Would your password withstand 100 guesses from a hacker?

How many tries would a hacker need to guess your password?

Could it withstand 100,000,000,000,000 guesses, the kind of scrutiny it might face if it were stolen in a data breach and attacked offline on specialist hardware?

Too hard? How about 1,000,000 guesses? That’s the sort of resilience a password needs in order to fend off a much slower online attack against a website’s login page.

Still too hard? What about 100 guesses? That’s the number of failed attempts that the very latest NIST (National Institute for Standards and Technology) guidelines suggest should trigger a lock-out:

Unless otherwise specified in the description of a given authenticator, the verifier SHALL effectively limit online attackers to 100 consecutive failed attempts on a single account in any 30 day period.

100 guesses is nothing. We can all make a password that withstands 100 attempts, right?

Maybe not.

According to recent research out of China and the UK, an attacker with a little of your PII (Personally Identifiable Information) has a one in five chance of guessing your password before they hit NIST’s 100-guess shutout.

The researchers from China’s Fujian Normal and Peking Universities, and the UK’s Lancaster University, have developed TarGuess, a framework that intelligently targets individual users based on personal information that an attacker might reasonably have access to.

TarGuess-I uses PII such as your name and birthday. According to the researchers it can:

…achieve about 20% success rates against normal users with just 100 guesses, 25% with 10³ guesses, and 50% with 10⁶ guesses. This suggests that the majority of normal users’ passwords are prone to a small number of targeted online guesses (eg 100 as allowed by NIST)

If you’re one of the hundreds of millions of people whose details have been stolen in attacks on Adobe, Yahoo, LinkedIn and others, then your publicly available PII could include another of your passwords, a so-called “sister password”.

Those “sister passwords” can give clues about how you create passwords – add them to TarGuess and the chances of beating the NIST shutout are even higher:

TarGuess-III and IV [which use sister passwords] can gain success rates as high as 73% with just 100 guesses against normal users and 32% against security-savvy users

A widening chasm?

A few years ago Microsoft Research conducted a detailed study into real-world password protection (you can read all about it in my article Do we really need strong passwords?) and highlighted what they called the online-offline chasm.

The chasm is the difference between how many guesses your password needs to withstand to deal with an online attack (about 1 million guesses) and how strong it needs to be to deal with an offline attack (about 100 trillion guesses).

Online attacks occur when someone attempts to log in to a website by guessing the password (they wouldn’t type the password themselves of course, they’d use software that types far, far faster and doesn’t get bored).

Offline attacks occur when someone steals, buys or otherwise finds themselves in possession of a website’s password database and can crack them directly using specialist software and hardware.

The researchers concluded that there was little to be gained by making passwords that sit in the vast ‘chasm’ between the two thresholds; if your password is good enough to withstand 1 million guesses it won’t get substantially better until it can withstand 100 trillion.

The paper was part of a broader change in thinking about passwords (of which the latest NIST guidelines are also a good example) that’s attempting to shift the burden of password security away from users and back onto system owners and administrators.

Funky password formulas and arbitrary resets are out, throttling and proper password storage is in.

In effect the authors were telling system administrators to take the strain; you worry about the offline attacks they said, and leave users the simple job of making passwords that can handle 1 million guesses – just six characters chosen at random should be enough.

TarGuess and its developers show us that even that might be too much to ask:

…normal users’ passwords are even not strong enough to resist online guessing and still far away from the “online-offline chasm”

Many of us remain wedded to our truly terrible passwords.

The researchers used password databases from nine massive breaches including CSDN, Yahoo and RockYou most of which occurred within the last six years.

In seven of the nine databases 123456 was the most popular password, and none of the top 10 passwords in any of the breaches would surprise readers of the annual most popular passwordlists published by SplashData.

It’s as if they all read our foolproof guide to choosing terrible passwords.

The bottom line

If you’re a website owner or operator, follow the latest NIST guidelines (you might like to start with our NIST password rules primer) and read our guide on how to store passwords safely.

Don’t allow users to use 123456, password, or any other known bad passwords, and use a reputable password strength meter to ensure they can’t pick other passwords that might be easy to crack.

Use rate limiting and lock-outs to bolster poor passwords and use two-factor authentication so that when a password is cracked it’s not enough by itself to give an attacker access.

If you’re a website user arm yourself with a password manager. It’ll do the job of creating and remembering passwords for you which means you can create as many incredibly strong passwords as you need.

Of your course you’ll need to create and remember at least one really strong password to protect the password manager itself. For that we suggest you watch our video on how to pick a proper password: