Munged password

Password created with common replacement strategies

Not to be confused with Data munging or Mung.

A munged password (pronounced /ˈmʌndʒ/) is a password created with common character-replacement strategies, for example replacing 'S' with '$' or '5'. Alternatively, it can be seen as an application of Leet speak. Munging can produce passwords that are easy to remember and somewhat harder to guess, although they remain susceptible to brute-force guessing.

"Munge" is sometimes backronymmed as Modify Until Not Guessed Easily. The usage differs significantly from "mung" (Mash Until No Good), because munging implies destruction of data, while mungeing implies creation of strong protection for data.

Rationale

Passwords are used to gain access to computer resources, and computer users generally choose passwords that are easy to remember but therefore insecure. Simple passwords are easily guessed by dictionary-attack software, so a munged password could be useful as a protection against attackers.

If a network administrator supplies a password that is too difficult to remember, or requires that passwords be changed frequently, users tend to write their passwords down to help them remember. Passwords can often be found on sticky notes under keyboards, behind pictures, or hidden among other desktop items—another security risk.

Mungeing helps to create a strong password that the user can remember easily. The user may choose any word that they like and is then able to modify it to make it stronger.

Implementation


A strong password is often thought to require characters from at least three of the following four character sets. Besides the number of character sets used, password length is also a metric used to determine its strength:

Lower case: abcdefghijklmnopqrstuvwxyz
Upper case: ABCDEFGHIJKLMNOPQRSTUVWXYZ
Numbers: 0123456789
Special: !@#$%^&*()-=_+<>?

Adding a number and/or special character to a password might thwart some simple dictionary attacks. However, common words should still be avoided, because automated brute-force tools can just as easily test the well-known munged variations of those words. For example, the password "Butterfly" could be munged in the following ways:

8uttErfly: "B" is replaced by 8, a similar-looking number, and "e" is capitalized
Butt3rfl?: "e" is replaced by 3, a similar-looking number, and "y" is replaced by ? (y, as in "why?")
Bu2Terfly: the two consecutive t's are replaced by "2T" (2 t's)
8u2T3RfL?: a combination of all of the above

The substitutions can be anything the user finds easy to remember, and which may increase an attacker's difficulties, such as:

a=@, b=8, c=(, d=6, e=3, f=#, g=9, h=#, i=1, i=!, k=<, l=1,
l=i, o=0, q=9, s=5, s=$, t=+, v=>, v=<, w=uu, w=2u, x=%, y=?

For high-security applications, mungeing may not be very effective, because it only adds 2–3 bits of entropy, thus increasing the time needed to perform a brute-force dictionary attack by a factor of 4–8. The increase in search space obtained by mungeing a few characters of a known word is easily matched by the continuous increase in processing power (which is more or less equivalent to "cracking speed") that computers have experienced for decades as a result of Moore's Law. For some applications this can be countered by limiting password attempts, either to one per few seconds or to five per longer period of time, usually five minutes to one hour.

As a rule of thumb, use of single well-known words, including after commonly used munged substitutions, should be avoided. Instead, combinations of multiple random words should be used, which can be remembered easily by forming a mental story from them.
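To make the character-set rule, the substitution table, and the entropy argument above concrete, here is a small password-policy check (an added example, not code from the article). It counts the four character sets, reverses the article's single-character substitutions so that "Butt3rfl?" is recognised as a munged form of "butterfly", and counts how many table variants of a word an attacker would have to try at most. The 12-character minimum, the candidate cap and the mini dictionary are assumed for the example; the multi-character rules (w=uu, w=2u, "tt" to "2T") are not reversed.

```python
import math
import string
from itertools import product

# Substitution table from the article ("a=@ b=8 ... y=?"), single-character
# entries only; the multi-character rules (w=uu, w=2u, "tt"->"2T") are left out.
MUNGE = {
    "a": "@", "b": "8", "c": "(", "d": "6", "e": "3", "f": "#", "g": "9",
    "h": "#", "i": "1!", "k": "<", "l": "1i", "o": "0", "q": "9",
    "s": "5$", "t": "+", "v": "><", "x": "%", "y": "?",
}
# Reverse map: symbol -> every letter it may stand for ("1" -> {"i", "l"}).
UNMUNGE: dict[str, set[str]] = {}
for letter, symbols in MUNGE.items():
    for sym in symbols:
        UNMUNGE.setdefault(sym, set()).add(letter)

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, "!@#$%^&*()-=_+<>?")
MAX_CANDIDATES = 200_000  # assumed cap on de-munging work per password

def character_classes(password: str) -> int:
    """Number of the four character sets (0-4) the password draws from."""
    return sum(any(c in cls for c in password) for cls in CLASSES)

def demunge_candidates(password: str) -> set[str]:
    """Every lower-case string the password could be a munged form of."""
    choices = [sorted({c} | UNMUNGE.get(c, set())) for c in password.lower()]
    if math.prod(len(c) for c in choices) > MAX_CANDIDATES:
        return set()  # give up rather than enumerate millions of variants
    return {"".join(p) for p in product(*choices)}

def munge_variant_count(word: str) -> int:
    """Upper bound on variants to try if each letter may be left alone or
    replaced by any of its table symbols (case changes not counted)."""
    return math.prod(1 + len(MUNGE.get(c, "")) for c in word.lower())

def check_password(password: str, dictionary: set[str],
                   min_len: int = 12) -> list[str]:
    """Return the policy problems found; an empty list means accepted.
    The 12-character minimum is an assumed policy value, not from the article."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    classes = character_classes(password)
    if classes < 3:
        problems.append(f"uses only {classes} of 4 character sets")
    hits = sorted(demunge_candidates(password) & dictionary)
    if hits:
        problems.append(f"munged form of dictionary word(s): {hits}")
    return problems

# Constructed mini dictionary; a real checker would load a full word list.
DICTIONARY = {"butterfly", "password", "sunshine", "dragon"}
```

For "butterfly", munge_variant_count returns 192, i.e. under 8 bits even when every letter is substituted, which is the ceiling on what the table can add; a user who munges only a few characters gets the 2–3 bits the article describes.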
