The Psychology of Password Allocation
Brute-force attacks are common, and they can cause major reputational damage in addition to financial damage. Those who used to fly under the radar must now expect attacks of various kinds. For quite some time, criminals have no longer been after only the big companies; they exploit the attack surface of every company. It is essential to be prepared.
Brute-force attacks attempt to gain access to an account by trying different username and password combinations, much as someone turns the wheels of a combination lock and tries one number combination after another until the lock opens.
Whereas a combination lock has to be turned by hand, the computer does the work in a brute-force attack. At more than 10,000 password attempts per second, the attacker can hammer the login form and attempt a so-called account takeover.
The logic behind password strength
A password consisting of 6 lower-case letters of the German alphabet allows 308,915,776 possible combinations.
This is calculated from the number of usable letters, 26 without ä, ö, ü and ß, raised to the power of the password length, which is 6: 26 to the power of 6.
If one assumes 1,000 attempts per second, the password can be guessed in 3.5 days at the earliest.
Password guidelines or password policies are meant to improve this: they require, for example, 12 characters, upper- and lower-case letters, and a special character.
This increases the number of possible characters from 26 to 72 and the exponent from 6 to 12, so that 19,408,409,961,765,342,806,016 passwords are possible. At the same rate of attempts, an exhaustive attack would already take 615,436,642,623 years.
This result is quite impressive.
Why are brute-force attacks impossible to defeat despite password policies?
In IT one would call this a layer 8 problem, meaning the person in front of the screen.
Human evolution is impressive, so much so that today we speak of modern man. Unfortunately, we still have a big problem remembering passwords.
The assumption behind the large number of possible password combinations, the solution space, is that a random combination of characters is chosen.
The human factor: the psychology of password assignment and password remembering
To make life a little easier, we tend to use patterns and apply logic to our passwords. These logics can be modelled. The solution space shrinks considerably once different probabilities are assigned to the combinations. For example, a word is taken from the Duden, an E is converted to a 3, and combinations of special characters and numbers are appended at the end.
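The keyspace arithmetic from the section above, placed beside an estimate of the pattern-shaped subset just described, as an added Python example that is not part of the original article; the dictionary size, the number of substitution variants and the suffix alphabet are assumed illustrative values:

```python
# Added example: exhaustive keyspace versus the pattern-shaped subset people really use.
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY   # 365-day years, matching the article's figures


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters from `alphabet_size` symbols."""
    return alphabet_size ** length


def worst_case_days(space: int, guesses_per_second: int) -> float:
    """Days needed to exhaust the whole space when every candidate has to be tried."""
    return space / guesses_per_second / SECONDS_PER_DAY


def worst_case_years(space: int, guesses_per_second: int) -> int:
    """Whole years needed to exhaust the space; integer arithmetic keeps the large value exact."""
    return space // (guesses_per_second * SECONDS_PER_YEAR)


def pattern_space(dictionary_words: int, substitution_variants: int,
                  suffix_alphabet: int, max_suffix_len: int) -> int:
    """Candidates a pattern-aware attack actually has to try when users build passwords
    from a dictionary word, an optional substitution such as E -> 3, and a short tail of
    digits and special characters. Assumption: only words that already satisfy the
    length rule are counted in `dictionary_words`."""
    suffixes = sum(suffix_alphabet ** n for n in range(max_suffix_len + 1))  # tails of length 0..max
    return dictionary_words * substitution_variants * suffixes


def compare(guesses_per_second: int = 1_000) -> dict:
    """Policy-compliant random passwords versus the pattern-shaped subset, at one guess rate."""
    random_space = keyspace(72, 12)
    # Assumed values: 150,000 usable dictionary words, E -> 3 applied or not (2 variants),
    # a tail of up to 3 characters drawn from 10 digits + 10 special characters.
    human_space = pattern_space(150_000, 2, 20, 3)
    return {
        "six_lowercase": keyspace(26, 6),
        "six_lowercase_days": worst_case_days(keyspace(26, 6), guesses_per_second),
        "policy_random": random_space,
        "policy_random_years": worst_case_years(random_space, guesses_per_second),
        "policy_pattern": human_space,
        "policy_pattern_days": worst_case_days(human_space, guesses_per_second),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:>22}: {value:,.2f}" if isinstance(value, float) else f"{name:>22}: {value:,}")
```

With the assumed values the pattern-shaped subset is exhausted in under a month at 1,000 attempts per second, while the random 12-character space takes the article's 615 billion years; every candidate in the subset still satisfies the policy.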
It becomes even simpler when password guidelines are interpreted less strictly, and particularly when users reuse the same passwords or choose one of the most popular passwords. For the latter, there are many lists and statistics which show that passwords such as 123456 are still used by up to 10% of users on some platforms.
This makes it very easy for an attacker to gain access to accounts. A few more patterns in password assignment and password remembering behaviour have been identified. Various psychological studies have dealt with these issues and, among other things, identified a connection to natural language. In concrete terms, the connection is which letters usually, or very often, follow each other. The frequency with which one letter follows another is captured by what is known as a bigram. The TU Freiberg has published a statistic on this subject which shows the ten most frequent double letters and the eighteen most frequent bigrams, among which ER, EN and CH are the top three candidates in German, along with further analyses of English language use.