Jump to content

Munged password

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by Hashlash (talk | contribs) at 10:04, 11 June 2022 (Remove duplicated 0). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

In computing, the term munge /ˈmʌn/ means to attempt to create a strong, secure password through character substitution.[citation needed] "Munge" is sometimes backronymmed as Modify Until Not Guessed Easily. The usage differs significantly from Mung (Mash Until No Good), because munging implies destruction of data, while mungeing implies creation of strong protection for data.

Rationale

Passwords are used to gain access to computer resources, and computer users generally choose passwords that are easy to remember, but therefore insecure. Simple passwords are easily hacked by dictionary attacking software.

If a network administrator supplies a password that is too difficult to remember, or requires that passwords be changed frequently, users tend to write their passwords down to help them remember. Many times passwords can be found on sticky notes under keyboards, behind pictures, or hidden among other desktop items—another security risk.[citation needed]

Mungeing helps to create a strong password that the user can remember easily. The user may choose any word he or she likes, then modifies it to make it stronger.

Implementation

A strong password is often thought to require characters from at least 3 of the following 4 character sets. In addition to including characters from different sets, the password length is also a metric used to determine its strength.[1]

Lower case abcdefghijklmnopqrstuvwxyz
Upper case ABCDEFGHIJKLMNOPQRSTUVWXYZ
Numbers 0123456789
Special !@#$%^&*()-=_+<>?

Adding a number and/or special character to a password might thwart some simple dictionary attacks. However, common words should still be avoided to the simplicity of automated brute force testing of well known munged variations of the words. For example, the password "butterfly" could be munged in the following ways:

8uttErfly The b becomes an eight (B8), and any other letter can be capitalized
butt3rfl? The e becomes a three (E3), and the Y becomes a question mark (Y = Why?)
bu2Terfly The two Ts become 2T
8u2T3RfL? a combination of all the above

The substitutions can be anything the user finds easy to remember, and which may increase an attacker's difficulties, such as:

a=@ b=8 c=( d=6 e=3 f=# g=9 h=# i=1 i=! k=< l=1
l=i o=0 q=9 s=5 s=$ t=+ v=> v=< w=uu w=2u x=% y=?

For high-security applications, mungeing may not be very effective, because it only adds 2-3 bits of entropy, thus increasing the time needed to perform a brute force dictionary attack by a factor of 4–8. The increase in search space obtained by mungeing a few characters of a known word is easily matched by the continuous increase in processing power (which is more or less equivalent to "cracking speed") computers have been experiencing for some decades as a result of Moore's Law, although this can be countered for some applications by limiting password attempts to either one per few seconds or 5 per longer period of time, usually 5 minutes to 1 hour. [citation needed]

As a rule of thumb, use of single well known words, including after commonly used munged substitutions, should be avoided. Instead, combinations of multiple random words should be used, which can be remembered easily by forming a mental story from them.

See also

References

  1. ^ Brodkin, Jon (2014-03-27). "Diceware passwords now need six random words to thwart hackers". Ars Technica.