I have had the benefit of visiting a number of customers to understand how they use our products. Specifically, how they use the breach password dictionary in StealthINTERCEPT Enterprise Password Enforcer. Many actively manage their breach password database to prevent breached passwords from use. In reviewing these password databases, I noticed many contained entries with multiple variations of a single word. Essentially, they were manually adding character substitution or “leetspeak.”
For example, the word ‘password’ would have the following entries:
I quickly realized that customers had thousands and thousands of passwords that were nothing more than various combinations of dictionary words with various character substitutions. The problem this creates is the potential for millions of word combinations that could be expressed simply as the base or origin word like ‘password’. While minimal, this bloat does impact lookup speed as the list grows exponentially.
The example above uses the most basic character substitution map and resulted in 15 new combinations of the word ‘password’.
- a = @
- s = $
- o = 0
Big deal. It’s only 15 combinations, right? What if we added an option for case sensitivity? Simply adding case sensitivity to our example above, you now have 1,295 new combinations of the word “password”.
If we expanded our character substitution map to include two additional substitutions (see bolded items below), the result jumps to 3,455 new combinations of the word “password”.
- S = $ or 5
- P = 9
Manually inputting character substitutions result in bloated password databases that over time become unmanageable. Think if you decide to make a single change to a character substitution, everything you previously manually added would need to be updated. That is an unnecessary drain on human and IT resources.
By adding support for a dynamic character substitution checker, you can massively reduce the number of passwords users need to manage and improve the efficiency to perform evaluations.
Let me take a moment to explain the math behind how character substitutions exponentially expand possible password combinations, then I’ll explain how we simplify the issue with StealthINTERCEPT Enterprise Password Enforcer. In our first example, each letter is assigned a value based on the possible combinations. Keep in mind we ignored case in our first example:
|Case sensitive||Case insensitive|
|– P – 1 |
– A – 2 (A or @)
– S – 2 (S or $)
– S – 2 (S or $)
– W – 1
– O – 2 (O or 0)
– R – 1
– D – 1
|– P – 2 (P or p)|
– A – 3 (A or a or @)
– S – 3 (S or s or $)
– S – 3 (S or s or $)
– W – 2 (W or w)
– O – 3 (O or o or 0)
– R – 2 (R or r)
– D – 2 (D or d)
|Answer: 16||Answer: 1,296|
If you multiple all those values in the ‘Case sensitive’ column you get 1 x 2 x 2 x 2 x 1 x 2 x 1 x 1 = 16.
Wait a minute, above you said 15 so why the difference?
Remember, I said 15 new combinations. The math includes our starting combination or seed word of “password.” If we add case insensitivity, the value for each character increases to 2 x 3 x 3 x 3 x 2 x 3 x 2 x 2 = 1,296 minus our seed word or 1,295.
Hopefully, you made it this far. Now let’s explain how StealthINTERCEPT Enterprise Password Enforcer does character substitution.
As you can imagine if we did forward substitutions, we are adding thousands to billions of word combinations depending on how many substitutions we do. To reduce this, the solution is simple. If a user enters ‘P@s$w0RD’, all we do is apply the character replacement based on the character map in reverse. Essentially, it changes @ to a, $ to s and 0 to o creating ‘PasswoRD’. Basically, we don’t need to know there are 1,296 or more combinations of ‘password’ with our character map, rather how to convert entered data for comparison. Simple, efficient and easy to understand.
I hope this helps you understand the value of character substitution and why you should use it. Character substitution checking is one of the new features of StealthINTERCEPT Enterprise Password Enforcer. There are a number of other new features that help prevent breached passwords as well, like support for the Have I Been Pwned (HiBP) password breach database.
Let me leave you on this note. How many possible combinations are there for iiiiiiiiiiiiiiiiiiii (20 i’s)?
Assume a character substitution map of:
- i – ! or |
What is the number of combinations both case sensitive and case insensitive?
SEE ANSWER BELOW
|Case insensitive can be expressed as multiplication or an exponent 20 “i’s” by 3 combinations ‘i’, !, or ||
|3 x 3 x 3 x 3 x 3 x 3 x 3 x 3 x 3 x 3 x3 x 3 x 3 x 3 x 3 x3 x 3 x 3 x 3 x 3 or 320|
|Case sensitive can be expressed as multiplication or an exponent 20 “i’s” by 4 combinations ‘i’, ‘I’, !, or ||
|4 x 4 x 4 x 4 x 4 x 4 x 4 x 4 x 4 x 4 x 4 x 4 x 4 x 4 x 4 x 4 x 4 x 4 x 4 x 4 or 420|
And yes subtract 1 for our seed word to see new combinations. 🙂
Rod Simmons is VP of Product Strategy at STEALTHbits Technologies responsible for the vision and strategy of their Active Directory Management and Security solutions. Rod has been in the technology space for over 20 years.
Prior to joining STEALTHbits, he served as Director of Product Management at BeyondTrust responsible for the Privileged Access Management products. He has also held positions leading Solution Architects and Product Managers at Quest Software and Netpro Computing Inc.