FF-pwgen: basic theory

Why do I need strong passwords?

This is the result of Moore's law. Current generations of cheap desktop pcs are now very capable in doing a brute force attack on cryptographic targets. Especially high end graphic cards can compute several hundred millions of hashes within a second. As a result of this, the number space decreases because the faster machines can compute more within a second, but because cryptography is nothing more than make things "compute this a bazillion times if you don't know the key" for each new computer generation the save keys space shrinks (save means here: that portion a cracker can not reach in reasonable time with todays technology)

What does a secure password looks like?

A secure password is truly random. It must force the breaker, to try every possible key to get it (this is results in 50% of the key space in average). The "more" secure the password is, the nearer drives it the breaker against the 50% wall (which can be quite large, depending on the algorithm used)

How does "cracking the password" work?

A cracker must feed the cracking device (normally a computer or a modern graphics card) with the keys he wants to check (feed key, compute result, if the result is equal the value you search, you know a source with results into the searched result, so you have found the password by trial and error).

As of today it is still not feasible to just "try" the 50% key space and hoping to find the password by a brute force attack. To get a better chance, password crackers do not try random keys but use permutation rules, normally based on dictionary (such a rule might be: pick some word from dictionary and append every number from 1-65536). The crack program evaluate these rules and compute the results of these, trying to find your password. The more rules the cracking program knows the more key space it is able to generate (and as thus increasing the chance to hit the hash of your password by constructing it).

Wait - brute force attack does not seek total key space?

Correct - even a weak hash like MD5 *) still proves to be a enough high barrier to avoid a full search against the full key space, because 128 bit means 340,282,366,920,938,463,463,374,607,431,768,211,456 possibilities. This is the reason, why dictionary attacks and permutation rules are used. Let's look at the following picture:

keyspace graphic

Keyspace visualization

Please note, that sizes if the circles are actually not correct, I just made this to visualize something (and yes - they would not be even solid circles)

If you want a secure password, you must reach some how the "grey" zone, the stronger your password is, the nearer you are to the outer edge of the grey zone (this is important how long your password is resistant to moores law). Keep in mind, that the green circle is growing due Moore's law as computer gets stronger and can compute more hashes in a reasonable time.

If your password is in the red circle, it is normally an easy prey for a potential cracker most of the red ones will be cracked within seconds because they are directly hit by a simple rule every crack app will use (e.g. use known word/name and append some numbers).

"Reasonable time" here means: how long the cracker wants wait to find your password, if your passwords holds the first attack it is very likely that the cracker chooses to look somewhere else (depends on what your password protects but you get the clue).

So if you pick a true random password with a good entropy, the cracker is forced to use ALL his rules to get a chance to crack your password (this means: needs more time). If your password is strong enough (so that you hit the grey area) cracking the password is impossible with a reasonable amount of resources (which includes time).

*) weak here: there a know weaknesses of MD5 are were already exploited, maybe not ready to do on large scale but this is enough, that you should not trust MD5 absolutely.