My goal with this entry is to take what programmers and/or mathematicians might lead you to believe is a highly complex subject, password security, and make it easier for you – the non programmer – the marketer, the CEO, the warehouse manager, or the inquisitive high school kid – to understand and utilize as you interact with your computers.
With that, I’m going to explain this through a story.
In 1982, I was 13 years old, and with my raging hormones I had just reached puberty. My parents had just obtained cable, and with that, they’d also gotten the “deluxe plan” which included HBO, SHOWTIME and CINEMAX.
For anyone who has watched late night SHOWTIME and CINEMAX, there’s a great deal of adult content.
Anticipating this, my parents had leveraged the “CHILD LOCK” feature on the set top box. I figured out pretty quickly that it required the entry of a 4 digit code to watch any of these channels, because when I entered anything more than four numbers it would blink, for a second, a bright red LED that had “ERROR” inscribed boldly next to it.
The box looked something like this:
Over the course of one day, when my mom had gone grocery shopping, leaving us kids at home, I had my brother keep a lookout for me as I did what came easiest to my mind – patterns.
First, knowing my mom and dad – I was HOPING my mom and dad would opt for an easy pattern – something like a birthday or year, a portion of a telephone number or address. So I started with birthdays and years, and then changed to the last four of our phone numbers, new and old – and lo and behold – JACKPOT!
So that day, and for the next week, my brother and I watched whatever we felt like on TV, and while both of us were constantly on alert for where mom was, we weren’t worried – in fact – when she did ultimately see a boob flash across the screen as we watched a rated ‘R’ movie on Showtime, she gasped and said, sternly, “I didn’t turn it to this channel.”
She demanded to know how we did it.
So I told her. I guessed it. I figured it would be something easy for them to remember. A birthday or year or addresses or phone numbers….
And I was right…
So moving forward with my story, my mom then created a new password, and again, within short order, I figured it out.
This time, I had found all the birthdays, phone numbers, and all that stuff didn’t work – so I tried different combinations and patterns, like the corners first, for instance 1,3,7,9 followed by 1,7,3,9 and so on, and wouldn’t you know it, I guessed right within a very short period of time: the code they’d chosen was 9,7,3,1.
Here’s an image of a similar keypad configuration to demonstrate the patterns I am talking about…
She demanded to know how, exactly, I figured out her password.
So I told her I figured she’d use easy to remember patterns, so all I did was try different patterns.
So when a programmer refers to something as a dictionary attack, to hack a computer system – what they’re doing is something similar to these two examples in order to gain entry into a system.
They’re taking a list of known words in the English dictionary (we can analogize this to known patterns on the keypad) and entering those words, one after another, into a password field, hoping you and I have chosen a simplistic password that consists of a simple English word.
Fortunately, most computer systems have been hardened against theft leveraging dictionary attacks like this. American ATM machines, for instance, will keep your card after three failed attempts to enter the correct PIN. Password rules on web sites require letters and numbers and oftentimes special characters to prevent these simple pattern based attacks.
However, most modern computers don’t enforce strong password rules.
In 2009, someone accidentally swapped my computer for a computer that looked exactly like mine as I went through the XRay machine at the Guatemala airport.
Using a hacking tool I found on the internet, I ran a dictionary attack to gain access to the computer and very quickly came across the password “ANIMAL” for the swapped computer. I then used personal information I found on the computer to trace down the owner, who I contacted, and we FedEx’ed each other our computers.
Now keep in mind that the hacking tools that I as a programmer have access to are the very same tools that thieves who might steal a computer from you at Starbucks will use to get access to your machine and personal data.
And with that, they can start out with information gleaned from social media to obtain hints and ideas about your password, perhaps the name of a loved one, a birth date, or a favorite place of yours.
If that doesn’t work, they can move on to basic dictionary attacks.
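The guesses in the story (birthdays, years, the last four digits of a phone number, corner patterns on the keypad) can be turned around into a check that refuses such codes when they are chosen. This is an added example, not part of the original post; the function names, the sample birthday and phone number, and the extra repeated-digit and counting-run patterns are assumptions.

```python
from itertools import permutations

KEYPAD_CORNERS = "1379"  # corner keys of a 3x3 keypad, as in the story
DIGITS = "0123456789"


def personal_codes(birthdays, phone_numbers):
    """4-digit codes derivable from personal data (years, MMDD, DDMM, phone tails)."""
    codes = set()
    for year, month, day in birthdays:
        codes.update({f"{year:04d}", f"{month:02d}{day:02d}", f"{day:02d}{month:02d}"})
    for number in phone_numbers:
        digits = "".join(ch for ch in number if ch.isdigit())
        if len(digits) >= 4:
            codes.add(digits[-4:])
    return codes


def pattern_codes():
    """4-digit codes that follow an obvious keypad or counting pattern."""
    codes = {"".join(p) for p in permutations(KEYPAD_CORNERS)}  # 1379, 9731, ...
    codes.update(d * 4 for d in DIGITS)                         # 0000, 1111, ...
    for start in range(7):                                      # 0123 ... 6789
        run = DIGITS[start:start + 4]
        codes.update({run, run[::-1]})                          # and 3210 ... 9876
    return codes


def audit_pin(pin, birthdays=(), phone_numbers=()):
    """Return the reasons a proposed PIN is easy to guess (empty list = none found)."""
    reasons = []
    if pin in personal_codes(birthdays, phone_numbers):
        reasons.append("derived from personal data")
    if pin in pattern_codes():
        reasons.append("obvious pattern")
    return reasons


if __name__ == "__main__":
    # Constructed sample data, not taken from the post.
    birthdays = [(1969, 3, 14)]
    phones = ["555-0142"]
    for pin in ("1969", "0142", "9731", "1518"):
        print(pin, audit_pin(pin, birthdays, phones) or "no weak pattern found")
```

The pattern list covers only 48 of the 10,000 possible codes, so rejecting them costs the person choosing a code very little.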
Moving back to my story though.
Frustrated, my father and mother had a discussion behind a closed bedroom door. At least that’s what my young mind thought was going on….
And that evening, I found the last code I had didn’t work.
I quickly tried a few patterns, which didn’t work either, and over the next few days I exhausted all the patterns I could think of.
I was stumped, but not defeated.
I knew that the number of possible codes they could have entered was 10,000, or more specifically – the range was “0000” to “9999”.
So over the course of two weeks, as my brother kept a lookout, I started with “0000”, then “0001”, then “0002”, and so on… Every time I stopped, I wrote the last number I tried in a book, and started again at the next number the next day.
That’s when I discovered the code. “1518”
Thankfully, the number wasn’t too high. But I had diligently put in one thousand five hundred and eighteen different variations before coming across the winning combination.
My mom discovered what I had accomplished that day as she caught us watching yet another rated “R” movie.
Frustrated, she threw down the gauntlet.
“Dammit, Brian, I don’t want you watching that without us. Please stop doing that!” she scolded.
This is what’s known as a BRUTE FORCE attack, where every possible combination of numbers and letters (and special characters) is strung together to figure out what you created for a password.
Given enough time or computing power, ANY password can be brute force cracked. Here’s an example of how this would work with Amazon leveraging Amazon’s rules for passwords:
So what a hacker looks at are the rules here. Doing a brute force attack, we know that there are 26 letters in the English alphabet, and with Amazon the password is case sensitive, bringing the total number of letters up to 52. Add in special characters, 33 in total, and numbers, 10, and that makes for 95 different possible characters in every position of the password.
Here’s a list of those special characters:
So if one were to brute force an Amazon password, one would start with ‘aaaaaaaa’ and cycle through every character, up to and including special characters, in a fashion that looks like this: ‘aaaaaaa?’, ‘aaaaaaa@’, ‘aaaaaaa[’, and so on, eventually exhausting every combination of the 95 characters in an 8 character string, which is Amazon’s MINIMUM.
And if that didn’t work, then one would start over with 9 characters and repeat the entire thing, to 10 characters, to 11, and so on.
Over a long enough period of time, every password on Earth for every account, everywhere, could be figured out leveraging a brute force attack like this.
MANY companies have done a lot to prevent brute force attacks from happening.
Some will put a time lock on an account that has had too many failed attempts on it, which will lock the account for 15 minutes, an hour, a day – an arbitrary amount of time set by the administrator.
Some will lock the account entirely after too many failed attempts, requiring an email confirmation, and sometimes voice authorization or other methods, to reopen it.
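To put numbers on the 95-character count and on the time lock described above, here is an added example that is not part of the original post. It assumes the 33 special characters are the 32 ASCII punctuation marks plus the space, and it assumes a policy of 3 failed attempts per 15 minute lock; the class and function names are illustrative.

```python
import string

# 26 lowercase + 26 uppercase + 10 digits + 33 specials = 95 characters.
# Assumption: the 33 specials are the 32 ASCII punctuation marks plus the space.
ALPHABET = string.ascii_letters + string.digits + string.punctuation + " "


def keyspace(alphabet_size, min_len, max_len):
    """Number of distinct passwords with lengths min_len..max_len."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


class TimeLock:
    """Locks an account for lock_seconds after max_failures failed logins in a row."""

    def __init__(self, max_failures, lock_seconds):
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.failures = 0
        self.locked_until = 0.0

    def attempt(self, now, password_ok):
        """Handle a login at time `now` (seconds); returns 'locked', 'ok' or 'denied'."""
        if now < self.locked_until:
            return "locked"          # even the right password is refused
        if password_ok:
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked_until = now + self.lock_seconds
            self.failures = 0
        return "denied"

    def guesses_per_second(self):
        """Long-run ceiling on the guesses the lock lets through."""
        return self.max_failures / self.lock_seconds


def days_to_exhaust(space, guesses_per_second):
    """Days needed to try every candidate at the given rate."""
    return space / guesses_per_second / 86400


if __name__ == "__main__":
    lock = TimeLock(max_failures=3, lock_seconds=15 * 60)  # assumed policy
    rate = lock.guesses_per_second()
    print("4-digit code:", round(days_to_exhaust(keyspace(10, 4, 4), rate), 1), "days")
    years = days_to_exhaust(keyspace(len(ALPHABET), 8, 8), rate) / 365
    print("8 characters out of 95:", f"{years:.2e}", "years")
```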