Does using a certain kind of numbers make a good password?

2

1

Do special numbers (transcendental numbers, the first few elements of certain sequences, and so on) make good passwords in terms of brute-force breaking?

EDIT: Why am I asking this ?

A friend of mine is composing a list of a few recommendations on how people in his workplace should choose passwords. From what he told me, he used a "standard" one at first (you know, "choose your password from one to six letters and two numbers ...") and came to the conclusion that most people just ignore those recommendations and use passwords like "password", their date of birth, ...

So he decided to invent a list of more interesting recommendations, hoping it will motivate people to at least give it some thought. And so we started thinking about what to put on the list that could prove useful.

Rook

Posted 2009-10-27T03:33:56.027

Reputation: 21 622

Answers

6

It shouldn't really make too much of a difference. In a typical brute force, someone will probably scan for [a-z]+[A-Z]+[0-9], meaning that your number will be found.

Sorry, you haven't really given enough details on the number series you will be using, but here is some general advice:

When it comes to passwords, a long one is MUCH better and more importantly memorable, for example:

thisismyverylongbutcomplexpasswordphrasethaticanremember
(This is my very long but complex password phrase that i can remember)

This has 56 characters, and even only using [a-z] (lower case), it has (unless I have done my maths wrong) - 1.7318388839216286227999402745695e+79 combinations.

If you just had a normal password, let's say,

myP@55w0rd123456
(my password 123456)

This has 16 characters, and there is a possibility you will forget it. As for brute force, using [a-z][A-Z][0-9][Symbols] (say an average of 170, which includes over 100 characters), this gives a total of 4.8661191875666868481e+35.

Obviously, having a combination of a very long but complex password is the best, but it is easy to forget and can take too long to type. Whatever happens, it will take a hacker a seriously long time to brute force.

Anyway, this is just a general guide, but I hope it has helped you even though I haven't directly said about your actual question.

William Hilsum

Posted 2009-10-27T03:33:56.027

Reputation: 111 572

3It seems you're favouring a long password over a short more complex one? Your 26^56 = 1.73e+79 combinations are probably stored as some SHA1 hash, which has 2^160 = 1.46e+48 possible values. So, one might find another matching SHA1 long before the real password is being tried. – Arjan – 2009-10-27T09:08:08.973

If (like me) you tend to make lots of typing mistakes, a long password like that can really ruin your morning. – itsadok – 2009-11-01T08:27:14.890

@Arjan, yes, but it is likely the colliding password won't be in a rainbow table, mostly because it could contain "untypeable" characters, that usually are not taken into consideration when using brute force – R. Martinho Fernandes – 2009-11-01T11:42:12.017

I would not refer to rainbow tables as brute force, but maybe I'm wrong there. But for that very reason ("untypeable" characters [..] usually are not taken into consideration when using brute force) I would favour shorter, complex passwords over long simple passwords. – Arjan – 2009-11-01T17:58:20.780

Still, using rainbow tables or not, you're right about that not all colliding passwords might be tried by brute force. But even within that limited set of 26 characters there will be, on average, (26^56 / 2^160) = 1.18e+31 collisions. (But well, it actually is not only about what characters someone uses in a password, but also about what the system allows and enforces, how it stores passwords, and to what data an attacker has access.) – Arjan – 2009-11-02T09:11:56.800

6

In terms of brute force, there's no such thing as a "good" password, except to maximize the keyspace. Brute force will take on average just as long if you're using special numbers as it will otherwise.

In response to your edit: it sounds like you're trying to get people away from passwords that can be guessed easily with a dictionary attack or social engineering (e.g. birth date). You might consider providing some passwords that are easy to remember that won't fall to these attacks easily. One website I've seen provides passwords made up of two small words separated by a number, e.g.: hair123car, pole18dog, etc... You could generate these easily with a list of small (3-5 character) words and a number generator. They might not be very strong passwords, but they'll fare better than "password" and they're nicer for the user than "$0mEh4rDP@sSw0rD".

Jimmy

Posted 2009-10-27T03:33:56.027

Reputation: 1 159

If that website has not been set up by some happy hacker to start with, then still any brute force implementation will probably come up with the same mechanism, in some stage of a brute force attack...? – Arjan – 2009-11-01T18:02:43.487

It is certainly less secure than a completely random password, but it won't fall to a simple dictionary attack. There's a trade off that has to be made between randomness and usability, especially considering the user base. – Jimmy – 2009-11-01T19:33:20.993
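Added example (not from any of the posters above, and not from the website Jimmy mentions): a generator for the "word, number, word" scheme described in Jimmy's answer, plus a calculation of how many bits of entropy it actually buys, assuming the attacker knows the scheme and the word list. The word list and number range below are constructed for illustration; the entropy functions take the list size as a parameter so you can plug in your own.

```python
import math
import secrets

# Constructed sample list of short (3-5 letter) words; a real list would be much larger.
SMALL_WORDS = [
    "hair", "car", "pole", "dog", "cat", "lamp", "tree", "book", "fish", "moon",
    "star", "rock", "sand", "leaf", "bird", "milk", "road", "door", "cup", "pen",
    "sun", "map", "key", "box", "hat", "ring", "wolf", "bear", "lion", "frog",
    "rain", "snow", "wind", "fire", "ice", "salt", "corn", "rice", "bean", "pear",
]


def generate_word_number_word(words=SMALL_WORDS, max_number=999):
    """Return a password shaped like 'hair123car': word, number, word.

    secrets.choice / secrets.randbelow draw from the OS CSPRNG, so the result
    cannot be reproduced from the time of generation the way random.seed() could.
    """
    first = secrets.choice(words)
    second = secrets.choice(words)
    number = secrets.randbelow(max_number + 1)  # 0 .. max_number inclusive
    return f"{first}{number}{second}"


def parse_word_number_word(password, words=SMALL_WORDS):
    """Split 'hair123car' back into ('hair', 123, 'car'); None if it doesn't fit the scheme."""
    i = 0
    while i < len(password) and password[i].isalpha():
        i += 1
    j = i
    while j < len(password) and password[j].isdigit():
        j += 1
    first, digits, second = password[:i], password[i:j], password[j:]
    if not first or not digits or not second.isalpha():
        return None
    if first not in words or second not in words:
        return None
    return first, int(digits), second


def entropy_bits(num_words, max_number=999):
    """Entropy of the scheme in bits when the attacker knows the scheme and the list.

    keyspace = num_words * (max_number + 1) * num_words, entropy = log2(keyspace).
    """
    keyspace = num_words * (max_number + 1) * num_words
    return math.log2(keyspace)


def average_guesses(num_words, max_number=999):
    """Expected number of guesses before an exhaustive search of the scheme hits."""
    return num_words * (max_number + 1) * num_words / 2


if __name__ == "__main__":
    print(generate_word_number_word())
    for n in (len(SMALL_WORDS), 5000):
        print(f"{n:>5} words: {entropy_bits(n):.1f} bits, {average_guesses(n):.0f} guesses on average")
```

With the 40-word list above the scheme is worth about 20.6 bits (under a million guesses on average), which is Jimmy's "not very strong" in numbers; a 5,000-word list lifts it to about 34.5 bits. Either way it beats "password" against a plain dictionary attack, and the strength comes from the list size and the randomness of the draw, not from the scheme being secret.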

2

The key to making passwords hard to crack is to pick one outside of the 'search space' that might be used by a potential cracker. Picking the first 10 digits of pi might be a very bad choice if your login name is 'pi-lover' or 'geometry' or whatever.

Wil is right. All things being equal, a long password is harder to crack than a shorter one. But if I have special knowledge - which might be knowledge you inadvertently provide through other channels - then I have a good chance of (eventually) hacking my way in. The person who hacked Sarah Palin's Yahoo account was able to find out the answers to her security questions by researching them online.

If I have physical access to your machine, nothing will keep me out for long unless your entire hard drive is encrypted. I can walk up to 95% of computers on the planet with a live CD, boot from that & I have access to (nearly) every resource on the box, no password required.

DaveParillo

Posted 2009-10-27T03:33:56.027

Reputation: 13 402

2

Agreeing with everyone who posted before me, but also consider that using well-known transcendentals (e.g. e or sqrt(2)) is counterproductive, because they're likely to be in someone's dictionary.

CarlF

Posted 2009-10-27T03:33:56.027

Reputation: 8 576

2

Yes, some numbers make awesome passwords, if you hold down alt while typing them on the numpad.

130 = é 132 = ä

And so forth.

tsilb

Posted 2009-10-27T03:33:56.027

Reputation: 2 492

4This seems a bit dangerous. You cannot be sure that every system can handle non-ASCII passwords, and you probably cannot type them when faced with a different keyboard layout. You might lock yourself out of the system that way. – Thilo – 2009-10-27T05:39:17.740

2And you are stuck with a Windows machine. Have fun remembering all those characters for use on a OS X machine or from a mobile device. – Josh Hunt – 2009-10-27T06:41:31.110

On OS X, on many keyboard layouts one just needs to remember the Option key... – Arjan – 2009-10-27T09:11:20.743

Those are fair points, but if you do the math, my high-security 13-digit password with two of these would take so long to crack, it would be after the heat death of the universe. Until we get quantum computers... or if someone borrowed Pixar's render farm :) – tsilb – 2009-10-27T10:09:04.747

Why don't you just put a three digit number in your password instead of a special non-ASCII character? You would get the same effect anyway. – Chris Pietschmann – 2009-10-27T12:11:50.770

I'd rather have difficulty logging in on a mac than let somebody else have none! – Phoshi – 2009-10-27T12:13:24.357

@Chris, no, using digits does not have the same effect! Combinations of letters and digits are surely the first things tried during brute force attacks. For example: try every combination like a, b, c, .., z, 0, 1, .., 9, A, B, .. Z, aa, ab, .., az, a0, a1, .., .., A0, A1, .., ZZZZZZZZ (then including digits and some often used characters like spaces and dots). Non-standard characters are much less likely to be tried in the first stages of a brute force attack. And the longer an attack takes, the higher the chance it's stopped. – Arjan – 2009-10-27T12:47:28.140

Arjan, what you're missing is that adding three digits, even in a smaller space of possible choices, adds an ENORMOUS amount of work for the decoder. – CarlF – 2009-10-27T15:50:26.023

@CarlF, that's true indeed (though I think "enormous" is not quite true for the standard characters). So maybe the Windows way of typing special characters is too cumbersome to get special symbols :-) To circumvent brute force, I'd rather add one special non-keyboard character than a few additional normal characters. – Arjan – 2009-10-27T16:03:12.580

1@Chris: Password crackers always scan 0-9 and usually !-), but rarely check these characters, especially when you use ones that aren't part of any language - ░▒▓█│┼ and so forth. – tsilb – 2009-10-28T03:12:27.087
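Added example (mine, not tsilb's or Thilo's): the lock-out risk Thilo and Josh raise has a concrete mechanism. The Alt codes in the answer (130 = é, 132 = ä) are positions in the old OEM code page 437, so the byte a Windows console sends for é is 0x82, while a UTF-8 login form sends 0xC3 0xA9 and a Windows-1252 application sends 0xE9. A server hashes whatever bytes arrive, so the "same" password can hash three different ways, and a character like ░ has no encoding at all in Windows-1252. The script below shows this with Python's standard codecs; the SHA-256 digest is only there to make the mismatch visible and is not a claim about how any particular system stores passwords.

```python
import hashlib
import unicodedata


def password_bytes(password, encoding):
    """Encode the typed password under one encoding; None if the encoding can't represent it."""
    try:
        return password.encode(encoding)
    except UnicodeEncodeError:
        return None


def digest_hex(data):
    """Illustrative digest of the raw bytes a server would receive."""
    return hashlib.sha256(data).hexdigest()


def digests_by_encoding(password, encodings=("utf-8", "cp1252", "cp437")):
    """Map encoding name -> digest of the password's bytes under that encoding (None if unencodable).

    More than one distinct digest means the same keystrokes verify differently
    depending on which system (and code page) the user happens to type them into.
    """
    result = {}
    for enc in encodings:
        raw = password_bytes(password, enc)
        result[enc] = None if raw is None else digest_hex(raw)
    return result


def distinct_digest_count(password, encodings=("utf-8", "cp1252", "cp437")):
    """Number of different hashes the same password produces across the encodings."""
    return len({d for d in digests_by_encoding(password, encodings).values() if d is not None})


def normalized_forms(password):
    """Unicode normalization is a second trap: 'é' can be one code point (NFC)
    or 'e' plus a combining acute accent (NFD), and the two hash differently
    unless the system normalizes before hashing."""
    return unicodedata.normalize("NFC", password), unicodedata.normalize("NFD", password)


if __name__ == "__main__":
    for pw in ("caf\u00e9", "pass\u2591word"):  # constructed sample passwords
        print(pw, digests_by_encoding(pw))
    nfc, nfd = normalized_forms("caf\u00e9")
    print(len(nfc), len(nfd), digest_hex(nfc.encode()) == digest_hex(nfd.encode()))
```

The practical mitigation on the server side is to pick one encoding (UTF-8) and one normalization form (NFC or NFKC) and apply both before hashing; on the user side, the caveat in the comments stands: a password you can only type on one keyboard layout is a password you may not be able to type when it matters.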

2

Hey, I don't think that my password is very complicated (although I've been more creative than just using "password" ;). I have had good experiences with using passwords from a foreign language, i.e. French or Spanish.

apresent

Posted 2009-10-27T03:33:56.027

Reputation: 21

1

One easy way to test this yourself would be to create a document in Word (or a new zipfile in Winzip) and password the file. Now download one of the many free password cracking programs and see how long it takes to crack the file. I've done a few of these lately (for legitimate work reasons, people leaving on short notice, leaving behind important files with unknown passwords).

Throwing a dictionary-based cracker at a file with a simple password takes milliseconds to crack. Brute-forcing a file with a six-digit numeric password (especially when you know it's numeric) takes a few seconds; it really doesn't matter how mathematically obscure your number is, a brute force cracker just tries them all.

Once you expand to non-dictionary words with more than six characters with a mix of character types (lower-case, upper-case, numbers, keyboard symbols, special characters) the time taken goes up exponentially.

GAThrawn

Posted 2009-10-27T03:33:56.027

Reputation: 4 176

1+1, but note that proper password cracking operations will use more efficient programs with greater parallel processing power. 1 million years is still too long regardless of power, right now, though :P – Phoshi – 2009-10-27T13:34:30.063

1In the mid nineties I downloaded 'crack' to confirm the password integrity of every user unix password in the office. In the first night I cracked 60% of the office passwords. It took less than 10 seconds to crack the first 15, because clues to the passwords were based on the user name. One guy was certain I didn't crack his. I just replied "It's your son's first name, change the 'i' to a '1'." He was blown away. Heat death of the universe or no, all passwords are by their very nature vulnerable. – DaveParillo – 2009-10-27T17:25:01.587

2Computing power is "only" relevant when someone has access to the hashed passwords, or (like in this answer) the password applies to some file. When using brute force in combination with actual trying to login, then I think the maximum speed is limited by the responsiveness of the server (which, hopefully, has implemented some failed-login-count thing as well). – Arjan – 2009-10-27T21:47:06.240
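Added example (not from any poster): the keyspace arithmetic behind William Hilsum's answer (26^56 and 170^16), Arjan's SHA-1 objection (a 160-bit hash can only take 2^160 values, so on average 26^56 / 2^160 passwords share each hash), GAThrawn's point that a six-digit number falls in seconds, and Arjan's last comment that the guess rate depends on whether the attacker holds the hashes or has to go through a rate-limited login. The guess rates below are assumed round figures for illustration, not measurements.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed guess rates, chosen to illustrate the online/offline gap Arjan describes.
GUESS_RATES = {
    "online login, rate-limited":          10.0,   # a handful of tries per second
    "offline, slow hash (bcrypt/scrypt)":  1e4,
    "offline, fast unsalted hash on GPU":  1e9,
}


def keyspace(alphabet_size, length):
    """Number of distinct strings of `length` symbols from an alphabet of `alphabet_size`."""
    return alphabet_size ** length


def entropy_bits(alphabet_size, length):
    """Bits of entropy of a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)


def effective_keyspace(alphabet_size, length, hash_bits=160):
    """Arjan's cap: stored as a hash of `hash_bits` bits, an attacker who only needs
    *some* string with the right hash never has to search more than 2**hash_bits values."""
    return min(keyspace(alphabet_size, length), 2 ** hash_bits)


def expected_collisions(alphabet_size, length, hash_bits=160):
    """Average number of passwords in the keyspace that map to one hash value."""
    return keyspace(alphabet_size, length) / 2 ** hash_bits


def average_years_to_crack(alphabet_size, length, guesses_per_second, hash_bits=160):
    """Expected time for exhaustive search: on average half the effective keyspace."""
    guesses = effective_keyspace(alphabet_size, length, hash_bits) / 2
    return guesses / guesses_per_second / SECONDS_PER_YEAR


def crack_table(alphabet_size, length):
    """Years to crack under each assumed guess rate."""
    return {name: average_years_to_crack(alphabet_size, length, rate)
            for name, rate in GUESS_RATES.items()}


if __name__ == "__main__":
    # Shapes taken from the thread: Hilsum's two examples and GAThrawn's six-digit number.
    shapes = {
        "56 lowercase letters (26^56)": (26, 56),
        "16 chars from ~170 symbols":   (170, 16),
        "6 digits":                     (10, 6),
    }
    for label, (alphabet, length) in shapes.items():
        print(f"{label}: {keyspace(alphabet, length):.3e} strings, "
              f"{entropy_bits(alphabet, length):.1f} bits, "
              f"effective {effective_keyspace(alphabet, length):.3e}")
        for name, years in crack_table(alphabet, length).items():
            print(f"    {name:38s} {years:.3e} years")
    print(f"collisions per SHA-1 value for 26^56: {expected_collisions(26, 56):.2e}")
```

Two things fall out of the numbers. The 56-letter phrase carries about 263 bits, so its effective search space is pinned at 2^160 by the hash and Arjan's 1.18e+31 collisions per hash value follow; that cap is astronomically far beyond any guess rate, so it changes the arithmetic but not the conclusion. The six-digit number, by contrast, is gone within hours even at the rate-limited ten guesses per second, which is GAThrawn's "few seconds" once the attacker has the file offline.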

0

If you really want to be secure, you don't want to use any word from the dictionary in your password; even if you replace all "a" with "@", or "s" with "5", or "e" with "3", etc. If it's a word from the dictionary it can be guessed, and most people choose a word that means something to them, which would make it easier for someone who knows them to guess.

What you really want to do is pick a completely random combination of letters, numbers and symbols. This way the only way to brute force attack the password is to guess all combinations possible, instead of doing what is called a "Dictionary Attack". A "Dictionary Attack" is when the attacker guesses passwords based on going through the dictionary.

Chris Pietschmann

Posted 2009-10-27T03:33:56.027

Reputation: 1 241
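Added example (mine, not Chris's): a password-policy check that implements the answer's point from the defender's side. It undoes the common substitutions the answer lists (@ for a, 5 for s, 3 for e, and a few more), strips trailing digits and punctuation, and rejects anything that reduces to a dictionary word or to a term personal to the user (a username or a family name, which is how DaveParillo's colleague lost "son's name with i changed to 1"). The dictionary and the substitution map are constructed for illustration; a real check would load a large word list.

```python
import itertools

# Constructed mini dictionary; a deployment would load a real word list.
DICTIONARY = {"password", "secret", "welcome", "dragon", "monkey", "letmein", "summer"}

# Common leet substitutions, mapped back to every letter they might stand for.
LEET_ALTERNATIVES = {
    "@": "a", "4": "a", "$": "s", "5": "s", "3": "e",
    "0": "o", "1": "il", "!": "i", "7": "t", "|": "l",
}

TRAILING_JUNK = "0123456789!@#$%^&*?.,-_"


def unleet_candidates(password, limit=1024):
    """Every way of undoing the substitutions, capped at `limit` so a long
    digit-heavy password cannot blow up the search."""
    options = []
    for ch in password.lower():
        alternatives = {ch} | set(LEET_ALTERNATIVES.get(ch, ""))
        options.append(sorted(alternatives))
    return ["".join(p) for p in itertools.islice(itertools.product(*options), limit)]


def core_word(candidate):
    """'dragon123!' -> 'dragon': drop the digits and punctuation people bolt on the ends."""
    return candidate.strip(TRAILING_JUNK)


def matches_dictionary(password, dictionary=DICTIONARY):
    """Return the dictionary word the password reduces to, or None if it reduces to none."""
    for candidate in unleet_candidates(password):
        for form in (candidate, core_word(candidate)):
            if form and form in dictionary:
                return form
    return None


def check_password(password, dictionary=DICTIONARY, personal_terms=(), min_length=12):
    """Policy check: reject dictionary-derived or personal-term passwords, then enforce length.

    Returns (accepted, reason). `personal_terms` is anything known about the user
    (username, names of family members) that the answer warns is guessable.
    """
    words = set(dictionary) | {t.lower() for t in personal_terms}
    word = matches_dictionary(password, words)
    if word:
        return False, f"derived from the word '{word}'"
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    return True, "ok"


if __name__ == "__main__":
    # Constructed samples; 'kev1n' plays the role of the son's name with i -> 1.
    for pw in ("p@55w0rd", "Dragon123!", "l3tm31n", "kev1n", "Tq9#vL2mRx8!"):
        print(pw, check_password(pw, personal_terms={"kevin"}))
```

Note that passing this check does not make a password strong, it only removes the cheapest guesses; the length rule and, better, a randomly generated password are what supply the keyspace the answer asks for.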