Passfault: Redefining Password Strength and Creation
Added by Brandy Courtade on Jun 8, 2012
It's no secret that passwords seem to be a continual security problem without any real resolution. But one developer for defense contractor Partnet believes that the only way to truly measure the strength of the password is by determining how long it would take to crack. As such, he created Passfault, an open-source tool that will tell you how long it will take to crack a given password. As an IT professional at a midsize business, you deal with the fallout of the less tech-savvy members of the business being careless with passwords. This new tool might ease some of the pain and make users more aware of how a truly secure password is made.
Redefining Password Creation
Instead of basing strength on the presence of numeric and special characters, Passfault uses patterns. In brief, the more combinations that could be made from your password's pattern, the longer it would take to crack that one password and thus the stronger it is. The tools include the Analyzer, which assesses your current password, and a Password Creation Slide-Tool, according to ZDNet. The creation tool allows you to set a policy where a password is only acceptable if it takes, say, a month to crack. Then, perhaps, that password expires in a month.
Morris put the project up with the Open Web Application Security Project (OWASP), a nonprofit organization, with the intention that the software be built upon. Morris's claims about password strength are backed by a study done at Carnegie Mellon University in 2011 showing how the average password policy makes it more difficult to create a truly strong password, and that length is the only meaningful variable in the equation of strength.
The Password Formula
The tool examines mixed-case words, keyboard patterns, backwards spellings, misspellings, and special character substitutions. It calculates the number of passwords that could be created using that same pattern, thus determining the password's complexity.
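To make the pattern idea concrete, here is an added, simplified estimator written in the same spirit as the approach described above; it is not Passfault's own code. It assumes a tiny constructed wordlist standing in for a 100,000-entry attacker dictionary, three keyboard rows, a handful of leet substitutions, and a guess rate of one billion per second, all of which are assumptions rather than figures from the article.

```python
import math

# Constructed toy wordlist; WORDLIST_SIZE is the assumed size of the full list
# an attacker would actually use, so a plain dictionary word costs that many guesses.
WORDLIST = {"password", "summer", "dragon", "monkey", "letmein"}
WORDLIST_SIZE = 100_000
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]
# Assumed special-character substitutions, undone before the dictionary lookup.
LEET = str.maketrans("@4$5031!7", "aassoleit")


def segment_space(seg: str) -> int:
    """Candidates an attacker must try for the cheapest pattern explaining this segment."""
    n = len(seg)
    low = seg.lower()
    plain = low.translate(LEET)
    if n >= 3:
        # Dictionary word, possibly spelled backwards, with leet and case variants.
        for cand, backwards in ((plain, False), (plain[::-1], True)):
            if cand in WORDLIST:
                cost = WORDLIST_SIZE
                cost *= 2 if backwards else 1      # backwards spelling doubles the space
                cost *= 2 if plain != low else 1   # leet substitutions used
                cost *= 2 if low != seg else 1     # mixed case used
                return cost
        # Keyboard run: count substrings of this length across all rows, both directions.
        if any(low in row or low in row[::-1] for row in KEYBOARD_ROWS):
            return 2 * sum(max(0, len(r) - n + 1) for r in KEYBOARD_ROWS)
    if seg.isdigit():
        return 10 ** n
    # No pattern found: brute force over the character classes actually present.
    charset = (26 * any(c.islower() for c in seg) + 26 * any(c.isupper() for c in seg)
               + 10 * any(c.isdigit() for c in seg) + 33 * any(not c.isalnum() for c in seg))
    return charset ** n


def search_space(password: str) -> int:
    """Cheapest segmentation of the password: product of per-segment spaces (DP)."""
    best = [math.inf] * (len(password) + 1)
    best[0] = 1
    for end in range(1, len(password) + 1):
        for start in range(end):
            best[end] = min(best[end], best[start] * segment_space(password[start:end]))
    return int(best[-1])


def crack_time_seconds(password: str, guesses_per_second: float = 1e9) -> float:
    """Time to exhaust the pattern space at an assumed attacker speed."""
    return search_space(password) / guesses_per_second
```

Note how "P@ssw0rd" costs only a few variants of a dictionary word, while the same eight characters chosen without a pattern would cost 95^8 guesses; that gap is the point the pattern approach makes.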
In this, Morris hopes to help users understand password strength more clearly. With users consistently choosing weak passwords and cracking a constant issue, this may be a more effective way to approach password creation. Even recently, a study showed how simple the most common passwords are. You know the consequences of a compromised password; you know that nothing seems to keep them from being cracked. Perhaps a new approach, similar to Morris's or otherwise, is what's needed.
On the critical side, this approach only addresses the issue of mechanical hacking: strength is determined by how many different combinations you can get out of one password's pattern, which is only meaningful to a password cracking program. Even the Password Creation Slide-Tool allows you to choose what password protection level you want, indicating that these levels are based on mechanical hacking rather than organic hacking. You're certainly aware there are ways people can crack passwords that algorithms can't, such as gathering personal information and analyzing probabilities. However, if a password satisfies the constraints of, say, a password that will take four months to crack, it likely doesn't contain easily gathered personal information. That being said, it seems a more effective policy than current standards and is at least worth consideration from IT professionals.
This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.