How I’d Hack Your Weak Passwords

If you invited me to try and crack your password (you know, the one that you use over and over for like every web page you visit), how many guesses would it take before I got it? Let’s see… here is my top 10 list. I can obtain most of this information much more easily than you think, and then I might just be able to get into your e-mail, computer, or online banking. After all, if I get into one I’ll probably get into all of them.

  1. Your partner, child, or pet’s name, possibly followed by a 0 or 1 (because they’re always making you use a number, aren’t they?)
  2. The last 4 digits of your social security number.
  3. 123 or 1234 or 123456.
  4. “password”
  5. Your city or college football team name.
  6. Date of birth – yours, your partner’s or your child’s.
  7. “god”
  8. “letmein”
  9. “money”
  10. “love”

Statistically speaking, that should probably cover about 20% of you. But don’t worry. If I didn’t get it yet, it will probably only take a few more minutes before I do… Hackers, and I’m not talking about the ethical kind, have developed a whole range of tools to get at your personal data. And the main impediment standing between your information remaining safe or leaking out is the password you choose. (Ironically, the best protection people have is usually the one they take least seriously.) One of the simplest ways to gain access to your information is through the use of a brute force attack. This is accomplished when a hacker uses a specially written piece of software to attempt to log into a site using your credentials, guess after guess. Insecure.org has a list of the Top 10 FREE Password Crackers right here. So, how would one use this process to actually breach your personal security? Simple. Follow my logic:

  • You probably use the same password for lots of stuff right?
  • Some sites you access such as your Bank or work VPN probably have pretty decent security, so I’m not going to attack them.
  • However, other sites like the Hallmark e-mail greeting cards site, an online forum you frequent, or an e-commerce site you’ve shopped at might not be as well prepared. So those are the ones I’d work on.
  • So, all we have to do now is unleash Brutus, wwwhack, or THC Hydra on their server with instructions to try say 10,000 (or 100,000 – whatever makes you happy) different usernames and passwords as fast as possible.
  • Once we’ve got several login+password pairings we can then go back and test them on targeted sites.
  • But wait… How do I know which bank you use and what your login ID is for the sites you frequent? All those cookies are simply stored, unencrypted and nicely named, in your Web browser’s cache. (Read this post to remedy that problem.)

And how fast could this be done? Well, that depends on three main things: the length and complexity of your password, the speed of the hacker’s computer, and the speed of the hacker’s Internet connection. Assuming the hacker has a reasonably fast connection and PC, here is an estimate of the amount of time it would take to generate every possible combination of passwords for a given number of characters. After generating the list it’s just a matter of time before the computer runs through all the possibilities – or gets shut down trying. Pay particular attention to the difference between using only lowercase characters and using all possible characters (uppercase, lowercase, and special characters – like @#$%^&*). Adding just one capital letter and one asterisk would change the processing time for an 8 character password from 2.4 days to 2.1 centuries. (Strictly speaking, these are worst-case times to exhaust the whole character set the attacker has to assume; the attacker gets the benefit of the shorter column only if they can rule out the extra characters.)

Password Length   All Characters                Only Lowercase
3 characters      0.86 seconds                  0.02 seconds
4 characters      1.36 minutes                  0.046 seconds
5 characters      2.15 hours                    11.9 seconds
6 characters      8.51 days                     5.15 minutes
7 characters      2.21 years                    2.23 hours
8 characters      2.10 centuries                2.42 days
9 characters      20 millennia                  2.07 months
10 characters     1,899 millennia               4.48 years
11 characters     180,365 millennia             1.16 centuries
12 characters     17,184,705 millennia          3.03 millennia
13 characters     1,627,797,068 millennia       78.7 millennia
14 characters     154,640,721,434 millennia     2,046 millennia
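As an added illustration (my code, not the author’s), here is how a table like the one above is produced: count the keyspace for a given alphabet and length, then divide by the guess rate. The rate and alphabet are my assumptions, back-solved from the table’s own figures: roughly one million guesses per second against the 95 printable ASCII characters; the article does not state them.

```python
# Added example (not from the original post): reproduce the brute-force
# time table from first principles.
# Assumption (mine, inferred from the table's own figures): the author's
# "average computer" tries about 1,000,000 guesses per second, and "all
# characters" means the 95 printable ASCII characters (space through '~').
import string
from typing import List, Tuple

GUESSES_PER_SECOND = 1_000_000

LOWERCASE = string.ascii_lowercase                                            # 26 symbols
ALL_PRINTABLE = string.digits + string.ascii_letters + string.punctuation + " "  # 95 symbols

SECONDS_PER = [
    ("millennia", 1000 * 365.25 * 86400),
    ("centuries", 100 * 365.25 * 86400),
    ("years", 365.25 * 86400),
    ("months", 365.25 * 86400 / 12),
    ("days", 86400),
    ("hours", 3600),
    ("minutes", 60),
    ("seconds", 1),
]


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int,
                       rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every password of this length at `rate` guesses/s."""
    return keyspace(alphabet_size, length) / rate


def humanize(seconds: float) -> str:
    """Render a duration in the largest unit giving a value >= 1, like the article."""
    for name, size in SECONDS_PER:
        if seconds >= size:
            return f"{seconds / size:,.2f} {name}"
    return f"{seconds:.2f} seconds"


def table(lengths=range(3, 15)) -> List[Tuple[int, str, str]]:
    """Rows of (length, all-characters time, lowercase-only time)."""
    return [(n,
             humanize(seconds_to_exhaust(len(ALL_PRINTABLE), n)),
             humanize(seconds_to_exhaust(len(LOWERCASE), n)))
            for n in lengths]


def strength_ratio(length: int) -> float:
    """How many times larger the full-charset search is than lowercase-only;
    the '2.4 days vs 2.1 centuries' jump is this factor at length 8."""
    return keyspace(len(ALL_PRINTABLE), length) / keyspace(len(LOWERCASE), length)


if __name__ == "__main__":
    print(f"{'Length':>6}  {'All characters':>24}  {'Only lowercase':>18}")
    for n, all_t, low_t in table():
        print(f"{n:>6}  {all_t:>24}  {low_t:>18}")
    print(f"Length 8: full charset is {strength_ratio(8):,.0f}x the lowercase search")
```

The lowercase row for 4 characters comes out at about 0.46 seconds under these assumptions, so the printed table will not match that one cell of the article exactly.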

Remember, these are just for an average computer, and they assume you aren’t using any word in the dictionary. If Google put their computers to work on it they’d finish about 1,000 times faster. Now, I could go on for hours and hours more about all sorts of ways to compromise your security and generally make your life miserable – but 95% of those methods begin with compromising your weak password. So, why not just protect yourself from the start and sleep better at night? Believe me, I understand the need to choose passwords that are memorable. But if you’re going to do that, how about using something that no one is ever going to guess AND that doesn’t contain any common word or phrase? Here are some password tips:

  1. Randomly substitute numbers for letters that look similar. The letter ‘o’ becomes the number ‘0’, or even better an ‘@’ or ‘*’ (e.g. m0d3ltf0rd, from modelTford).
  2. Randomly throw in capital letters (e.g. Mod3lTF0rd).
  3. Think of something you were attached to when you were younger, but DON’T CHOOSE A PERSON’S NAME! Every name plus every word in the dictionary will fail under a simple brute force attack.
  4. Maybe a place you loved, or a specific car, an attraction from a vacation, or a favorite restaurant?
  5. You really need to have different username / password combinations for everything. Remember, the technique is to break into anything you access just to figure out your standard password, then compromise everything else. This doesn’t work if you don’t use the same password everywhere.
  6. Since it can be difficult to remember a ton of passwords, I recommend using Roboform for Windows users. It will store all of your passwords in an encrypted format and allow you to use just one master password to access all of them. It will also automatically fill in forms on Web pages, and you can even get versions that allow you to take your password list with you on your PDA, phone or a USB key. If you’d like to download it without having to navigate their web site here is the direct download link.
  7. Mac users can use 1Password. It is essentially the same thing as Roboform, except for Mac, and they even have an iPhone application so you can take them with you too.
  8. Once you’ve thought of a password, try Microsoft’s password strength tester to find out how secure it is.

By request I also created a short RoboForm Tutorial. Hope it helps…

Another thing to keep in mind is that some of the passwords you think matter least actually matter most. For example, some people think that the password to their e-mail box isn’t important because “I don’t get anything sensitive there.” Well, that e-mail box is probably connected to your online banking account. If I can compromise it then I can log into the Bank’s Web site and tell it I’ve forgotten my password to have it e-mailed to me. Now, what were you saying about it not being important?

Oftentimes people also reason that all of their passwords and logins are stored on their computer at home, which is safe behind a router or firewall device. Of course, they’ve never bothered to change the default password on that device, so someone could drive up and park near the house, use a laptop to breach the wireless network and then try passwords from this list until they gain control of your network – after which time they will own you!

Now I realize that every day we encounter people who over-exaggerate points in order to move us to action, but trust me, this is not one of those times. There are 50 other ways you can be compromised and punished for using weak passwords that I haven’t even mentioned. I also realize that most people just don’t care about all this until it’s too late and they’ve learned a very hard lesson. But why don’t you do me, and yourself, a favor and take a little action to strengthen your passwords, and let me know that all the time I spent on this article wasn’t completely in vain. Please, be safe. It’s a jungle out there.

EDIT: You might also want to listen to my interview on Connecticut Public Radio about password security.

Or this ABC World News report:

And here’s another ABC World News report:


Article Written by
John P.

John P. is CEO of Livid Lobster and co-host of Geek Beat TV. You can also find him on Twitter, Facebook and Google+.

Comments

  1. Chris says:

    Hey, how effective would a password be, if you just repeated it?

    For example, say your password was initially “polo”. According to your table that would take 0.046 seconds to crack. But what if I repeated that, so my password was actually “polopolopolopolopolo”? Would that be significantly stronger as a password?

  2. The Man says:

    Alec,

    Well, I wasn’t expecting that question. ;-) But it’s a good one.

    One of the best ways to know if the site you are visiting is associated with a known issue is to install the McAfee Site Advisor.

    Beyond that you may want to check out all the articles I have that are tagged with the keyword “Security“.

    Hope that helps a bit.

    John

  3. Alec says:

    “The Man” says, ” It’s a dangerous Web so make people PROVE to you that they are protecting you.”

    Many of us don’t know how to do that. Do you know of any good articles about how to tell what’s real and what’s not?

    This article (How I’d Hack Your Weak Passwords) was very helpful to me. Thanks!

  4. John says:

    This is a pretty useful blog post. It is shocking how easy some of this stuff is… The only thing I find that works for me in terms of security and ease of remembering is the use of pass phrases. It’s actually a pretty neat little mnemonic trick. If anyone is interested I have a couple of posts on my blog. Thanks for this article One Man!

  5. The Man says:

    Elaine,

    It’s on Google Video now, but I’m very disappointed with the quality as Google processed it. The video was quite sharp on my end, but doesn’t look so there.

    I uploaded it as an .avi file, but need to convert it to .wmv and try again on my end. Part of the problem is that they are downconverting it from 640×480 to 320 x240 and it’s just not enough resolution to see the screen captures.

    As soon as I get something in a useable format I’ll create a new post about it.

    John

  6. The Man says:

    Angry Monk & Alex,

    You’re right. You don’t know that you can trust me, Roboform, Clipperz or anyone else. It’s a dangerous Web so make people PROVE to you that they are protecting you.

    Of course, we could all just retreat into the hills and live off the land… :-)

    John

  7. Alec says:

    It seems to me, one of the easiest ways a hacker could get lots of passwords is to set up a phony online password manager and let users of this phony site just submit all their passwords to him.

    The first posting in this string was from someone who said, “I’m the co-founder of Clipperz , an online password manager….”

    How would I have any idea whether or not this guy is legit?

    How would I have any idea whether or not “The Man” is legit?

  8. weegie.geek says:

    I use the Passwordmaker extension for firefox.

    Type in a string of characters, and it will use it, and the domain name of the currently viewed website to create a unique password.

    All you have to do is remember the key used to create the password.

    For example, using the key “hardpassword” on this site would generate the password “BnoRC4cyelkn”, using my current settings.

    I’ve got it set to only use alphanumeric characters, but you can make it use punctuation marks, and other characters as well, and you can change the length of the generated password.

    Brute forcing the passwords generated by this app would take quite a while, and even if it was managed, it’s a different pass for every site, so no other sites would be compromised.

    I’ve only been using it a few days, but it’s easy to use, and the thinking behind it is solid, so I’d recommend it.

    You can also use this app to avoid having firefox save your passwords for each site, since you can regenerate them, if you enter the key. It’s also a good portable solution, all you need to do is install the extension on any other install of firefox, and use the key to generate the password again.

    I also can’t stress strongly enough how important it is to use each password you choose, however you generate it, for only one site.

    Take security seriously, no matter how important the data.
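The scheme weegie.geek describes above (one remembered key plus the site’s domain name, giving a different password for every site) can be illustrated with a short added example. This is my code, not PasswordMaker’s algorithm, so it will not reproduce the “BnoRC4cyelkn” output quoted above; it derives an alphanumeric password of a chosen length from the key and the host name with HMAC-SHA256, and the key and site values used below are constructed.

```python
# Added example (my code, not PasswordMaker's algorithm): derive a distinct
# password for every site from one remembered master key plus the site's
# host name, so a leak at one site reveals nothing about the others.
import hmac
import hashlib
import string
from urllib.parse import urlparse

ALPHANUMERIC = string.ascii_letters + string.digits      # 62 symbols
WITH_PUNCT = ALPHANUMERIC + string.punctuation           # 94 symbols


def site_label(url: str) -> str:
    """Normalise a URL or bare host name to the part that keys the password.
    Keeps only the host, lower-cased, without a leading 'www.', so scheme,
    path and capitalisation do not produce different passwords."""
    host = urlparse(url if "://" in url else "//" + url).hostname or ""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def derive_password(master_key: str, site: str, length: int = 12,
                    alphabet: str = ALPHANUMERIC, counter: int = 1) -> str:
    """HMAC-SHA256 of the site label under the master key, mapped onto `alphabet`.
    `counter` lets you roll one site's password without changing the master key.
    Rejection sampling keeps every output symbol equally likely (no modulo bias)."""
    if not 1 <= len(alphabet) <= 256:
        raise ValueError("alphabet must have 1..256 symbols")
    limit = 256 - (256 % len(alphabet))   # largest multiple of len(alphabet) <= 256
    out = []
    block = 0
    while len(out) < length:
        # One HMAC per 32-byte block; later blocks only if rejections ran us short.
        msg = f"{site_label(site)}|{counter}|{block}".encode()
        for b in hmac.new(master_key.encode(), msg, hashlib.sha256).digest():
            if b < limit:                 # discard bytes that would bias the mapping
                out.append(alphabet[b % len(alphabet)])
                if len(out) == length:
                    break
        block += 1
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample values, not anyone's real key.
    for site in ("https://www.Yahoo.com/login", "ebay.com"):
        print(site_label(site), derive_password("hardpassword", site))
```

Because the derivation is deterministic, the master key becomes the single secret that protects every site, so it has to be long and never reused as a password anywhere.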

  9. elaine says:

    Wow! You’re awesome – thank you very much. I just checked Google Video and searched for Roboform and don’t see it yet, but will check back and let you know. Very nice of you to do this and I appreciate it very much.

  10. The Angry Monk says:

    You’re freaking me out! I am serious. I feel naked! This TJX has got me freaked out! Everything is freaking me out. How can I trust the Man? He says use RoboForm. How do I know that this program isn’t some elaborate front for collecting info? I put it on and then you hack me through a backdoor. Who can we trust?

    I’m going back to bed.

    The Angry Monk

    btw, I guess we all need to use pseudonyms and wear “masks” while on the internet.

    pps
    if you’re some super duper hacker who will send me my name & address just to show me how vulnerable I am…don’t bother…just take the cash.

  11. The Man says:

    Elaine,

    Ok. You asked for it, you got it! I just created a 15 minute video tutorial that explains how I use Roboform.

    I’m uploading it to Google Video as I type this, but it will take quite a while to upload and then Google has to process it. This means that it will probably be posted sometime tomorrow.

    Don’t worry, I’ve had this request privately from a lot of people so it’s not like you cause me any work or anything. :-)

    Please let me know how you like it after I get it posted.

    John

  12. elaine says:

    Thanks for this good information. I downloaded RoboForm but I have to say that I don’t really get it. The tutorials and user manuals are not logical to me. Can you direct me to a site that can give better instruction/tutorial on how it works and how to use it? I’m really not dimwitted but every once in a while I run across something that is written in a style that I don’t understand.

  13. Well,

    Let me add some more.
    First of all, your passwords are not secure on many websites, even if you use a very complex password that is the same everywhere.

    Why?
    Let’s not forget the possibility of that website being hacked, or the website may have a webmaster with bad intentions who won’t hash your passwords when storing them. Many systems don’t convert your passwords into hashes. So, either the webmaster or a hacker who somehow broke in could extract your password from there and use it in other places if you use the same password at other sites.

    I know, because I do this myself!
    For example, I broke into a script and template selling website because of a vulnerability in the server. I found the admin password in the database connection file. Logged in as admin, saw that none of the user passwords were encrypted in the database. Mayhap the site owner didn’t encrypt them because he was the only one supposed to see them. But it turned out that he wasn’t. So, I tried a few users’ passwords with their attached websites or emails and… Bingo! Most of them were using the same password. I didn’t do anything. I didn’t tell them about the vulnerability either, because once before, when I found another site was allowing me to see other people’s account details just by changing the &id= section in the URL bar, I tried to warn some of the members and the site owner and got cursed, insulted and so on. Anyway, I’m thinking of warning that template site soon; right now I can only read all their emails, log in to their own web server, listen to their voice mails, check the PayPal account etc. The only thing preventing me from seeing their bank accounts is that I couldn’t manage to find the last 4 letters of the social security number. But it’s soon, since I now know his policy number too. He’ll have the best birthday present soon (:

    Well, the meaning beneath what I just wrote is: use different passwords at every site. You can either develop your own algorithm, or use password managers such as Roboform (it’s great, it integrates itself with your browser and all you have to do to log in to a website or fill a form is click a button!) and KeePass. Using these, you can carry your passwords on your USB stick via the portable versions of these programs, sync with your PDA etc. This way you wouldn’t have to write down any of your passwords anywhere, and you wouldn’t have to remember any of your passwords. Generate random passwords and use them when signing up to yet another website.

    Oh, and… Please do not use the same “Forgot Password” question & answer everywhere. After getting one of your accounts, it makes it so easy to get into another one. ;)

    (Hey, just FYI, I’m not a hacker. Not even close to a hacker! I just know a bit about the internet. But even with that, you can see what can be achieved. So, stop saying “what can happen” and use some f..king password managers (: I don’t even want to mention what can be done if you’re in a network, either wireless or not!)

  14. The Man says:

    c – In theory either of those would be great passwords. I think the marginal difference between the two would probably not even be worth worrying about. Though we’d have to leave that up to a serious cryptanalyst to be definitive.

    John

  15. c says:

    Very nice info. I got a question though: will the placing of the characters matter? For example, “iceCREAM032907” vs “03IcE29cReAm07”? Which will be the better password of the 2?

  16. Matteo says:

    Great post!
    Thanks for sharing.

  17. The Man says:

    jb,

    That is a great example of a passwording scheme. Thanks for sharing. Hopefully it will give other people ideas…

    John

  18. jmkeuning bunchafreaks says:

    Take any site, yahoo.com for example. You want to make up your own system, but here is a suggestion. Take the first two letters of the site – “ya.” Add a letter to each making it “zb.” Now you need some numbers. The last letter is “o” – “o” is the 15th letter in the alphabet. Your password for yahoo is zb1515. Want one for eBay? fc2525. Make them even better by making the first letter caps and ending with shift+your number – yahoo is zB1515!%. Easy to make, hard to crack, impossible to forget!

  19. The Man says:

    Jarrett,

    Thanks very much for the kind words. Also, good catch on the quote. :-) Very, very few people know where that is from. If you look at my Who’s the Man page you’ll see it in its entirety. Words I try to live by…

    Also, thanks for sharing your insight. More wisdom regarding the fact that we should really use multiple passwords. Also the reason that I personally use Roboform as I mentioned previously.

    And thanks for bookmarking me. I’ll try to continue entertaining you. :-)

    John

  20. Jarrett says:

    I found this article referenced in multiple places today, and then happened to find it through StumbleUpon just now.

    About six months ago I switched from a password that, while absolutely connected to me in no obvious way, and a combination of two words that is unlikely to be obvious, was still a relatively simple, all-lowercase, all-alphabet password to one that fits in your 2.1 century bracket. It gets a “Strong” from Microsoft’s password tester (you apparently have to jump to 14 characters or more to get the highest rating, and not all services allow passwords anywhere near that length). The password I use is, obviously, eight characters long (I picked this length as it’s the minimum for many sites), and a combination of letters and numbers, both upper and lowercase, with absolutely no connection to anything. No letter or number has any basis in my life, my identity, my personality, my likes, my dislikes. I chose it simply by finding a combination of disparate characters that I could learn to type quickly. I memorized it and have since written it down nowhere.

    Since then, though, and before your article, I began to realize just how risky it is, even with how “uncrackable” this password is, to be using it everywhere as I do. How many simple, run-of-the-mill, fly-by-night web forums have I signed up for using this password? And how many financial institutions are hacked on an annual basis? Any one of these sites, and especially the simplistic ones, could be hacked at any time, and that’s not assuming that the person running the site might have less-than-honest intentions.

    So now what I’m looking into is the best way to make variations of one standard password. I figure the easiest way, outside of a password manager (not only does that make me nervous, but it seems inconvenient, especially when I don’t have access to it), to have a different password for nearly everything is to have a base password and then modify it for each site based on the site’s name. Perhaps changing one or two characters in the password based on the name of each site. Are there any suggestions you might have on a smart way of handling this?

    Also, I’m noticing more and more sites requiring a special character in the password. The reason I haven’t yet done this is because so many sites will NOT recognize a special character in the password. It’s the lack of standards like this that complicates matters (much like some sites allowing 14 characters and some sites stopping you at 9) even further. Any good ideas on working around this?

    I also wanted to give you credit for the Lazarus Long quote. Seeing that’s what got me to stop and read the whole article, not to mention bookmarking your front page.
