I've been laboring under the delusion that passwords composed of words and numbers are relatively effective. Adding numbers to passphrases was recommended in order to defeat the dictionary search algorithm. But, upon reflection, I thought of a variant algorithm to tease out probable words in passphrases.
It goes like this:
Step 1. Search all words, common names and short phrases of length L, where L is the length of the passphrase, if known. Even if it is not known, the maximum password length normally is, and L can be set to Lmax.
Step 2. If Step 1 fails, begin at character 1 and search all words of length L-1 and check all 10 numerals for the last space.
Step 3. If that fails, do the same for L-2, checking all 100 two-digit numbers for the last two spaces.
If need be, proceed to perhaps L-n = 3 (a three-letter word) and check the number combinations to the right, a not unreasonable computer task for six numerals (a million possibilities).
Then reverse the process, checking numbers of m digits followed by words of length n, where m+n = L.
If need be, check all possibilities such as
xx(dictionary word of length L-5)xxx
That is, we check all 100 numbers followed by all dictionary words followed by all 1000 numbers. Here, the number of possibilities rises to 5 x 10^10 or 10 billion, which is a bit much. But that's estimating 500,000 English words. The set of most common words is perhaps 5,000, yielding 500 million combinations. This may be doable, but still, if you must use a word-number combination in your password: break it up! That is, jack77351 is much more vulnerable than 77jack351. In the former case, there are 50 million possibilities. In the latter, 500 million.
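As an added example (my own code, not part of the post), here is a small Python estimator that applies the staged word-and-digit search described above to a candidate password and counts how many guesses the search would exhaust before reaching the stage that contains it. It assumes a constructed ten-word dictionary in place of a real common-word list, treats three letters as the shortest word (as the post does), and tries the stages in the post's order: word then digits, digits then word, digits on both sides.

```python
import re

# Constructed toy dictionary standing in for the post's "most common words" list
# (assumption: a real estimator would load a wordlist of a few thousand entries).
WORDS = {"jack", "jill", "hill", "water", "pail",
         "tumble", "crown", "after", "fetch", "went"}

def decompose(password, words=WORDS):
    """Return (prefix_digits, word, suffix_digits) if the password has the
    form digits+word+digits with the word in the dictionary, else None."""
    m = re.fullmatch(r"(\d*)([A-Za-z]+)(\d*)", password)
    if not m:
        return None
    pre, word, suf = m.groups()
    return (pre, word, suf) if word.lower() in words else None

def candidates_before_hit(password, words=WORDS):
    """Count the candidates a staged search (word+k digits for k = 0..L-3,
    then m digits+word, then m digits+word+k digits) tries up to and
    including the stage whose shape matches the password."""
    parts = decompose(password, words)
    if parts is None:
        return None
    pre, word, suf = parts
    L = len(password)
    # Dictionary words bucketed by length; the search only needs the counts.
    by_len = {}
    for w in words:
        by_len[len(w)] = by_len.get(len(w), 0) + 1

    def stage_size(m, k):
        # m leading digits, k trailing digits, a word of length n in between.
        n = L - m - k
        return by_len.get(n, 0) * 10 ** (m + k) if n >= 3 else 0

    stages = [(0, k) for k in range(0, L - 2)]                  # word, then digits
    stages += [(m, 0) for m in range(1, L - 2)]                 # digits, then word
    stages += [(m, k) for m in range(1, L - 2)                  # digits on both sides
               for k in range(1, L - 2 - m)]
    tried = 0
    for m, k in stages:
        tried += stage_size(m, k)
        if (m, k) == (len(pre), len(suf)):
            return tried   # worst case: the matching stage is fully exhausted
    return None

if __name__ == "__main__":
    for pw in ("jack77351", "77jack351"):
        print(pw, decompose(pw), candidates_before_hit(pw))
```

With this toy dictionary, jack77351 falls in the first phase (541,000 candidates) while 77jack351 is only reached after the first two phases are exhausted (2,164,000 candidates), which is the effect the post's "break it up" advice relies on.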
Then there are the very long passphrases, such as those recommended by Hushmail.com. The idea is that, with 47 characters to choose from, 47^n goes way beyond computing power for n > about 10.
However, long passphrases may be susceptible to statistical methods. First, we do a regression analysis to separate the dummies from the words and also to separate the random component(s) from the words. We then run a frequency analysis on the word component(s) and voilà! The remainder follows swiftly.
But who can remember long randomly generated strings, which are the best passwords? Well, what about the next best thing? Pseudorandom strings generated by your pocket scientific calculator (but beware, there are pseudorandom techniques that are no good).
That is, it may be better to remember a specific function or two rather than some phrase.
A shorter Yahoo password:
3.7(7.33/7) yields a decimal extension: 26851482. And we can always toss in some non-numerals, as in: b26851482n
A longer Hushmail password:
7.1(171/7) union 3.5(533/5)
we write as +]6423310989950748'+
A bit of "false" symmetry with the plus signs might slow some kind of numeral hunt.
The numerical symmetries in the functions are meant as memory aids. Yet I doubt they would show up very easily.