From the course: Web Security: User Authentication and Access Control
Brute force attacks
- [Instructor] We want passwords to be strong and resistant to attempts to discover or guess them. Understanding password strength first requires learning about some common attacks, beginning with brute-force attacks. Brute-force attacks are when software systematically generates rapid-fire input, trying to guess the correct value of a password.
Imagine a three-wheeled combination lock, like a small luggage lock or the lock that might be on a briefcase. We know that with enough time, someone could figure out what the combination is through trial and error. You might approach it systematically, starting with 000, then 001, 002, until you finally get to 999. If you try every combination, then one of them has to be the right one to open the lock. This is a brute-force attack. Passwords are longer and use letters, numbers, and symbols, not just numbers. A similar brute-force attack might try AAA, AAB, AAC, and so on for every combination. We know it can be done, but we also know that it would take a longer time. The time required has increased because there are more possibilities to try in each of those positions. And if it was a longer password, then there would be more positions to try with each of those combinations.
There's a formula we can use to estimate the total number of combinations we would need to try in order to try every single one. We call this the key space. Key is frequently a word used synonymously with password. The formula is: the key space is the number of possibilities for each position raised to the power of the length, or the number of total positions. In our combination lock example, each wheel has numbers zero through nine, which is 10 possible values, and the three wheels are the key length. So the key space is 10 to the third power, or 10 times 10 times 10, which is 1,000 possible combinations total. If we were to make 1,000 attempts, we're guaranteed to find the right combination along the way.
Measuring the key space is a useful way to compare the strength of different passwords and their resistance to brute-force attacks. For example, if we modify the number of possibilities, then we increase the key space. The lock on my high school locker had a combination lock that had three numbers, but there was a dial that let me pick numbers from zero through 39. The key space formula would be 40 to the third power, which is 64,000. So on average, we can expect it to take 64 times longer to brute-force the combination to one of these locks than the three-wheeled lock we put on our luggage. Or we can increase the length of the password to increase the key space. If our combination lock had four wheels, the formula would be 10 to the fourth power, or 10,000 combinations. A fifth wheel would increase it to 100,000 combinations.
The key space contains all of the combinations. Of course, we likely would not need to search the whole key space to stumble on the correct password. If we're really lucky, the correct password could be the very first one that we try. So the actual number of combinations we must try is almost certainly lower. But using the total key space, which represents the worst-case scenario for a brute-force attack, is useful to allow us to make comparisons. For example, the key space formula shows that the password length is more important than the range of characters allowed in each position. Both will increase the key space, but the password length provides an exponential increase in the combinations.
Let's consider several locks and ask ourselves which lock will be the most difficult to brute-force. First, we have three luggage locks with single digits on each wheel, zero through nine. The first has three wheels, the second has four wheels, and the third has five wheels. Next, we have two locks with dials. The first one has a dial with numbers and a few letters added for 20 different possibilities total, and you rotate it three times to find the combination. The next one is the kind like I had in my high school locker, with 40 possibilities and three turns of the dial. Which lock do you think would be the most difficult to brute-force? Pause the movie if you want to take a moment to consider.
Let's walk through them. The three-wheel lock we already know is 10 to the third power, for 1,000 combinations. Adding a fourth wheel increases it exponentially to 10,000 combinations, and adding a fifth wheel will increase it exponentially to 100,000 combinations. How do those compare to the dial locks? The first lock has 20 possibilities and three turns of the dial, which is 20 to the third power, or 8,000 combinations. It's quite a bit stronger than the three-wheel lock but not as strong as the four-wheel lock. The final lock has 40 numbers and three turns of the dial. 40 raised to the third power is 64,000. So it's stronger than the four-wheel lock but still weaker than the lock with five wheels. Are you surprised? Allowing a variety of characters in a password is important, but even more important is the length of the password. A longer password is exponentially more resistant to brute-force attacks.
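As an added worked example (this is not part of the course transcript or its materials), the key space formula from the video, possibilities raised to the power of the length, applied in Python to the five locks the instructor describes, with the "64 times longer" comparison and the worst-case ranking computed rather than stated. The final password comparison is an addition of my own: the character-set sizes 26 (lowercase letters) and 95 (printable ASCII) are assumptions used to show that a longer password drawn from a smaller alphabet can still have the larger key space.

```python
"""Key-space arithmetic for comparing password (or lock) strength.

key_space = possibilities ** length, i.e. the worst case for exhaustive guessing.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Lock:
    name: str
    possibilities: int  # distinct values per position (wheel mark, dial number, character)
    length: int         # number of positions (wheels, turns, characters)


def key_space(possibilities: int, length: int) -> int:
    """Total number of distinct combinations; the worst case for a brute-force search."""
    if possibilities < 1 or length < 1:
        raise ValueError("possibilities and length must both be positive")
    return possibilities ** length


def lock_key_space(lock: Lock) -> int:
    return key_space(lock.possibilities, lock.length)


# The five locks from the lecture (the numbers are the lecture's own).
LOCKS = [
    Lock("3-wheel luggage lock, digits 0-9", 10, 3),
    Lock("4-wheel luggage lock, digits 0-9", 10, 4),
    Lock("5-wheel luggage lock, digits 0-9", 10, 5),
    Lock("dial lock, 20 marks, 3 turns", 20, 3),
    Lock("dial lock, 40 marks, 3 turns", 40, 3),
]


def rank_by_key_space(locks):
    """Weakest first; the last entry is the hardest to brute-force in the worst case."""
    return sorted(locks, key=lock_key_space)


def relative_effort(stronger: Lock, weaker: Lock) -> float:
    """How many times more guesses the stronger lock needs in the worst case
    (the lecture's '64 times longer' for the 40-mark dial vs. the 3-wheel lock)."""
    return lock_key_space(stronger) / lock_key_space(weaker)


# Assumed alphabet sizes for the password comparison (not from the lecture):
LOWERCASE = 26        # a-z
PRINTABLE_ASCII = 95  # every printable ASCII character


def length_beats_alphabet(short_len: int, big_alphabet: int,
                          long_len: int, small_alphabet: int) -> bool:
    """True when the longer password over the smaller alphabet has the larger key space."""
    return key_space(small_alphabet, long_len) > key_space(big_alphabet, short_len)


if __name__ == "__main__":
    for lock in rank_by_key_space(LOCKS):
        print(f"{lock.name:40s} {lock.possibilities}^{lock.length} = {lock_key_space(lock):>8,d}")
    print(f"40-mark dial vs 3-wheel lock: {relative_effort(LOCKS[4], LOCKS[0]):.0f}x the worst-case effort")
    print("12 lowercase letters beat 8 printable-ASCII characters:",
          length_beats_alphabet(8, PRINTABLE_ASCII, 12, LOWERCASE))
```

Running it prints the locks from weakest to strongest, reproducing the ordering in the lecture (3 wheels, 20-mark dial, 4 wheels, 40-mark dial, 5 wheels), and the last line shows the same lesson scaled up to passwords: twelve positions of a 26-character alphabet outgrow eight positions of a 95-character one.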