15 January 2012

"Brute force attacks" on website security

Wired has an article this week asking "Do You Really Need a Password You Can Barely Remember?"
To researchers Cormac Herley and Paul C. van Oorschot, the computer industry’s non-stop campaign to force us to to strengthen our passwords is misguided — demanding too much work from users for the benefits it delivers...

...“brute force” attacks [have] become very effective. A modern computer can quickly generate billions and billions of password combinations until one of them finally works. This is the attack that you’re repelling with that long, complicated, hard-to-remember password.

But, for websites, there’s an easier way. They can just pop up a captcha page, or force the user to wait a few minutes after a handful of failed login attempts. This type of login throttling is enough to thwart a brute force attack on the website’s login page.

It seems to work. Many heavily trafficked websites — including sites that get targeted by fraudsters all the time — let you set up accounts with mind-numbingly simple passwords. You can set up an Amazon.com account with the password “aaaaaa.” That would be guessed in seconds using a brute-force attack, but Amazon allows it...

Some even say that it’s perfectly fine to use weaker passwords in some cases. Sure, you want a unique and extremely strong password for online banking, but do you really need to go iron-clad when you’re coming up for a login to PBS Kids?..

It’s a controversial topic in the computer security field. After spending 20 years hammering home the message that complex passwords are important, who would want to admit that the whole thing might be a little overblown?
According to Wikipedia, a brute force attack may involve testing 2^56 permutations per second.  How can a host site allow such to occur?  Anyway, further details at Wired (which is the via for the xkcd cartoon)

Addendum:  Tx to readers for comments, including pointing out that the numbers above re brute force attacks are theoretical.  Read the comments for additional insights.


  1. And the computer instructs you to change your password so often you have to write it down to remember all your passwords, and put it in your wallet or in your desk.

  2. I use car registration numbers from my childhood. They're locked firmly in that area of my memory that does early years and boys tend to remember that kind of thing.
    I guess I could also use phone numbers of childhood friends, which are ten digits or so.

  3. The proposed brute force computation speed (7.2057594 × 10^16) at Wikipedia is prefaced by "if a device existed that could ..."

    Improving password security may make users feel more secure, however, doing so simply shifts attackers' focus - as illustrated in yet another security XKCD.

  4. Modifying your email address is also a good one. Usually plenty of characters and includes a special character for the websites that require them (annoying!), and it's easy to add a number if one is not already in it.


    or something of that ilk.

  5. For reasons I cannot comprehend, Charles Schwab actually limits passwords to eight characters and allows no special characters. The one account (after my email) that I would want the absolute most secure.

  6. The Canada pension site requires such complex passwords, that it's almost certain the old dears have written it down on a piece of paper.

  7. I agree with Z. Constantine on this one. The Wikipedia example is just an extrapolation so they don't have to update the article each time computers get faster.

    It is similar to those solar system dioramas made in school "Suppose the Sun is the size of a ping pong ball. Then Mercury is a speck of dust here and Neptune is a pinhead in the next state."

    Similarly this example assumes a machine that can break a 56-bit key in 1 sec and extrapolates how quickly it could break larger/smaller keys from there.

    In reality the fastest known system for brute forcing a 56-bit key (SciEngines GmbH, COPACOBANA RIVYERA) still takes a significant fraction of a day. And it does not connect over a network to a remote system or incur other costs that an attacker trying to brute force a password would incur.

    In reality hosts do not allow full brute force attacks to occur and attackers don't want to make them because it is high cost to low value.

    For instance brute forcing a 56-bit password would require at minimum the transmission of 2^56 * packet_size number of bytes. For packet_size assume a minimum size ip packet of 38 bytes (18 bytes ethernet header + 20 bytes ip header). Working that out, it comes to about 2,738,000,000 *Gigabytes* (= 2.738 Exabytes) that the attacker would have to send just to break into a single account. (On average he will only have to send half of that before he guesses the right password). This isn't practical for him.

    Instead, he has a dictionary of a few thousand of the most common passwords and he tries them all against lots of accounts and relies on the law of large numbers and human predictability to reasonably expect that this will net him a good number of accounts.

    Poorly written host sites do allow this kind of attack, but as your article mentions most important sites simply throw up a captcha or reduce the password retry rate to a crawl after 3-5 failed logins.

  8. Thank you. I appreciate having readers who actually understand these things.

    Addendum added to the post. :.)

  9. Is there a way to get into a page that has been session jacked and locked out of? My lastfm band page was hacked and taken from me, I cannot figure out how to get back in and it has been used for years by other people.


Related Posts Plugin for WordPress, Blogger...