[EAS] Password Cracking Basics

John Willkie johnwillkie at hotmail.com
Thu Feb 14 15:39:13 CST 2013


It occurs to me that there are a variety of experience bases represented on this list, so I figure that some basics on the current reality of passwords are in order. 
 
I'm a broadcast engineer and programmer.  I write and sell systems that create dynamic PSIP, and my systems, which are all based on Windows, are exposed to the world, with and without an interceding firewall or hardware-based firewall.  One way to create havoc for a broadcast station is to transmit erroneous EAS messages.  Another way is to put out PSIP EPG messages with one or more of the "seven deadly words."  $275,000 per instance.  Imagine if your EAS messages contained one 'dem words.  We know who the FCC is going to "go after."  Who are you going to "go after?" 
 
There is much ancient hooey floating about, based on voodoo and the like.  First off, do we know if there was a virus on any of the computers at the station where the problem first surfaced?  Do we know if a password was compromised?  Do we know if the attack came from within or without?  Answering each of those questions leads you down various paths and significantly alters what can be learned about these recent EAS issues.  The easiest way to know a password is to know another of that person's passwords, or to steal the password.
 
Also, I am not a hacker; the last time I attempted unauthorized entry was one day in the summer of 1974.  I somewhat follow hacker trends due to an interest in counter-measures, which informs my approach to protecting my systems against outside attacks. 
 
Cracking passwords is a matter of probability.  All passwords can be guessed, given enough attempts during the lifetime of a particular password.  The only way of protecting passwords is to use the "law of big numbers" to your advantage.
 
Let's say that I need to guess a password that is a single ASCII character, one byte.  A byte can represent one of 256 facets (or possible values).  That password can absolutely be determined in 256 guesses.  For the purposes of later calculations, we're more interested in the average number of attempts before a password can be guessed, not the absolute number.  With a single-byte password, on average the password will be guessed in 128 tries.  Half the time, the successful attempt will be in the range 128 to 256. 
 
Make that password 16 bytes in length, and the number of possibilities grows exponentially: 79,228,162,514,264,300,000,000,000,000.  If you make that password 100 characters (minimum) that's 1,267,650,600,228,230,000,000,000,000,000 possible values.
 
Let's reduce this to the average time from the start of a hacking attempt until successful entry.  For the sake of argument, we'll specify a system on which the time from the login attempt until sending the rejection message takes up 100 milliseconds on the device, and let's assume that the device can only process one login attempt during that same length of time. 
 
For a one character password, on average, the password will be guessed in 1.28 seconds.  For two characters, 328 seconds.  For three characters, 83,886 seconds [just under one day], for four characters, 249 days. 
 
Just under a year sounds good.  To make sure, you might want to see how long it takes that device to respond to a login attempt.  Most likely, that value is less than 100 milliseconds.  Then, check how many login attempts the device can process at the same time and how many login attempts the device will process per second.   For our purposes, I'm going to continue to use the 100 ms login attempt period.
 
This approach assumes a universe of all possible values: 256 per character.  But, the ASCII character set has about 96 or so characters that are easily typed on a keyboard.  Traditional password complexity algorithms are satisfied when a smaller "dictionary" of one character in 52 is used.  For the purposes of the next paragraph's calculations, I will use a slightly larger "number space" of 64 possible values.
 
For a one-character password, on average, the password will be guessed in 320 ms.  For a two-character password, 20.48 seconds.  For three characters, 1,310 seconds.  For four characters, 83,886 seconds (just under one day), for five characters, just under 63 days.   
 
Using the 1-in-52 paradigm behind most "password complexity" schemes actually speeds things up for crackers, because it limits the possible facets that need to be tested.
 
Were I trying to crack a system, I wouldn't use every opportunity to login that arose every second.  I would use a slightly smaller number that would also permit legitimate users to login without delay while I was doing misdeeds.
 
The only way to defeat such an approach and maintain access and security is to use passwords of such length (not complexity) that there is an "immeasurably" low probability of guessing the password using brute-force attacks during the lifetime of the password.  Changing passwords at least twice as often as the average time period in which a hacker could guess it is a good place to start.
 
And, change all passwords when anyone with access to any one of them leaves your employment, regardless of the reason for their departure. This has been the standard at McDonalds for physical keys for at least four decades. 
 
Beware of password snake-oil and "security theater."  Password complexity is just a variable managed by hackers attempting to crack a system.
 
Best;
 
John Willkie
johnwillkie at hotmail.com
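The expected-time arithmetic in the post (keyspace, average attempts, device response time, and the rule of rotating a password at least twice as often as the average time needed to guess it) can be turned into a small calculator that a station engineer can run against their own measurements. The following is an added example written for this page; it is not code from the original post. The function names, the `GuessEstimate` record and the sample parameters in `main()` are this example's own choices. The device's per-attempt delay and its degree of parallelism are left as parameters, because those are the two numbers the post says to measure on the real device (and, through rate limiting or lockout, the two numbers a defender can change); the post's 64-symbol figures (320 ms, 20.48 s, 1,310 s, 83,886 s, just under 63 days) correspond to a 10 ms attempt period.

```python
"""Expected time for a sequential online password guesser to succeed.

Added example, not code from the original post. A password of `length`
symbols drawn from an alphabet of `alphabet_size` symbols has
alphabet_size ** length possible values; a guesser who tries them one
after another needs on average half of them; multiplying by the time
the device spends answering one attempt, and dividing by how many
attempts it answers at once, gives the expected time to a correct guess.
"""
from dataclasses import dataclass
from math import ceil, log

SECONDS_PER_DAY = 86_400


@dataclass(frozen=True)
class GuessEstimate:
    alphabet_size: int
    length: int
    keyspace: int              # alphabet_size ** length
    expected_attempts: float   # keyspace / 2, the average case
    expected_seconds: float


def expected_seconds(alphabet_size: int, length: int,
                     seconds_per_attempt: float, parallel: int = 1) -> float:
    """Average time until a sequential guesser hits the password.

    seconds_per_attempt: time the device takes to answer one login attempt.
    parallel: number of attempts the device answers concurrently.
    Both are measurable on the device (assumed inputs for this example).
    """
    attempts = alphabet_size ** length / 2
    return attempts * seconds_per_attempt / parallel


def estimate(alphabet_size: int, length: int, seconds_per_attempt: float,
             parallel: int = 1) -> GuessEstimate:
    space = alphabet_size ** length
    return GuessEstimate(
        alphabet_size, length, space, space / 2,
        expected_seconds(alphabet_size, length, seconds_per_attempt, parallel))


def min_length_for_lifetime(alphabet_size: int, seconds_per_attempt: float,
                            lifetime_seconds: float, safety_factor: float = 2,
                            parallel: int = 1) -> int:
    """Shortest password length whose expected guess time is at least
    safety_factor * lifetime_seconds. With the default factor of 2 this
    is the post's rule: rotate the password at least twice as often as
    the average time needed to guess it, i.e. the expected guess time
    must be at least twice the password's lifetime."""
    # Solve alphabet_size ** L / 2 * t / parallel >= factor * lifetime for L.
    target_space = 2 * parallel * safety_factor * lifetime_seconds / seconds_per_attempt
    length = max(1, ceil(log(target_space, alphabet_size)))
    # log() is floating point; settle the boundary with exact integer powers.
    while alphabet_size ** length < target_space:
        length += 1
    while length > 1 and alphabet_size ** (length - 1) >= target_space:
        length -= 1
    return length


def describe(seconds: float) -> str:
    """Human-readable duration for the printed table."""
    if seconds < 60:
        return f"{seconds:.2f} s"
    if seconds < SECONDS_PER_DAY:
        return f"{seconds:,.0f} s ({seconds / 3600:.1f} h)"
    return f"{seconds / SECONDS_PER_DAY:,.1f} days"


def main() -> None:
    # Constructed sample parameters: 100 ms per attempt as in the post,
    # one attempt at a time, passwords of 1..6 symbols.
    for alphabet in (256, 64):
        print(f"alphabet of {alphabet} symbols, 100 ms per attempt:")
        for n in range(1, 7):
            e = estimate(alphabet, n, 0.1)
            print(f"  {n} symbols: keyspace {e.keyspace:,}, "
                  f"average {describe(e.expected_seconds)}")
    # Rotation rule: how long must a 64-symbol password be so that its
    # expected guess time is at least twice a 90-day lifetime?
    n = min_length_for_lifetime(64, 0.1, 90 * SECONDS_PER_DAY)
    print(f"64-symbol password rotated every 90 days needs {n} symbols "
          f"(expected guess time {describe(expected_seconds(64, n, 0.1))})")


if __name__ == "__main__":
    main()
```

Two things the table makes visible that the prose only states: shrinking the alphabet from 256 to 64 symbols costs two full symbols of length at every row, and slowing the device's answer (the `seconds_per_attempt` knob, which is what rate limiting does) scales every row linearly, whereas adding one symbol of length multiplies the whole column.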