Tag Archives: haystack theory

Password Theory, Explained

I saw an article a couple of days ago by a journalist asking, basically, “when you attack a target, how do you do it?”  I wrote the journalist a reply explaining my basic modus operandi.

There isn’t anything particularly special about how I go about attacking a target, except one thing: where I get my password lists.  That is, when I’m using a brute-force attack on a target service, where I draw my usernames and passwords becomes highly relevant to the success or failure of my efforts.

It should be noted at this point that I do not make it a habit to attack systems that I do not have legitimate access to (e.g. through either permission or ownership).  That said, password cracking can be a time-consuming effort.

So, how do I attack passwords?  I use a utility called “hydra.” Long-story short, hydra is only as good as the passwords you feed into it.  For example, if you’re attacking a server in a foreign country, it’s not very useful to use a password list based on American slang. But the lists I use I have gleaned from published password breaches and other dumps.  Over the past several years, I have amassed a large collection of passwords that I use for brute-forcing systems.

You might wonder then, “How do I prevent my password from being cracked?”  The short answer is to avoid passwords that appear in those lists and further to use permutations of passwords that employ so-called “haystack theory” for your passwords.  “Haystack Theory” says that is the LENGTH of the password is the only thing that matters.

Accordingly, you want to make sure your passwords are long, but memorable.  So how does this play out practically?  Ask yourself, “Which of the following passwords are more secure?”  s3crEtp@ss or password………

If you said “password………,” you are right.  The first example has a possible password space of 96^10 possible passwords.  The second has a possible space of 96^20 possible passwords.  So, we’re talking about an exponential difference.

Now, unfortunately, a lot of password policies don’t permit passwords like this, but that shouldn’t stop you from being able to employ “haystack theory” in your passwords.

If you want to read more about “haystack theory,” you can at https://www.grc.com/haystack.htm.

Corey Steele, Network and Security Engineer