What is a Password?
Assume a house has a lock to keep strangers out. Anyone who holds the key can enter the house. In the same way, a web or desktop application requires a password before it grants access. Anyone who knows the password can enter the application, and that is not always the legitimate user.
How are passwords stored in the DB?
Generally passwords are not stored in the DB in clear text but as the output of a cryptographic hash function. A hash function converts text of any length into a fixed-length value (usually shown as hexadecimal), and it is one-way: the input cannot be recovered from the hash. Examples of hash algorithms are SHA-1, SHA-256 and MD5. This is how it works: when a user registers, the web application hashes the password with one of these algorithms and stores the user-name together with the hash, never the password itself. When the user logs in, the application hashes the submitted password the same way, compares the result with the hash stored for that user-name, and authorizes the user if the two match. One caveat a practitioner should know: MD5, SHA-1 and SHA-256 are general-purpose hashes designed to be fast, and that speed is exactly what makes the attack described next cheap; dedicated password hashing schemes such as bcrypt, scrypt or Argon2, used with a random per-user salt, are deliberately slow for that reason.
If the website has a vulnerability such as SQL injection, an attacker can read the password table and dump every hash to his local machine. Consider a password that is a 4-digit numeric value. The number of possible strings, counting arrangements with repetition, is
n^r = 10^4 = 10000
i.e. each of the four positions can hold any of the ten digits, so there are 10000 possible 4-digit passwords in total. (P(n, r) without repetition would be 10!/(10-4)! = 5040, which is not the right count here, because digits may repeat.) Hashing all 10000 of them is trivial: even a dual-core CPU computes millions of MD5 or SHA-256 hashes per second, so the whole set is done in a fraction of a second, far less than a minute. Let us save these 10000 hash/plaintext pairs as a dictionary.
The attacker now takes all the dumped hashes and writes a small program that looks each one up in the 10000-entry dictionary, which again takes well under a minute. Every hash that matches an entry has its password recovered, i.e. cracked. Note that this works so well because the hashes are unsalted: identical passwords give identical hashes, so one dictionary serves every user in the dump.
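The dictionary attack described above, as an added example that is not part of the original post: it builds the 10000-entry table of unsalted SHA-256 hashes of every 4-digit PIN and looks the dumped hashes up in it. The "dumped" hashes and user names are constructed inline so the script runs offline; `build_dictionary` and `crack` are names chosen for this example.

```python
import hashlib
import itertools
import time

# Constructed sample of a breach dump: a site that stored unsalted SHA-256
# of each user's password. The plaintexts appear here only so the example
# can build its own dump; an attacker would only have the digests.
DUMPED_HASHES = {
    "alice": hashlib.sha256(b"1234").hexdigest(),
    "bob":   hashlib.sha256(b"0000").hexdigest(),
    "carol": hashlib.sha256(b"hunter2").hexdigest(),  # not a 4-digit PIN
}


def build_dictionary(alphabet="0123456789", length=4, algorithm="sha256"):
    """Hash every candidate of the given alphabet and length (n**r entries).

    Returns a dict mapping hex digest -> plaintext, so each dumped hash can be
    looked up in O(1) instead of being compared against every entry.
    """
    table = {}
    for chars in itertools.product(alphabet, repeat=length):
        candidate = "".join(chars)
        digest = hashlib.new(algorithm, candidate.encode()).hexdigest()
        table[digest] = candidate
    return table


def crack(dumped, table):
    """Look each dumped hash up in the precomputed table.

    Returns {user: plaintext} for every hash that matched. Because the hashes
    are unsalted, the same table serves every user in the dump.
    """
    return {user: table[h] for user, h in dumped.items() if h in table}


if __name__ == "__main__":
    start = time.perf_counter()
    table = build_dictionary()
    print(f"built {len(table)} hashes in {time.perf_counter() - start:.3f}s")
    print("cracked:", crack(DUMPED_HASHES, table))
```

Swapping `algorithm` for `"md5"` or `"sha1"` changes nothing about the outcome; the table is rebuilt in a fraction of a second either way, which is the point the post makes about fast hashes. Only carol's hash survives, and only because her password is outside the 4-digit keyspace, not because the scheme protected it.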
What is a strong Password?
Now you are clear that a 4-digit numeric password is cracked in no time. So what is a good strong password? Any suggestions? Let me ask once more: "Whatisagoodstrongpassword?" (yes, that exact string is a reasonable choice for a strong password, and it is 26 characters long). While choosing a password keep in mind that a single modern GPU can test billions of candidates per second against a fast hash such as MD5 or SHA-1, not ten thousand.
The dictionary needed to brute-force this password is sized as follows:
Total alphabet = 26 + 26 + 10 + 33 = 95 (lower-case letters, capital letters, digits, printable special characters including space)
Total candidates of length 26 (the password dictionary) = 95^26 ≈ 2.6 x 10^51
Look at that number. Such a dictionary cannot be stored, let alone enumerated: even at 10^12 hashes per second, an optimistic rate for a large GPU cluster against a fast hash, exhausting 2.6 x 10^51 candidates takes about 2.6 x 10^39 seconds, roughly 8 x 10^31 years. So the answer to "in how many days, months, years or decades can this be cracked?" is: not by exhaustive search. One caveat: that figure assumes the attacker tries every string blindly. A passphrase made only of common dictionary words is also exposed to attacks that combine words from a wordlist, which shrinks the effective search space, so the words should not be ones an attacker would pull straight from a list.
Misc: when choosing a password, go for the maximum length with the minimum complexity that still keeps it easy to remember. No website in the world is immune to breaches, but a strong password still protects us when a site is breached and the dump contains our password hash. Using a different password for every portal also protects us from credential stuffing, where a password leaked from one site is tried against others.
I have planned this blog to express my views on information security and will try to learn from, and help, other security minds. All views expressed here are strictly personal. This blog is neither an organization nor affiliated with any organization with respect to the blog posts.
Hi, I am Varun Kondagadapa, an Information Security Specialist with 2+ years of experience in securing organizations. From startups to MNCs, I have work experience with infrastructure of all scales.