How I’d Hack Your Weak Passwords

by John P.

If you invited me to try and crack your password, you know, the one that you use over and over for like every web page you visit, how many guesses would it take before I got it?

Let’s see… here is my top 10 list. I can obtain most of this information much easier than you think, then I might just be able to get into your e-mail, computer, or online banking. After all, if I get into one I’ll probably get into all of them.

  1. Your partner, child, or pet’s name, possibly followed by a 0 or 1 (because they’re always making you use a number, aren’t they?)
  2. The last 4 digits of your social security number.
  3. 123 or 1234 or 123456.
  4. “password”
  5. Your city or college football team’s name.
  6. Date of birth – yours, your partner’s or your child’s.
  7. “god”
  8. “letmein”
  9. “money”
  10. “love”

Statistically speaking that should probably cover about 20% of you. But don’t worry. If I didn’t get it yet it will probably only take a few more minutes before I do…

Hackers, and I’m not talking about the ethical kind, have developed a whole range of tools to get at your personal data. And the main impediment standing between your information remaining safe, or leaking out, is the password you choose. (Ironically, the best protection people have is usually the one they take least seriously.)

One of the simplest ways to gain access to your information is through the use of a Brute Force Attack. This is accomplished when a hacker uses a specially written piece of software to attempt to log into a site using your credentials. Insecure.org has a list of the Top 10 FREE Password Crackers right here.

So, how would one use this process to actually breach your personal security? Simple. Follow my logic:

  • You probably use the same password for lots of stuff right?
  • Some sites you access such as your Bank or work VPN probably have pretty decent security, so I’m not going to attack them.
  • However, other sites like the Hallmark e-mail greeting cards site, an online forum you frequent, or an e-commerce site you’ve shopped at might not be as well prepared. So those are the ones I’d work on.
  • So, all we have to do now is unleash Brutus, wwwhack, or THC Hydra on their server with instructions to try, say, 10,000 (or 100,000 – whatever makes you happy) different usernames and passwords as fast as possible.
  • Once we’ve got several login+password pairings we can then go back and test them on targeted sites.
  • But wait… How do I know which bank you use and what your login ID is for the sites you frequent? All those cookies are simply stored, unencrypted and nicely named, in your Web browser’s cache. (Read this post to remedy that problem.)

And how fast could this be done? Well, that depends on three main things: the length and complexity of your password, the speed of the hacker’s computer, and the speed of the hacker’s Internet connection.

Assuming the hacker has a reasonably fast connection and PC, here is an estimate of the amount of time it would take to generate every possible combination of passwords for a given number of characters. After generating the list it’s just a matter of time before the computer runs through all the possibilities – or gets shut down trying.

Pay particular attention to the difference between using only lowercase characters and using all possible characters (uppercase, lowercase, and special characters – like @#$%^&*). Adding just one capital letter and one asterisk would change the processing time for an 8 character password from 2.4 days to 2.1 centuries.

Password Length    All Characters              Only Lowercase
3 characters       0.86 seconds                0.02 seconds
4 characters       1.36 minutes                .046 seconds
5 characters       2.15 hours                  11.9 seconds
6 characters       8.51 days                   5.15 minutes
7 characters       2.21 years                  2.23 hours
8 characters       2.10 centuries              2.42 days
9 characters       20 millennia                2.07 months
10 characters      1,899 millennia             4.48 years
11 characters      180,365 millennia           1.16 centuries
12 characters      17,184,705 millennia        3.03 millennia
13 characters      1,627,797,068 millennia     78.7 millennia
14 characters      154,640,721,434 millennia   2,046 millennia

Remember, these are just for an average computer, and these assume you aren’t using any word in the dictionary. If Google put their computer to work on it they’d finish about 1,000 times faster.
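An added example, not from the article, that recomputes the table above from the keyspace size and applies the same arithmetic to a specific password. Two things are assumed because the article does not state them: a 95-character printable-ASCII set for “all characters”, and a rate of 1,000,000 guesses per second, which is the rate that reproduces the article’s figures.

```python
import math
import string

# Assumed here (the article states neither): alphabet sizes and a guess rate of
# 1,000,000 attempts per second, which reproduces the article's figures, e.g.
# 2.42 days for eight lowercase letters and 2.10 centuries for eight of any character.
LOWERCASE = 26
ALL_PRINTABLE = 95                    # printable ASCII, space included
GUESSES_PER_SECOND = 1_000_000

_CLASSES = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
            (string.digits, 10), (string.punctuation + " ", 33)]
_UNITS = [("millennia", 31_557_600_000), ("centuries", 3_155_760_000),
          ("years", 31_557_600), ("months", 2_629_800),
          ("days", 86_400), ("hours", 3_600), ("minutes", 60)]

def keyspace(alphabet_size, length):
    """Number of candidates an exhaustive search of this length must cover."""
    return alphabet_size ** length

def exhaust_seconds(alphabet_size, length, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return keyspace(alphabet_size, length) / rate

def human(seconds):
    """(value, unit) in the largest unit that gives a value of at least 1."""
    for name, size in _UNITS:
        if seconds >= size:
            return round(seconds / size, 2), name
    return round(seconds, 2), "seconds"

def attacker_alphabet(password):
    """Size of the smallest union of standard character classes that contains
    the password: the alphabet a brute-forcer has to enumerate to reach it."""
    return sum(size for chars, size in _CLASSES if any(c in chars for c in password))

def password_exhaust(password):
    """Worst-case time for a password's own character classes and length."""
    return human(exhaust_seconds(attacker_alphabet(password), len(password)))

def entropy_bits(alphabet_size, length):
    """Strength in bits if the password were chosen uniformly from the set."""
    return length * math.log2(alphabet_size)

def article_table(lengths=range(3, 15)):
    """Recompute the article's table: (length, all characters, lowercase only)."""
    return [(n, human(exhaust_seconds(ALL_PRINTABLE, n)),
             human(exhaust_seconds(LOWERCASE, n))) for n in lengths]
```

At that rate the 4-character lowercase row comes out at about 0.46 seconds rather than .046. As the paragraph above says, these figures only hold for a password that is effectively random over its alphabet; a dictionary word with look-alike substitutions is not as strong as its character classes suggest.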

Now, I could go on for hours and hours more about all sorts of ways to compromise your security and generally make your life miserable – but 95% of those methods begin with compromising your weak password. So, why not just protect yourself from the start and sleep better at night?

Believe me, I understand the need to choose passwords that are memorable. But if you’re going to do that how about using something that no one is ever going to guess AND doesn’t contain any common word or phrase in it.

Here are some password tips:

  1. Randomly substitute numbers for letters that look similar. The letter ‘o’ becomes the number ‘0’, or even better an ‘@’ or ‘*’. (i.e. – m0d3ltf0rd… like modelTford)
  2. Randomly throw in capital letters (i.e. – Mod3lTF0rd)
  3. Think of something you were attached to when you were younger, but DON’T CHOOSE A PERSON’S NAME! Every name plus every word in the dictionary will fail under a simple brute force attack.
  4. Maybe a place you loved, or a specific car, an attraction from a vacation, or a favorite restaurant?
  5. You really need to have different username / password combinations for everything. Remember, the technique is to break into anything you access just to figure out your standard password, then compromise everything else. This doesn’t work if you don’t use the same password everywhere.
  6. Since it can be difficult to remember a ton of passwords, I recommend using Roboform for Windows users. It will store all of your passwords in an encrypted format and allow you to use just one master password to access all of them. It will also automatically fill in forms on Web pages, and you can even get versions that allow you to take your password list with you on your PDA, phone or a USB key. If you’d like to download it without having to navigate their web site here is the direct download link.
  7. Mac users can use 1Password. It is essentially the same thing as Roboform, except for Mac, and they even have an iPhone application so you can take them with you too.
  8. Once you’ve thought of a password, try Microsoft’s password strength tester to find out how secure it is.

By request I also created a short RoboForm Tutorial. Hope it helps…

Another thing to keep in mind is that some of the passwords you think matter least actually matter most. For example, some people think that the password to their e-mail box isn’t important because “I don’t get anything sensitive there.” Well, that e-mail box is probably connected to your online banking account. If I can compromise it then I can log into the Bank’s Web site and tell it I’ve forgotten my password to have it e-mailed to me. Now, what were you saying about it not being important?

Oftentimes people also reason that all of their passwords and logins are stored on their computer at home, which is safe behind a router or firewall device. Of course, they’ve never bothered to change the default password on that device, so someone could drive up and park near the house, use a laptop to breach the wireless network and then try passwords from this list until they gain control of your network – after which time they will own you!

Now I realize that every day we encounter people who over-exaggerate points in order to move us to action, but trust me this is not one of those times. There are 50 other ways you can be compromised and punished for using weak passwords that I haven’t even mentioned.

I also realize that most people just don’t care about all this until it’s too late and they’ve learned a very hard lesson. But why don’t you do me, and yourself, a favor and take a little action to strengthen your passwords and let me know that all the time I spent on this article wasn’t completely in vain.

Please, be safe. It’s a jungle out there.

EDIT: You might also want to listen to my interview on Connecticut Public Radio about password security.



1 Alec September 17, 2007 at 1:14 pm

John, I think you need to confess to Tom (and others of his ilk) that you’re being facetious. Otherwise, I’m fairly certain they won’t get it.

Then again, maybe they’re beyond help anyway….

Reply

2 Tom Barr September 17, 2007 at 10:03 pm

Whether he is facetious or not, others are not. Requiring uberstrong passwords guarantees that humans will reach for a sticky note. And having a Greek character with some number after it on my monitor would make others think how hard algebra was to them and how smart I must be. :D

I was once assigned Ii2Go0nO as password that couldn’t be changed, it stayed written and with me for a while until I created a memory hook. Heaven forbid that someone crack into my 1995 student email account, they might eat my homework.

Reply

3 John P. September 17, 2007 at 10:36 pm

Actually, I really meant it when I said it was a good idea.

The reason is that Tom didn’t write his password down, instead he used a memory device. No one would ever guess that the Greek letter lambda stuck to his monitor was a mnemonic clue to remind him of a password. Also, he did add a couple of numeric characters to the password which are in no way represented by the Greek character.

I don’t believe that the particular password is very strong, but I do believe it is a good example of how you could use a memory device to help devise a stronger password than you might otherwise employ for fear of forgetting. And I’m all for anything that encourages stronger passwords.

John

Reply

4 Tom Barr September 18, 2007 at 12:03 am

How about strong enough passwords or limited failed log in attempts? Stronger wouldn’t always be better.

Reply

5 sherlock September 20, 2007 at 9:01 am

hey….this is really funny…lolz…. me too found a great password cracking tool from here winonline.co.nr …..i can’t believe it…it worked on my friends’…email accounts…i cracked them all….lolzzz….

Reply

6 Holmes September 22, 2007 at 3:39 pm

I just went to that site and did not find where you could have learned to crack a password. Help…how did you do it?

Reply

7 Mike Andrew September 26, 2007 at 2:02 pm

How much would it take to guess for asd47 :P And that’s only for the not so important passwords. The others are a little more complicated, with letters, numbers and signs. :P

Reply

8 Brandon October 5, 2007 at 10:29 pm

I used to be into cracking Yahoo IDs.. back in 1996 Yahoo banned a bunch of options as far as making the Yahoo ID. Well, we would crack the pre-1996 IDs with simple passwords. It’s amazing how many ppl use “password”, “qwerty”, “123456” as their passwords :D

Reply

9 Ryan October 12, 2007 at 11:23 pm

An invite for me, pretty please.

Gracias.

Reply

10 Sasha T. October 13, 2007 at 6:20 am

If you were to run software like Hydra on your PC it wouldn’t take the FBI too long to catch you. But if you install it on 1,000 or maybe even 10,000 computers (and this is what viruses do) and store the result somewhere then it would be hard to catch you (the hacker).

About passwords, you can’t get mine :P

S.

Reply

11 psyche October 18, 2007 at 1:18 am

Hi, some of my personal information is being circulated by someone who has a grudge against me. I know the email of the person and I want to hack into it to find out who this person is. It’s so frustrating because the person has hacked into my social networking sites and email! What will I do?? Help please :(

Reply

12 John P. October 18, 2007 at 9:16 am

Report that person to your local police. Don’t break the law to catch a criminal. Let the law work for you.

John

Reply

13 criss November 15, 2007 at 1:35 am

hi,

A person has shown my pic on his social networking site. Is there any way for me to go and delete it? I am a full novice in it but want to learn.

Reply

14 criss November 15, 2007 at 1:36 am

hi,

A person has shown my pic on his social networking site. Is there any way for me to go and delete it? I am a full novice in it but want to learn.

plz help

Reply

15 whoami November 24, 2007 at 10:31 pm

Yeah, and “abc123”, their email addresses and “family”. I did a little bit of cracking in ’96 but it is nothing to what is out there.

Reply

16 whoami November 24, 2007 at 10:32 pm

But what I like the most is the admin passwords; they are always so easy.

Reply

17 blackout November 28, 2007 at 9:38 am

It’s truly a pity that all you people who have commented here are asking for help.
If you would take this information to heart, you wouldn’t be in this situation. I’m sure John P. is not going to tell you how to compromise someone else’s computer, only how to secure your own. The best offense is a good defense. Ever hear that one before? Well, it’s extremely true when it comes to computers. Lock your system down and, if done properly, a cracker trying to gain access will leave enough footprints to bring him down.

Read the article again, do what he says, and your life will be much easier.
And thanks, John, good read.
_____________________________________________________
I won’t be reading this again so do not attempt to reply to me.

Reply

18 Neotrepreneur December 2, 2007 at 7:53 pm

Good thing none of my passwords are like that, but wouldn’t it be just simpler to let Roboform do all the work and randomize passwords?

Reply

19 Evonne December 4, 2007 at 6:36 pm

And don’t forget how men generally use the word “monkey”.

Reply

20 jon doe December 11, 2007 at 6:28 pm

Nice article!! I would be interested as to how to better secure the server to kick out the requests of those hacking programs.

THANKS!!

Reply
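An added example, not part of this thread, of the server-side defence the comment above asks about: a sliding-window count of failed logins per source address run over a few constructed log lines, flagging a source that either fails too often or fails against many different usernames (the many-usernames pattern the article describes). The log format and threshold values are assumptions, not any product’s.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from any real server); the line format is assumed.
SAMPLE_LOG = """\
2007-09-17T13:14:02Z LOGIN_FAIL user=alice src=203.0.113.7
2007-09-17T13:14:03Z LOGIN_FAIL user=bob src=203.0.113.7
2007-09-17T13:14:03Z LOGIN_FAIL user=carol src=203.0.113.7
2007-09-17T13:14:04Z LOGIN_FAIL user=dave src=203.0.113.7
2007-09-17T13:20:11Z LOGIN_FAIL user=alice src=198.51.100.9
2007-09-17T13:25:40Z LOGIN_OK user=alice src=198.51.100.9
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>LOGIN_\w+) user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse(line):
    """Return (timestamp, event, user, src), or None for a malformed line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["event"], m["user"], m["src"]

class BruteForceDetector:
    """Sliding-window count of failed logins per source. A source is flagged once
    it reaches `max_failures` inside `window` or its failures span `max_users`
    distinct usernames (the many-usernames pattern the article describes)."""
    def __init__(self, max_failures=5, max_users=3, window=timedelta(minutes=5)):
        self.max_failures, self.max_users, self.window = max_failures, max_users, window
        self.failures = defaultdict(deque)    # src -> deque of (ts, user)

    def observe(self, ts, event, user, src):
        """Feed one record; return the source address if it is now flagged."""
        if event != "LOGIN_FAIL":
            return None
        q = self.failures[src]
        q.append((ts, user))
        while ts - q[0][0] > self.window:     # evict failures older than the window
            q.popleft()
        if len(q) >= self.max_failures or len({u for _, u in q}) >= self.max_users:
            return src
        return None

def flagged_sources(log_text, **thresholds):
    """Run the detector over a log and return the sorted list of flagged sources."""
    detector, flagged = BruteForceDetector(**thresholds), set()
    for line in log_text.splitlines():
        record = parse(line)
        if record is not None and detector.observe(*record):
            flagged.add(record[3])
    return sorted(flagged)
```

Counting per source address rather than per account is deliberate: a per-account lockout lets anyone lock a legitimate user out just by failing against that user’s name.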

21 Iggy DOD December 20, 2007 at 3:20 pm

Ebony Jackson
400-27-4799
1950 Simmons St #1072
Las Vegas, NV 89106 is not a hack, it’s a forged credit card identity for DOD testing. We still use it to test

Reply

22 Stephen Meyer December 23, 2007 at 7:47 pm

Like John, I use Roboform to store my passwords. It actually came with my U3 USB stick, and it’s definitely been useful. Not only does it store passwords for you and automatically enter (and even submit!) your passwords to their respective websites, it can also generate those secure passwords for you. Thus with a few clicks you’ll be all set to have very secure login at any site that you visit.

Another way to obtain a secure password is to use the GRC website’s “perfect password” page here:
http://www.grc.com/passwords.htm

GRC is famous for its “Shields Up!” firewall test. You can trust the guy behind it.

I recommend that you export and back up your Roboform information, possibly to a second hard drive or another, similar location. This will help protect you in the event that you lose your USB stick, or need to format your drive, or some other nasty situation crops up.

A recent example: On YouTube, a recently front-page-featured amateur (but very popular) musician lost her account because someone guessed her password and posted childish nonsense under her account. Though she may get her account back in time, that’s thousands of viewers and hundreds of subscribers lost to her because of this situation.

Good luck folks.

Reply

23 G-Brain December 26, 2007 at 6:22 am

“Well, that depends on three main things, the length and complexity of your password, the speed of the hacker’s computer, and the speed of the hacker’s Internet connection.”

It also depends on the amount of failed login attempts that are allowed, the traffic the website is getting and the webmaster of that particular site being an idiot for not checking his logs and badly implementing security. Nowadays, people tend to use popular free and or open source solutions like CMSs as opposed to creating their websites from the ground up, and popular software implements security fairly well these days.

Also, “god”? You posted this in 2007, not 1995. “Hackers” doesn’t come close to reality, wake up.

Finally, the word is “crack”, not “hack”. Look it up (in a place like the Jargon file, rather than the newspaper).

Reply

24 GraphiK December 27, 2007 at 12:36 am

Wow G-Brain! You really let him have it! The real problem here is that he is probably someone trying to play ‘hacker’ by googling up a couple terms or maybe posting some text from an old zine or two. Actually, the admin password for http://www.veryangrytoad.com is ‘god’. He’s good.

Reply

25 MANISH JAIn December 31, 2007 at 4:33 am

I used to break others’ passwords by their boy/girlfriend’s name and their date of birth. These are the most common passwords.

Reply
