FSU technology cracks, fixes passwords
Inside the E-Crime Investigative Technologies Laboratory at Florida State University, researchers are focused on one mission — to develop the most sophisticated software possible to crack passwords.
“We rely on passwords for many activities – online shopping, banking, and storing medical information,” said Sudhir Aggarwal, a professor in the FSU Department of Computer Science. “With credit card and social security numbers at risk, a stronger technology is needed to ensure we are creating passwords that will actually protect our information.”
Aggarwal has long been focused on this issue of password cracking and other computer security issues during his tenure at Florida State. He has published extensively in academic journals on using probability to develop a context-free, grammar-based password cracking system.
Now, he’s taken that work and turned it into patented technology.
“Our technology evaluates password strength by trying to break it,” Aggarwal said. “Our system takes the proposed password and generates guesses in the highest probability order. The more guesses it takes, the longer the time it will take an attacker to crack the password.”
According to the 11th Annual Cost of Data Breach Study conducted by IBM Security, there is a 26 percent change of a material data breach involving 10,000 lost or stolen records in the next 24 months. The study also reports that the average consolidated total cost of a data breach grew from $3.8 million to $4 million.
Currently, the most common password generation method is based on a set of rules. For example, existing technology advises users to create passwords with a minimum of eight characters and contain a capital letter and/or special symbol.
This method may seem effective; however, these rules can make passwords difficult to remember.
“Two components to a strong password are to make it easy to remember and hard to crack,” Aggarwal said. “If our system can successfully crack a password, it will propose a password similar to the one submitted but with slight format variations, making it easier to remember.”
Aggarwal hopes this technology can provide major support in a number of different areas, but particularly for law enforcement trying to crack encrypted files or hard drives.
“Since law enforcement officers have a limited amount of time and resources that can be devoted to a password cracking session, it is important for them to make the best guesses possible,” he said. “Our program uses a more precise mathematical background compared to other applications, providing a more efficient process by generating password structures in highest probability order.”
It will also help companies and scientists learn how to better secure private information.
“By understanding how to break passwords, we can continue to gain an even better understanding on how to make them stronger and keep private information secure,” Aggarwal said.