Password encryption. HTML password protect web page
How secure is password encryption for html web pages?
Ultra strong html password encryption uses our javascript implementation of the Blowfish algorithm. It is known to be extremely secure, has no known weaknesses, and is immune to all known forms of cryptanalysis. It has been examined since 1993 (the year it was created) and no method to crack this protection has been found so far.
The original Blowfish algorithm accepts variable-length keys, from 32 bits to 448 bits. HTML Guardian's password encryption implementation accepts 48 to 384 bit keys. Using keys longer than 384 bits is impractical; in fact, using keys longer than 256 bits ensures that nobody, not even governmental agencies, will be able to see the protected content.
The only way to crack this protection is by performing the so-called brute-force or dictionary attacks.
A brute-force attack simply means trying all the possible keys until the right one is found. Hence the more possible keys there are, the longer it takes to try them all (statistically the key is likely to be found after trying about half of all possible keys). Increasing the password length exponentially increases the number of possible passwords, and with it the time needed to test all of them. So longer password = better protection!
Let's see some examples:
The number of all possible passwords for a given password length can be calculated with the simple formula
n = N^L
where:
n is the number of all the possible passwords
N is the number of characters which can be used in the password
L is the password length
In our case N can vary, but let's say we will use only a-z, A-Z, 0-9 and the reduced set of 26 special characters mentioned in the previous section. So N will be 26+26+10+26 = 88.
For a password length of six characters, the number of possible passwords to try will be 88^6 = 464 404 086 784, or more than 464 billion. If we have a computer that can test 1 000 000 (one million) passwords per second, it will need 464 404 seconds, or about 130 hours, to test all possible passwords. As we said, the password is likely to be found after trying half of the possibilities, or after approx. 65 hours.
Of course the above assumes we can test 1 000 000 passwords per second, which can't be achieved in practice. As an additional security measure, the protected file will not display any alert if the password was incorrect: it decodes the protected content in all cases, and if the password was incorrect the result is simply a bunch of garbage characters. So the cracking computer must spend some extra time evaluating the result after each password tested.
Now let's see what happens if we increase the password length:
Password length [characters] | Number of possible passwords | Time needed to test all passwords at rate 1 000 000 passwords per second | Time needed to test all passwords at rate 1 000 000 000 000 passwords per second
---|---|---|---
7 | 40 867 559 636 992 | 1.3 years | 41 seconds
8 | 3.59 x 10^15 | 114 years | 1 hour
10 | 2.78 x 10^19 | 883 120 years | 332 days
15 | 1.47 x 10^29 | 4.66 x 10^15 years | 4 660 510 334 years
25 | 4.09 x 10^48 | 1.29 x 10^35 years | 1.29 x 10^29 years
48 | 2.16 x 10^93 | 6.86 x 10^79 years | 6.86 x 10^73 years
The cracking rate of 1 000 000 000 000 tested passwords per second in the last column definitely belongs to science fiction, but it could be achieved in the next 10-15 years by using hundreds of supercomputers for distributed password cracking.
The above table clearly shows how increasing the password length increases the security; it's up to you to decide what passwords to use.
Looking at the above values you may think a 15-20 character password can never be cracked, but this is true only in some cases: only if you use a strong html password!!!
So merely using a password on a web page / web site is not enough; it should be strong enough to ensure total security.
Most people use simple passwords like their pets' names, date of birth etc. A password like "Santa Claus is back in town" may look extremely secure (that's 27 characters!!!) but in fact it may be cracked in a few days by using a dictionary attack. This means testing the password against a list of words, for example the entire English (or some other language) dictionary. There are very sophisticated dictionary attack algorithms which can test not only the words in the list but also many combinations derived from them. For example, if the word "dog" is in the list, the cracking program will also try god (the word reversed), dogdog, ddoogg, ggoodd, gdo, d o g, d_o_g etc. Most programs will also try combinations of words in the list, replacement of letters with numbers that look or sound alike (like d0g), character sequences in the order keys appear on the keyboard (like qwertyuiop or qazwsxedc) etc.
Password cracking attempts usually start with a dictionary attack because it's much faster than anything else and the chances of discovering a weak password are good. Then cryptanalysis is performed. If the encryption algorithm used has weaknesses, it can be cracked relatively easily by using sophisticated cryptanalysis techniques. The Ultra-Strong protection will resist all known cryptanalysis techniques. If the dictionary attack and cryptanalysis fail, the only alternative is the brute-force attack, which has no chance against the Ultra-Strong protection.
In conclusion:
Ultra-Strong password encryption can only be cracked by a dictionary attack. So it's up to you to use a strong password which can't be discovered by a dictionary attack: the password should not be derived from a word or a phrase. It should contain randomly mixed upper and lower case letters, numbers and special characters. A password like "Q#H3s d$mf" is much better than "Santa Claus is back in town", even though the latter is longer.
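A password-acceptance check for the advice above, as an added example (not HTML Guardian's code): it rejects the dictionary-derived forms the text lists (reversal, doubling, letter spacing, look-alike digits, keyboard sequences). WORDS is a constructed stand-in for a real dictionary, and the minimum length and class count are assumptions, not the product's rules.

```javascript
// Added example (not HTML Guardian's code): reject passwords that a dictionary
// attack with the page's transformation rules would recover. WORDS is a
// constructed sample; a real check would load a full word list.

const WORDS = ["password", "santa", "claus", "back", "town", "dog", "is", "in"];
const KEYBOARD_RUNS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890", "qazwsxedc"];
const LOOKALIKE = { "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s" };

// Undo the cosmetic changes a cracker's rule engine also undoes:
// case, separators ("d_o_g" -> "dog") and look-alike digits ("d0g" -> "dog").
function normalise(pw) {
  return pw.toLowerCase()
    .replace(/[^a-z0-9@$]/g, "")
    .replace(/[013457@$]/g, c => LOOKALIKE[c]);
}

// True if the whole normalised password is a run along a keyboard row/column.
function isKeyboardRun(s) {
  const runs = KEYBOARD_RUNS.flatMap(r => [r, [...r].reverse().join("")]);
  return s.length >= 4 && runs.some(r => r.includes(s));
}

// Strip every dictionary word and its reverse (longest first) and report how
// many characters a dictionary attack could not explain.
function unexplainedChars(s) {
  let residue = s;
  for (const w of [...WORDS].sort((a, b) => b.length - a.length)) {
    const reversed = [...w].reverse().join("");
    residue = residue.split(w).join("").split(reversed).join("");
  }
  return residue.length;
}

function isStrong(pw, minLength = 8) {
  if (pw.length < minLength) return false;
  const classes = [/[a-z]/, /[A-Z]/, /[0-9]/, /[^a-zA-Z0-9]/].filter(re => re.test(pw)).length;
  if (classes < 3) return false;   // needs mixed letters, digits and specials
  // Check both the normalised form and its de-doubled form ("ddoogg" -> "dog").
  for (const form of [normalise(pw), normalise(pw).replace(/(.)\1+/g, "$1")]) {
    if (isKeyboardRun(form) || unexplainedChars(form) < 4) return false;
  }
  return true;
}
```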
Editing the template
As noted above, the ultra strong protection is not intended to protect the source code but to protect highly sensitive information stored in html format in an extremely secure way. However, most of the source code protection options can be used for ultra strong protected files.
HTML Guardian uses a template file named se_template.htm (in the program's installation folder) for ultra strong password encryption. By modifying this file, you can:
- use some of the source code protection options for ultra strong protected files
- customize the layout of the page people will see before entering the password
The template has the following structure:
<script>
.. information about source code protection options
to be used
</script>
<body>
.. here you can put your custom code which will be displayed before entering the password
</body>
To modify the source code protection options:
In the <script> ... </script> section of the template, there are six lines that look like
use_disableRightClick=0;
......................................
Each line defines whether a certain protection option should be used. By default all are disabled. To enable an option, change 0 to 1. For example, if the first of those lines looks like
use_disableRightClick=0;
the right click will not be disabled. If you change it to
use_disableRightClick=1;
it will be disabled.
Lines that start with // are comments; do not touch them.
Protection options not listed in the template can't be used.
In the <script> ... </script> section of the template, you can only change a value from 0 to 1 and vice versa to define whether a certain option should be used. Do not modify anything else.
To modify the way the protected file looks before entering the password:
You can customize the page people will see before entering the password by modifying the <body> .... </body> section of the template.
This will only have effect if the user is prompted for the password with a password box in the protected file. If you have configured HTML Guardian to use a javascript prompt for entering the password, any changes you make in the <body> ...... </body> section of the template will have no effect.
You can add your own code in the body tag, for example to instruct users how to obtain a password, what to do in case of a forgotten password etc. You can also modify the page background colour, insert a background image etc.
Do not put any custom code outside the <body> ...... </body> section of the template.
Please back up the template before making any changes.
Can I manage multiple users and passwords with the Ultra Strong Password Encryption utility? I want to have an individual password for each user.
No, this is not possible. Any program that claims it can protect a file so that it can be decrypted by providing different usernames & passwords is a home-made "protection" which can be cracked in minutes and should be avoided.
There is no serious password encryption algorithm known that can encrypt a file so that it can be decrypted by using more than one password.
If you come across a program that claims it can protect your data by using an individual user login & password combination for each user, DELETE IT ***IMMEDIATELY*** FROM YOUR HARDDISK AND ***NEVER*** EVER USE IT!!!
If you want password encryption with an individual password for each user, the only option is to use some server-side technology.