If you invited me to try and crack your password, you know the one that you use over and over for like every web page you visit, how many guesses would it take before I got it?
Let’s see… here is my top 10 list. I can obtain most of this information much more easily than you think, and then I might just be able to get into your e-mail, computer, or online banking. After all, if I get into one I’ll probably get into all of them.
- Your partner, child, or pet’s name, possibly followed by a 0 or 1 (because they’re always making you use a number, aren’t they?)
- The last 4 digits of your social security number.
- 123 or 1234 or 123456.
- “password”
- Your city, or college, football team name.
- Date of birth – yours, your partner’s or your child’s.
- “god”
- “letmein”
- “money”
- “love”
Statistically speaking that should probably cover about 20% of you. But don’t worry. If I didn’t get it yet it will probably only take a few more minutes before I do…
Hackers, and I’m not talking about the ethical kind, have developed a whole range of tools to get at your personal data. And the main impediment standing between your information remaining safe, or leaking out, is the password you choose. (Ironically, the best protection people have is usually the one they take least seriously.)
One of the simplest ways to gain access to your information is through the use of a Brute Force Attack. This is accomplished when a hacker uses a specially written piece of software to attempt to log into a site using your credentials. Insecure.org has a list of the Top 10 FREE Password Crackers right here.
So, how would one use this process to actually breach your personal security? Simple. Follow my logic:
- You probably use the same password for lots of stuff right?
- Some sites you access such as your Bank or work VPN probably have pretty decent security, so I’m not going to attack them.
- However, other sites like the Hallmark e-mail greeting cards site, an online forum you frequent, or an e-commerce site you’ve shopped at might not be as well prepared. So those are the ones I’d work on.
- So, all we have to do now is unleash Brutus, wwwhack, or THC Hydra on their server with instructions to try, say, 10,000 (or 100,000 – whatever makes you happy) different usernames and passwords as fast as possible.
- Once we’ve got several login+password pairings we can then go back and test them on targeted sites.
- But wait… How do I know which bank you use and what your login ID is for the sites you frequent? All those cookies are simply stored, unencrypted and nicely named, in your Web browser’s cache. (Read this post to remedy that problem.)
And how fast could this be done? Well, that depends on three main things: the length and complexity of your password, the speed of the hacker’s computer, and the speed of the hacker’s Internet connection.
Assuming the hacker has a reasonably fast connection and PC, here is an estimate of the amount of time it would take to generate every possible combination of passwords for a given number of characters. After generating the list it’s just a matter of time before the computer runs through all the possibilities – or gets shut down trying.
Pay particular attention to the difference between using only lowercase characters and using all possible characters (uppercase, lowercase, and special characters – like @#$%^&*). Adding just one capital letter and one asterisk would change the processing time for an 8 character password from 2.4 days to 2.1 centuries.
| Password Length | All Characters | Only Lowercase |
|---|---|---|
| 3 characters | 0.86 seconds | 0.02 seconds |
| 4 characters | 1.36 minutes | 0.046 seconds |
| 5 characters | 2.15 hours | 11.9 seconds |
| 6 characters | 8.51 days | 5.15 minutes |
| 7 characters | 2.21 years | 2.23 hours |
| 8 characters | 2.10 centuries | 2.42 days |
| 9 characters | 20 millennia | 2.07 months |
| 10 characters | 1,899 millennia | 4.48 years |
| 11 characters | 180,365 millennia | 1.16 centuries |
| 12 characters | 17,184,705 millennia | 3.03 millennia |
| 13 characters | 1,627,797,068 millennia | 78.7 millennia |
| 14 characters | 154,640,721,434 millennia | 2,046 millennia |
Remember, these are just for an average computer, and these assume you aren’t using any word in the dictionary. If Google put their computer to work on it they’d finish about 1,000 times faster.
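The table above can be reproduced with a few lines of arithmetic. The following script is an added example, not code from the original post; it assumes an attacker trying 1,000,000 guesses per second (the rate that matches the post’s figures) and takes “all characters” to mean the 95 printable ASCII characters. It also generalizes the table to an alphabet of any size, such as a digits-only keypad PIN.

```python
"""Added example (not from the original post): recompute the brute-force table
above. Assumptions: the attacker tries 1,000,000 guesses per second (the rate
that reproduces the post's figures) and "all characters" means the 95 printable
ASCII characters (26 lower + 26 upper + 10 digits + 33 symbols including space)."""

GUESSES_PER_SECOND = 1_000_000   # assumed rate; reproduces the post's table

LOWERCASE = 26
DIGITS = 10
ALL_PRINTABLE = 95

# (unit, seconds per unit), largest first; months are 30 days, years 365.
_UNITS = [
    ("millennia", 365 * 86400 * 1000),
    ("centuries", 365 * 86400 * 100),
    ("years", 365 * 86400),
    ("months", 30 * 86400),
    ("days", 86400),
    ("hours", 3600),
    ("minutes", 60),
]


def keyspace(length, alphabet_size):
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def seconds_to_exhaust(length, alphabet_size, rate=GUESSES_PER_SECOND):
    """Worst case for the attacker: every candidate is tried once."""
    return keyspace(length, alphabet_size) / rate


def humanize(seconds):
    """Express a duration in the largest unit that gives a value >= 1."""
    for name, size in _UNITS:
        if seconds >= size:
            return f"{seconds / size:,.2f} {name}"
    return f"{seconds:,.2f} seconds"


def crack_time(length, alphabet_size, rate=GUESSES_PER_SECOND):
    """Human-readable worst-case time, e.g. crack_time(8, 26) -> '2.42 days'."""
    return humanize(seconds_to_exhaust(length, alphabet_size, rate))


def growth_per_char(alphabet_size, length=8):
    """Factor by which one extra character multiplies the work: the alphabet size."""
    return keyspace(length + 1, alphabet_size) / keyspace(length, alphabet_size)


if __name__ == "__main__":
    print(f"{'len':>3} | {'all 95 characters':>26} | {'lowercase only':>18}")
    for n in range(3, 15):
        print(f"{n:>3} | {crack_time(n, ALL_PRINTABLE):>26} | {crack_time(n, LOWERCASE):>18}")
    # The same function covers an alphabet of any size, e.g. a 12-position
    # PIN drawn only from the keypad digits 0-9 (as discussed in the comments).
    print("12-digit keypad PIN:", crack_time(12, DIGITS))
    print("one extra lowercase char multiplies work by", growth_per_char(LOWERCASE))
```

Running it prints 0.46 seconds for 4 lowercase characters where the table shows .046; the other figures match the table to rounding.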
Now, I could go on for hours and hours more about all sorts of ways to compromise your security and generally make your life miserable – but 95% of those methods begin with compromising your weak password. So, why not just protect yourself from the start and sleep better at night?
Believe me, I understand the need to choose passwords that are memorable. But if you’re going to do that how about using something that no one is ever going to guess AND doesn’t contain any common word or phrase in it.
Here are some password tips:
- Randomly substitute numbers for letters that look similar. The letter ‘o’ becomes the number ‘0’, or even better an ‘@’ or ‘*’. (e.g. m0d3ltf0rd… like modelTford)
- Randomly throw in capital letters (e.g. Mod3lTF0rd)
- Think of something you were attached to when you were younger, but DON’T CHOOSE A PERSON’S NAME! Every name plus every word in the dictionary will fail under a simple brute force attack.
- Maybe a place you loved, or a specific car, an attraction from a vacation, or a favorite restaurant?
- You really need to have different username / password combinations for everything. Remember, the technique is to break into anything you access just to figure out your standard password, then compromise everything else. This doesn’t work if you don’t use the same password everywhere.
- Since it can be difficult to remember a ton of passwords, I recommend using Roboform for Windows users. It will store all of your passwords in an encrypted format and allow you to use just one master password to access all of them. It will also automatically fill in forms on Web pages, and you can even get versions that allow you to take your password list with you on your PDA, phone or a USB key. If you’d like to download it without having to navigate their web site here is the direct download link.
- Mac users can use 1Password. It is essentially the same thing as Roboform, except for Mac, and they even have an iPhone application so you can take them with you too.
- Once you’ve thought of a password, try Microsoft’s password strength tester to find out how secure it is.
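A small checker, added here and not the post’s own code or the Microsoft tester it links, that reviews a candidate the way a rule-based cracker would: it undoes the look-alike substitutions recommended above before comparing against a constructed list of common guesses (the post’s top 10 plus a few dictionary words), and reports the other patterns the post warns about. The word list, the function names and the 12-character minimum are assumptions made for this example.

```python
"""Added example, not the post's own code or Microsoft's tester: a strength
check that looks at a candidate the way a rule-based cracker would, undoing the
look-alike substitutions from the tips above before comparing against a small
constructed list of common guesses. Word list and thresholds are assumptions."""
import re

# Inverse of the substitutions the tips recommend (0->o, 3->e, @->a, ...).
UNLEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                        "7": "t", "@": "a", "$": "s", "*": "o", "!": "i"})

# Constructed list: the post's top-10 guesses plus a handful of dictionary words.
COMMON = {"password", "god", "letmein", "money", "love", "123", "1234",
          "123456", "model", "ford", "cowboys", "dallas", "fluffy"}

CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def normalize(pw):
    """Undo look-alike substitutions and case, as a cracker's '1337 mode' does."""
    return pw.translate(UNLEET).lower()


def common_words_in(pw):
    """Common words/guesses found in the raw or de-leeted password, longest first."""
    views = {pw.lower(), normalize(pw)}
    hits = {w for w in COMMON if any(w in v for v in views)}
    return sorted(hits, key=lambda w: (-len(w), w))


def character_classes(pw):
    classes = set()
    for ch in pw:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def effective_alphabet(pw):
    """Size of the pool a brute-forcer must draw from to cover this password."""
    return sum(CLASS_SIZES[c] for c in character_classes(pw))


def assess(pw, min_length=12):
    """Return a list of (code, detail) findings; an empty list means no objection."""
    findings = []
    words = common_words_in(pw)
    if words:
        findings.append(("common_word", f"contains {words} once substitutions are undone"))
    if pw.isdigit():
        findings.append(("digits_only", "only digits: a 10-symbol alphabet"))
    if re.search(r"(19|20)\d\d", pw):
        findings.append(("year", "contains a four-digit year, a classic date-of-birth pattern"))
    if re.search(r"(.)\1\1", pw):
        findings.append(("repeat", "same character three or more times in a row"))
    if len(pw) < min_length:
        findings.append(("short", f"{len(pw)} characters, fewer than {min_length}"))
    if len(character_classes(pw)) < 3:
        findings.append(("few_classes", f"effective alphabet only {effective_alphabet(pw)} symbols"))
    return findings


if __name__ == "__main__":
    for candidate in ["password1", "Mod3lTF0rd", "Fluffy0", "07041985", "Tg7!pq#V2rzL"]:
        print(candidate, "->", assess(candidate) or "no findings")
```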
By request I also created a short RoboForm Tutorial. Hope it helps…
Another thing to keep in mind is that some of the passwords you think matter least actually matter most. For example, some people think that the password to their e-mail box isn’t important because “I don’t get anything sensitive there.” Well, that e-mail box is probably connected to your online banking account. If I can compromise it then I can log into the Bank’s Web site and tell it I’ve forgotten my password to have it e-mailed to me. Now, what were you saying about it not being important?
Oftentimes people also reason that all of their passwords and logins are stored on their computer at home, which is safe behind a router or firewall device. Of course, they’ve never bothered to change the default password on that device, so someone could drive up and park near the house, use a laptop to breach the wireless network and then try passwords from this list until they gain control of your network – after which time they will own you!
Now I realize that every day we encounter people who over-exaggerate points in order to move us to action, but trust me this is not one of those times. There are 50 other ways you can be compromised and punished for using weak passwords that I haven’t even mentioned.
I also realize that most people just don’t care about all this until it’s too late and they’ve learned a very hard lesson. But why don’t you do me, and yourself, a favor and take a little action to strengthen your passwords and let me know that all the time I spent on this article wasn’t completely in vain.
Please, be safe. It’s a jungle out there.
EDIT: You might also want to listen to my interview on Connecticut Public Radio about password security.
This works well:
Take a secret word; 13 characters is convenient. Now pick a seed: a word associated with the system you’re logging in to. Could be the website name, your user name (if it’s unique), the business, whatever.
Use the seed to modify your start point in the secret word, and to add additional numbers.
For example, say the seed was “lifehacker” and the secret word was mishmashables. Take the number of letters in ‘lifehacker’ (10) and start that many into mishmashables and type out, say, 8 characters, looping at the end of the word.
Lifehacker = esmishma
Now use the number of letters in the seed to further fuck it up
esmishma101890
(in this case the rule is: number of letters in the seed, ‘number’ of the last letter of the seed (just counted out, b=2, z=26, etc.), number of letters squared – number of letters) = 10, 18, 90
tons more rules are possible, but you get the picture.
there you go! nothing to write down so long as you’re disciplined in how you generate your seed words.
the problem is a LOT of seeds have 7 letters (who knew) and if you’re generating many passes for the same organization using the same user name it’s hard to get unique seeds. The latter is a serious issue, still working on a fix. Suggestions welcome!
share and enjoy
John,
I just stumbled across your blog and read your “How I’d Hack Your Weak Passwords” comments.
I have a Fidelity Investments account. The PIN for the account has a maximum length of 12 characters. The characters must consist of the numbers 0-9 and the letters a-z (both lower and upper case permitted), no special characters permitted. But…all of the letters are converted into numbers based upon the touch tone keypad on most any telephone. So the PIN basically consists of a maximum 12 character long value consisting of the numbers of 0 through 9. Based upon the assumptions contained in your password length/ # of characters table, how long would it take for a hacker to generate every possible combination of numbers?
I am guessing a couple of minutes.
The only recourse I have found thus far is to use a very long, weird and unique username, so the username is acting more as the password than the password is.
I am not happy with this situation.
I would appreciate any feedback you would give me.
Thanks for your consideration.
Doug
Doug,
Yes, this is a sad state of security indeed. I would suggest that the most effective means of getting something like this changed is actually to shed light on it. This is what ethical hackers do when they exploit a system in order to reveal the faults that a criminal would take advantage of.
How about writing a letter to the New York Times saying exactly what you said here and referencing this article just in case they need a little enlightenment? But don’t stop there, send a duplicate letter to USAToday, and a couple of other publications.
If even one of them picks up the story you’ll see things change at Fidelity so fast it’s not funny. Of course, you could also always vote with your wallet by moving to another provider. I’m not a huge fan of Fidelity to start with…
Cheers,
John P.
i’m equally as bugged about the state of online banking.
i currently have an account that has a MAXIMUM of 8 characters long. EIGHT!
seriously? they can update the website to use all new .net code, but you stick with the same old ass database schema? >.<
This is great information regarding how to hack weak passwords. Security should be a must.
bye
Great though scary article.
I am worried that someone may have delivered password hacking software to my PC via an executable in an email. I know this person has done things like this before.
When I read the hacking software product descriptions they often claim to be virtually indetectable once they are on your PC. Is it true that say Norton would not pick them up?
How can I assure myself my PC is clean?
Thanks in Advance
@James:
The best way to be sure is to turn your firewall on and make programs ask to be let through. Be vigilant – only let things through that you know are legitimate. Oh, and read the executable names properly – a clever way is to replace some letters with other letters that look similar – such as replacing lower case Ls with upper case Is. “rundIl32” in the default font looks suspiciously similar to “rundll32” – in this font you see the difference, of course.
Anti-virus packages like Sophos and Norton may analyse the behavior of running programs and put a stopper to ones that are acting suspiciously. “Virtually indetectable” (well it’s undetectable actually, but I digress) is a very broad term, and is most likely just an insubstantial boast more than anything else. Nothing is undetectable if you know where to look, and what to look for.
If you want to be super sure of your system’s cleanliness, reformat your PC and reinstall your operating system. Better yet, replace your hard drive. If you want to be super pedantic, replace your entire computer. But we’re getting off track into sheer paranoia here.
If this malicious program is transmitting its findings over the Internet, turning your firewall on in the way that I have suggested would most likely stop that in its tracks as long as you’re not just clicking “Unblock” to everything.
Due diligence is all it takes to be safe. Don’t click on links you see in emails, especially if they claim to be from your bank. Be careful what you click on, and be sure before you accept any change to your system. And above all, BACKUP OFTEN. You never know when something will come along and wipe out everything on your computer.
My favorite technique to create a password is to just bang out some alpha-numeric spam on my keyboard (if some special symbols get in there, it’s just some extra spice, can get those by keeping a finger on the shift key and tapping it as you go). Usually I bang out a string that is too long, like 2dt82t[2t-g21=gr3484gvrhd9r64nrf*v5d7ge5. Many places have limits on password length, no problem, just delete some of the characters until you’re within the limit. The next step is to change some of the letters to upper-case which is easy to do in my text editor (highlight a couple chars, press the to-upper-case button). You could also use one of the many password generators that can be found online. The problem now is that you can’t remember your password. The solution is to save the password to a text file on your computer (and make sure no one can get at it, and don’t create a shortcut to it on the desktop or you’re as screwed as the guy who uses ‘god’ as all his passwords). You could store the text file on a pen drive, flash memory device or something that never leaves your personal desk (which no one has access to). Now you can copy and paste your crazy passwords into forms which will also always defeat keylogger hacks because you’re not pressing any keys aside from CTRL+C and CTRL+V. I’ve been using this method for almost ten years and have never had a password compromised (and for one example: I’ve been the envy in a couple video games I played, I’m sure people have tried). The only things I really have to worry about are non-encrypted data transfers which may be intercepted (always a possibility) or someone gaining access to my computer and locating the file (not likely but you’re welcome to try, I’m currently located here: 24.240.68.151 // USA, WI, Madison, Charter). Cheers everyone, best of results in keeping your accounts and data safe! =)
Great article, found this after hearing a story on NPR about password security and wanted to verify their numbers. I’m a tech support agent, so it’s handy to have stuff like this to show customers.
I heard Facebook is a social networking website that is operated and privately owned by Mark Zuckerberg, Eduardo Saverin, Dustin Moskovitz and Chris Hughes and others.. It’s pity Facebook does not actively enforce the age limit, resulting in children under the age of 13 using it.
Seriously LOVED this article. Thought I use many of the techniques, I would have never shared the information and let the HELPLESS stay HELPLESS with a weak password. LOL.
Good write up and topic, and the CHART was good information/great example.
Web Your Name®
Hi,
I don’t know if I wanted to know all of that but too late now. :)
good trick
I’ve seen applications like RoboForm, but then a hacker would just need to crack the 1 password, through any method, and get access to EVERYTHING.
No bank I know will just email you out your password. My bank requires a pin number AND a password and never requests the whole thing (just e.g. digits 1, 5 and 9). If you forget your password they send you one in the post for security reasons with a separate pin number.
Use an easy to remember sentence
“My brother David moved to No. 12 Pleasant Drive in 2001”
becomes
MbDmtN1PDi2
Interesting article. I have written an article about passwords in a new blog which links in with what you have written here, “Why ONE Unbreakable Password is not enough”.
http://is-hacked.com/2010/why-one-password-is-not-enough/
On Tuesday at 9pm, I will also outline the dangers of such in a real world example, of hacking several websites including one or two known names. (Those affected have been notified)
great article… just one thing… most password crackers have 1337 mode now, so using 1337 talk is no good… and I would also have mentioned not falling prey to social engineering… and to the wise guy who uses copy: most if not all keyloggers also log the clipboard… and yeah, you may have hidden your txt file pretty well, but giving your IP is THE stupidest thing to do… thank God no blackhat reads this, script kiddie
That’s terrible, everyone can hack our password. Btw thanks for your information
Great post, it’s shocking how easily people can hack into things. One thing I’m scared of is somebody hacking my WordPress Blog… Any tips how to prevent it?
Cheers
Stuart
Dark Helmet: So the combination is… one, two, three, four, five? That’s the stupidest combination I’ve ever heard in my life! The kind of thing an idiot would have on his luggage!
I *loved* this article! Really helped out a lot! And thx for all the links.
I realize a lot of other comments are from people who think they’ve got personalized passwords (diff. passwords for each site) covered, but I’d like to throw my technique out there:
I’ve used the same password phrase forever, but have changed it around enough and I’m really getting somewhere. My phrase has a lot of letter o’s. I used to change these to 0’s, which I realize was covered in your post! Now I just change the o’s or 0’s to the *second letter* in the domain name (ex: all o’s or 0’s would be changed to “n” if your site required a password). I’ve found that the first or last letter in the domain name can be too obvious sometimes (Facebook = k or Gmail = g).
Next, my original phrase has 3 words. Between the first and second word I enter the number of syllables in the domain name (“3” for this site). Between the second and third word I enter the number of words in the domain name (“3” again for this site). Lastly, I enter the number of vowels in the site name at the very end (“4” for this site).
I have not integrated capitals…yet. Maybe I’ll change the number of vowels from a number (“4”) to capitalizing the corresponding letter in the password (the 4th letter in the password will be capitalized for this site).
Ex: If my phrase was originally, oh, i dunno… “cop on pot”
Step 1: cnpnnpnt (the second letter of this site is “n”)
Step 2: cnp3nn3pnt4 (3 syllables, 3 words, 4 vowels)
Ex (for Facebook): cap2an1pat4
Ex (for Gmail): cmp2mn2pmt2
It’s about that time to change up *all* of my passwords yet again! I think I might change the second letter thing to the letter on my qwerty keyboard directly to the right of that letter, with right-most letters going left one (ex: “m” for this site) (anything with “p” would be “o”). I also think I’ll put all the numbers at the very end instead. I might try to utilize the space bar and capitals (as you mentioned). I’m not sure about special characters, as a lot of sites I use don’t accept them.
Any other simple conversion suggestions I could integrate? (aka like my 0’s or o’s to the second letter of the domain name)…
And what do you think?
how to hack email id password
Very interesting. When I worked for a bank, I was always shocked at the sheer volume of people who would either tell me their PIN when I asked ‘do you have a pin?’ or have it written on a piece of paper in their wallet/purse. This is the same thing, so many people don’t realise how vulnerable they are having an easily guessable password. Oh well I guess they’ll find out the hard way. Thanks for the article.
Very good article! The link to the password tester is especially valuable. To get the fourth bar, you need a password of at least 20 characters, though sometimes you need 21-25 or even more if you’re not being creative enough!
I’d like to mention something you didn’t: escalating computer power. Each year or two, computing power doubles. What takes a trillion years to do now – crack a 13-character password – will, in 10-20 years, take only a billion years, and in another 10-20 years will take only a million years. After a century of progress, it might take only a few seconds to crack a 13-character password.
If what you have to protect is important enough, you need LONG passwords.
You’ll note the table shows that simply adding a single character multiplies the time to crack by a factor of about 100 – that is, it takes 100 times as long to find one more character.
Note also the expanding chasm between cracking lower-case passwords and those which make use of the full keyboard. You have effectively tripled the number of characters that must be tried, but the effect becomes astronomical very quickly! It’s like raising each character added to the power of 4; the cracking factor jumps from about 25x to about 100x for EACH CHARACTER. So use the full keyboard.
Something a friend taught me was to use unprintable characters. This again boosts your safety by a factor of 2 per character, so that a 13-character password will take 10 million-trillion years to crack. But how to access them? And why don’t all input fields allow them? For example, I used some non-printable characters for an Excel password. I can type those characters within Excel, but I can’t type them into the password field, so I’m forced to copy-and-paste.
So, the lesson, again: draw from a large pool of characters, make passwords 20+ characters, and don’t make them out of words in a dictionary.
Oh, one more thing: assume criminals will eventually have access to supercomputers, distributed computing, and law-enforcement technologies and techniques. Keeping your passwords on a USB drive is insane if you don’t have them properly encrypted and passworded. People can break into your house, you know. The law can be subverted into doing it for criminals. RIAA, anyone? Nazis and Commies, anyone?
If you have a master password file, be sure it’s got a completely unique password that really is impossible to break. 32 characters MINIMUM, 256 bit MINIMUM. 4096 bit isn’t insane if you’re important enough, or will be one day.
Oh, and don’t forget your master password. :)
Hey, somebody visit my site and tell me if it’s any good. Click my name.
yo teache me how to hack people bamk accounts and me and u can be millionairers
You have to learn to spell first and be able to form whole sentences before you can hack things!
@roy – hahaha.. true true.. :P
i like to use this one:
http://password-genius.com/
“All those cookies are simply stored, unencrypted and nicely named, in your Web browser’s cache.”. If you have access to the actual computer, things become much easier. How many people have access to your personal computer though?
It seems that even most old people (not from computer generation, that’s the point) wouldn’t use a dictionary word as a password these days.
What, you mean you DON’T all use 16-character passwords?
This is a good post. The best I’ve read today. The chart showing the times to crack is interesting. I’ve recently started using the password generators that use special symbols, numbers, and letters. I can’t memorize the passwords but after a recent security issue, I’ll go through the hassle of better passwords.