{"id":1314,"date":"2024-09-22T16:57:57","date_gmt":"2024-09-22T16:57:57","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=1314"},"modified":"2024-10-18T17:25:03","modified_gmt":"2024-10-18T17:25:03","slug":"how-math-and-doctor-who-can-beat-brute-force-attacks","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/how-math-and-doctor-who-can-beat-brute-force-attacks\/","title":{"rendered":"How math and Doctor Who can beat brute-force attacks"},"content":{"rendered":"<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img decoding=\"async\" width=\"150\" height=\"150\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/Password_hacking_illustration-1-150x150-1.webp\" alt=\"Password_hacking_illustration\" class=\"wp-image-1315\" style=\"width:319px;height:auto\"\/><\/figure>\n<\/div>\n\n\n<p>When it comes to protecting yourself online, the first line of defence is your password. In fact, creating a strong password might be the simplest method of securing your online accounts. <a href=\"http:\/\/www.abc.net.au\/news\/2017-10-11\/hacker-stole-data-from-defence-subcontractor\/9040906\" target=\"_blank\" rel=\"noopener\">Time<\/a>, and <a href=\"https:\/\/www.cnbc.com\/2017\/09\/14\/equifax-used-admin-for-the-login-and-password-of-a-non-us-database.html\" target=\"_blank\" rel=\"noopener\">time <\/a>again, we see eye-wateringly weak passwords lead to devastating data breaches \u2013 but what exactly makes a password \u201cstrong\u201d? &nbsp;<br><br>To answer this question, we first need to look at how passwords are breached. The first, low-tech attack is simply guessing. If an attacker wants to access your accounts, they\u2019ll probably attempt several guesses before mounting a more sophisticated attack. &nbsp;The reason for this is simple; most people are just too lazy to remember a strong password, much less several strong passwords, so they opt for convenience over security. 
For reference, according to password manager Keeper, <a href=\"https:\/\/blog.keepersecurity.com\/2017\/01\/13\/most-common-passwords-of-2016-research-study\/\" target=\"_blank\" rel=\"noopener\">the 10 most common passwords<\/a> used online include \u201c123456\u201d, \u201cqwerty\u201d, \u201c111111\u201d, \u201c123123\u201d, and \u201cpassword\u201d.<br><br>If you use one of these passwords, stop reading and change it now! Any attacker could \u201chack\u201d (although this hardly counts) into your accounts in about a minute, just by guessing.<br><br>If this initial \u2018guess and check\u2019 attack fails, the next step is some simple social engineering. Using information you\u2019ve made public online (pet names, children\u2019s names, birthdays, street names, etc.), a nefarious netizen can try combinations of those details as further guesses at your password.<br><br>Assuming this attacker is hellbent on accessing your accounts and has so far failed to guess your password, they will move on to a more sophisticated \u201cdictionary\u201d or \u201cbrute-force\u201d attack. In a dictionary attack, a list of likely candidates is tried; in a brute-force attack, every possible character combination is generated and tried in turn until one matches.<br><br>Generally, dictionary attacks are faster because they try only the candidates people actually choose: words, words followed by numbers or symbols, and personal information. A brute-force attack, on the other hand, just tries every possible combination: a, b, \u2026, aa, ab, and so on.<br><br>Given enough time, a brute-force attack will eventually find your password \u2013 always.<br><br>So how does one defend against an attack that is guaranteed to work, given time? Well, the situation isn\u2019t as bad as it sounds, because you have a key advantage.<br><br>This is where math comes in.<br><br>Common sense dictates that a longer password takes longer to crack. 
This is because each additional character multiplies the number of possible passwords. Let\u2019s assume your password is case sensitive (\u2018A\u2019 and \u2018a\u2019 are different characters) and can use the numbers 0-9. That gives 62 possibilities for a one-character password (a-z is 26, A-Z is 26, and 0-9 is 10). Now, assuming the attacker\u2019s machine can check 1 billion passwords per second, your 1-character password will be cracked in:<br><br><img decoding=\"async\" src=\"https:\/\/www.lmntrix.com\/ckfinder\/userfiles\/images\/Valyrian\/8.png\" alt=\"62 \/ 1,000,000,000 seconds = 0.000000062 seconds\"><br><br>Or, no time at all. A word on that rate: a billion guesses per second is only achievable offline, against a copy of the password database the attacker has already stolen, because any sensible online login form slows down or locks out rapid guessing. It is also a conservative figure for fast, unsalted hashes such as MD5 or NTLM on a GPU rig, and a very generous one for deliberately slow hashes such as bcrypt. But here\u2019s your key advantage: you get to pick the numerator. Essentially, you can add characters to make this equation return as many seconds as you want.<br><br>Let\u2019s look at what happens when you add a second character to your password. Now you have 62 possibilities for the first character and 62 for the second, for a total of:<br><br><img decoding=\"async\" src=\"https:\/\/www.lmntrix.com\/ckfinder\/userfiles\/images\/Valyrian\/9.png\" alt=\"62 \u00d7 62 = 62^2 = 3,844\"><br><br>In this case, exponential functions are your best friend. Exponential functions grow faster than any polynomial, and here every character you add multiplies the attacker\u2019s work by 62. What this means is the longer your password, the longer it takes to crack. To see how powerful a few extra characters can be, let\u2019s reverse our previous formula to find a password length that makes you feel secure.<br><br>Let\u2019s use the equation to find a password length that would take one billion years to brute force.<br><br>First, find how many seconds are in a billion years:<br><br><img decoding=\"async\" src=\"https:\/\/www.lmntrix.com\/ckfinder\/userfiles\/images\/Valyrian\/10.png\" alt=\"1,000,000,000 years \u00d7 365 \u00d7 24 \u00d7 60 \u00d7 60 = 31,536,000,000,000,000 seconds\"><br><br>That\u2019s roughly 31,540,000,000,000,000 seconds, or 3.154 \u00d7 10^16. 
So<br><br><img decoding=\"async\" src=\"https:\/\/www.lmntrix.com\/ckfinder\/userfiles\/images\/Valyrian\/11.png\" alt=\"62^x \/ 1,000,000,000 = 31,540,000,000,000,000\"><br><br>To solve for x, we rearrange and use a logarithm:<br><br><img decoding=\"async\" src=\"https:\/\/www.lmntrix.com\/ckfinder\/userfiles\/images\/Valyrian\/12.png\" alt=\"x = log(31,540,000,000,000,000 \u00d7 1,000,000,000) \/ log(62) \u2248 14.2\"><br><br>And there you have it: x comes out at about 14.2, so 15 characters from this 62-character set would take more than a billion years to exhaust at a billion guesses per second, and 14 characters already take around 400 million years. Provided you don\u2019t use full words or personal information that a dictionary attack would try first, a 14-character password is for all practical purposes safe from brute force.<br><br>Now, best practice dictates you have a unique password for each service you use, but remembering several 14-character passwords can prove problematic. This is where password managers, mnemonic devices or variations on a theme can help.<br><br>For example, let\u2019s say your favourite show is Doctor Who. Including Jodie Whittaker, the first woman cast as the Doctor, the initials of the six Doctors from Paul McGann to Whittaker are JWPCMSDTCEPM. That gives us 12 characters, so let\u2019s add \u201863\u2019 at the end for the year the series first aired. All our characters are currently capital letters, so let\u2019s change our one vowel to lower case.<br><br>Now, our 14-character password is \u2018JWPCMSDTCePM63\u2019. This could easily be modified for multiple sites by tweaking the variations slightly, for example by bookending the initials with our two numerals 6 and 3, \u20186JWPCMSDTCePM3\u2019, or singling out other characters to be lowercased, such as the multiple instances of \u2018M\u2019, \u2018C\u2019, or \u2018P\u2019.<br><br>Two caveats before you do. This particular string is now published, so it belongs in every cracker\u2019s wordlist; build your own from a theme that isn\u2019t already all over your social media. And a family of variations is only as strong as the weakest site that stores one of them: once a single variant leaks or is cracked, the pattern behind the rest is obvious, and an attacker trying your other accounts no longer needs brute force at all. A password manager that generates an unrelated random password for each service avoids that, so the mnemonic is best kept for the handful of passwords you must type from memory, such as the one protecting the manager itself.<br><br>There you have it. Strong passwords don\u2019t need to be rocket science. With a little creativity and at least 14 characters, you put a brute-force attack hundreds of millions of years out of reach, and every extra character multiplies that figure by 62.<\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>When it comes to protecting yourself online, the first line of defence is your password. 
In fact, creating a strong password might be the simplest method of securing your online accounts. Time, and time again, we see eye-wateringly weak passwords lead to devastating data breaches &ndash; but what exactly makes a password &ldquo;strong&rdquo;? &nbsp; To [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":1315,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-1314","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/1314","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=1314"}],"version-history":[{"count":2,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/1314\/revisions"}],"predecessor-version":[{"id":3575,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/1314\/revisions\/3575"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/1315"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=1314"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=1314"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=1314"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
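The arithmetic the post works through by hand, as an added example that is not part of the original article: a small Python calculator that generalises the formula to any alphabet size, guess rate and time horizon, and solves for the minimum length with the same logarithm the post uses. Only the one-billion-guesses-per-second rate comes from the post; the other rates in GUESS_RATES are illustrative assumptions for comparison, not measurements, and all function names are this example's own.

```python
"""Brute-force time arithmetic from the article, generalised.

Added example, not code from the original post. One formula drives it:
an alphabet of N symbols and a password of length L give N**L candidates;
an attacker testing R guesses per second exhausts them in N**L / R seconds
and on average succeeds after half that. Solving N**L / R = T for L gives
the minimum length for a target horizon T: L = ceil(log(R * T) / log(N)).
"""
import math

SECONDS_PER_YEAR = 365 * 24 * 60 * 60  # the post uses a 365-day year

# Alphabet sizes; the post's scenario is letters plus digits, N = 62.
CHARSETS = {
    "digits": 10,
    "lowercase": 26,
    "letters": 52,
    "letters+digits": 62,
    "printable ASCII": 95,
}

# Guess rates per second. Only the first is from the post; the rest are
# illustrative assumptions for comparison, not measurements.
GUESS_RATES = {
    "post's figure": 1e9,
    "fast unsalted hash (MD5/NTLM) on a GPU rig, assumed": 1e11,
    "slow hash (bcrypt, high cost), assumed": 1e5,
    "online login behind rate limiting, assumed": 10,
}


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords, N**L."""
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst case: every candidate is tried before the right one is found."""
    return keyspace(charset_size, length) / guesses_per_second


def expected_seconds(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Average case: a uniformly random password is found halfway through."""
    return seconds_to_exhaust(charset_size, length, guesses_per_second) / 2


def years(seconds: float) -> float:
    """Convert seconds to years using the post's 365-day year."""
    return seconds / SECONDS_PER_YEAR


def min_length_for(charset_size: int, guesses_per_second: float, target_seconds: float) -> int:
    """Smallest L such that N**L / R >= T, i.e. ceil(log(R*T) / log(N)).

    The logarithm is computed in floating point, so the result is checked
    against the exact integer keyspace and nudged if rounding went wrong
    (for example when R*T is an exact power of N).
    """
    work = guesses_per_second * target_seconds  # total guesses the attacker can afford
    length = max(1, math.ceil(math.log(work) / math.log(charset_size)))
    while length > 1 and keyspace(charset_size, length - 1) >= work:
        length -= 1
    while keyspace(charset_size, length) < work:
        length += 1
    return length


def crack_time_table(length: int, charset_size: int = 62) -> dict:
    """Worst-case years to exhaust one password length at each assumed rate."""
    return {
        name: years(seconds_to_exhaust(charset_size, length, rate))
        for name, rate in GUESS_RATES.items()
    }


if __name__ == "__main__":
    billion_years = 1e9 * SECONDS_PER_YEAR
    print("length for a billion years at 1e9 guesses/s:",
          min_length_for(62, 1e9, billion_years))
    print("years to exhaust 62^14 at 1e9 guesses/s:",
          f"{years(seconds_to_exhaust(62, 14, 1e9)):.3g}")
    for name, yrs in crack_time_table(14).items():
        print(f"  {name}: {yrs:.3g} years")
```

Running it reproduces the post's result: the logarithm gives x of about 14.2, so `min_length_for` returns 15 for a billion years at a billion guesses per second, while 14 characters from the 62-symbol alphabet are exhausted in roughly 393 million years. The table then shows why the hash matters as much as the length: at the assumed GPU rate for a fast unsalted hash the same 14-character password falls in under four million years, and at the assumed bcrypt rate it holds out for trillions.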