Digital Identities

1. 00:00Now we consider the length of passwords and we will discuss the importance
2. 00:06of the large length of passwords in our openHPI
3. 00:10course about Digital Identities.
4. 00:12This password length really has a great influence (I will show later figures about that)
5. 00:21on the strength, on the security of a password and the efficiency
6. 00:25of possible password attacks. Reminder -
7. 00:31notes on generating secure passwords: we
8. 00:37recommended to use upper and lower case letters, we recommended different character classes
9. 00:43to use - when passwords are formed, character classes like letters, numbers, and
10. 00:49special characters. We proposed to have passwords at least of length
11. 00:5512 and we advised taking passwords - not from dictionaries and
12. 01:04also not from the user context, and we warned that password should never be used,
13. 01:11that the same password should never be used for different services.
14. 01:17Now we want to consider,
15. 01:19why we give such advices, and what are the reasons for these indications.
16. 01:28Let's remember the brute force attacks. Brute-force attacks are
17. 01:32the simplest and most straight forward attacks to crack a password. And the idea
18. 01:38we already discuss this, is the systematic test of all possible character combinations
19. 01:45for a selected character class at a given length.
20. 01:50So with sufficient time and resources, brute force always leads to
21. 01:57the goal, because the password is a concrete combination and
22. 02:03when we check all possible combinations, we also find this combination.
23. 02:08So the trick for this brute force attack not to be successful
24. 02:16is to provide, to use long passwords, so that it's no more possible,
25. 02:23that the time that's available for the attack is not enough
26. 02:26to perform such brute force attacks.
27. 02:29So the formula which explains why each of a digital letter helps is the following:
28. 02:38If we compute the number of password candidates from all the
29. 02:43combinations of the character, then we have to take the number
30. 02:48of the characters that are available
31. 02:52and then to the password length, have to take this number
32. 02:55to the password length.
33. 02:58(Number_of_password_candidates = (range_of_characters) to the power of Password Length)
34. 02:59So the larger this range is,
35. 03:04the more possibilities
36. 03:06are available to check this. For example, if we have only 0 and 1,
37. 03:11then the number of the password candidates is
38. 03:152 to the power of the length of the password: 2^8 if the
39. 03:20password has length 8, but if we take the letters of our
40. 03:25alphabet then we have 26 letters, then we have 26
41. 03:32to the power of 8, if the password has the length 8.
42. 03:35But if we are case-sensitive, so we've distinguished between
43. 03:39a lower case and an upper case letter,
44. 03:43then we have 2 times 26 and that is 52 to
45. 03:48the power of 8. You see the more character we use,
46. 03:52the larger is the number of the available password candidates,
47. 03:58and it grows with each additional thing, it grows exponentially.
48. 04:05So the idea of the systematic testing is all possible character combinations
49. 04:10are used and then by means of this formula we just
50. 04:16discussed, one can expect that after half
51. 04:22of all the tries, we have found in the meanwhile, the password.
52. 04:28So from all the possibilities if we check randomly,
53. 04:32the expected time to find the right password is half
54. 04:40of the number of password candidates.
55. 04:42So to protect our passwords against brute-force attacks, the
56. 04:47number of password candidates needs to be as long as possible.
57. 04:52To understand this, let's have a closer look and consider a password consists
58. 04:58only of lower case letters.
59. 05:01These are the letters of our alphabet with our 26 possible characters,
60. 05:06and when we also take numbers
61. 05:10in our password forming, then we get 10
62. 05:16additional characters - the numbers 0 to 9.
63. 05:21So the number of possible characters when we work with these
64. 05:25two groups, letters and numbers is 26 + 10 = 36.
65. 05:31So now let's try and check and see how many seconds it costs
66. 05:38to prove all the possibilities,
67. 05:42to take each of the possible
68. 05:47character, to check this. So if we have our password of length 1,
69. 05:52we have to check 36,
70. 05:58different characters - 26 from the alphabet and 10 from the numbers.
71. 06:03And then if we think, if we assume that we can do 100 billion
72. 06:11password check generation
73. 06:15in 1 second, then we need 0.001
74. 06:21second to check all 36 passwords consisting of 1
75. 06:26character. If we have to check all sequences of two different characters,
76. 06:32then we have 36 times 36 possibilities or the number of our possible
77. 06:38password candidates is: 36 * 36 = 1296,
78. 06:42and the time we need is even smaller than
79. 06:490.001 sec.
80. 06:54If we check passwords with three different characters
81. 06:58we get 36 times 36 times 36 candidates,
82. 07:03these are 46 thousand candidates which we need to check and time is,
83. 07:09with our assumption that we can check, that we can generate
84. 07:12100 billion passwords in a second, what's possible with modern machines - is the same i.e. 0.001 sec.
85. 07:17Now with 4 letters, there are 1,679,616 -
86. 07:26different candidates and it's also
87. 07:29immediately computed. For 5 letters, we have 60 Million
88. 07:34and then for 6 letters we have 2 billion, and now you see, now we start to need more time.
89. 07:39More time, but it can be done in a
90. 07:43small fraction of a second. Again so all passwords that have length 6,
91. 07:48it can be done in less than a second. All passwords that
92. 07:54have length 7 can be checked in time of less
93. 07:59then 1 second. And now if we have passwords of length 8,
94. 08:04then it becomes more than a second, which is needed to test all combinations -
95. 08:10this takes 28 seconds, it's also no problem for the attacker.
96. 08:17Then we come from seconds to minutes, and if we consider passwords here
97. 08:24in our example of the length 10 then we need to check for all the combinations
98. 08:32of 10 different characters, we would need more than 10 hours.
99. 08:4110 hours is also not too much if an attacker wants to really
100. 08:45know our password to misuse
101. 08:48our account. So what can be done? We can work with case sensitive characters,
102. 08:56work with lower case and upper case letters - it
103. 09:00doubles the number of characters, and we can additionally take special characters.
104. 09:06So even then for passwords with length 10, we are in a time frame
105. 09:13that it's possible for the attackers to get it.
106. 09:17This is the reason that we proposed to have length-12,
107. 09:21because with the exponential time to check
108. 09:26passwords with length 12, this would need years. I will show you a table later.
109. 09:32So brute-force attacks are often performed against password hash,
110. 09:37because the attacker does not know the password, so the possible password candidate
111. 09:44need to be hashed and then the attacker is able to check if this hash,
112. 09:49if it doesn't agree with the hash from the database - the customer database.
113. 09:56So the generated password hash is
114. 10:01compared with the hash the attacker
115. 10:04has in hand, and if they match,
116. 10:07the password candidate is the password
117. 10:10the attacker is looking for, and it's the password that the attacker can use
118. 10:14to misuse the account of that user.
119. 10:21The speed of the brute force attacks,
120. 10:25of course, depends on the calculation
121. 10:29speed, it depends on the machines that are available to the attacker,
122. 10:33and it depends on the hash functions that are used. So for example,
123. 10:37with MD5 hashes, one can calculate or
124. 10:42compute a hash and perform the combination faster than with the
125. 10:49SHA-512 hash. The SHA-512
126. 10:54hash is much more secure than the MD5 hash.
127. 10:58Here is a table which shows this cracking complexity,
128. 11:02so we have here listed the length of a password,
129. 11:07and we have a list of the time that is needed
130. 11:11to check all the password candidates. We have the
131. 11:16differences, when one only uses the lower case and letters, as
132. 11:22we did in our example. If one uses
133. 11:26the lower and upper case of the
134. 11:29letters together with the numbers, and if one additionally uses the special
135. 11:35characters then the number of
136. 11:39letters that can be placed in each position is increased. So
137. 11:44in the cracking process, in the brute force method more
138. 11:47combinations have to be checked.
139. 11:49Here, with our length of the password, the machine we already assumed that 100 billion passwords
140. 11:58can be generated per second, and you see if one uses a password of length 12,
141. 12:04which is considered long, only with these letters,
142. 12:10only with the lower case and numbers, then already we need one and a half year
143. 12:17for checking the password of length 10. This was our example,
144. 12:25one needs about 10, about 11 hours. So with each additional number this
145. 12:34exponential increasing shows that waiting years
146. 12:38to find out the password.
147. 12:40This is for the attacker too costly and too time-intensive.
148. 12:47So password length and the
149. 12:51characters, the group of characters you are using really
150. 12:57play great importance for the security of passwords.

To enable the transcript, please select a language in the video player settings menu.