The Sound of Science - 'Password Math'

Dec 18, 2019

Sam: Welcome to The Sound of Science. I’m Sam from STEM Outreach. 

Jessica: And I’m Jessica from NIU Division of Information Technology. Last week we spoke about the technology behind passwords, and today we are going to dive into the math behind passwords. To recap a little bit, the two major ways to secure passwords within a system are hashing and salting. Hashing uses an algorithm to destroy the password and turn it into an irreversible code. Salting is an extra code tacked onto your password to further increase the complexity. Together, they are designed to slow down attackers trying to crack your password.


Sam: However, hashing and salting can only do so much. The first line of defense is the password you create. Unfortunately, the very common password requirements can end up weakening your password. 

Jessica: Right, if I tell someone they have to have eight characters, they’re likely not going to do more than the bare minimum. With numbers, letters, and symbols, there are 96 characters to choose from. Mathematically, that’s 96 multiplied by 96 eight times, which turns out to be a very big number. A number with 15 zeros behind it. Even then, it might only take a computer a few days to crack that password using a method called brute force.

Sam: That’s if the computer started with 12345678 then 12345679 and so on. Attackers will also use a dictionary attack to try the most common passwords and their variations. Setting your password to “Password” is truly useless, but so is Pa$$word using dollar signs instead of S’s. A dictionary attack already accounts for those silly combinations. 

Jessica: If an attacker’s dictionary contains a quarter of a million words, the variety goes from 96 to a quarter of a million. Using eight words is essentially infinitely stronger than eight characters. However, dictionary attacks also look for patterns. So if one of the words in your password is “rocky,” there might be a good chance the next word is “mountain” or “road” or “Bullwinkle.”

Sam: Next time we’ll talk about how those attackers actually get ahold of sensitive information. This has been the Sound of Science on WNIJ.

Jessica: Where you learn something new every day.