How secure is that password? - A demonstration

When I tell people that a four- or five-character password is just not effective against infiltration there are always a few people that give me a sideways look that always seems to me to be saying "prove it".  OK, well, I've decided to do just that.

Let me set the scene here - the focus of attention of the would-be cracker is a series of compressed ZIP files, each containing a single 1Mb file and each password protected using a different password.  The attack carried out on these ZIP files is going to be a brute-force attack, that is, I will run a program that will try passwords as fast as it can.  This will start with single characters and work up.  The attacks will be run on a machine of moderate power (1000MHz).

The zip files will be password protected using a series of increasingly more complex passwords.

File   Password
ZIP1   aaa
ZIP2   fred
ZIP3   fre$
ZIP4   fred@
ZIP5   fredfred
ZIP6   fred@fred
ZIP7   Fred#Fred
ZIP8   f0rgetIt!This is To0Long@!@!@!

And the joker in the pack:

File   Password
ZIP0   9632

OK.  Quick question - if you were trying passwords manually, how many could you try every minute?

How many do you think a brute-force cracker application could cycle through each second?
One hundred?
Ten thousand?

Try millions!  Going at a reasonable pelt, a password cracker for ZIP files on a system like the one I described above can process nearly 4.5 million passwords every second - a LOT of passwords!

With that level of processing you might think that no password, no matter how robust, could withstand that kind of attack.  Not true, but some passwords are stronger than others.

Trying every possible password, starting at "a" and working all the way through until finding the right one, is a numbers game - the more passwords you can try per second, the faster the password can be discovered.  If I'm trying 4.5 million passwords a second here and you are doing 9 million, then you will find it in half the time that it will take me to.  Similarly, if you are only processing 2.25 million passwords per second, then I'll find it in half the time you take.

However, password busting isn't all in the numbers.  If you know the approximate layout of the password you are searching for, the job is much easier.

What do I mean by that?  Well, a password can consist of a lot of different types of characters.  Upper case and lower case letters are the most commonly used, but to those you can add numbers, symbols and spaces.  Remember, a password should consist of all, or as many as possible, of these elements.

If we take ZIP2 and attack it in different ways with the Advanced Archive Password Recovery utility you'll see what I mean.

First, let's just search for lower case characters ...

In order to find the password "fred" the utility had to search through over 118,000 candidate passwords, but it only took 241 milliseconds.

Look what happens when we choose to search through all character types:

Now the utility had to search through nearly 29 million passwords before finding the right one, taking just over 7 seconds.  Fast, but a lot slower than last time.  

Does ZIP3 have a more complex password?  It contains a symbol, but the password-busting utility breaks it in about the same time:

ZIP4 has a longer password - five characters as opposed to four.  How much of a difference does that make?

A huge difference!  To do a complete search through all the possible characters and symbols that could go into making a 5-character password, the application would need to search through a whopping 7.7 billion password combinations.  And remember, these are just the permutations of a five-character password!  It didn't need to search through all 7.7 billion possible passwords, only a fraction over 2.5 billion, which took 12 minutes.

ZIP5 is encrypted with a password 8 characters long.  Let's pretend that the person trying to get into this knows that it's an 8-character password and also that it's all lowercase letters - how long would it take to bust it knowing that?

A long time!  To search just through the lowercase letters would take about 15 hours.  Of course, it wouldn't actually take that long, because the time estimate is for searching all the way from aaaaaaaa to zzzzzzzz sequentially, and the password isn't at the end.


If you think that's crazy, take a look at what happens when a symbol is added, making it a 9-character password:

More than a year!  Doing a full search of all possible combinations of lowercase letters and symbols involves the application having to scan through 7.4 quadrillion (or 7,400 trillion) possible passwords - 7,427,658,739,644,928 of them!  However, in modern cryptography terms, this isn't many combinations - breaking a 56-bit encryption key (which is weak, so weak that it's considered not worth using) would involve checking through 72 quadrillion possible combinations!

What about ZIP7?  Let's again assume that the attacker knows that the password is 9 characters but has to search through every type of character.

630 quadrillion combinations!
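The figures quoted for ZIP2 through ZIP7 are all keyspace arithmetic, so here is an added example (mine, not code from the article or from the Advanced Archive Password Recovery utility) that reproduces them and extends the same calculation to every file in the table, including the 56-bit key comparison. It assumes a "symbols" class of 32 printable ASCII punctuation characters plus the space, giving a 95-character full set (that size is what reproduces the page's 7.7 billion and 630 quadrillion figures), a constant rate of 4.5 million guesses per second as quoted above, and a shortest-first, alphabetical search order; the real utility's ordering may differ slightly, which is why "fred" lands at position 117,758 here rather than exactly the "over 118,000" the page reports.

```python
"""Keyspace arithmetic for the brute-force demonstration (added example)."""
import math
import string

# Character classes the article distinguishes.  Membership of the symbols
# class is an assumption; with string.punctuation (32) plus the space the
# full set has 95 characters, which matches the page's 95^5 and 95^9 figures.
LOWER = string.ascii_lowercase                      # 26
UPPER = string.ascii_uppercase                      # 26
DIGITS = string.digits                              # 10
SYMBOLS = string.punctuation                        # 32
SPACE = " "                                         # 1
FULL = LOWER + UPPER + DIGITS + SYMBOLS + SPACE     # 95

RATE = 4_500_000            # guesses per second, as quoted on the page (assumed constant)
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(charset_size, length):
    """Passwords of exactly `length` characters drawn from `charset_size` characters."""
    return charset_size ** length


def cumulative_keyspace(charset_size, max_length):
    """Passwords of length 1..max_length, i.e. everything a shortest-first search walks."""
    return sum(charset_size ** k for k in range(1, max_length + 1))


def rank(password, charset):
    """1-based position of `password` in a shortest-first search that, within each
    length, counts through `charset` in the order given (assumed ordering).  This is
    the number of guesses made before the right one turns up."""
    index = {c: i for i, c in enumerate(charset)}
    missing = [c for c in password if c not in index]
    if missing:
        raise ValueError(f"characters {missing!r} are outside the search charset")
    n = len(charset)
    position = 0
    for ch in password:                  # read the password as a base-n number
        position = position * n + index[ch]
    return cumulative_keyspace(n, len(password) - 1) + position + 1


def seconds_to_crack(guesses, rate=RATE):
    """Wall-clock seconds to make `guesses` attempts at `rate` per second."""
    return guesses / rate


def entropy_bits(charset_size, length):
    """Equivalent key length in bits, for comparison with a 56-bit key."""
    return length * math.log2(charset_size)


def human(seconds):
    """Readable duration from milliseconds up to years."""
    if seconds < 1:
        return f"{seconds * 1000:.1f} ms"
    if seconds < 3600:
        return f"{seconds:.1f} s"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:,.1f} years"


def report(label, password, charset):
    """Search position of the password, the keyspace for its length, and timings."""
    full = keyspace(len(charset), len(password))
    found = rank(password, charset)
    return {
        "file": label,
        "length": len(password),
        "charset": len(charset),
        "rank": found,
        "full_keyspace": full,
        "bits": entropy_bits(len(charset), len(password)),
        "found_after": human(seconds_to_crack(found)),
        "exhaust": human(seconds_to_crack(full)),
    }


if __name__ == "__main__":
    # The page's files, each with the charset the page assumes the attacker searches.
    cases = [
        ("ZIP0", "9632", DIGITS),
        ("ZIP2", "fred", LOWER),
        ("ZIP2", "fred", FULL),
        ("ZIP3", "fre$", FULL),
        ("ZIP4", "fred@", FULL),
        ("ZIP5", "fredfred", LOWER),
        ("ZIP6", "fred@fred", LOWER + SYMBOLS),
        ("ZIP7", "Fred#Fred", FULL),
        ("ZIP8", "f0rgetIt!This is To0Long@!@!@!", FULL),
    ]
    for label, pw, cs in cases:
        r = report(label, pw, cs)
        print(f"{r['file']:5} len={r['length']:2} charset={r['charset']:2} "
              f"keyspace={r['full_keyspace']:>20,} ({r['bits']:5.1f} bits) "
              f"found after {r['found_after']:>10}, exhaust in {r['exhaust']}")
    print(f"56-bit key: {2 ** 56:,} combinations, "
          f"{human(seconds_to_crack(2 ** 56))} at {RATE:,}/s")
```

Two things the table makes visible that the article's numbers only hint at: the time to find a password depends on where it sits in the search order (ZIP5's "fredfred" is found long before the 26^8 space is exhausted), and the 58-character, 9-long ZIP6 space is a little under 53 bits, which is why it comes in below the 56-bit key the page uses as a yardstick, while ZIP7's 95-character space is just over 59 bits.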

Now you see why ZIP8 is nigh on impossible with the technology that we have here:


As you can see, the longer the password and the more complex it is (upper and lower case letters, numbers, symbols and spaces), the more difficult it is to break by brute force.

Remember though, a password only protects you if the application making use of it is secure.  If there are backdoors in the program or a poor implementation of the encryption, then the whole thing might be on shaky ground.  This is why I always recommend good-quality, well-regarded encryption tools, because poor encryption is like a poor door lock - it might look good but be rubbish!

Just for a joke - how long to break ZIP0 when we know it's digits ... ?

41 milliseconds!

Bear that in mind the next time something asks you to enter a four digit number and tells you it's secure!

Adrian Kingsley-Hughes
Last updated: March 1st 2005
