Munge
Encyclopedia
In computing, the term munge ˈmʌndʒ means to attempt to create a strong, secure password
through character substitution. "Munge" is sometimes backronym
med as Modify Until Not Guessed Easily. The usage differs significantly from Mung (Mash Until No Good), because munging implies destruction of data, while mungeing implies creation of strong protection for data.
ing software.
If a network administrator supplies a password that is too difficult to remember, or requires that passwords be changed frequently, users tend to write their passwords down to help them remember. Many times passwords can be found on sticky notes under keyboards, behind pictures, or hidden among other desktop items—another security risk.
Mungeing helps to create a strong password that the user can remember easily. The user may choose any word he or she likes, then modifies it to make it stronger.
Adding a number and/or special character to a password may thwart simple dictionary attack
s. For example, the password "butterfly" could be munged in the following ways:
The substitutions can be anything the user finds easy to remember, such as:
|-
| a=@
| b=8
| c=(
| d=6
| e=3
| f=#
| g=9
| h=#
| i=1
| i=!
| k=<
| l=1
|-
| l=i
| o=0
| q=9
| s=5
| s=$
| t=+
| v=>
| v=<
| w=uu
| w=2u
| x=%
| y=?
|}>
For high-security applications, mungeing may not be very effective, because it only adds 2-3 bits of entropy , increasing the time needed to perform a dictionary attack by a factor of 4-8. The increase in search space obtained by mungeing a few characters of a known word is easily matched by the continuous increase in processing power (ie, cracking speed), although this can be countered for some applications by limiting password attempts to either one per few seconds or 5 per longer period of time, usually 5 minutes to an hour.
Password
A password is a secret word or string of characters that is used for authentication, to prove identity or gain access to a resource . The password should be kept secret from those not allowed access....
through character substitution. "Munge" is sometimes backronym
Backronym
A backronym or bacronym is a phrase constructed purposely, such that an acronym can be formed to a specific desired word. Backronyms may be invented with serious or humorous intent, or may be a type of false or folk etymology....
med as Modify Until Not Guessed Easily. The usage differs significantly from Mung (Mash Until No Good), because munging implies destruction of data, while mungeing implies creation of strong protection for data.
Rationale
Passwords are used to gain access to computer resources, and computer users generally choose passwords that are easy to remember, but therefore insecure. Simple passwords are easily hacked by dictionary attackDictionary attack
In cryptanalysis and computer security, a dictionary attack is a technique for defeating a cipher or authentication mechanism by trying to determine its decryption key or passphrase by searching likely possibilities.-Technique:...
ing software.
If a network administrator supplies a password that is too difficult to remember, or requires that passwords be changed frequently, users tend to write their passwords down to help them remember. Many times passwords can be found on sticky notes under keyboards, behind pictures, or hidden among other desktop items—another security risk.
Mungeing helps to create a strong password that the user can remember easily. The user may choose any word he or she likes, then modifies it to make it stronger.
Implementation
A strong password contains characters from at least 3 of these 4 character sets:| Lower case | abcdefghijklmnopqrstuvwxyz |
| Upper case | ABCDEFGHIJKLMNOPQRSTUVWXYZ |
| Numbers | 01234567890 |
| Special | !@#$%^&*-=_+<>? |
Adding a number and/or special character to a password may thwart simple dictionary attack
Dictionary attack
In cryptanalysis and computer security, a dictionary attack is a technique for defeating a cipher or authentication mechanism by trying to determine its decryption key or passphrase by searching likely possibilities.-Technique:...
s. For example, the password "butterfly" could be munged in the following ways:
| 8uttErfly | The b becomes an eight (B8), and any other letter can be capitalized |
| butt3rfl? | The e becomes a three (E3), and the Y becomes a question mark (Y = Why?) |
| bu2Terfly | The two Ts become 2T |
| 8u2T3RfL? | a combination of all the above |
The substitutions can be anything the user finds easy to remember, such as:
| a=@
| b=8
| c=(
| d=6
| e=3
| f=#
| g=9
| h=#
| i=1
| i=!
| k=<
| l=1
|-
| l=i
| o=0
| q=9
| s=5
| s=$
| t=+
| v=>
| v=<
| w=uu
| w=2u
| x=%
| y=?
|}>
For high-security applications, mungeing may not be very effective, because it only adds 2-3 bits of entropy , increasing the time needed to perform a dictionary attack by a factor of 4-8. The increase in search space obtained by mungeing a few characters of a known word is easily matched by the continuous increase in processing power (ie, cracking speed), although this can be countered for some applications by limiting password attempts to either one per few seconds or 5 per longer period of time, usually 5 minutes to an hour.