Password Cracking Stats

Well, I was wandering around with an 80% dictionary attack number stuck in my head (too many l0phtcrack reports, perhaps), when I decided to see if I could actually find some published data.

There are a few minor articles that say a 30% dictionary attack is typical, with 5-10% username attack, but they never produce a breakdown to make their numbers compelling, let alone convincing.

Then I happened to find a paper by Daniel Klein originally for the United Kingdom Unix User’s Group in 1990 called “Foiling the Cracker: A Survey of, and Improvements to, Password Security“:

13,797 accounts were tested from around the world. Page seven and eight give a breakdown on length and type of passwords:

“The results are quite disheartening. The total size of the dictionary was only 62,727 words (not counting various permutations). This is much smaller than the 250,000 word dictionary postulated at the beginning of this paper, yet armed even with this small dictionary, nearly 25% of the passwords were cracked!”

User name 2.7%
Common name 4.0%
Female names 1.2%
Phrases and patterns 1.8%
Dictionary words 7.4%

And so on…

6 characters 1160 34.7%
7 characters 813 24.4%
8 characters 780 23.4%

I find the numbers on character length surprising since they seem very similar to what I encounter today. Best practices have struggled to get beyond the six characters mark for years (partly due to system limitations, but mostly due to user resistance to an eight character minimum).

Thus, before we can draw too many conclusions about length we have to consider the relationship between the age of the systems, the experience of the administrators, and the skill of the users.

An excellent paper. I highly recommend it, especially since it underscores the extant body of knowledge regarding password cracking. And yes, I am serious about the 80% number I mentioned, but my data is much more recent than 1990. People are usually so embarrassed/scared by their own data that I will have to be extremely careful with how/where/when I present detailed findings, but I also feel that someone has to step up and try to establish a new baseline. What should be considered “reasonable”?

Hidden Spyware Removal

Just a quick note to say that during a recent incident I found spyware that seemed to repeatedly re-infect a Windows XPSP2 system with all the latest, greatest antivirus and antispyware utilities. It would reappear a few seconds after I had removed it with the Spybot S&D utility. I ran Mark’s RootkitRevealer and it reported that the Firefox cache had numerous hidden items in its cache as well discrepancies in the cookie.txt file itself. That was all I needed to realize that clearing the Firefox cache would prevent the re-infection, but it raises the issue of how the browser cache/cookies are set to reinfect a system with malware, yet the anti-spyware doesn’t pick them up in the scan(s). My objective was to get the system to a stable/clean state, but if I have more time and see another case I will dissect the code and see if I can get the spyware utilities to clean more thoroughly.

The 419 Attack

It always bothered me that the 419 scams in Nigeria seem to be linked to people who say that they are just playing the game of open markets. In other words, attackers ask why they should be blamed if they simply prey on others’ greed.

A new story appeared last Thursday in the Guardian that reinforces much of what was reported a few years ago:

The email scammers here prefer hitting Americans, whom they see as rich and easy to fool: maghas [slang from a Yoruba word meaning fool] are avaricious and complicit. To them, the scams – known as 419 after the Nigerian criminal statute against fraud – are a game.

A “game” that has victims rather than players, hardly can be called a game at all. Instead, it is an example of carefully crafted social engineering that allows attackers to transfer value (from victims to themselves) without proper authorization. The interesting thing about the attack, in this case, is how it uses political or even cultural prejudice to establish credibility.

I presented a report on this with Harriet Ottenheimer at the Central States Anthropological Society’s meetings in 2004. It was called “Urgent/Confidential — An Appeal for your Serious and Religious Assistance” and provided details on the attack taxonomy and social engineering methodologies.

Might be time to publish the paper to help clarify how people remain susceptible and what can be done to reduce the risk.

Fashion before justice

The Register reports that a teenage girl in England apparently convinced a judge that an ankle-tag would look odd with her choice of clothing, and she therefore was able to easily circumvent the curfew conditions of her bail. One must wonder whether the judge also called for a more effective/discrete tag (is their purpose to be obvious to others?) or just did not really think the teen would recitivate for “grievous bodily harm against another woman”.

The BBC report mentions that the girl said she did not answer the door during her curfew because “she was asleep at the time”, which presents an interesting value map for security:

Fashion > IDTag > Sleep