Check password strength with explanation. Creating and checking a password for strength. Principles used in creating a password

  • 21.12.2021

In this lesson I will tell you how to check the strength of the password you have entered. For this purpose, we will use a special service from Kaspersky Lab called "Secure Password Check".

It is located at www.password.kaspersky.com/ru. If, when you open the site, everything is in English, then select "Russian" in the list in the upper right corner.

This service allows you to check how complex your password is and how quickly it can be cracked. To check, enter your password in the special field.

After entering your password, a strength scale will appear below, recommendations for strengthening it, as well as information on how quickly it can be cracked.

This is how you can check your password before using it. Experiment and create your own unique strong password. As a recommendation from me, always use uppercase and lowercase letters, as well as numbers and special characters.


Most attackers don't bother with sophisticated methods to steal passwords. They take easily guessed combinations. About 1% of all currently existing passwords can be cracked in four attempts.

How is this possible? Very simple. You try the four most common combinations in the world: password, 123456, 12345678, qwerty. After such a pass, on average, 1% of all "caskets" are opened.

Let's say you fall into those 99% of users whose password is not so simple. Even so, the performance of modern hacking software must be reckoned with.

John the Ripper is a free and open source program that checks millions of passwords per second. Individual samples of specialized commercial software claim a capacity of 2.8 billion passwords per second.

Initially, cracking programs run through a list of the statistically most common combinations, and then access the full dictionary. User trends in password choices may change slightly over time, and these changes are taken into account when updating such lists.

Over time, all sorts of web services and applications decided to forcefully complicate the passwords created by users. Requirements have been added according to which the password must have a certain minimum length, contain numbers, upper case and special characters. Some services took this so seriously that it takes a really long and tedious time to come up with a password that the system would accept.

The key problem is that almost no user generates a truly brute-force-resistant password; they only try to meet the system's minimum requirements for the composition of the password.

The result is passwords in the style of password1, password123, Password, PaSsWoRd, password! and the incredibly unpredictable p@ssword.

Imagine that you need to change the password spiderman. With a high probability, it will take the form $pider_Man1. Original? Thousands of people will change it according to the same or a very similar algorithm.

If the cracker knows these minimum requirements, the situation only gets worse. It is for this reason that imposed password-complexity requirements do not always provide the best result, and often create a false sense of increased security.

The easier a password is to remember, the more likely it is to end up in the dictionaries of cracking programs. As a result, a really strong password is simply impossible to remember, which means that it needs to be written down somewhere.

According to experts, even in this digital age, people can still rely on a piece of paper with passwords written on it. It is convenient to keep such a sheet in a place hidden from prying eyes, for example, in a purse or wallet.

However, the password sheet does not solve the problem. Long passwords are hard not only to remember, but also to type. The situation is aggravated by the virtual keyboards of mobile devices.

Interacting with dozens of services and sites, many users leave behind a string of identical passwords. They try to use the same password for every site, completely ignoring the risks.

In this case, some sites act as a babysitter, forcing you to complicate the combination. As a result, the user simply cannot remember how he had to modify his standard single password for this particular site.

The scale of the problem was fully realized in 2009. Then, due to a security hole, a hacker managed to steal the login and password database of RockYou.com, a company that publishes games on Facebook. The attacker placed the database in the public domain. In total, it contained 32.5 million records with usernames and passwords for accounts. Leaks have happened before, but the scale of this particular event showed the whole picture.

The most popular password on RockYou.com was 123456. Almost 291,000 people used it. Men under 30 more often preferred sexual themes and vulgarity. Older people of both sexes often turned to one or another area of culture when choosing a password. For example, Epsilon793 doesn't seem like such a bad option, except that this combination appeared in Star Trek. The seven-digit number 8675309 came up a lot because it features in a Tommy Tutone song.

In fact, creating a strong password is a simple task; it is enough to make a combination of random characters.

You can't create a perfectly random combination in the mathematical sense in your head, but you don't have to. There are special services that generate truly random combinations. For example, random.org can create passwords like this:

  • mvAWzbvf;
  • 83cpzBgA;
  • tn6kDB4T;
  • 2T9UPPd4;
  • BLJbsf6r.

This is a simple and elegant solution, especially for those who use password storage.

Unfortunately, most users continue to use simple weak passwords, even ignoring the “different passwords for each site” rule. For them, convenience is more important than safety.

Situations in which a password can be compromised can be divided into 3 broad categories:

  • Random, in which a person you know tries to find out the password based on information he knows about you. Often, such a cracker just wants to play a joke, find out something about you, or play a dirty trick.
  • Mass attacks when absolutely any user of certain services can become a victim. In this case, specialized software is used. The least secure sites are selected for the attack, allowing multiple password options to be entered in a short period of time.
  • Targeted, combining the collection of suggestive hints (as in the first case) and the use of specialized software (as in a mass attack). This is about trying to get really valuable information. Only a sufficiently long random password will help protect you, one whose brute-forcing would take time comparable to the lifetime of your password.

As you can see, absolutely anyone can become a victim. Statements like “my password will not be stolen because no one needs me” are not relevant, because you can get into a similar situation quite by accident, by coincidence, for no apparent reason.

Even more serious is the protection of passwords for those who have valuable information, are associated with a business, or are in conflict with someone on financial grounds (for example, the division of property in the process of divorce, competition in business).

In 2009, Twitter (the whole service) was hacked just because an administrator used the word happiness as a password. A hacker guessed it and posted it on the Digital Gangster site, which led to the hijacking of the accounts of Obama, Britney Spears, Facebook, and Fox News.

Acronyms

As in any other aspect of life, we always have to find a compromise between maximum security and maximum convenience. How to find the golden mean? What password generation strategy will allow you to create strong combinations that you can easily remember?

At the moment, the best combination of reliability and convenience is the conversion of a phrase or sentence into a password.

A set of words that you always remember is selected, and a combination of the first letters from each word acts as a password. For example, May the force be with you becomes Mtfbwy.

However, since the most famous phrases will be used as source material, programs will eventually get these acronyms into their lists. In addition, an acronym contains only letters, and is therefore objectively less reliable than a random combination of characters.

The correct choice of phrase will help to get rid of the first problem. Why turn a world-famous expression into an acronym password? You probably remember some sayings that are relevant only among your close circle. Let's say you heard a very catchy phrase from a bartender at a local establishment. Use it.

And still, it is unlikely that an acronym password you generate will be unique. The problem with acronyms is that different phrases can consist of words that start with the same letters in the same sequence. Statistically, in various languages certain letters appear more often at the beginning of words. Programs will take these factors into account, and the effectiveness of acronyms in their original form will decrease.

Reverse way

The way out can be the reverse method of generation. You create a completely random password at random.org, and then turn its characters into a meaningful, catchy phrase.

Often, services and sites give users temporary passwords, which are those perfectly random combinations. You'll want to change them because you won't be able to remember them, but if you take a closer look, it becomes obvious that you don't need to remember the password. For example, let's take another option from random.org - RPM8t4ka.

Although it seems meaningless, our brain is able to find patterns and correspondences even in such chaos. To begin with, you can notice that the first three letters are uppercase and the next three are lowercase. 8 is twice (in English twice, hence the t) 4. Look at this password a little longer, and you will definitely find your own associations with the proposed set of letters and numbers.

If you can memorize nonsense word sets, use that. Let the password turn into revolutions per minute 8 track 4 katty. Any conversion that your brain is better "tuned" for will do.

A random password is the gold standard in information technology. It is, by definition, better than any human-made password.

The disadvantage of acronyms is that over time, the spread of the technique will reduce its effectiveness, whereas the reverse method will remain just as reliable even if all the people on earth use it for a thousand years.

A random password will not be included in the list of popular combinations, and an attacker using the mass attack method will only be able to find such a password by brute force.

Take a simple random password that uses upper- and lowercase letters and digits: that is 62 possible characters for each position. If we make the password only 8 characters long, we get 62^8 = 218 trillion options.

Even if the number of attempts within a certain time period is not limited, the fastest commercial specialized software, with a capacity of 2.8 billion passwords per second, will spend an average of 22 hours trying to guess the right combination. To be sure, we add just 1 additional character to such a password, and it will take many years to crack.
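The keyspace arithmetic above, carried out in Python as an added example (this is not code from the original article). The 2.8 billion guesses per second figure is the one quoted in the text; the other two guess rates and the alphabet sizes are assumptions for comparison.

```python
import math

# Alphabet sizes for a US keyboard (assumed): letters, digits, printable symbols
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33

# Guess rates to compare; only the last one comes from the text
RATES = {
    "online login form, rate-limited (assumed)": 10.0,
    "single consumer GPU (assumed)": 1.0e8,
    "commercial cracker quoted in the text": 2.8e9,
}


def charset_size(password: str) -> int:
    """Size of the smallest standard alphabet that covers every character used."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGITS
    if any(not c.isalnum() for c in password):
        size += SYMBOLS
    return size


def keyspace(alphabet: int, length: int) -> int:
    """Number of distinct passwords of exactly this length over this alphabet."""
    return alphabet ** length


def entropy_bits(alphabet: int, length: int) -> float:
    """log2 of the keyspace: the usual 'bits of strength' for a uniformly random password."""
    return length * math.log2(alphabet)


def time_to_exhaust(alphabet: int, length: int, rate: float) -> float:
    """Seconds to try every candidate at `rate` guesses/s.

    A uniformly random password is found, on average, after half of this time.
    """
    return keyspace(alphabet, length) / rate


def fmt_duration(seconds: float) -> str:
    """Render a duration in the largest unit that fits (years use 365 days)."""
    units = [("years", 365 * 24 * 3600), ("days", 86400),
             ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.3f} seconds"


def report(password: str) -> dict:
    """Keyspace, entropy and exhaustive-search time for a password's alphabet and length."""
    alphabet, length = charset_size(password), len(password)
    return {
        "alphabet": alphabet,
        "keyspace": keyspace(alphabet, length),
        "bits": round(entropy_bits(alphabet, length), 1),
        "exhaust": {label: fmt_duration(time_to_exhaust(alphabet, length, r))
                    for label, r in RATES.items()},
    }


if __name__ == "__main__":
    # RPM8t4ka is the text's example; the 9-character variant adds one letter to it
    for pw in ("RPM8t4ka", "RPM8t4kaX", "123456", "Mtfbwy"):
        print(pw, report(pw))
```

Dividing the full 62^8 space by 2.8e9 guesses per second reproduces the text's 22 hours; the same space at an online rate of 10 guesses per second takes hundreds of thousands of years, which is why offline cracking of a leaked hash database, not the login form, is the scenario these numbers describe.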

A random password is not invulnerable, as it can be stolen. There are many options, ranging from reading input from the keyboard to a camera over your shoulder.

A hacker can hit the service itself and get data directly from its servers. In this scenario, nothing depends on the user.

One solid foundation

So, we got to the main point. What tactic for using a random password should you apply in real life? From the point of view of balancing security and convenience, the "philosophy of one strong password" shows itself well.

The principle is that you use the same basis, a super-strong password (or its variations), on the services and sites that are most important to you.

Memorizing one long and complex combination is within everyone's power.

Nick Berry, an information security consultant, considers this principle acceptable, provided that the password is very well protected.

Malware must not be present on the computer from which you enter the password. It is not allowed to use the same password for less important and entertainment sites: simpler passwords will be enough for them, since hacking an account there will not entail any fatal consequences.

It is clear that a reliable basis needs to be changed somehow for each site. As a simple option, you can add one letter to the beginning: the letter that ends the name of the site or service. If you go back to that random password RPM8t4ka, then for authorization on Facebook it turns into kRPM8t4ka.

An attacker, seeing such a password, will not be able to understand how the password for your account is generated. Problems will start if someone gets access to two or more of your passwords generated in this way.

Secret Question

Some hijackers ignore passwords altogether. They act on behalf of the account owner and mimic the situation when you have forgotten your password and want to recover it via the secret question. In this scenario, the attacker can change the password at will, and the true owner will lose access to his account.

In 2008, someone gained access to the email of Sarah Palin, the governor of Alaska and, at that time, also a US vice-presidential candidate. The intruder answered the secret question, which was: "Where did you meet your husband?".

After 4 years, Mitt Romney, who was also a US presidential candidate at the time, lost several of his accounts on various services. Someone answered the security question about the name of Mitt Romney's pet.

You already guessed the point.

You cannot use public and easily guessed data as a secret question and answer.

The point is not even that this information can be carefully fished out on the Internet or from a person's close associates. Answers to questions like "pet's name", "favorite hockey team" and so on are picked out perfectly from the corresponding dictionaries of popular options.

As a temporary option, you can use the tactic of an absurd answer. Simply put, the answer should have nothing to do with the security question. Mother's maiden name? Dimedrol. Name of the pet? 1991.

However, such a technique, once it becomes widespread, will be taken into account in the relevant programs. Absurd answers are often stereotyped, that is, some phrases will occur much more often than others.

In fact, there is nothing wrong with using real answers, you just need to choose the right question. If the question is non-standard, and the answer to it is known only to you and cannot be guessed from three attempts, then everything is in order. The advantage of a truthful answer is that you will not forget it over time.

PIN

A Personal Identification Number (PIN) is a cheap lock that is trusted with our money. No one bothers to create a more reliable combination even from these four digits.

Now stop. Right now, without reading the next paragraph, try to guess the most popular PIN code. Ready?

Nick Berry estimates that 11% of the US population uses the combination 1234 as a PIN code (where it is possible to change it yourself).

Hackers do not pay attention to PIN codes because without the physical presence of the card, the code is useless (this partly justifies the short length of the code).

Berry took lists of passwords that appeared after leaks on the network and consist of four digits. With a high probability, a person using the password 1967 chose it for a reason. The second most popular PIN is 1111, preferred by 6% of people. In third place is 0000 (2%).

Suppose that a person who knows this information has someone's card in his hands. There are three attempts until the card is blocked. With some simple math, this person has a 19% chance of guessing the PIN if he enters 1234, 1111 and 0000 in sequence.

Probably, for this reason, the vast majority of banks set PIN codes for issued plastic cards themselves.

However, many people protect their smartphones with a PIN code, and the following popularity rating applies here: 2001, 1010.

Often the PIN represents a year (birth year or historical date).

Many people like to make PINs in the form of repeated pairs of digits (and pairs where the first and second digits differ by one are especially popular).

The numeric keypads of mobile devices bring combinations like 2580 to the top: to dial it, it is enough to run straight down the center of the keypad from top to bottom.

In Korea, the number 1004 is consonant with the word for "angel", which makes this combination quite popular there.

Outcome

  1. Go to random.org and generate 5-10 candidate passwords there.
  2. Choose a password that you can turn into a catchy phrase.
  3. Use this phrase to remember your password.

Many sites try to help users set more complex passwords. To do this, they set basic rules, which usually require at least one uppercase letter, one lowercase letter, one number, and so on. The rules are usually as primitive as this:

"password" => [
    "required",
    "confirmed",
    "min:8",
    // one lowercase letter, one uppercase letter, one digit, no whitespace
    "regex:/^(?=\S*[a-z])(?=\S*[A-Z])(?=\S*\d)\S*$/",
],

Unfortunately, such simple rules mean that the password Abcd1234 will be considered good and of high quality, just like Password1. On the other hand, the password mu-icac-of-jaz-doad will fail validation.

Here are the first two passwords.

And here are two passwords that will not pass the strength test.

What to do? Maybe we should not force the use of special characters and instead introduce new rules, such as a ban on repeating several characters in a row, requiring not one but two or three special characters and numbers, increasing the minimum password length, etc.

Instead of all this, it is enough to do a simple thing: just impose a minimum entropy constraint on the password, and that's it! You can use the ready-made zxcvbn estimator for this.
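An added example (not from the original article) that re-implements the composition rule shown above in Python and puts it next to a deliberately small entropy estimator in the spirit of zxcvbn. The dictionary, the keyboard sequences and the 40-bit threshold are constructed assumptions standing in for zxcvbn's real data and policy; the point is that the two checks disagree on exactly the passwords the text names.

```python
import math
import re

# The site's composition rule from the text, as a Python regex:
# at least one lowercase letter, one uppercase letter, one digit, no whitespace
COMPOSITION_RULE = re.compile(r"^(?=\S*[a-z])(?=\S*[A-Z])(?=\S*\d)\S*$")

# Constructed stand-ins for zxcvbn's dictionaries and keyboard/alphabet sequences
COMMON_WORDS = {"password", "abcd", "qwerty", "letmein", "welcome",
                "admin", "monkey", "dragon", "football", "iloveyou"}
SEQUENCES = ("abcdefghijklmnopqrstuvwxyz", "0123456789", "qwertyuiop")
MIN_BITS = 40.0  # assumed policy threshold for the entropy check


def passes_composition_rule(password: str) -> bool:
    """min:8 plus the regex: the heuristic rule most sites enforce."""
    return len(password) >= 8 and COMPOSITION_RULE.match(password) is not None


def charset_size(password: str) -> int:
    """Smallest standard alphabet covering every character in the password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33
    return size


def token_bits(token: str, charset: int) -> float:
    """Guess-work an attacker needs for one token, cheapest explanation first."""
    low = token.lower()
    if low in COMMON_WORDS:
        # one dictionary pick plus roughly one bit for the capitalisation variant
        return math.log2(len(COMMON_WORDS)) + 1
    for seq in SEQUENCES:
        if len(token) >= 3 and low in seq:
            # a run of a known sequence: only start position and length to guess
            return math.log2(len(seq)) + math.log2(len(token))
    if len(token) >= 2 and len(set(token)) == 1:
        # repeated character: which character, and how many times
        return math.log2(charset) + math.log2(len(token))
    # no cheaper pattern found: treat the token as random over the alphabet
    return len(token) * math.log2(charset)


def estimate_bits(password: str) -> float:
    """Split into letter / digit / symbol runs and sum the cheapest cost of each."""
    charset = charset_size(password)
    tokens = re.findall(r"[A-Za-z]+|\d+|[^A-Za-z\d]+", password)
    return sum(token_bits(t, charset) for t in tokens)


def passes_entropy_check(password: str) -> bool:
    return estimate_bits(password) >= MIN_BITS


if __name__ == "__main__":
    for pw in ("Abcd1234", "Password1", "mu-icac-of-jaz-doad", "12345678"):
        print(f"{pw:22} composition={passes_composition_rule(pw)!s:5} "
              f"bits={estimate_bits(pw):6.1f} entropy={passes_entropy_check(pw)}")
```

Abcd1234 and Password1 satisfy the composition rule but cost an attacker only about 10 bits of guessing under the estimator, while mu-icac-of-jaz-doad fails the rule and is the only one of the four that clears the entropy threshold.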

There are other solutions besides zxcvbn. Just last week, at the ACM Conference on Computer and Communications Security, a scientific paper (pdf) was presented by security experts from Symantec Research and the French research institute Eurecom. They have developed a new password strength tester that estimates the approximate number of brute-force attempts required using a Monte Carlo method. The proposed method differs in that it requires a minimum of computing resources on the server, is suitable for a large number of probabilistic models and, at the same time, is quite accurate. The method was tested on passwords from the publicly available Xato database of 10 million passwords (copy on Archive.org) and showed a good result. True, this study by Symantec Research and Eurecom is more theoretical in nature; at least, they have not made their program publicly available in any acceptable form. Nevertheless, the meaning of the work is clear: instead of heuristic rules for checking passwords, it is desirable for websites to implement entropy checking.

Friends, today we have a very interesting topic and there are three equally interesting questions ahead. How strong is my password? How long does it take to crack it? How to make the password more or less secure?

These questions are answered by the "How Secure Is My Password?" service, whose name translates as "How secure is my password".

Official site: http://www.howsecureismypassword.net/

This service looks like this:

We just need to enter the password and check its strength.

Let's enter the combination of digits 12345678 in the main window of the site, and see what this service "tells" us:

The system outputs the following:

  • Password 12345678 is in the TOP 10 most common passwords and can be cracked instantly.
  • It is undesirable to use a password in the form of a date of birth or a phone number.
  • Our password contains only letters and numbers (only numbers in this case). The system recommends additional use of non-standard characters and spaces.

And now I'll try to enter a 20-digit password:

The result will be better:

  • The password is longer than 16 characters, so everything is fine.
  • My password is non-standard because it contains non-standard characters (space).
  • According to the system's calculations, my password will be cracked in 1 quintillion years (that's one followed by 18 zeros).

By the way, if we enter Russian characters, the service considers this a non-standard solution.

The service also offers to create a password automatically:

Greetings!
Despite the rapid development of technology and the emergence of alternative ways to recognize the owner, password protection does not give up its positions and remains very popular to this day.

The password has become commonplace and is used to access devices and Internet services. And over time, there are only more of them. This situation eventually leads to users using the same password on all the devices and services they use.
This approach is very dangerous and threatens serious consequences. Undoubtedly, a compromised social network password does not carry the same consequences as a payment system password. But if they are identical, the likelihood that access will be obtained to the rest of the services used is very high.
To prevent this from happening, passwords must be complex (brute-force resistant) and different.

Principles used in creating a password

Most Internet resources have minimum rules for setting a password, which are often not enough to create a really complex password. It must also be remembered that:

  • The username and password must not be identical.
  • The password must not contain personal information (date of birth, phone number, etc.).
  • The password must not consist solely of words.

For example, to brute-force a password consisting of 6 digits, only 1 million combinations need to be tried. A modern computer can handle this task in a matter of minutes. For the same reason, you should not rely on passwords consisting solely of words and their combinations. Such passwords are found using dictionaries of popular words.

Do not rely on passwords that consist of words with numbers added. They are just as susceptible to hacking, although it takes much more time. However, in the event of a successful hack and the resulting losses, that will hardly matter.
For a better understanding of which passwords are strong and which are susceptible to hacking, refer to the examples. These figures were obtained using a password strength check service.

  • Date of birth 12071996 - 0.003 seconds
  • Name with a capital letter Maksim and lowercase maksim - no more than half a second
  • A combination consisting of letters and numbers 7s3a8f1m2a - about a day
  • The combination vSA-DFRLLz - 1 year
  • The combination iu2374NDHSA)DD - 204 million years

The last two passwords show very high resistance to cracking. An attacker's work to crack a password of similar complexity is likely to come to nothing.

Correctly generating a password

We figured out the theoretical part; now let's move on to generating a strong and secure password.
When creating a complex and strong password, the human factor plays a significant role. Difficulties arise at the very first stage, inventing a complex password, and afterwards, remembering it. After all, a combination of disparate symbols hardly lends itself to quick memorization.
Online services will help us with the problem of generating a strong password. There are quite a few of them; among the popular Russian-language services are:

  • passwordist.com
  • Online-Generators.ru
  • PassGen.ru

The presented services work on the same principle: you only need to specify which characters to use and choose the length of the generated password.
A separate feature of the Passwordist.com service is the ability to set the number of passwords to be created and to generate options with better readability by excluding similar-looking characters, for example B and 8.

Password storage

Strong passwords have been generated, but that's only half the battle. Passwords must be stored properly so that no one else can access them.
In this regard, options such as writing them to a text file or on a sticker attached to the monitor are immediately ruled out.
It is better and more correct to entrust confidential information to a password manager.

Among the popular solutions is the KeePass program. This program is free and at the same time very functional. Among other things, it has a password generator, thanks to which there is no need to use an online generator.
To access the database of saved passwords, you will need to set a master password. To create it, you can, for example, use the technique of typing words in a different layout in order to create a complex password, but at the same time not to forget it yourself.
A local database with passwords on your computer will a priori be less prone to hacking than public services on the Internet, so you should not overdo it with complexity here.

Checking the strength of passwords

If you want to check existing or newly generated passwords for resistance to hacking, then there are several online services for this:

1) How Secure Is My Password? After you enter the password in the appropriate form on the site, you will see how long it would take to crack it by brute force. A period of several million years can be considered excellent.

2) Kaspersky Lab: Secure Password Check This service was created by a domestic developer of a popular anti-virus solution. It also shows the approximate time it takes to crack a password by brute force.

3) 2IP: Password strength. The service issues a categorical verdict on the password being checked: it is either strong or not.

When checking your passwords for strength, do not forget that the strength results displayed there are very approximate. They are calculated based on the average performance of a home computer, and will hardly resemble those of a powerful laboratory supercomputer.
One thing is reassuring: people who have access to such equipment will hardly be interested in your password for an email or instant messenger service.

Summary

In this article, I tried to cover all aspects of password protection and explain why a password that looks strong at first glance is, in fact, not strong at all.
I hope that this information will be useful, and measures will be taken to protect against hacking and related consequences.