Posted on Mar 26, 2007 - 2:17am by John P. in Computing, Security
If you invited me to try and crack your password, you know the one that you use over and over for like every web page you visit, how many guesses would it take before I got it?
Let’s see… here is my top 10 list. I can obtain most of this information much easier than you think, then I might just be able to get into your e-mail, computer, or online banking. After all, if I get into one I’ll probably get into all of them.
Statistically speaking that should probably cover about 20% of you. But don’t worry. If I didn’t get it yet it will probably only take a few more minutes before I do…
Hackers, and I’m not talking about the ethical kind, have developed a whole range of tools to get at your personal data. And the main impediment standing between your information remaining safe, or leaking out, is the password you choose. (Ironically, the best protection people have is usually the one they take least seriously.)
One of the simplest ways to gain access to your information is through the use of a Brute Force Attack. This is accomplished when a hacker uses a specially written piece of software to attempt to log into a site using your credentials. Insecure.org has a list of the Top 10 FREE Password Crackers right here.
So, how would one use this process to actually breach your personal security? Simple. Follow my logic:
And how fast could this be done? Well, that depends on three main things: the length and complexity of your password, the speed of the hacker’s computer, and the speed of the hacker’s Internet connection.
Assuming the hacker has a reasonably fast connection and PC, here is an estimate of the amount of time it would take to generate every possible combination of passwords for a given number of characters. After generating the list it’s just a matter of time before the computer runs through all the possibilities - or gets shut down trying.
Pay particular attention to the difference between using only lowercase characters and using all possible characters (uppercase, lowercase, and special characters - like @#$%^&*). Adding just one capital letter and one asterisk would change the processing time for an 8 character password from 2.4 days to 2.1 centuries.
| Password Length | All Characters | Only Lowercase |
|---|---|---|
| 3 characters | 0.86 seconds | 0.02 seconds |
| 4 characters | 1.36 minutes | .046 seconds |
| 5 characters | 2.15 hours | 11.9 seconds |
| 6 characters | 8.51 days | 5.15 minutes |
| 7 characters | 2.21 years | 2.23 hours |
| 8 characters | 2.10 centuries | 2.42 days |
| 9 characters | 20 millennia | 2.07 months |
| 10 characters | 1,899 millennia | 4.48 years |
| 11 characters | 180,365 millennia | 1.16 centuries |
| 12 characters | 17,184,705 millennia | 3.03 millennia |
| 13 characters | 1,627,797,068 millennia | 78.7 millennia |
| 14 characters | 154,640,721,434 millennia | 2,046 millennia |
Remember, these are just for an average computer, and these assume you aren’t using any word in the dictionary. If Google put their computer to work on it they’d finish about 1,000 times faster.
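The estimator below is an added example, not code from the original article. It reproduces figures from the table and applies the dictionary caveat by folding case and leet substitutions before estimating. The rate of 1,000,000 guesses per second and the 95-symbol "all characters" set are assumptions inferred from the table's numbers, and the wordlist and substitution map are constructed samples.

```python
import math
import string

# Assumptions inferred from the table, not stated in the article:
# 1,000,000 guesses/second and a 95-symbol "all characters" set.
GUESSES_PER_SEC = 1_000_000
# Constructed sample wordlist; a real check would load a large common-password list.
COMMON = {"password", "letmein", "monkey", "qwerty", "modeltford"}
LEET = str.maketrans("013457@$!", "oleastasi")  # fold common substitutions
PRINTABLE = set(string.ascii_letters + string.digits + string.punctuation + " ")
UNITS = [("millennia", 31_557_600_000), ("centuries", 3_155_760_000),
         ("years", 31_557_600), ("days", 86_400), ("hours", 3_600), ("minutes", 60)]

def pool_size(pw):
    """Size of the smallest standard character pool that covers pw."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw): size += 26
    if any(c in string.ascii_uppercase for c in pw): size += 26
    if any(c in string.digits for c in pw): size += 10
    if any(c in string.punctuation or c == " " for c in pw): size += 33
    return size

def keyspace_seconds(pool, length, rate=GUESSES_PER_SEC):
    """Worst-case seconds to try every string of `length` over `pool` symbols."""
    return pool ** length / rate

def humanize(seconds):
    for name, size in UNITS:
        if seconds >= size:
            return f"{seconds / size:,.2f} {name}"
    return f"{seconds:.2f} seconds"

def assess(pw):
    """Return (verdict, detail); a dictionary hit overrides the keyspace estimate."""
    if not pw or not set(pw) <= PRINTABLE:
        return ("unsupported", "estimate covers non-empty printable ASCII only")
    if pw.lower() in COMMON or pw.lower().translate(LEET) in COMMON:
        return ("dictionary", "common word after case and leet folding")
    pool = pool_size(pw)
    secs = keyspace_seconds(pool, len(pw))
    bits = len(pw) * math.log2(pool)
    return ("brute-force", f"{humanize(secs)} worst case, {bits:.0f} bits if random")

if __name__ == "__main__":
    for length in (6, 8, 10):
        print(length, humanize(keyspace_seconds(95, length)), "|",
              humanize(keyspace_seconds(26, length)))
    for sample in ("letmein", "m0d3ltf0rd", "3E*m@D7?x"):
        print(sample, assess(sample))
```

The keyspace figure is only an upper bound for a password whose characters were chosen at random; anything that folds to a wordlist entry falls long before the enumeration finishes.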
Now, I could go on for hours and hours more about all sorts of ways to compromise your security and generally make your life miserable - but 95% of those methods begin with compromising your weak password. So, why not just protect yourself from the start and sleep better at night?
Believe me, I understand the need to choose passwords that are memorable. But if you’re going to do that how about using something that no one is ever going to guess AND doesn’t contain any common word or phrase in it.
Here are some password tips:
EDIT: By request I’ve created a short RoboForm Demonstration video. It ain’t great, but I guess it’s better than nothing. Hope it helps…
Another thing to keep in mind is that some of the passwords you think matter least actually matter most. For example, some people think that the password to their e-mail box isn’t important because “I don’t get anything sensitive there.” Well, that e-mail box is probably connected to your online banking account. If I can compromise it then I can log into the Bank’s Web site and tell it I’ve forgotten my password to have it e-mailed to me. Now, what were you saying about it not being important?
Oftentimes people also reason that all of their passwords and logins are stored on their computer at home, which is safe behind a router or firewall device. Of course, they’ve never bothered to change the default password on that device, so someone could drive up and park near the house, use a laptop to breach the wireless network and then try passwords from this list until they gain control of your network - after which time they will own you!
Now I realize that every day we encounter people who over-exaggerate points in order to move us to action, but trust me this is not one of those times. There are 50 other ways you can be compromised and punished for using weak passwords that I haven’t even mentioned.
I also realize that most people just don’t care about all this until it’s too late and they’ve learned a very hard lesson. But why don’t you do me, and yourself, a favor and take a little action to strengthen your passwords and let me know that all the time I spent on this article wasn’t completely in vain.
Please, be safe. It’s a jungle out there.
EDIT: You might also want to listen to my interview on Connecticut Public Radio about password security.
One thing I’ve been wanting to try but haven’t done yet is, for websites, making the password something like “自分を信じて”, or some other phrase in non-Latin characters.
Main reason I’ve not yet tried it: What if the password changing field and the login field somehow don’t record/send/store data on the server in a way that only works with ASCII?
NEVER USE L33T passwords, I’m sure every hacker knows to use a L33T dictionary, just because you’re using m0d3ltf0rd instead of modelTford doesn’t mean you are any safer, L33T can still be dictionary attacked by the right person. Just use a decent random password. Start out small, use something like 3E*m@ remember that small password, once you got it down and know it by heart, add to it 3E*m@D7?x (remember this one and add to it, try to get a 20 character password for highly secure things like banks etc) by the time the password is full sized you’ll be typing it like it’s part of you, trust me. Also try not to use the same character twice, and don’t use letters or numbers sequentially (don’t use 53f8J use 5#f8J, spread the numbers and character types apart using unique characters each time)
It does matter, actually, whether you use “m0d3ltf0rd” instead of “modelTford”. If a password is case sensitive, as any good software source should be, it effectively doubles the amount of time necessary to crack that password by putting a capital letter in. Throwing a number in adds another layer of complexity. Consider it this way:
Let’s suppose every keyboard had only capital and lower case letters, and numbers, but only A, B, C, and 1.
If your password had only one lower case letter, in this fictional world: a, b, c. That’s a 1 in 3 chance of cracking.
If your password had three lower case letters: aaa, aab, aac, aba, abb, abc, aca, acb, acc; baa, bab, bac, bba, bbb, bbc, bca, bcb, bcc; caa, cab, cac, cba, cbb, cbc, cca, ccb, ccc. 1 in 27 chance of cracking.
So you see how quickly that ramps up, right? Supposing that there were only three valid characters in use, changing it from one to three in length added nine times the strength to the password (it’s still not good, but it’s comparatively good). Every time you add a character from a different series it adds a completely new thread to test in the very same manner as outlined in the three-character example. So, if my password (given the rules above still) was “3Ab” think how many combinations that is! Now expand this to the real world where we have 26 alphabet letters, 10 numerics, and about two dozen frequently used special characters (? , . # % \ etc). The way to make a password annoying to brute force, and extra long, is to think about how many kinds of characters you can put in, not merely the volume. Volume will work, in sufficient quantity, but remember how bruteforcing works and throw in a healthy amount of alternative series they’d have to test.
Short version: QED, leet can dramatically improve password quality.
Actually, adding case-sensitivity (far) more than doubles the potential complexity of the password. A short (6-character) password with all lower-case would be 26^6th possibilities. Adding case-sensitivity and the rest of the capital letters to the possible choices in your permutation (password) will make this 52^6th possibilities.
So:
non case-sensitive = 308,915,776 possible passwords
case sensitive = 19,770,609,664 possible passwords
Assuming that the characters chosen are random, the mixed-case password is going to be about 64 times as complex (for a 6 character password). As password length increases, so does the difference in complexity of the mixed-case password. When you get to a password length of 10 characters, a mixed-case password is about 1,000 times more complex than a single-case password of the same length. Assuming that the characters are chosen at random, a single-case password that would have taken a single day to brute-force will take almost 3 years as mixed case on the same hardware.
I don’t know why, my link in the top commenters automatically changed to someone’s link. Maybe there is a bug in your plugin. I found the bug info here - http://www.thewwwblog.com/top-commentators-plugin-bug-found.html , hope John you can read that and make sure others are not taking any advantage of genuine commenters!
You’re not nice at all, hhhmmm. This picture should be deleted immediately because I will report you to the police.
Woo! My basic password would take 210 years! Awesome! And my “Really Important Stuff” password would take 180,365 millennia. Although I really should start alternating passwords again - I used to, but lately I haven’t.
A pwd that only takes 210 years might take 3 seconds by some new method you haven’t heard about. Always opt for the maximum security
Wow, I do use “letmein” but only for things that don’t matter! And here I was thinking I was so clever…
This is called a guess attack :).
And much better than brute force and other stuff..
I also use the method of adding onto my password as time passes, that way it changes as well as grows over time.
What about webmasters reading the passwords people use while signing up on their websites? …
Usually it’s good to develop a pattern
and then keep your mouth shut once you have made something up .. let’s suppose yunky12 is your password, you add “e23” on .com domains and domain character less than 5 get 2 alphanumeric “i1” and more than 5 gets 3 “p0@”, so in this example password for onemansblog will be “yunky12e23p0@” .. lots weird but getting used to it makes things look geeky
Thanks
Several of my sites got hacked via cpanel because I was using a keyboard pattern password which I suppose was not all that difficult however the usernames were all different so who knows.
Now I use a generator where possible so it will look like: 1a8akg3. Still, maybe we should switch to md5 hash passwords, not the word but the 15+ character encrypted string.
What some of our banks are doing now for internet banking is a 3 field login:
1. username
2. numeric password
3. character based password
-Mark
I don’t think brute force cracking is the main threat these days. In fact, I would bet that practically no one ever uses that technique to crack passwords over the internet. Brute force password cracking is done locally to get into password-encrypted files or volumes on the same computer that is running the cracking program.
Long, complex passwords will protect you from rainbow table cracking but that is only relevant if the attacker can get hold of your hashed password. (The Sysadmin at your work can find out your hashed password but normal users can’t.) Rainbow tables are pretty cool but they are not generally a practical attack technique.
Most passwords are compromised these days through phishing and keyloggers. It doesn’t matter how long or complex your password is if you type it into the wrong website or get infected with a keylogging virus.
What is much more important is that you don’t use the same password for sites that require different levels of security, i.e. your MySpace/Facebook password should be different from your banking password. This is the important bit. You should also treat your email password as the same security level as the highest site that sends password reset requests to it.