Not using personally related information is typically one of the first password DONT's. Except for that contained in the passwd file (or SAM, on Windows systems), this isn't relevant to password crackers as they exist and are used today. When looking at what constitutes personal information, you get names, words and numbers. Unless there is something very different about a specific individual, all the names and words that pertain to them, already exist in computer lists and should not be used for that reason. The numbers could easily exist as electronically accessible information.

Personal Information and Focused Dictionaries

Paul Bobby has proposed an approach to creating "Focused Dictionaries"¹ in which significant amounts of personal information is collected and manually added to the GECOS field of the passwd file being cracked. He then identifies a number of transformations including grammar changes (s, ed, ing), letter substitutions as already identified and numeric sequences of 00 through 99. He actually comes up with over 300,000 transformations per two word pair and provides John the Ripper rule syntax to implement these.

It's my personal opinion that not enough people make passwords from personal information to make this cost effective and that better returns would be achieved by optimizing the dictionaries and rule sets as discussed previously. At present there is no empirical evidence to support either position but a properly conducted study would show the relative merits of the different approaches. The "Focused Dictionaries" require a lot of labor for each target and thus must be highly productive to be worthwhile. Optimized dictionaries apply knowledge gained from one target to others.

One of the weaknesses with Paul Bobby's proposal is that not enough variations are identified. For birth date only one format is identified. Given the numerous ways that any date can be formatted, I think the suggested format would only account for a modest percent of those who did use their birth date as or in their password. mmddyy is the suggested format. I think mm-dd-yy, mm/dd/yy, yymmdd, mmddyyyy, and yyyymmdd are all as likely if they are the entire password. I also think all of the following may be used as part of a password: myy, mmyy, md, mdd, mmdd, mond (jan4, mar27, Jul9), dmon. Still more formats are plausible: mm.dd.yy, mondyy (dec765), dmonyy (11aug72), monyyyy, mmyyyy, monthd (April17). Also phone number, social security number, license plate number and addresses contain pieces that are 2 to 5 digit sequences all of which are easy to remember. Given the amount of labor required to collect personal information, all plausible transformations and combinations of that data should be tried.

Thus, there is at least one systematic method proposed for using personal information in password cracking. Further, it's hard to keep track of personal information entered into computers or to predict how inventive crackers might become in finding new sources of computer information that can automatically be applied to cracking efforts. Clearly the NT SAM has several large fields for each user record that are not being used by existing cracking tools. On NT systems, applications like Outlook and Exchange might have useful information that can be directly related to account names. Besides the personal information, the names of any site specific groups that a user is a member of might be a fruitful source of account targeted information on both Windows and Unix. On UNIX systems, users home directories are likely to present similar opportunities. The safe approach is to not use any personal information in forming passwords.

It's worth remembering that with today's systems, anyone who can obtain accounts and password hashes can likely obtain any other information on the computer, even if they do not yet have full interactive access.

Top of Page - Site Map

Copyright © 2000 - 2014 by George Shaffer. This material may be distributed only subject to the terms and conditions set forth in http://GeodSoft.com/terms.htm (or http://GeodSoft.com/cgi-bin/terms.pl). These terms are subject to change. Distribution is subject to the current terms, or at the choice of the distributor, those in an earlier, digitally signed electronic copy of http://GeodSoft.com/terms.htm (or cgi-bin/terms.pl) from the time of the distribution. Distribution of substantively modified versions of GeodSoft content is prohibited without the explicit written permission of George Shaffer. Distribution of the work or derivatives of the work, in whole or in part, for commercial purposes is prohibited unless prior written permission is obtained from George Shaffer. Distribution in accordance with these terms, for unrestricted and uncompensated public access, non profit, or internal company use is allowed.