How I’d Hack Your Weak Passwords

If you invited me to try and crack your password, you know the one that you use over and over for like every web page you visit, how many guesses would it take before I got it?

Let’s see… here is my top 10 list. I can obtain most of this information much easier than you think, then I might just be able to get into your e-mail, computer, or online banking. After all, if I get into one I’ll probably get into all of them.

  1. Your partner, child, or pet’s name, possibly followed by a 0 or 1 (because they’re always making you use a number, aren’t they?)
  2. The last 4 digits of your social security number.
  3. 123 or 1234 or 123456.
  4. “password”
  5. Your city, or college, football team name.
  6. Date of birth – yours, your partner’s or your child’s.
  7. “god”
  8. “letmein”
  9. “money”
  10. “love”

Statistically speaking that should probably cover about 20% of you. But don’t worry. If I didn’t get it yet it will probably only take a few more minutes before I do…

Hackers, and I’m not talking about the ethical kind, have developed a whole range of tools to get at your personal data. And the main impediment standing between your information remaining safe, or leaking out, is the password you choose. (Ironically, the best protection people have is usually the one they take least seriously.)

One of the simplest ways to gain access to your information is through the use of a Brute Force Attack. This is accomplished when a hacker uses a specially written piece of software to attempt to log into a site using your credentials. Insecure.org has a list of the Top 10 FREE Password Crackers right here.

So, how would one use this process to actually breach your personal security? Simple. Follow my logic:

  • You probably use the same password for lots of stuff right?
  • Some sites you access such as your Bank or work VPN probably have pretty decent security, so I’m not going to attack them.
  • However, other sites like the Hallmark e-mail greeting cards site, an online forum you frequent, or an e-commerce site you’ve shopped at might not be as well prepared. So those are the ones I’d work on.
  • So, all we have to do now is unleash Brutus, wwwhack, or THC Hydra on their server with instructions to try say 10,000 (or 100,000 – whatever makes you happy) different usernames and passwords as fast as possible.
  • Once we’ve got several login+password pairings we can then go back and test them on targeted sites.
  • But wait… How do I know which bank you use and what your login ID is for the sites you frequent? All those cookies are simply stored, unencrypted and nicely named, in your Web browser’s cache. (Read this post to remedy that problem.)

And how fast could this be done? Well, that depends on three main things, the length and complexity of your password, the speed of the hacker’s computer, and the speed of the hacker’s Internet connection.

Assuming the hacker has a reasonably fast connection and PC here is an estimate of the amount of time it would take to generate every possible combination of passwords for a given number of characters. After generating the list it’s just a matter of time before the computer runs through all the possibilities – or gets shut down trying.

Pay particular attention to the difference between using only lowercase characters and using all possible characters (uppercase, lowercase, and special characters – like @#$%^&*). Adding just one capital letter and one asterisk would change the processing time for an 8 character password from 2.4 days to 2.1 centuries.

Password Length    All Characters               Only Lowercase
3 characters       0.86 seconds                 0.02 seconds
4 characters       1.36 minutes                 .046 seconds
5 characters       2.15 hours                   11.9 seconds
6 characters       8.51 days                    5.15 minutes
7 characters       2.21 years                   2.23 hours
8 characters       2.10 centuries               2.42 days
9 characters       20 millennia                 2.07 months
10 characters      1,899 millennia              4.48 years
11 characters      180,365 millennia            1.16 centuries
12 characters      17,184,705 millennia         3.03 millennia
13 characters      1,627,797,068 millennia      78.7 millennia
14 characters      154,640,721,434 millennia    2,046 millennia

Remember, these are just for an average computer, and these assume you aren’t using any word in the dictionary. If Google put their computer to work on it they’d finish about 1,000 times faster.
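The table above is just arithmetic: the size of the character set raised to the password length, divided by how many guesses per second the attacker can make. The calculator below is an added example, not part of the original article; it assumes a 95-character printable-ASCII set for "all characters" and a rate of one million guesses per second, because those two values reproduce the table's figures (0.86 seconds for 3 characters, 2.42 days for 8 lowercase characters), and it extends the idea to estimate the worst-case search time for any candidate password from the character classes it actually uses.

```python
# Guess rate that reproduces the article's table: 95^3 candidates in
# 0.86 s and 26^5 candidates in 11.9 s both work out to about one
# million guesses per second. This is an assumption inferred from the
# table, not a figure the article states.
GUESSES_PER_SECOND = 1_000_000

# Character-class sizes. "All characters" matches the 95 printable
# ASCII characters: 26 lower + 26 upper + 10 digits + 33 symbols.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33
ALL_CHARS = LOWER + UPPER + DIGITS + SYMBOLS  # 95

UNITS = [  # (name, seconds), largest first; 365.25-day years assumed
    ("millennia", 1000 * 365.25 * 86400),
    ("centuries", 100 * 365.25 * 86400),
    ("years", 365.25 * 86400),
    ("months", 365.25 * 86400 / 12),
    ("days", 86400),
    ("hours", 3600),
    ("minutes", 60),
    ("seconds", 1),
]

def keyspace(length, alphabet):
    """Number of candidate strings of exactly `length` characters."""
    return alphabet ** length

def seconds_to_exhaust(length, alphabet, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every candidate of this length/alphabet."""
    return keyspace(length, alphabet) / rate

def humanize(seconds):
    """Render a duration in the table's style, e.g. '2.42 days'."""
    for name, size in UNITS:
        if seconds >= size or name == "seconds":
            return f"{seconds / size:,.2f} {name}"

def alphabet_of(password):
    """Size of the smallest class-based alphabet containing the password."""
    size = 0
    if any(c.islower() for c in password): size += LOWER
    if any(c.isupper() for c in password): size += UPPER
    if any(c.isdigit() for c in password): size += DIGITS
    if any(not c.isalnum() for c in password): size += SYMBOLS
    return size

def search_time(password):
    """Worst-case exhaustive-search time for a candidate password."""
    return humanize(seconds_to_exhaust(len(password), alphabet_of(password)))

if __name__ == "__main__":  # reproduce the article's table
    for n in range(3, 15):
        print(f"{n:2} characters  {humanize(seconds_to_exhaust(n, ALL_CHARS)):>28}"
              f"  {humanize(seconds_to_exhaust(n, LOWER)):>18}")
```

Note that `alphabet_of` only counts character classes; a password built from a dictionary word has a far smaller effective keyspace than this estimate, which is exactly the caveat the article attaches to the table.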

Now, I could go on for hours and hours more about all sorts of ways to compromise your security and generally make your life miserable – but 95% of those methods begin with compromising your weak password. So, why not just protect yourself from the start and sleep better at night?

Believe me, I understand the need to choose passwords that are memorable. But if you’re going to do that how about using something that no one is ever going to guess AND doesn’t contain any common word or phrase in it.

Here are some password tips:

  1. Randomly substitute numbers for letters that look similar. The letter ‘o’ becomes the number ‘0’, or even better an ‘@’ or ‘*’. (e.g. m0d3ltf0rd… like modelTford)
  2. Randomly throw in capital letters (e.g. Mod3lTF0rd)
  3. Think of something you were attached to when you were younger, but DON’T CHOOSE A PERSON’S NAME! Every name plus every word in the dictionary will fail under a simple brute force attack.
  4. Maybe a place you loved, or a specific car, an attraction from a vacation, or a favorite restaurant?
  5. You really need to have different username / password combinations for everything. Remember, the technique is to break into anything you access just to figure out your standard password, then compromise everything else. This doesn’t work if you don’t use the same password everywhere.
  6. Since it can be difficult to remember a ton of passwords, I recommend using Roboform for Windows users. It will store all of your passwords in an encrypted format and allow you to use just one master password to access all of them. It will also automatically fill in forms on Web pages, and you can even get versions that allow you to take your password list with you on your PDA, phone or a USB key. If you’d like to download it without having to navigate their web site here is the direct download link.
  7. Mac users can use 1Password. It is essentially the same thing as Roboform, except for Mac, and they even have an iPhone application so you can take them with you too.
  8. Once you’ve thought of a password, try Microsoft’s password strength tester to find out how secure it is.

By request I also created a short RoboForm Tutorial. Hope it helps…

Another thing to keep in mind is that some of the passwords you think matter least actually matter most. For example, some people think that the password to their e-mail box isn’t important because “I don’t get anything sensitive there.” Well, that e-mail box is probably connected to your online banking account. If I can compromise it then I can log into the Bank’s Web site and tell it I’ve forgotten my password to have it e-mailed to me. Now, what were you saying about it not being important?

Oftentimes people also reason that all of their passwords and logins are stored on their computer at home, which is safe behind a router or firewall device. Of course, they’ve never bothered to change the default password on that device, so someone could drive up and park near the house, use a laptop to breach the wireless network and then try passwords from this list until they gain control of your network – after which time they will own you!

Now I realize that every day we encounter people who over-exaggerate points in order to move us to action, but trust me this is not one of those times. There are 50 other ways you can be compromised and punished for using weak passwords that I haven’t even mentioned.

I also realize that most people just don’t care about all this until it’s too late and they’ve learned a very hard lesson. But why don’t you do me, and yourself, a favor and take a little action to strengthen your passwords and let me know that all the time I spent on this article wasn’t completely in vain.

Please, be safe. It’s a jungle out there.

EDIT: You might also want to listen to my interview on Connecticut Public Radio about password security.

Comments

  1. Tony says:

    Hi

    Thought provoking article. Even with password managers, Roboform etc, am I right in assuming you still need to memorise at least one password to get into your PC, to get to password manager, your browser etc?
    Or am I missing something here?

  2. Tara says:

    @Tony
    Hi, yes, you are correct. You need to memorize the password to get into your computer, and if you use a password manager, you will also need to memorize that too.

    Two or three good, solid passwords may be all that you need to remember, then delegate the rest to your password manager.

    To make a good solid pass phrase (that’s just a password with spaces, like a sentence), read this article.

  3. zitrez says:

    I stumbled here, so I most likely won’t read this ever again, no offense intended. It was a good article, but that is who I am… a surfer.

    Onward…

    I am a bit concerned about the effect that these suggestions of “change your passwords every month or whatever” and “have different passwords for every page you visit” have. Why?
    Because this provokes the end user to choose simple, easy to remember and logical passwords (like pet, etc.). Now if you pick one strong password for all of the trusted sites and one for all your not-sure or un-trusted, then you are, in my perspective, a lot better off. These passwords should then of course include lower case, upper case and numbers. I personally do not use signs, as quite a few sites are not compatible with them.

  4. No, password managers may help you change your passwords at any time period you want. And, of course you’ll store your password in them and it’s most likely that you’ll use the password the password manager generates so, no need to have weak passwords to remind. You have to read the whole to comment ^^

    And @Tony,
    Yes you have to remember 1 master password.

  5. The Man says:

    Travis – I imagine HARLEY1 is indeed a popular password with a LOT of bikers. :-)

    Greg – Thanks for the kind words. I’m happy if I’ve provided a little assistance…

    Tony – Yes, you are correct. With a password manager you will still need to memorize the master password. You might also consider a short phrase if it’s easier to remember.

    Now what will be cool will be when Roboform or someone else builds in fingerprint reader capability or some other biometric so that you just need to scan your thumb. Then you won’t even need a master password!

    Zitrez – No offense taken. ;-) I stumble myself, and am just happy you stopped by.

    I should mention that regardless of what anyone else advocates, my personal recommendation is to use many different, difficult passwords in combination with a password manager.

    The problem with using only one strong password for your important sites is that if the password is ever compromised – it is compromised across the board. So if one of the institutions you trust has a security breach, in effect all of yours are at risk.

    And in a connected world you can’t be too careful.

    Take care,

    John

  6. Josh says:

    Hope I can help by adding the following: Use a good password manager like the free Password Safe, (which has an integrated password generator with sufficient options) and use the maximum length and type of characters allowed by the places you log onto. Additionally, use multi-factor authentication whenever possible. To explain this, there are 3 types of authentication. Something you know (password), something you have (ID card), and something you are (biometrics like fingerprint and retina). I would recommend Dekart Logon for this as it allows you to use a thumbdrive as a logon key in addition to just storing files. You can lock your windows xp machine down so that you need to insert the thumbdrive and also type in a pin code. You can also have it lock or logoff the workstation if the thumbdrive is removed.

    Hope this info helps

  7. TheM says:

    Good evening,

    I too stumbled at this page and have read all of it (including the comments).

    This is not the first time I see this kind of text about passwords. Recently I had also read about password schemes and I have to say they seem very good.

    The one I had seen was a bit different, jmkeuning. It had namely an add-on to it. It stated that you should create a standard 4 character string which you can easily remember and has all the good features, and this string you put in front of or behind the string created with the scheme.

    There is only 1 thing why I don’t use these schemes. Because a scheme is only good for one-time use only.
    If you want (or perhaps must) change your password every few months this could be tricky.
    And using anything like date related things in the scheme would make it rather difficult up to impossible to recreate the password (like hmmmz was it march or april when I created this password).

    The thing I do is that I have a list of passwords (not in text but only in my head) and that list contains various strength passwords and every so many months I will add one to it (work-related :P). The password I use is based on the level of security (feeling) I want for the certain website/application or whatever. Luckily I have a good memory (at the moment).

    Furthermore I want to add that I find a password program the same thing as keeping a list. And a list maybe even better!! Because that list isn’t digital and what isn’t digital can’t be seen (without a cam of some sort) by that “hacker” so many miles away. I know I know those password programs use encryption stuff and it takes so many years to crack. But know that a “hacker” has all the time in the world.

    The only good encryption is the encryption that you invented yourself and isn’t massively used by so many. Because that encryption used by many will be cracked, because it’s so widely used and thus is interesting to be cracked! The only problem is that we’re not all that good with math; at least I know I’m not that genius.

    Last but not least is that I know that surfing on the web is dangerous but I’m not that paranoid that everything is evil. Else I couldn’t have filled in this comment or read this page for that matter ;).

    Greetz,
    TheM

  8. Tara says:

    Hi John,
    I just wanted to let you know that we added instructions to the PassPack Sign up page letting users know that they need to turn on JavaScript for PassPack to work.

    Thanks for the catch,
    Tara

  9. Ace Frye says:

    Hello John and fellow commenting people,

    I’ve recently stumbled through here, this was great advice to manage my passwords.
    Though I might not get back to you ( I will subscribe and see what happens), you have all mentioned that you should not use the same password across the board.
    What about 5 or 6 secure passwords used in all random places for different accounts?

    Likewise, I agree with heading to the hills and living off the land.

    –J. “Ace” P. Frye.

  10. The Man says:

    Ace,

    Certainly the more passwords you rotate into use, the better off you are. The reason is, if one of them is compromised the hacker only gains access to a portion of your stuff…

    Thanks for joining in!

    John
