I’ve decided to write about passwords today. So what made me decide to do so? Because yesterday, I locked my keys inside my room. You know what sucked even more? The fact that my landlord didn’t have a spare key. So how did I get back into my room? I brute-forced it. Here are a few pictures to illustrate my point.
This is what my door knob looks like. It’s just a regular one: insert key, turn, open. Simple. Except, I forgot the key, which meant I had to either elegantly pick the lock, or brutishly break it. Since I hadn’t leveled up my lock-picking skills high enough, I decided to go with the latter. Here’s the aftermath.
Notice the lack of a door knob? Yes. I ripped it off with my bare hands (a saw)! In case any of you thieves are planning to rob me this weekend, just remember, the black market value of all my stuff is probably less than the clothes you are wearing, so not worth the effort.
The whole experience got me thinking about passwords. If the lock isn’t strong enough (think bank vault), people like me can brute-force it and break in without knowing the password.

So you gotta really choose a strong password to make sure your stuff is safe. Too many people have simple and easy to remember passwords. Because of this, it is easy to brute-force and break in. Here’s how to calculate how many different possibilities exist for your passwords (how strong it is):
- First, you look at the letters you’ve used:
  Lowercase: 26 possible combinations per letter
  Uppercase: 26 possible combinations per letter
  Numbers: 10 possible combinations per letter
  Punctuation: 30 possible combinations per letter
  Add the possible combinations together.
- Then you count how many letters are in your password.
- Then take the “possible combinations per letter” and multiply it by itself [numletters] times.
I wanted to say something like “to the power num letters”, but I still haven’t figured out how to express that in wordpress. Damn.
So, for example, if my password was “anton”, I see that there’s 5 letters, but only lowercase. So that’s 26 to the power 5 possible combinations, which is about 11,881,376 possible combinations. That SEEMS like a lot, but you have to remember we’ve got very powerful computers available. Apparently, this site claims it can do 1 billion passwords per second. So 26 to the power 5? 11 seconds and your account is compromised. Now let’s try a password with punctuation, lower case, uppercase, and numbers that has 8 characters. That’ll be 92^8, bringing us up to…
5.13218873 × 10^15 combinations
That’s A LOT of possible combinations. 1 billion passwords per second? That’s about 5,000,000 BILLION combinations! That’s 57 days of crunching.
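Here is the calculation above written out as a small script, so you can plug in any password and see the same numbers. This is an added example, not code from the original post; the class sizes (26, 26, 10, 30) and the 1 billion guesses per second are the post’s own figures, and the function names are mine.

```python
# Password keyspace estimator, following the post's method:
# sum the sizes of the character classes used, then raise to the password length.
# The class sizes below are the figures the post uses (punctuation as 30 is the post's number).
CLASS_SIZES = {
    "lowercase": 26,
    "uppercase": 26,
    "digits": 10,
    "punctuation": 30,
}

# Guess rate the post quotes for a fast cracking setup (assumption taken from the post).
GUESSES_PER_SECOND = 1_000_000_000


def classes_used(password):
    """Return the set of character classes that appear in the password."""
    used = set()
    for ch in password:
        if ch.islower():
            used.add("lowercase")
        elif ch.isupper():
            used.add("uppercase")
        elif ch.isdigit():
            used.add("digits")
        else:
            # Anything else (symbols, spaces) is lumped into the post's "punctuation" bucket.
            used.add("punctuation")
    return used


def alphabet_size(password):
    """'Possible combinations per letter': the class sizes added together."""
    return sum(CLASS_SIZES[c] for c in classes_used(password))


def keyspace(password):
    """Alphabet size multiplied by itself once per character, i.e. size ** length."""
    return alphabet_size(password) ** len(password)


def crack_seconds(password, guesses_per_second=GUESSES_PER_SECOND):
    """Worst-case time to exhaust the keyspace at the given guess rate."""
    return keyspace(password) / guesses_per_second


def crack_days(password, guesses_per_second=GUESSES_PER_SECOND):
    return crack_seconds(password, guesses_per_second) / 86_400


if __name__ == "__main__":
    # Constructed sample inputs: the post's "anton" and an 8-character
    # password drawing on all four classes (the post's 92^8 case).
    for pw in ("anton", "Ab3$Xy9!"):
        print(f"{pw!r}: alphabet {alphabet_size(pw)}, keyspace {keyspace(pw):,}, "
              f"{crack_seconds(pw):,.3f} s ({crack_days(pw):.1f} days)")
```

Running it reproduces 26^5 = 11,881,376 for “anton” and 92^8 for the eight-character, four-class case; note that the script reports the time in seconds unrounded, so the “anton” figure comes out as a fraction of a second at a billion guesses per second, which only strengthens the post’s point.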
But not everyone will brute-force. There’s dictionary attacks, which try every word in the dictionary, which is actually quite effective, mainly because people like passwords that are easy to remember. There’s even smart brute-forcing, which means doing things like going through a dictionary, and making variations of the word, changing a to @, i to !, o to 0, etc… until it finds a combination that works.
So how to find a good password? Leah Culver has a pretty cool technique. Think of a lyric or phrase that’s easy for you to remember. I’ll use Jason Mraz’s song, “Butterfly”:
Let me feel you upside down, slide in, slide out
So the password is, “LmFyUdSiSo” (notice the alternating uppercase?). But that’s not good enough. It’s got uppercase and lowercase, seemingly random (so no dictionary attacks), but we gotta add numbers or punctuation to make it even harder.
Let’s try this:
Let “Upside” be ^
Let “Slide in” be =>0
Let “Slide out” be <=0
Which transforms our password into “LmFy^d=>0<=0”
It has numbers, punctuation, uppercase, lowercase. It has it all! 57 days? Psft! I’ll be waiting!
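The lyric-to-password technique above, as an added example (not the post’s own code): it takes the first letter of each word with alternating case, then swaps in the post’s replacements for “upside”, “slide in” and “slide out”, and finally checks that all four character classes are present. The substitution table reproduces the post’s choices; the function names are mine.

```python
# Build a mnemonic password from a phrase, following the post's recipe:
# first letter of each word, case alternating starting with uppercase,
# with selected words (or word pairs) replaced by symbol/digit tokens.

# The post's own replacements (keys are matched case-insensitively).
SUBSTITUTIONS = {
    "upside": "^",
    "slide in": "=>0",
    "slide out": "<=0",
}

# The lyric the post uses as its example phrase.
LYRIC = "Let me feel you upside down, slide in, slide out"


def mnemonic_password(phrase, substitutions=None):
    """Acrostic of the phrase with alternating case and optional token substitutions."""
    substitutions = substitutions or {}
    words = phrase.replace(",", " ").split()
    out = []
    i = 0
    while i < len(words):
        one = words[i].lower()
        two = " ".join(words[i:i + 2]).lower()
        if i + 1 < len(words) and two in substitutions:
            # Two-word key such as "slide in" consumes both words.
            out.append(substitutions[two])
            i += 2
        elif one in substitutions:
            out.append(substitutions[one])
            i += 1
        else:
            # Alternate case by the word's position in the original phrase,
            # so a substituted word still counts as one slot.
            ch = words[i][0]
            out.append(ch.upper() if i % 2 == 0 else ch.lower())
            i += 1
    return "".join(out)


def has_all_classes(password):
    """True when lowercase, uppercase, a digit and a punctuation character all appear."""
    return (any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))


if __name__ == "__main__":
    plain = mnemonic_password(LYRIC)
    mixed = mnemonic_password(LYRIC, SUBSTITUTIONS)
    print(plain, has_all_classes(plain))   # letters only: fails the check
    print(mixed, has_all_classes(mixed))   # all four classes present
```

The first call yields the post’s “LmFyUdSiSo”; adding the substitution table yields “LmFy^d=>0<=0”, which is the only one of the two to pass the four-class check.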
Note: please don’t try that password, it’s my only one… I don’t know what I would do if I ever lost it..



