How I’d Hack Your Weak Passwords

by John P.

If you invited me to try to crack your password, you know the one, the one you use over and over for practically every web page you visit, how many guesses would it take before I got it?

Let’s see… here is my top 10 list. I can obtain most of this information far more easily than you think, and then I might just be able to get into your e-mail, computer, or online banking. After all, if I get into one I’ll probably get into all of them.

  1. Your partner, child, or pet’s name, possibly followed by a 0 or 1 (because they’re always making you use a number, aren’t they?)
  2. The last 4 digits of your social security number.
  3. 123 or 1234 or 123456.
  4. “password”
  5. Your city’s or college’s football team name.
  6. Date of birth – yours, your partner’s or your child’s.
  7. “god”
  8. “letmein”
  9. “money”
  10. “love”

Statistically speaking that should probably cover about 20% of you. But don’t worry. If I didn’t get it yet it will probably only take a few more minutes before I do…

Hackers, and I’m not talking about the ethical kind, have developed a whole range of tools to get at your personal data. And the main thing standing between your information staying safe and leaking out is the password you choose. (Ironically, the best protection people have is usually the one they take least seriously.)

One of the simplest ways to gain access to your information is a Brute Force Attack: a hacker uses a specially written piece of software that tries to log into a site as you, submitting one candidate password after another until one works. Insecure.org has a list of the Top 10 FREE Password Crackers right here.

So, how would one use this process to actually breach your personal security? Simple. Follow my logic:

  • You probably use the same password for lots of stuff, right?
  • Some sites you access, such as your Bank or work VPN, probably have pretty decent security, so I’m not going to attack them.
  • However, other sites like the Hallmark e-mail greeting cards site, an online forum you frequent, or an e-commerce site you’ve shopped at might not be as well prepared. So those are the ones I’d work on.
  • So, all we have to do now is unleash Brutus, wwwhack, or THC Hydra on their server with instructions to try, say, 10,000 (or 100,000 – whatever makes you happy) different usernames and passwords as fast as possible.
  • Once we’ve got several login+password pairings we can then go back and test them on targeted sites.
  • But wait… how do I know which bank you use and what your login ID is for the sites you frequent? All those cookies are simply stored, unencrypted and nicely named, in your Web browser’s cache. (Read this post to remedy that problem.)

And how fast could this be done? Well, that depends on three main things: the length and complexity of your password, the speed of the hacker’s computer, and the speed of the hacker’s Internet connection.

Assuming the hacker has a reasonably fast connection and PC, here is an estimate of the time it would take to generate every possible combination of passwords for a given number of characters. After generating the list it’s just a matter of time before the computer runs through all the possibilities – or gets shut down trying.

Pay particular attention to the difference between using only lowercase characters and using all possible characters (uppercase, lowercase, and special characters – like @#$%^&*). Adding just one capital letter and one asterisk would change the processing time for an 8-character password from 2.4 days to 2.1 centuries.

Password Length    All Characters               Only Lowercase
3 characters       0.86 seconds                 0.02 seconds
4 characters       1.36 minutes                 0.046 seconds
5 characters       2.15 hours                   11.9 seconds
6 characters       8.51 days                    5.15 minutes
7 characters       2.21 years                   2.23 hours
8 characters       2.10 centuries               2.42 days
9 characters       20 millennia                 2.07 months
10 characters      1,899 millennia              4.48 years
11 characters      180,365 millennia            1.16 centuries
12 characters      17,184,705 millennia         3.03 millennia
13 characters      1,627,797,068 millennia      78.7 millennia
14 characters      154,640,721,434 millennia    2,046 millennia

Remember, these figures are for an average computer, and they assume you aren’t using any word in the dictionary. If Google put their computers to work on it they’d finish about 1,000 times faster.
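As an added example that is not part of the original article, the following Python reproduces the table above (give or take its rounding) and contrasts those figures with the far smaller search that a word-based password leaves open. It assumes a 95-character printable alphabet and one million guesses per second, both inferred from the table rather than stated in the article, and a 170,000-word dictionary size that is likewise an assumption.

```python
"""Brute-force time estimates behind the article's table.

Added example, not code from the original article.  The table's entries come
out when one assumes an alphabet of 95 printable ASCII characters for
"all characters" and a rate of one million guesses per second; both values
are inferred from the table's figures, the article does not state them.
"""
import string

GUESSES_PER_SECOND = 1_000_000                     # assumed, inferred from the table
LOWERCASE = len(string.ascii_lowercase)            # 26
# 94 non-blank printable ASCII symbols plus the space character = 95 (assumed)
ALL_CHARACTERS = len(string.ascii_letters + string.digits + string.punctuation) + 1

# Unit sizes in seconds; a 365-day year reproduces the table's rounding.
_UNITS = (
    ("millennia", 1000 * 365 * 86400),
    ("centuries", 100 * 365 * 86400),
    ("years", 365 * 86400),
    ("months", 365 * 86400 / 12),
    ("days", 86400),
    ("hours", 3600),
    ("minutes", 60),
)


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` symbols drawn from the alphabet."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int,
                       rate: int = GUESSES_PER_SECOND) -> float:
    """Worst case for the attacker: every candidate of this length is tried."""
    return keyspace(alphabet_size, length) / rate


def human_time(seconds: float) -> str:
    """Format a duration the way the article's table does, e.g. '2.42 days'."""
    for name, size in _UNITS:
        if seconds >= size:
            return f"{seconds / size:,.2f} {name}"
    return f"{seconds:.2f} seconds"


def brute_force_table(lengths=range(3, 15), rate: int = GUESSES_PER_SECOND):
    """Rows of (length, all-characters estimate, lowercase-only estimate)."""
    return [(n,
             human_time(seconds_to_exhaust(ALL_CHARACTERS, n, rate)),
             human_time(seconds_to_exhaust(LOWERCASE, n, rate)))
            for n in lengths]


def dictionary_guesses(word_count: int, max_suffix_digits: int = 1,
                       try_capitalised: bool = True) -> int:
    """Candidates for the article's top-10 patterns: a word or name, optionally
    followed by up to `max_suffix_digits` digits, with or without a capital.
    This is the search the table's figures do NOT protect against."""
    suffixes = sum(10 ** k for k in range(max_suffix_digits + 1))  # '', 0-9, ...
    variants = 2 if try_capitalised else 1
    return word_count * suffixes * variants


if __name__ == "__main__":
    print(f"{'Length':<8}{'All characters':<30}Only lowercase")
    for n, everything, lower in brute_force_table():
        print(f"{n:<8}{everything:<30}{lower}")
    # 170,000 words is an assumed size for an English dictionary plus common names.
    guesses = dictionary_guesses(170_000)
    print(f"\nword + optional digit, either case: {guesses:,} guesses, "
          f"{human_time(guesses / GUESSES_PER_SECOND)}")
```

Running it prints the same length-versus-time rows as the table, then shows that every dictionary word or name with an optional trailing digit is exhausted in seconds at the same guessing rate.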

Now, I could go on for hours and hours more about all sorts of ways to compromise your security and generally make your life miserable – but 95% of those methods begin with compromising your weak password. So, why not just protect yourself from the start and sleep better at night?

Believe me, I understand the need to choose passwords that are memorable. But if you’re going to do that, how about using something that no one is ever going to guess AND that doesn’t contain any common word or phrase?

Here are some password tips:

  1. Randomly substitute numbers for letters that look similar. The letter ‘o’ becomes the number ‘0’, or even better an ‘@’ or ‘*’. (e.g. m0d3ltf0rd… like modelTford)
  2. Randomly throw in capital letters (e.g. Mod3lTF0rd)
  3. Think of something you were attached to when you were younger, but DON’T CHOOSE A PERSON’S NAME! Every name plus every word in the dictionary will fail under a simple brute force attack.
  4. Maybe a place you loved, or a specific car, an attraction from a vacation, or a favorite restaurant?
  5. You really need to have different username / password combinations for everything. Remember, the technique is to break into anything you access just to figure out your standard password, then compromise everything else. This doesn’t work if you don’t use the same password everywhere.
  6. Since it can be difficult to remember a ton of passwords, I recommend using Roboform for Windows users. It will store all of your passwords in an encrypted format and allow you to use just one master password to access all of them. It will also automatically fill in forms on Web pages, and you can even get versions that allow you to take your password list with you on your PDA, phone or a USB key. If you’d like to download it without having to navigate their web site here is the direct download link.
  7. Mac users can use 1Password. It is essentially the same thing as Roboform, except for Mac, and they even have an iPhone application so you can take them with you too.
  8. Once you’ve thought of a password, try Microsoft’s password strength tester to find out how secure it is.

By request I also created a short RoboForm Tutorial. Hope it helps…

Another thing to keep in mind is that some of the passwords you think matter least actually matter most. For example, some people think that the password to their e-mail box isn’t important because “I don’t get anything sensitive there.” Well, that e-mail box is probably connected to your online banking account. If I can compromise it then I can log into the Bank’s Web site and tell it I’ve forgotten my password to have it e-mailed to me. Now, what were you saying about it not being important?

Often, people also reason that all of their passwords and logins are stored on their computer at home, which is safe behind a router or firewall device. Of course, they’ve never bothered to change the default password on that device, so someone could drive up and park near the house, use a laptop to breach the wireless network and then try passwords from this list until they gain control of your network – after which time they will own you!

Now I realize that every day we encounter people who exaggerate points in order to move us to action, but trust me, this is not one of those times. There are 50 other ways you can be compromised and punished for using weak passwords that I haven’t even mentioned.

I also realize that most people just don’t care about all this until it’s too late and they’ve learned a very hard lesson. But why don’t you do me, and yourself, a favor and take a little action to strengthen your passwords and let me know that all the time I spent on this article wasn’t completely in vain.

Please, be safe. It’s a jungle out there.

EDIT: You might also want to listen to my interview on Connecticut Public Radio about password security.


1 Marco Barulli March 26, 2007 at 11:08 am

Hi,
Your advice on making strong passwords is certainly appropriate and useful. But it’s still better never to re-use the same password for multiple sites and devices.

And if you are going to use multiple strong and complex passwords you definitely need a password manager.

(I know, I’m a tad biased since I’m the co-founder of Clipperz , an online password manager …)

With Clipperz you can do much more than simply store your passwords:
- direct login to online services
- offline version
- bookmarklet for quick data entering
- …

Give it a try and let me know your impressions.
http://www.clipperz.com

Thanks,
Marco

2 The Man March 26, 2007 at 1:53 pm

Marco,

First of all, I applaud your concept. Anything that can be done to give people a simple secure alternative to having weak passwords is a good thing.

I read quite a bit of your information on the site and also established an account. If I understand correctly, the site is in open Beta currently and requires Firefox.

I’ve got a few other comments, but they would probably be more appropriate on your discussion board rather than here, so I’ll leave them on your site.

Thanks,

John

3 Tara March 26, 2007 at 7:05 pm

There are various Online Password Managers out there. Like Marco, I’m pushing my own service, but in the end, it’s best if you shop around, try out a few that inspire you and start using it.

I wrote a similar (though much more simplified) post on our blog:
http://passpack.wordpress.com/2007/01/19/why-you-must-use-a-password-manager/

Good article. Glad to see people being proactive. Cheers to you,
Tara

4 The Man March 26, 2007 at 7:45 pm

Tara,

First of all, thanks for stopping by and sharing.

The article you referenced is fantastic. I also like your articles about trust and the comparison between online and offline products.

On a technical note, I appreciate that your resulting code validates, but your site isn’t accessible to browsers with JavaScript disabled. They only get a completely blank page.

I know quite a few people who typically leave scripting support off in their browser for security purposes and then only enable it on an as-needed basis. So, if you don’t mind the recommendation, I would suggest finding a way to present a landing page for users without scripting enabled to let them at least know to turn it on.

Thanks again,

John

5 Pentium4Borg March 26, 2007 at 7:53 pm

Isn’t another of the most commonly used passwords “password1”? I remember reading that somewhere. :-)

6 MiGs March 28, 2007 at 5:16 am

Nice!

I use the same passwords for sites or accounts that are not that important, but I maintain different passwords for important ones. So that you won’t forget them or have a hard time remembering, just add a number or another character at the beginning or end of your passwords. =>

MiGs
migs.wordpress.com

7 myself March 28, 2007 at 5:41 am

Great article, and great advice. Congratulations and thank you.

8 Tommy March 28, 2007 at 10:12 am
9 Chris March 28, 2007 at 11:02 am

Mmm… too long… here’s the best way:
1) Go near the person whose password you want to hack and wait for him or her to check his or her e-mail.
2) Take your mobile and make a video of him or her typing the password.
3) Convert the video to .mpg format (usually Nokia videos are .3gp).
4) Drag the video into Windows Movie Maker and watch it slowly.
5) It’s hard, I know, but not too hard. I found 2 passwords this way.

Chris :-)

10 zero mostel March 28, 2007 at 11:30 am

Pure fantasy.
To use any of that info, he’d need more than some anonymous name found in an email with an ISP link.

i.e.: who’s he talking to? If he doesn’t know that he sure doesn’t know any family names, dates, pets, birthdays etc.. the list goes on.
Then he’d have to be really pressed for something to do in trying to find out who he’s talking to. What’s he going to get out of it? Woo Hoo, he can now post as someone else in some knee-jerk fan forum, or chatter box. And it only took 4 months of constant beating at my passwords and login.
4 different logins, 5 or more different passwords. Even if you were handed this info, you’d still have to know where to apply it, and in what combination.

2nd, he’d have to be EXTREMELY good. I can’t even get into my places on the 1st shot, and lots of those places only allow 5 chances [TODAY]. I normally have to pull out my cheat sheet.
And without that cheat sheet, Don Quixote, you won’t get into my info any simpler than I can.
Though the question still arises: why would anyone want access to someone else’s crap on the web?

Actually, I wouldn’t even bother with trying to guess how many guesses it’d take, since I have no idea why you’d even want to waste that much time in the 1st place. But I would make one statement about it as it dawns on you that while trying to guess the passwords etc.., what’s in it for you. I’d guess you’d give up as easily as I do or faster, when I think to myself do I really want to go look for the cheat sheet? What is so important that I need to access this crap now?

Passwords and logins are an afterthought by many sites. It all started to stop kiddies that thought it’d be neat since they have semi-anonymity [total anonymity in their head] to post graffiti, and other obscenities on public forums. They started adding logins & passwords to know who was posting the crap.
To me that was a bad move. I have a delete key, a 97% accurate spam filter, and a page down key.
It’s like this: if you ignore them, they eventually lose interest and move on to someone they can get a rise out of.
This one, my mistake, I replied.
But then I feel just fine in pointing out stupidity even if it is just a spammer in a fantasy world.

You want logins and passwords? Offer a web site with gold half price today only, don’t date it. Initiate a login with password, and collect them.
You now have a list of logins and passwords with ISPs.
But here’s the monkey wrench in that plan.
1 You better have gold for half price = fraud, possibly interstate fraud, and U.S. legal enforcement doesn’t need passwords to find you.
2 On sites like this that I have ZIP TRUST in, they get some immediately thought up login and password that I’ve never used before, and will never use again. Stick that in your tried and true formula for guessing passwords. I could never get back into that site without customer support.
3 Have them mail you the password info. Again, not going to happen. If you don’t have an account there, the only password info would be yours.

Any success at guessing someone’s password that you don’t know would be just luck. Any site worth visiting doesn’t respond to brute force attacks.

You want to try brute force on something that will sit still while you pummel it with passwords for days? Just password protect a RAR file. Maybe 6 months down the road, assuming the password is less than 6 characters, not counting caps or numbers, you might find out what’s in the file.
The only place that might have any value in taking a risk like that would be a billionaire’s account.
All the time spent trying to crack, you’re CONNECTED to the web. It only takes a minute to trace a phone call. And you’re talking about months online? Not likely.
Plus login & password are needed, not just 1 word.

11 letmeout March 28, 2007 at 12:11 pm

Good one, but it wouldn’t work anymore, I guess, as more and more Internet users are using stronger and stronger passwords. For instance, on websites that I am going to use only once or a few times and where I don’t care if somebody finds my password (some forums, for example, or downloads), I always use some simple passwords (for such sites I have 5 different passwords), which you could hardly find in any word-list, + I am using my trash e-mail address and some stupid nicknames that are also easy to remember.
And in accounts which I really care about, I am using long meaningless passwords with lower- and upper-case letter and number combinations that are usually 8-10 symbols long and can’t be found in ANY word-list because they are random, as I mentioned.

And now THE MOST IMPORTANT!!!!!
—— If you want to be safe, like me, do like me: use different passwords in all accounts that you care about and DO NOT write them down anywhere – just keep them in your head where nobody can read them (so far) :)

12 NM March 28, 2007 at 12:13 pm

Microsoft’s password checker is a PIECE OF GARBAGE. Demonstration:

Generate a completely random string of 32 lower-case characters:

$ pwgen -A0 32 1
bahhohliehielohreiraofaagaezaxoh

Paste it in the password checker and it’s … WEAK! Lol. Man, that is so weak, it’s only got 26^32 degrees of randomness. How lame.

Let’s pick a REALLY STRONG password, such as:

Screw Y0U

Come on, go ahead, copy and paste it and see for yourself.

13 Yay March 28, 2007 at 12:23 pm

Ever heard of encryption, private-public keys!?

14 M. Ömer Gölgeli March 28, 2007 at 12:41 pm

Thank god, I don’t know any of my passwords but the master password since I started using a Roboform and KeePass combination. Now, most of my passwords are like..

B-YmzLh-3ccqW/tKmHL-

Of course, by using these I prevent some idiot from taping what I enter, don’t I?!

15 The Man March 28, 2007 at 1:06 pm

Zero Mostel,

I understand why many might think this article is implausible. And indeed you may personally be fairly secure. However, with a number of your assertions you are utterly mistaken:

  • You must have missed the links to gathering personal information.
  • Many fraudsters do indeed know exactly who you are even if you don’t know them. Drug addicts, crime rings, even the hacker living in the apartment next door.
  • If I bring a laptop to any random neighborhood I can compromise a network and get data right off many, many computers.
  • You are wrong about the 5 chances. Have you ever heard of Tor, or proxy servers?
  • I already explained quite thoroughly that I wouldn’t care about generic Web accounts, except that people often use the same passwords for everything, so they could use it to break into important stuff like e-mail and bank accounts.
  • You, like many others, also focus too much on the improbability of a brute force attack. Other methods are far more effective.

Additionally, you should consider the fact that this article was written generically to demonstrate to everyone that password practices need to be improved. It was not intended as a primer for hacking. I assure you there are many more methods I could employ…

Finally, blanket assertions of denial are dangerous and misleading when it comes to security. You are just plain wrong when it comes to many of your points, and naive with others. I hope you were only playing Devil’s advocate and not that you actually believe much of what you’ve written.

John

PS – Did you call me “stupid” and a “spammer living in a fantasy world”? Huh?!?

16 The Man March 28, 2007 at 1:17 pm

NM,

Yeah, I noticed that it wasn’t always great, but it was the best I could find. If anyone knows of better ones please drop them in the comments…

By the way, sorry but I slightly edited your post. Trying to keep the board a little more “family” oriented. :-)

Using your methodology I discovered that the best password is actually:

Scr3w YOU Buddy!

John

17 Jeremiah March 28, 2007 at 1:34 pm

First, good post man!

I disagree with this though:

“Randomly substitute numbers for letters that look similar. The letter ‘o’ becomes the number ‘0’, or even better an ‘@’ or ‘*’. (i.e. – m0d3ltf0rd… like modelTford)
Randomly throw in capital letters (i.e. – Mod3lTF0rd)”

I’m very skeptical of this as advice to the general public, since multiple such “weird” passwords are incredibly hard to remember and handle, and so many people who don’t use some password helper application will give up after a while and go back to “password”.

Better advice is to go for length, not weirdness. The password “passwordpasswordpassword5password” is actually pretty secure and still much easier to remember than “2d$Rg/&()/%34” or something like that. And quicker to type.

18 The Man March 28, 2007 at 2:08 pm

Jeremiah, Excellent point!

19 nic March 28, 2007 at 5:05 pm

zero mostel, you’re an idiot. what you said has no bearing on this article.

20 Tara March 28, 2007 at 6:53 pm

John,
I see you took a little tour through the blog – thanks.

You’re right about the JavaScript. PassPack is an Ajax application, so we do require JavaScript.

I will have the landing page added though to warn people to turn JS on, in the event they have it switched off.

Thanks for the catch!
Cheers,
Tara

21 Jarrett March 28, 2007 at 11:11 pm

I found this article referenced in multiple places today, and then happened to find it through StumbleUpon just now.

About six months ago I switched from a password that, while absolutely connected to me in no obvious way, and a combination of two words that is unlikely to be obvious, was still a relatively simple, all-lowercase, all-alphabet password to one that fits in your 2.1 century bracket. It gets a “Strong” from Microsoft’s password tester (you apparently have to jump to 14 characters or more to get the highest rating, and not all services allow passwords anywhere near that length). The password I use is, obviously, eight characters long (I picked this length as it’s the minimum for many sites), and a combination of letters and numbers, both upper and lowercase, with absolutely no connection to anything. No letter or number has any basis in my life, my identity, my personality, my likes, my dislikes. I chose it simply by finding a combination of disparate characters that I could learn to type quickly. I memorized it and have since written it down nowhere.

Since then, though, and before your article I began to realize just how risky, even with how “uncrackable” this password is, to be using it everywhere as I do. How many simple, run-of-the-mill, fly-by-night web forums have I signed up for using this password? And how many financial institutions are hacked on an annual basis? Any one of these sites, and especially the simplistic ones, could be hacked at any time, and that’s not assuming that the person running the site might have less-than-honest intentions.

So now what I’m looking into is the best way to make variations of one standard password. I figure the easiest way, outside of a password manager (not only does that make me nervous, but it seems inconvenient, especially when I don’t have access to it), to have a different password for nearly everything is to have a base password and then modify it for each site based on the site’s name. Perhaps changing one or two characters in the password based on the name of each site. Are there any suggestions you might have on a smart way of handling this?

Also, I’m noticing more and more sites requiring a special character in the password. The reason I haven’t yet done this is because so many sites will NOT recognize a special character in the password. It’s the lack of standards like this that complicates matters (much like some sites allowing 14 characters and some sites stopping you at 9) even further. Any good ideas on working around this?

I also wanted to give you credit for the Lazarus Long quote. Seeing that’s what got me to stop and read the whole article, not to mention bookmarking your front page.

22 The Man March 28, 2007 at 11:20 pm

Jarrett,

Thanks very much for the kind words. Also, good catch on the quote. :-) Very, very few people know where that is from. If you look at my Who’s the Man page you’ll see it in its entirety. Words I try to live by…

Also, thanks for sharing your insight. More wisdom regarding the fact that we should really use multiple passwords. Also the reason that I personally use Roboform as I mentioned previously.

And thanks for bookmarking me. I’ll try to continue entertaining you. :-)

John

23 jmkeuning bunchafreaks March 28, 2007 at 11:51 pm

Take any site, yahoo.com for example. You want to make up your own system, but here is a suggestion. Take the first two letters of the site – “ya.” Add a letter to each making it “zb.” Now you need some numbers. The last letter is “o” – “o” is the 15th letter in the alphabet. Your password for yahoo is zb1515. Want one for eBay? fc2525. Make them even better by making the first letter caps and ending with shift+your number – yahoo is zB1515!%. Easy to make, hard to crack, impossible to forget!

24 The Man March 28, 2007 at 11:54 pm

jb,

That is a great example of a passwording scheme. Thanks for sharing. Hopefully it will give other people ideas…

John

25 Matteo March 29, 2007 at 3:19 am

Great post!
Thanks for sharing.
