How should ordinary people defend against brute force cracking?

What is brute force cracking

Brute force cracking is a simple, direct attack that repeatedly tries different password combinations until one matches. It typically relies on automated tools and scripts that try passwords at an extremely high rate.

Take the combination lock on a suitcase as an example: we can use brute force to try every possible combination. A 3-digit luggage combination has 1,000 combinations to try, and a 4-digit combination has 10,000. The attack is based on exhaustive search: with enough patient attempts, the correct password is eventually found.

However, in practical applications, brute force cracking has some limitations and challenges. First, cracking time depends on the length and complexity of the password. As password length and complexity increase, the time required to crack increases significantly, especially for passwords that use combinations of letters, numbers, and special characters.

Second, many systems implement security measures to prevent brute force attacks by locking accounts for a period of time or pausing password attempts after multiple consecutive invalid password attempts. These security measures include setting login failure counters, delayed responses, and account lockouts.
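The three measures named above (a login failure counter, delayed responses, and account lockout) can be combined in one small component. The following is an added example, not code from the original post; the class name, function name, and default thresholds are assumptions chosen for illustration.

```python
import time

class LoginThrottle:
    """Per-account failure counter with growing delay and temporary lockout."""

    def __init__(self, max_failures=5, lockout_seconds=900,
                 base_delay=1.0, clock=time.monotonic):
        self.max_failures = max_failures        # failures before lockout
        self.lockout_seconds = lockout_seconds  # length of the lockout
        self.base_delay = base_delay            # delay after the first failure
        self.clock = clock                      # injectable for testing
        self.state = {}  # account -> (consecutive failures, earliest next attempt)

    def wait_needed(self, account):
        """Seconds until another attempt is allowed (0.0 means go ahead)."""
        _, not_before = self.state.get(account, (0, 0.0))
        return max(0.0, not_before - self.clock())

    def record(self, account, success):
        """Update the counter after a password check that was allowed to run."""
        if success:
            self.state.pop(account, None)  # a good login resets the counter
            return
        failures = self.state.get(account, (0, 0.0))[0] + 1
        if failures >= self.max_failures:
            wait = self.lockout_seconds                    # account lockout
        else:
            wait = self.base_delay * 2 ** (failures - 1)   # delayed response
        self.state[account] = (failures, self.clock() + wait)


def try_login(throttle, account, password, verify):
    """Gate `verify` (any password check) behind the throttle.

    Returns (status, seconds_to_wait). A throttled attempt never reaches
    verify, so even the right password is refused until the wait is over.
    """
    wait = throttle.wait_needed(account)
    if wait > 0:
        return "throttled", wait
    ok = verify(account, password)
    throttle.record(account, ok)
    return ("ok" if ok else "denied"), throttle.wait_needed(account)
```

With these defaults an automated tool gets five guesses per account and is then held for 15 minutes per further guess, which removes the "extremely high rate" that brute force depends on.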

In addition, developments in cryptography and security technology can increase the strength and security of passwords. Using security mechanisms such as encryption algorithms, key management, and multi-factor authentication can effectively prevent passwords from being cracked by brute force.

However, to ensure password security, there are some best practices individuals should follow in their daily lives:

  • Create a password that is complex enough, combining letters, numbers, and special characters, and avoid using common passwords (such as birthday, first name, etc.).
  • Change your passwords regularly and avoid using the same password for an extended period of time.
  • Use multi-factor authentication to increase the security of your login with a second factor (such as a token, fingerprint recognition, etc.).
  • Handle personal data with care and avoid disclosing personal information, passwords or answers to security questions.

In summary, although brute force cracking is a simple and direct attack method, by taking password security measures and using security technology, password security and the ability to defend against brute force cracking can be greatly improved.

Brute force method

Exhaustive method

The exhaustive method refers to generating a complete set of possible passwords based on the set length of the input password and the selected character set, and performing a blanket search. For example, a password that is known to be four digits and composed entirely of numbers may have a total of 10,000 combinations, so it can take up to 10,000 attempts to find the correct password. In theory, any password can be cracked using this method, but as the complexity of the password increases, the time to crack the password will increase exponentially.
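The exponential growth described above can be turned around into a sizing question for the defender: how long must a password be before a full search becomes impractical? The following is an added example, not part of the original post; the guess rate of one billion per second and the 100-year target are assumptions, as are the function names.

```python
SECONDS_PER_YEAR = 365 * 24 * 3600

def keyspace(alphabet_size, length):
    """Number of candidates an exhaustive search has to cover."""
    return alphabet_size ** length

def worst_case_seconds(alphabet_size, length, guesses_per_second):
    """Time to try every candidate; on average the hit comes at half of this."""
    return keyspace(alphabet_size, length) / guesses_per_second

def min_length(alphabet_size, guesses_per_second, years):
    """Shortest length whose full search takes at least `years`."""
    # Guesses an attacker can make in the given time (exact integer arithmetic).
    budget = guesses_per_second * SECONDS_PER_YEAR * years
    length = 1
    while keyspace(alphabet_size, length) < budget:
        length += 1
    return length

# Character sets by size: digits only, lowercase only, letters plus digits.
ALPHABETS = {"digits": 10, "lowercase": 26, "letters+digits": 62}

def report(guesses_per_second=10**9, years=100):
    """Minimum length per character set for the assumed attacker speed."""
    return {name: min_length(size, guesses_per_second, years)
            for name, size in ALPHABETS.items()}

if __name__ == "__main__":
    # The four-digit example from the text: 10,000 candidates.
    print(keyspace(10, 4), "candidates,",
          worst_case_seconds(10, 4, 1000), "seconds at 1000 guesses/s")
    for name, length in report().items():
        print(f"{name}: at least {length} characters")
```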

Dictionary attack

A dictionary attack saves the most frequently occurring passwords to a file. This file is a dictionary, and the passwords in the dictionary are used to guess the solution during the attack.

Dictionary attacks are suited to guessing passwords chosen by people, because people choose what is convenient, so different passwords occur with different probabilities. The probability of 12345678 or password being used as a password is much higher than the probability of fghtsaer being used. Compared with the exhaustive method, the dictionary attack gives up a little hit rate but saves much more time.

What is a weak password

In fact, the problem of weak passwords already came up in the previous section. The suitcase there has only a 3-digit password, so it takes at most 1,000 tries to crack it. But is that the only kind of password that counts as weak? Is a password composed of letters and numbers not a weak password? My answer is that whether it is weak depends on the situation. For example, if your password is the pinyin of your name plus your birthday, it is a textbook weak password. You might say that adding special symbols in the middle means it no longer counts as weak. Unfortunately, it is still a weak password. So what exactly does a weak password mean? Let's discuss it next.

What exactly is a weak password?

A weak password refers to a password that is easy to guess, crack, or brute force. Such passwords usually lack sufficient complexity and strength to resist password cracking attacks. Weak passwords have the following characteristics:

  1. Simplicity: Weak passwords are often composed of common dictionary words, names, birthdays, consecutive numbers, and other elements that are easy to guess. These passwords are often short and lack complexity and randomness.
  2. Easy to guess: Weak passwords are often tied to users' personal information, allowing attackers to guess passwords by analyzing users' social media, online profiles, etc.
  3. Lack of complexity: This type of password usually does not have enough complexity, such as missing combinations of letters, numbers, special characters, etc. They usually contain only one type of characters, such as only lowercase letters or only numbers.
  4. Common passwords: Weak passwords are often widely used ones, such as 123456, password, qwerty, etc. Because these passwords are so widely used, attackers can attack through simple brute force or a rainbow table of common passwords.
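The four characteristics above can be checked mechanically when a password is set, including the case from the previous section where symbols are inserted into a name plus birthday. The following is an added example, not code from the original post; the function name, the tiny common-password list, the minimum length of 8, and the sample name and birthday used to try it are all constructed for illustration.

```python
import re

# Constructed sample list; a real check would load a large breached-password list.
COMMON_PASSWORDS = {"123456", "12345678", "password", "qwerty"}
DIGIT_RUNS = ("0123456789", "9876543210")

def weak_reasons(password, personal=(), min_length=8):
    """Return the weak-password traits found in `password` (empty list = none).

    `personal` holds strings tied to the user, e.g. name in pinyin and birthday.
    """
    reasons = []
    lowered = password.lower()
    # Symbols placed between the parts do not hide them: compare with symbols removed.
    stripped = re.sub(r"[^a-z0-9]", "", lowered)

    if lowered in COMMON_PASSWORDS or stripped in COMMON_PASSWORDS:
        reasons.append("common password")
    if any(item and item.lower() in stripped for item in personal):
        reasons.append("contains personal information")
    # Count which of the four character types appear at all.
    classes = sum(bool(re.search(pattern, password))
                  for pattern in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]"))
    if classes == 1:
        reasons.append("single character type")
    if len(password) < min_length:
        reasons.append("too short")
    # Any window of four characters that is a rising or falling digit run.
    if any(stripped[i:i + 4] in run
           for i in range(len(stripped) - 3) for run in DIGIT_RUNS):
        reasons.append("consecutive numbers")
    return reasons
```

For a constructed user named "zhang" born in 1990, `weak_reasons("zhang@1990", personal=("zhang", "1990"))` still reports personal information even though the password mixes letters, digits, and a symbol.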

Weak password defense

In my opinion, the strength of a password lies in whether it follows an obvious rule. For example, the name plus birthday we just mentioned is a typical weak password because it is easy to guess, but we can use certain methods to enhance the strength of the password. What I recommend here is the classical cipher invented by Caesar in ancient Rome. The Caesar cipher is a simple substitution cipher that replaces each letter of the plaintext with the letter a fixed offset further along the alphabet. If the shift runs past the end of the alphabet, it wraps around to the beginning.

For example: 'abc' encrypted with the Caesar cipher becomes 'cde'. It is based on the alphabet. However, this method also has flaws: the plaintext password can slowly be deduced from the ciphertext, so it too follows a recognizable rule, but it is better than taking no measures.

The method I recommend is more direct and blunt. Starting from the Caesar cipher, we change the reference from the alphabet to something else, such as the keyboard, a favorite book, etc. Take the keyboard as an example.

  • The first character is shifted upward on the keyboard and made lowercase,
    • For example: the upward displacement of 'w' is
  • The second character is shifted downward and capitalized,
    • For example: the downward displacement of 'j' is 'N',
  • If the third character is a letter, take its position in the alphabet and map it to the special symbols on the keys 1 through + on the keyboard (a total of 13 positions starting from `); if the position exceeds 13, start from 1 again.
    • For example: 't' is 20-13 = 7, corresponding to ^ on the keyboard,
  • The fourth character is shifted one position to the left and capitalized,
  • The fifth character is shifted one position to the right and made lowercase,
  • The sixth character is replaced by its position number in the alphabet,
  • From the seventh character the rules start again from the first one, with the uppercase and lowercase order swapped.

In this way we can get a very strong password. This is just a made-up rule for illustration, and you can set your own rules. In fact, the rules I use are more complicated than this one. The original information is very simple, but after the rules are applied, no pattern can be seen.
Let's take "zhongguo" as an example and apply the rules above. It has a total of 8 characters. Let's see what it looks like after being processed by the rules.

  • First character: "z" is converted to "a"
  • Second character: "h" is converted to "N"
  • Third character: "o" is converted to "!"
  • Fourth character: "n" is converted to "B"
  • Fifth character: "g" is converted to "h"
  • Sixth character: "g" is converted to "7"
  • Seventh character: "u" is converted to "M" (the key above o on the keyboard is a numeric key, so go to the letter key at the bottom of the keyboard)
  • Eighth character: "o" is converted to "l"
  • Before conversion: "zhongguo"; after conversion: "aN!Bh7Ml"

The password "aN!Bh7Ml" has a total of 8 characters, including uppercase letters, lowercase letters, numbers and special characters.
We can calculate the number of possible choices for each character:

  • Letters: 26 uppercase letters and 26 lowercase letters, 52 choices in total.
  • Number: 10 choices in total (0 to 9).
  • Special characters: for example !, @, #, $, etc. There are many special characters to choose from; assume there are 30 different special character choices.

Therefore, the total combinations can be calculated as the product of the number of possible choices for each character:
Total combinations = (52 + 52 + 10 + 30)^8 = 194,764,248,740,860

If the computer can try 1000 combinations per second, we can estimate the time it would take to crack the password by dividing the total number of combinations by the number of attempts per second:

Time = total number of combinations / number of combinations attempted per second

Time = 194,764,248,740,860 / 1000 = 194,764,248,740.86 seconds

Convert seconds to a more readable unit:

Time ≈ 2,866,829,008 minutes
Time ≈ 47,780,483 hours
Time ≈ 1,991,686 days
Time ≈ 5,456 years

Therefore, assuming 1,000 combinations are tried per second, it would take approximately 5,456 years to crack the code.

A password converted in this way cannot be attacked with a password dictionary. An attacker can only use the exhaustive method to try to crack it, and that takes a great deal of time. If we also change the rules or passwords regularly, brute force cracking becomes basically unable to succeed. As far as fundamentally solving the problem of weak passwords goes, this only covers how we can generally defend against brute force cracking.

Origin blog.csdn.net/weixin_44369049/article/details/132073128