If you invited me to try and crack your password, you know, the one you use over and over for just about every web page you visit, how many guesses would it take before I got it? Let’s see… here is my top 10 list. I can obtain most of this information much more easily than you think, and then I might just be able to get into your e-mail, computer, or online banking. After all, if I get into one I’ll probably get into all of them.
- Your partner, child, or pet’s name, possibly followed by a 0 or 1 (because they’re always making you use a number, aren’t they?)
- The last 4 digits of your social security number.
- 123 or 1234 or 123456.
- “password”
- Your city or college football team’s name.
- Date of birth – yours, your partner’s or your child’s.
- “god”
- “letmein”
- “money”
- “love”
Statistically speaking, that should cover about 20% of you. But don’t worry: if I didn’t get it yet, it will probably only take a few more minutes before I do… Hackers, and I’m not talking about the ethical kind, have developed a whole range of tools to get at your personal data, and the main thing standing between your information staying safe and leaking out is the password you choose. (Ironically, the best protection people have is usually the one they take least seriously.)

One of the simplest ways to gain access to your information is a Brute Force Attack: a hacker uses a specially written piece of software to attempt to log into a site using your credentials, trying one guess after another until something works. Insecure.org has a list of the Top 10 FREE Password Crackers. So, how would one use this process to actually breach your personal security? Simple. Follow my logic:
- You probably use the same password for lots of stuff right?
- Some sites you access such as your Bank or work VPN probably have pretty decent security, so I’m not going to attack them.
- However, other sites like the Hallmark e-mail greeting card site, an online forum you frequent, an e-commerce site you’ve shopped at, or a cryptocurrency wallet might not be as well prepared. So those are the ones I’d work on.
- So, all we have to do now is unleash Brutus, wwwhack, or THC Hydra on their server with instructions to try say 10,000 (or 100,000 – whatever makes you happy) different usernames and passwords as fast as possible.
- Once we’ve got several login+password pairings we can then go back and test them on targeted sites.
- But wait… How do I know which bank you use and what your login ID is for the sites you frequent? All those cookies are simply stored, unencrypted and nicely named, in your Web browser’s cache. (Read this post to remedy that problem.)
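The weak-site step above (one source hammering a login form with thousands of username/password pairs) is exactly what the site’s own logs can reveal. This is an added example, not code from the original post: a small detector that reads constructed auth log lines in an assumed format and flags a source IP that fails logins against many distinct accounts inside a short window, then lists which accounts it eventually got into.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed format: "<ISO time> <source ip> <username> <LOGIN_OK|LOGIN_FAIL>"
SAMPLE_LOG = """\
2009-03-01T10:00:01 198.51.100.7 alice LOGIN_FAIL
2009-03-01T10:00:01 198.51.100.7 bob LOGIN_FAIL
2009-03-01T10:00:02 198.51.100.7 carol LOGIN_FAIL
2009-03-01T10:00:02 198.51.100.7 dave LOGIN_FAIL
2009-03-01T10:00:03 198.51.100.7 erin LOGIN_FAIL
2009-03-01T10:00:03 198.51.100.7 frank LOGIN_OK
2009-03-01T10:00:09 203.0.113.5 alice LOGIN_FAIL
2009-03-01T10:00:40 203.0.113.5 alice LOGIN_OK
"""

def parse(line):
    ts, ip, user, outcome = line.split()
    return datetime.fromisoformat(ts), ip, user, outcome

def find_sprayers(log_text, window=timedelta(seconds=60), min_users=5):
    """Return {ip: set(usernames)} for source IPs whose failed logins touch
    at least `min_users` distinct accounts within any `window` of time.
    A normal user mistypes one account; a cracker walks through many."""
    failures = defaultdict(list)  # ip -> [(time, user)] for LOGIN_FAIL events
    for line in log_text.splitlines():
        t, ip, user, outcome = parse(line)
        if outcome == "LOGIN_FAIL":
            failures[ip].append((t, user))
    flagged = {}
    for ip, fails in failures.items():
        fails.sort()                      # sliding window needs time order
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1                # drop events older than the window
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = flagged.get(ip, set()) | users
    return flagged

def successes_from(log_text, ips):
    """Accounts that logged in successfully from a flagged IP: the
    'login+password pairings' the cracker walks away with."""
    hits = set()
    for line in log_text.splitlines():
        _, ip, user, outcome = parse(line)
        if ip in ips and outcome == "LOGIN_OK":
            hits.add(user)
    return hits

if __name__ == "__main__":
    flagged = find_sprayers(SAMPLE_LOG)
    for ip, users in flagged.items():
        print(f"{ip}: failed logins for {len(users)} accounts {sorted(users)}")
    print("accounts to reset:", sorted(successes_from(SAMPLE_LOG, flagged)))
```

The thresholds are assumptions; on a real site the same check would run over the web server or application auth log, and any account in the last line is one whose password should be reset.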
And how fast could this be done? Well, that depends on three main things: the length and complexity of your password, the speed of the hacker’s computer, and the speed of the hacker’s Internet connection. Assuming the hacker has a reasonably fast connection and PC, here is an estimate of the amount of time it would take to generate every possible combination of passwords for a given number of characters. After generating the list it’s just a matter of time before the computer runs through all the possibilities, or gets shut down trying. Pay particular attention to the difference between using only lowercase characters and using all possible characters (uppercase, lowercase, and special characters like @#$%^&*). Adding just one capital letter and one asterisk would change the processing time for an 8 character password from 2.4 days to 2.1 centuries.
Password Length | All Characters | Only Lowercase
---|---|---
3 characters | 0.86 seconds | 0.02 seconds
4 characters | 1.36 minutes | .046 seconds
5 characters | 2.15 hours | 11.9 seconds
6 characters | 8.51 days | 5.15 minutes
7 characters | 2.21 years | 2.23 hours
8 characters | 2.10 centuries | 2.42 days
9 characters | 20 millennia | 2.07 months
10 characters | 1,899 millennia | 4.48 years
11 characters | 180,365 millennia | 1.16 centuries
12 characters | 17,184,705 millennia | 3.03 millennia
13 characters | 1,627,797,068 millennia | 78.7 millennia
14 characters | 154,640,721,434 millennia | 2,046 millennia
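The table is a straight keyspace calculation: alphabet size raised to the password length, divided by the attacker’s guess rate. The example below is added here and is not the article’s own code; it assumes, because the table’s figures fit it, a rate of 1,000,000 guesses per second, a 365-day year, and a 95-character “all characters” alphabet (26 lowercase, 26 uppercase, 10 digits, 33 symbols including space). It rebuilds the table and also rates an actual candidate password by the classes it uses.

```python
import string

GUESSES_PER_SECOND = 1_000_000  # assumption: 26**8 / 1e6 s is the table's 2.42 days
YEAR = 365 * 86400              # assumption: the table's years/months fit a 365-day year

# Character classes with their sizes; an exhaustive search must cover every class used.
CLASSES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "symbol": (set(string.punctuation + " "), 33),  # 95 printable minus 62 alphanumerics
}

UNITS = [("millennia", 1000 * YEAR), ("centuries", 100 * YEAR), ("years", YEAR),
         ("months", YEAR / 12), ("days", 86400), ("hours", 3600), ("minutes", 60)]

def alphabet_size(password: str) -> int:
    """Size of the smallest class-based alphabet containing every character used."""
    return sum(size for chars, size in CLASSES.values() if any(c in chars for c in password))

def exhaustive_seconds(alphabet: int, length: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Seconds to try every string of exactly `length` characters over `alphabet`."""
    return alphabet ** length / rate

def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that is at least 1, as the table does."""
    for name, size in UNITS:
        if seconds >= size:
            return f"{seconds / size:.2f} {name}"
    return f"{seconds:.2f} seconds"

def estimate(password: str) -> tuple:
    """(alphabet size, seconds) that this brute-force model assigns to a password."""
    size = alphabet_size(password)
    return size, exhaustive_seconds(size, len(password))

def table(max_len: int = 14) -> list:
    """Rebuild the article's table as (length, all 95 characters, lowercase only) rows."""
    return [(n, humanize(exhaustive_seconds(95, n)), humanize(exhaustive_seconds(26, n)))
            for n in range(3, max_len + 1)]

if __name__ == "__main__":
    for row in table():
        print("%2d characters  %-26s %s" % row)
    for pw in ("modeltford", "Mod3lTF0rd"):   # the article's own tip examples
        size, secs = estimate(pw)
        print(f"{pw!r}: alphabet of {size}, {humanize(secs)}")
```

Note that this only measures an exhaustive search; a password built from a dictionary word falls long before the keyspace is exhausted, which is why the article’s caveat below matters.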
Remember, these are just for an average computer, and they assume you aren’t using any word in the dictionary. If Google put their computers to work on it they’d finish about 1,000 times faster. Now, I could go on for hours and hours more about all sorts of ways to compromise your security and generally make your life miserable, but 95% of those methods begin with compromising your weak password. So, why not protect yourself from the start and sleep better at night? Believe me, I understand the need to choose passwords that are memorable. But if you’re going to do that, how about using something that no one is ever going to guess AND that doesn’t contain any common word or phrase? Here are some password tips:
- Randomly substitute numbers for letters that look similar. The letter ‘o’ becomes the number ‘0’, or even better an ‘@’ or ‘*’. (e.g. m0d3ltf0rd for modelTford)
- Randomly throw in capital letters (e.g. Mod3lTF0rd)
- Think of something you were attached to when you were younger, but DON’T CHOOSE A PERSON’S NAME! Every name and every word in the dictionary will fail under a simple brute force attack.
- Maybe a place you loved, or a specific car, an attraction from a vacation, or a favorite restaurant?
- You really need to have different username / password combinations for everything. Remember, the technique is to break into anything you access just to figure out your standard password, then compromise everything else. This doesn’t work if you don’t use the same password everywhere.
- Since it can be difficult to remember a ton of passwords, I recommend using Roboform for Windows users. It will store all of your passwords in an encrypted format and allow you to use just one master password to access all of them. It will also automatically fill in forms on Web pages, and you can even get versions that allow you to take your password list with you on your PDA, phone or a USB key. If you’d like to download it without having to navigate their web site here is the direct download link.
- Mac users can use 1Password. It is essentially the same thing as Roboform, except for Mac, and they even have an iPhone application so you can take them with you too.
- Once you’ve thought of a password, try Microsoft’s password strength tester to find out how secure it is.
By request I also created a short RoboForm Tutorial. Hope it helps…

Another thing to keep in mind is that some of the passwords you think matter least actually matter most. For example, some people think that the password to their e-mail box isn’t important because “I don’t get anything sensitive there.” Well, that e-mail box is probably connected to your online banking account. If I can compromise it then I can log into the Bank’s Web site and tell it I’ve forgotten my password to have it e-mailed to me. Now, what were you saying about it not being important?

Oftentimes people also reason that all of their passwords and logins are stored on their computer at home, which is safe behind a router or firewall device. Of course, they’ve never bothered to change the default password on that device, so someone could drive up and park near the house, use a laptop to breach the wireless network and then try passwords from this list until they gain control of your network, after which time they will own you!

Now I realize that every day we encounter people who over-exaggerate points in order to move us to action, but trust me, this is not one of those times. There are 50 other ways you can be compromised and punished for using weak passwords that I haven’t even mentioned. I also realize that most people just don’t care about all this until it’s too late and they’ve learned a very hard lesson. But why don’t you do me, and yourself, a favor and take a little action to strengthen your passwords, and let me know that all the time I spent on this article wasn’t completely in vain. Please, be safe. It’s a jungle out there.
EDIT: You might also want to listen to my interview on Connecticut Public Radio about password security, or watch this ABC World News report.
This is my first time visiting here and I am really impressed to read it all in one place.
Hi John,
All very interesting!
I have just come to the conclusion that Microsoft Web Outlook providers are hopeless. I have had my account hacked and they are unable to provide any help… apart from… the hacker owns the account now and we cannot delete your old account… now in the hacker’s user name with a new password.
Any suggestions?? I am at a complete loss.
Hello there, and thank you for your info. I have definitely picked up something new from right here. I did however experience several technical issues using this site, since I had to reload the site lots of times before I could get it to load properly. I had been wondering if your web host is OK? Not that I am complaining, but sluggish loading times will very frequently affect your placement in Google and can damage your high-quality score if advertising and marketing with Adwords. Well, I am adding this RSS to my e-mail and can look out for much more of your respective intriguing content. Make sure you update this again very soon.
You forgot to mention rainbow tables and GPU cracking. People should be aware of the one way hash algorithms that do things right. An extension of this is how fast you can combine these attacks for Wifi networks.
Additionally, you might also want to mention any site that can email your exact password to you is “doing something wrong”(tm)!
Your way of describing everything in this article is really pleasant; everyone will be able to easily understand it. Thanks a lot.
This is really interesting. You’re an excessively skilled blogger. I have joined your feed and look forward to seeking more of your wonderful posts. Also, I have shared your website in my social networks.
Excellent advice and knowledge. Thank you!
The link for the Microsoft Password tester has changed to: https://www.microsoft.com/security/pc-security/password-checker.aspx
correct horse battery staple
you win. XKCD.
It’s as if you read my mind! You appear to know so much about this, as if you wrote the e-book on it or something. I believe that you could do with some percent to press the message home a bit, but instead of that, this is a wonderful blog. A fantastic read. I’ll definitely be back.
Hey just wanted to give you a quick heads up. The words in your post seem to be running off the screen in Internet explorer.
I’m not sure if this is a formatting issue or something to do with browser compatibility but I figured I’d post to let you know.
The design and style look great though! Hope you get the issue resolved soon.
Many thanks
What’s up Dear, are you truly visiting this website regularly? If so, afterwards you will absolutely get nice know-how.
It’s Great!!!!!
!!!!!!!!!!!!!!!
It’s Great!!!!!!!!!!!!!!!!
First off I want to say fantastic blog! I had a quick question which I’d like to ask if you don’t mind. I was interested to find out how you center yourself and clear your head prior to writing. I’ve had a difficult time clearing my thoughts and getting my ideas out there. I do take pleasure in writing, however it just seems like the first 10 to 15 minutes are generally wasted simply trying to figure out how to begin. Any recommendations or tips? Thank you!
That’s good, but tell me what’s the digit number of this •••••••• if you can……….?
Hi, I do believe this is an excellent site. I stumbled upon it ;) I’m going to return once again since I have bookmarked it. Money and freedom is the greatest way to change, may you be rich and continue to guide other people.
Awesome, now I should change all my passwords.
My girlfriend changed the password of her Facebook account, yet there is info I would like to read and I want to crack her password on her account and as well on her laptop. Heeeeeeeeeeeeeelp me please.
Great! :( Now I should change all my passwords (
You forgot to mention one of the good tools for storing / generating passwords, one which is cross-platform across your Android, Mac, Windows, Linux, iPhone: KeePass. You just sync your password database across all these platforms and you will never be without your passes. Other, platform-dependent solutions would leave you pretty disappointed down the road when you try to switch platforms.
nice one !
ha koung
My team & I offer hacking services. We can hack/recover? any email id, FACEBOOK & website servers & grant our clients access. We always? provide proof before payment so you know you are not being ripped off. Send me a mail “shimomurat@yahoo.com”. We try to reply every client ASAP & execute the project in the quickest time-frame possible.
lovelove