Reputation: 6483
I think I have a new way of creating very hard-to-hack passwords. Assume you have your password, some simple word like "security" or a phrase like "cantHackMe". Sure, these passwords are easy to brute-force. So if you leave them somewhere and they are only MD5 hashed, it's easy to crack them by brute force, using a dictionary.
If you are thinking of a longer password, like 20 letters: oh God, it's so hard to remember. What if you had a random password that is easy to remember and you could combine your security with it?
I think I found an easy way to get a random password of any length: just look at your keyboard and think of some algorithm to go through the letters. The simplest way is to go along the whole top row from "q" to "p", then the next row from "a" to "l", and the next one from "z" to "b". As a result you will get qwertyuiopasdfghjklzxcvbsecurity. If the attacker is going to use a dictionary, he will doubtless guess what figure you decided to use on the keyboard and how many times. And then he'd have to put in the dictionary word. Do you see any vulnerabilities in this approach?
I'm not talking only about going through the keyboard letters one by one from left to right. You can go along any path that is easy for you to remember, and start and finish at any point. This is an easy way to remember a really meaningless sequence of random letters. So you can make something like qazxswedcvfrtgbnhyujmsecurity: a sequence of letters pressed from top to bottom. Very easy to remember, hard to brute-force.
Gumbo pointed out that there's a strategy for cracking passwords using patterns like this. But as you can see, it works only if the number of letters is relatively small and you are not using your password. If it's quite big (more than 20 letters is enough) and you are adding your real password somewhere inside, it's almost unbreakable.
Upvotes: 2
Views: 464
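As an added example (not part of the original question or answers), here is a small defensive password-strength check that splits a candidate into keyboard-walk segments and compares a zxcvbn-style guess estimate for a walk-aware cracker against naive brute force over lower-case letters. The flat QWERTY grid, the neighbour degree of 6, the three-word stand-in wordlist and its assumed 100k size are all simplifying assumptions of this example.

```python
from math import comb, log2

# Lower-case QWERTY letter rows as a flat grid; real keyboards are staggered, so
# "adjacent" here means within one row and one column (a simplification).
ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]
POS = {ch: (r, c) for r, row in enumerate(ROWS) for c, ch in enumerate(row)}
# Constructed stand-in for a cracking wordlist, assumed to hold 100k words.
DICT, DICT_BITS = {"security", "password", "canthackme"}, log2(100_000)

def adjacent(a, b):
    """True when a and b are distinct keys next to each other on the grid."""
    if a not in POS or b not in POS or a == b:
        return False
    (r1, c1), (r2, c2) = POS[a], POS[b]
    return abs(r1 - r2) <= 1 and abs(c1 - c2) <= 1

def keyboard_walks(pw, min_len=4):
    """Split pw into (segment, is_walk) pieces; walks are maximal adjacent runs."""
    pieces, start, i = [], 0, 0
    while i < len(pw):
        j = i
        while j + 1 < len(pw) and adjacent(pw[j], pw[j + 1]):
            j += 1
        if j - i + 1 < min_len:   # too short to count as a walk, keep scanning
            i += 1
            continue
        if start < i:
            pieces.append((pw[start:i], False))
        pieces.append((pw[i:j + 1], True))
        start = i = j + 1
    if start < len(pw):
        pieces.append((pw[start:], False))
    return pieces

def turns(walk):
    """Number of straight runs in a walk (direction changes plus one)."""
    dirs = [(POS[b][0] - POS[a][0], POS[b][1] - POS[a][1])
            for a, b in zip(walk, walk[1:])]
    return 1 + sum(d1 != d2 for d1, d2 in zip(dirs, dirs[1:]))

def walk_guesses(length, nturns, starts=26, degree=6):
    """zxcvbn-style count of walks up to `length` keys with up to `nturns` runs."""
    return sum(comb(i - 1, j - 1) * starts * degree ** j
               for i in range(2, length + 1)
               for j in range(1, min(nturns, i - 1) + 1))

def estimate_bits(pw):
    """(structure-aware bits, naive 26-letter brute-force bits) for pw."""
    bits = 0.0
    for seg, is_walk in keyboard_walks(pw):
        if is_walk:
            bits += log2(walk_guesses(len(seg), turns(seg)))
        else:
            bits += DICT_BITS if seg in DICT else len(seg) * log2(26)
    return bits, len(pw) * log2(26)
```

Running `estimate_bits` on the two passwords from the question shows both collapsing to well under the naive letter-by-letter figure, because each walk is only a start key plus a handful of direction choices, and the tail is one wordlist lookup.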
Reputation: 16223
I see a simple problem with this approach: the keyboard layout may change between keyboards, making the method difficult to implement, for example when moving from a desktop computer to a laptop or even a mobile device, making the sequence potentially different...
Upvotes: 1
Reputation:
What you're considering is similar to a pass phrase, which is a bunch of easy-to-remember words. It makes it exponentially more difficult to brute-force your password.
However, the state of the art in password protection on the server end is pretty darn good. Using a modern hash like Blowfish makes it very, very expensive to brute-force even relatively short passwords.
Also, simply using different passwords for different systems makes it much less meaningful if someone does crack a system you have an account on, and is probably an easier system to implement for humans.
Upvotes: 1