One Man's Blog

Specialization is for Insects.

Home / Computing / How I’d Hack Your Weak Passwords

How I’d Hack Your Weak Passwords

John P.

By

If you invited me to try and crack your password, you know the one that you use over and over for like every web page you visit, how many guesses would it take before I got it? Let’s see… here is my top 10 list. I can obtain most of this information much easier than you think, then I might just be able to get into your e-mail, computer, or online banking. After all, if I get into one I’ll probably get into all of them.

  1. Your partner, child, or pet’s name, possibly followed by a 0 or 1 (because they’re always making you use a number, aren’t they?)
  2. The last 4 digits of your social security number.
  3. 123 or 1234 or 123456.
  4. “password”
  5. Your city, or college, football team name.
  6. Date of birth – yours, your partner’s or your child’s.
  7. “god”
  8. “letmein”
  9. “money”
  10. “love”

Statistically speaking that should probably cover about 20% of you. But don’t worry. If I didn’t get it yet it will probably only take a few more minutes before I do… Hackers, and I’m not talking about the ethical kind, have developed a whole range of tools to get at your personal data. And the main impediment standing between your information remaining safe, or leaking out, is the password you choose. (Ironically, the best protection people have is usually the one they take least seriously.) One of the simplest ways to gain access to your information is through the use of a Brute Force Attack. This is accomplished when a hacker uses a specially written piece of software to attempt to log into a site using your credentials. Insecure.org has a list of the Top 10 FREE Password Crackers right here. So, how would one use this process to actually breach your personal security? Simple. Follow my logic:

  • You probably use the same password for lots of stuff right?
  • Some sites you access such as your Bank or work VPN probably have pretty decent security, so I’m not going to attack them.
  • However, other sites like the Hallmark e-mail greeting cards site, an online forum you frequent, or an e-commerce site or a cryptocurrency wallet you’ve shopped at might not be as well prepared. So those are the ones I’d work on.
  • So, all we have to do now is unleash Brutus, wwwhack, or THC Hydra on their server with instructions to try say 10,000 (or 100,000 – whatever makes you happy) different usernames and passwords as fast as possible.
  • Once we’ve got several login+password pairings we can then go back and test them on targeted sites.
  • But wait… How do I know which bank you use and what your login ID is for the sites you frequent? All those cookies are simply stored, unencrypted and nicely named, in your Web browser’s cache. (Read this post to remedy that problem.)

And how fast could this be done? Well, that depends on three main things, the length and complexity of your password, the speed of the hacker’s computer, and the speed of the hacker’s Internet connection. Assuming the hacker has a reasonably fast connection and PC here is an estimate of the amount of time it would take to generate every possible combination of passwords for a given number of characters. After generating the list it’s just a matter of time before the computer runs through all the possibilities – or gets shut down trying. Pay particular attention to the difference between using only lowercase characters and using all possible characters (uppercase, lowercase, and special characters – like @#$%^&*). Adding just one capital letter and one asterisk would change the processing time for an 8 character password from 2.4 days to 2.1 centuries.

Password Length All Characters Only Lowercase
3 characters 4 characters 5 characters 6 characters 7 characters 8 characters 9 characters 10 characters 11 characters 12 characters 13 characters 14 characters 0.86 seconds 1.36 minutes 2.15 hours 8.51 days 2.21 years 2.10 centuries 20 millennia 1,899 millennia 180,365 millennia 17,184,705 millennia 1,627,797,068 millennia 154,640,721,434 millennia 0.02 seconds .046 seconds 11.9 seconds 5.15 minutes 2.23 hours 2.42 days 2.07 months 4.48 years 1.16 centuries 3.03 millennia 78.7 millennia 2,046 millennia

Remember, these are just for an average computer, and these assume you aren’t using any word in the dictionary. If Google put their computer to work on it they’d finish about 1,000 times faster. Now, I could go on for hours and hours more about all sorts of ways to compromise your security and generally make your life miserable – but 95% of those methods begin with compromising your weak password. So, why not just protect yourself from the start and sleep better at night? Believe me, I understand the need to choose passwords that are memorable. But if you’re going to do that how about using something that no one is ever going to guess AND doesn’t contain any common word or phrase in it. Here are some password tips:

  1. Randomly substitute numbers for letters that look similar. The letter ‘o’ becomes the number ‘0’, or even better an ‘@’ or ‘*’. (i.e. – m0d3ltf0rd… like modelTford)
  2. Randomly throw in capital letters (i.e. – Mod3lTF0rd)
  3. Think of something you were attached to when you were younger, but DON’T CHOOSE A PERSON’S NAME! Every name plus every word in the dictionary will fail under a simple brute force attack.
  4. Maybe a place you loved, or a specific car, an attraction from a vacation, or a favorite restaurant?
  5. You really need to have different username / password combinations for everything. Remember, the technique is to break into anything you access just to figure out your standard password, then compromise everything else. This doesn’t work if you don’t use the same password everywhere.
  6. Since it can be difficult to remember a ton of passwords, I recommend using Roboform for Windows users. It will store all of your passwords in an encrypted format and allow you to use just one master password to access all of them. It will also automatically fill in forms on Web pages, and you can even get versions that allow you to take your password list with you on your PDA, phone or a USB key. If you’d like to download it without having to navigate their web site here is the direct download link.
  7. Mac users can use 1Password. It is essentially the same thing as Roboform, except for Mac, and they even have an iPhone application so you can take them with you too.
  8. Once you’ve thought of a password, try Microsoft’s password strength tester to find out how secure it is.

By request I also created a short RoboForm Tutorial. Hope it helps… Another thing to keep in mind is that some of the passwords you think matter least actually matter most. For example, some people think that the password to their e-mail box isn’t important because “I don’t get anything sensitive there.” Well, that e-mail box is probably connected to your online banking account. If I can compromise it then I can log into the Bank’s Web site and tell it I’ve forgotten my password to have it e-mailed to me. Now, what were you saying about it not being important? Often times people also reason that all of their passwords and logins are stored on their computer at home, which is save behind a router or firewall device. Of course, they’ve never bothered to change the default password on that device, so someone could drive up and park near the house, use a laptop to breach the wireless network and then try passwords from this list until they gain control of your network – after which time they will own you! Now I realize that every day we encounter people who over-exaggerate points in order to move us to action, but trust me this is not one of those times. There are 50 other ways you can be compromised and punished for using weak passwords that I haven’t even mentioned. I also realize that most people just don’t care about all this until it’s too late and they’ve learned a very hard lesson. But why don’t you do me, and yourself, a favor and take a little action to strengthen your passwords and let me know that all the time I spent on this article wasn’t completely in vain. Please, be safe. It’s a jungle out there.

EDIT: You might also want to listen to my interview on Connecticut Public Radio about password security.

Or this ABC World News report:

>
And here’s another ABC World News report:

Comments

  3. Thanks for this article. I am a new blogger so this is very helpful. It’s hard to know how long it takes to make a successful blog, so “being patient” is among some of the best advice you can give. It’s easy to get discouraged when you don’t see movement, but this give me some encouragement.

  4. So, I hear that if you string a bunch of dictionary words together for a password, that it will be very secure and easy to remember. I have my doubts about this. Is this true?

  5. I have a friend (intimate relationship) who said they were hacked when I saw a personals ad on their e-mail (two different ones showing their e-mail in a conversation with another person and an actual posting of their own). My friend said they did not send these e-mails and did not post ads on a personal encounter site. Is it possible that someone would hack your e-mail and have conversations with people on personals sites and actually use that persons home address and said person could not see the e-mails being sent back and forth? My friend says that this has happened before and that my friend is unaware of such actions. Have you seen this happen before and in your opinion does this happen often? I feel lied to and I want the truth about such hacking. Thanks

  6. Fenix TK12 High Performance LED Flashlight. The Fenix TK12 R5 model has 4 brightness with measured output of 245 lumens maximum. This is the latest model now rated using the new ANSI output standards. A key feature of the Fenix TK12 R5 is that it always turns on in the last selected mode. The TK12 R5 is shipped in the Default mode with 245 lumens in high and 42 lumens in low with run times of 2.75 and 20 hours respectively. The TK12 has 2 additional modes, and each mode has 2 choices of output.. Features of Fenix TK12 R5 model High Performance LED Flashlight:. &bull- 3 modes with 2 levels of output for each mode (total of 4 brightness levels plus disorienting strobe). Default mode: 245 lumens (2.75 hours, shines up to 587 ft), 42 lumens (20 hours). Camping mode: 95 lumens (9.5 hours), 8 lumens (98 hours). Hunting mode: 245 lumens (2.75 hours), strobe (250 lumens). &bull- intelligent memory – the TK12 R2 model will always turn on in the previously selected mode. &bull- pushbutton switch for momentary on and constant on/off. &bull- slightly textured reflector for a smooth beam. &bull- ultra-clear glass lens with anti-reflective coating. &bull- tactical tail switch with momentary on. &bull- anti roll slip-resistant body with grip ring. &bull- reverse polarity protected. &bull- digitally regulated to maintain more consistent light levels. &bull- durable aircraft grade aluminum. &bull- premium Type III hard anodized finish. &bull- waterproof to IPX-8 standard (submerged in 2 meters of water for 30 minutes) – not dive rated. &bull- measures 5.4″L with a head diameter of 1.3″. &bull- weighs 5.7 oz with batteries. &bull- powered by 2 ea CR123A lithium batteries or one 18650 Li-ion rechargeable battery,. batteries NOT included. &bull- includes nylon belt holster with top flap and velcro closure, wrist lanyard, removable pocket clip,. 2 spare O-rings and spare switch cover. &bull- limited 1 year warranty through BrightGuy. Note: damage due to battery leakage is not covered under the Fenix warranty. &bull- made in China. Operation of TK12 R5 LED Flashlight:. &bull- partially depress the pushbutton switch for momentary on, press and click for constant on. &bull- to change modes, loosen-tighten-loosen-tighten the head of the light (within 0.5 seconds) to. advance to the next mode – this may sound complicated, but it’s easy. &bull- each mode has 2 output settings, slightly loosen and tighten the bezel to adjust between settings. within each mode. * submerged in 2 meters of water for 30 minutes <a href="javascript:toggle('data3')-activateTab.
    Fenix TK40 LED Flashlight. With 630 lumens maximum, the Fenix TK40 is the brightest flashlight powered by AA batteries available today. The Fenix TK40 gives you a total of 4 brightness modes ranging from 630 lumens to 13 lumens with respective run times of 2 hours and 150 hours. Fenix TK40 is the perfect LED flashlight for anything that requires high-output light.. Switching of Fenix TK40:. Press the tailcap switch and release for constant on. Press the tailcap twice fast for flashing. (Note: each brightness level has an associated flashing mode- refer to the sequence of switching below.) To change brightness levels, from the off position, turn the TK40 on and release the tail switch. Then, press and hold the tailcap switch for more than 1 second to scroll to the next level. From any mode, press and release the switch for off. Press the tail switch again, and the TK40 will turn on in the last selected brightness level.. Sequence of Switching for the Fenix TK40:. 1. Turbo: from this mode, rapidly press the switch twice for disorienting strobe. 2. Low: rapidly press the switch twice for slow flashing. 3. Medium: rapidly press the switch twice for SOS. 4. High: rapidly press the switch twice for fast flashing. Features of Fenix TK40 High Powered LED Flashlight:. &bull- Cree brand MC-E four-core LED with a lifespan of 50,000 hours. &bull- 2 modes with 8 types of output. &bull- 4 brightness settings:. Turbo, 630 Lumens for 2 hours. Low, 13 Lumens for 150 hours. Medium, 93 Lumens for 20 hours. High, 277 Lumens for 6.8 hours. &bull- 4 flashing modes: Strobe, Slow flashing, SOS, Fast flashing. &bull- digitally regulated output – maintains more consistent output over the life of the batteries. &bull- runs on 8 ea 1.5V AA batteries, compatible with alkaline or NiMH rechargeable (warning:. use of lithium batteries voids the warranty). &bull- can be powered by 4 AA batteries in an emergency. &bull- 8.1" long x 2.3" head diameter. &bull- anti-roll body design. &bull- made of T6 aircraft-grade aluminum. &bull- durable Type III hard-anodized anti-abrasive finish. &bull- waterproof to IPX-8* Standard (not dive rated). &bull- toughened ultra-clear glass lens with anti-reflective coating. &bull- push-button tailcap switch for constant on/off (no momentary on). &bull- includes plastic case, wrist lanyard, two spare o-rings, and a rubber switch boot. (batteries not included). &bull- limited 1 year warranty through BrightGuy. Note: damage due to battery leakage is not covered under warranty. *Submerged in 2 meters of water for 30 minutes. Warning: Use of lithium batteries will damage this light and voids the warranty. The TK40 has automatic overheating protection which may cause the light to flicker during prolonged operation in a hot environment. Do not use the turbo mode for more than 15 minutes. Please only use high-quality batteries of the same type, brand, capacity and state of charge. Mixing batteries may cause battery leakage and damage the flashlight. If you leave the flashlight unused for a few days, please unscrew the head 2.5 turns to prevent slow discharge of batteries. If the flashlight will not be used for a long period, please remove the batteries to avoid damage from battery leakage. <a href="javascript:toggle('data3')-activateTab.

  7. I m sorry, but the LED s do seem to be more vibrant than the plasmas; and the projection tube LED s seem to be a poor relation for not much less. Besides, I learned a long time ago that lots of wizzbangs, whirlygigs and moving parts generally add up to lots of repairs. If the most advanced LED projection TVs use hundreds of tiny mirrors, what lubricates the hinges, or whatever they turn on and how many cazillions of motions must they accomplish over the usable life of the unit?
    For 30 minutes I was on the phone, the lady didnt have a clue who to refer me to, so she refered to retailers. After 35 minutes my call ended up in one of the retailers in the high street who said i will be 95 to get a expensive equiry call, but I did not go ahead. Within 2 days later I called out two tv engineers recommende dby some friends – – both engineer said the bulb which is located behind the screen is about to go and a replacement cost would be about 250/350.

  8. Mr. Everett has described Peter Salem, a black man, and once a slave, as having been among the most prominent and meritorious characters at the battle of Bunker s Hill. Indeed, the historical painting of that scene, by Col. Trumbull, an eyewitness, done in 1785, gives Peter Salem, with other black patriots, a conspicuous place. One of the latter is thus commemorated:
    Normally, one, two or three of the devices are utilized and are attached to the rod in relation to the curtain hooks so that the devices moved to spaced interval, preferably along a mid portion of the curtain rod, when the curtain is pulled to the closed position. Also, the devices move with the curtain to a stored or opened position at one end of the rod, and when the weight members are moved to their inactive position, they hang freely with the curtain engaging members so as not to distort the curtain when in the stored or open position.

  9. These coaxial cables use a solid copper 18-gauge conductor. Surrounding this conductor is an insulating plastic tube, called a dielectric. Overlaying this dielectric is a series of shields, insulating the conductor from harmful interference from radio frequencies and other devices. These alternating braided and foil shields supply 95 percent coverage of the cable, making it almost immune to the types of signals that are destructive to delicate digital feeds.
    A computer repair technician is most often faced with the problem of corrupted OS during PC repair. And the best solution is data transfer, where the hard drive is formatted and OS and other software are reinstalled. This is done by data transfer cables available in varieties such as USB, parallel and serial null-modem.

  11. Loved your post. :) I found myself laughing as I went down your top 10 of obvious passwords. I’ve been a lot more paranoid about passwords since one of my webservers was hacked through a wordpress plugin security flaw!

    Anyway, cheers for the post – all the best from Scotland.

    Chris

  12. I doubt you would ever guess my password, and as I have a different password on pretty much any site you would only be able to get on one pages. Here’s an example of how my password is:
    aOFyX__m}X8Z<FW9n.]00jH6.-P"<g$X
    Good luck guessing that one eh..

  13. your concept has opened many of my friends’ eyes after I showed it to them, who keep their password as their first name or their address.I also liked your advice to throw in random capital letters and replacing common letters with unusual characters.One tip I’d like to give out, though most people don’t pay attention to chemistry classes but the molecular formulas of many compounds can be manipulated into good passwords.How is that eh?

  16. I would like to remind everyone here posting about the impracticality of using separate passwords for different sites.

    There are several groups that have stolen millions of passwords, the group on the top of my mind right now is Lulzsec. Do a Google search.

    Anyway, they hacked porn sites, PSN, and the CIA (or FBI, can’t remember) sites and leaked those passwords to a massive amount of people.

    Those (many thousands) of people used those passwords and entered them into bank sites, forums, even Facebook.

    Bottom line is: Follow these instructions! Just because you can’t completely understand how someone can steal your password doesn’t mean they can’t.

  17. Easy Nowadays to find a password.
    Phishing
    keylogging or by using RAT’s
    Bruteforcing
    Sniffing

    Though phishing has become a trend nowadays .Nothing to learn.

  19. I have heard of a suggestion in regards to password security that I wonder if it is true. Instead of thinking of your password as only a word, but as a phrase such as “I love to vacation in palm springs”. The idea being that password cracking programs can only guess at the whole phrase at once not one character at a time. So the above phrase isn’t going to be found in any dictionary. Does this theory hold any water, or is the premise faulty that password crackers can’t break the password one character at a time. What are your thoughts?

    • Pass phrases work rather well. It makes human memorability work out a bit better and even if the list of words you choose from were known, it can be made to make for effective phrases.

      If a language has typically 5000 words in typical use, then three random words would
      be 5000^3 combinations to search, even if I know I should be search on only words.

      Consider using something else for a space symbol.

  20. Would it be insulting if I were to offer an award for a hacking contest, such as to the person first successfully hacked flirt4free.com? What kind of award would be good? Should it be a token symbol like an hacker statuette, or a symbolic $100?

    How would we know s/he actually successfully hacked, without doing any damage to the site of course?

    • Skeptic,

      The last cracking contest I ran, offered the participants the chance to know among their group, how long and in what order their password was cracked. Also, the group was given a brief on any feature of passwords that tend to lead to its longer survival against the cracking software. This free level of reward is often very motivating.

      If I were to give out awards to winners, I would make it a T-shirt that says, “The average password lasted longer than 36 hours against a Pentium Quad Core, how about yours?”

      Or, “My average password lasted less than 2.5 Minutes just like 50% of you all.”

  21. Don’t put too much trust in the Microsoft password checker. According to it, the following is a “best” password:
    abcdefghijklmnopqrstuvwxyz1

    So is:
    111111111111111111111111111111111111111

    Whereas one of my 8 character passwords with capitals and funky characters in a non-dictionary word is classified as “weak”.

  24. To add to this:
    (1) Never use your cell no. as your password
    (2) Website’s name as your password.

    I typically use a combination of two strange words+a few numbers+3-4 special characters. Till now this has kept me safe.

  25. Hacking might be a crime buts its the users duty to protect, I dont know how you calculated the time you would take to hack but I would say one needs to be very very careful.

    • best way to stay safe is dont open any unwanted links. install good antivirus on your system and always leave firewall on

  26. Посмотрит фильм и останешься довольным.
    Прошли те времена когда мы искали двд в клубах и платили за задержку фильма.
    Теперь выбираем и смотрим без морок.

  27. I just read your article on how you can hack into my passwords. I used the ideas that were provided and I now have a super strong PW with 20 characters! Thank you for making me THINK and act now, before it was too late!

  28. Okay. I used to have all different passwords. Too hard to remember. Wrote them down, trashed paper and left on computer at home. Computer went down. Can’t retrieve. Got married and started using one password. I need to start getting back into this. Thanks for your article. I checked my password strength and it came up weak! I didn’t even use any of the first 20% you could get, nor names. Even my (I thought) hard one came up weak. I will definitely be checking out your suggestions and redoing my whole password routine! Thanks so much.

  31. Yes always use a password with 3 combinations, alphabest, numerics and special characters, then it will be very tough to hack.

  32. you can use create your password unique by using your mind just in simple way !!!
    use this sytx:
    “alphabat+special_charachter+numbers”

    e.g.
    “Aka$h.^_^.”

  33. Wow..I was only looking at how to get a Credit Check report and to see whether it was worthwhile paying a monthly fee in case of Identitly Fraud – when I ended up on this Blog by John P. I must say I’ve found it most interesting and as a newbie to all this I’m in awe of most of the replies! I’ve definitely learnt a lot today, so thank you for the advice. (Can’t say I understand it all..it’s a lot to take in) In fact I’m not one for commenting on Blogs ..you can count on one hand how many I’ve done..I can’t get my head round Twitter ..only used it once or twice but sure I’m tweeting to myself..its all the @ signs that get me! lol
    …plus its now nearly two hours since I started reading your info and I’ve still to to apply forthe Report lol! I might add that I use Roboform already but its was only for form filling (I do lots of intesnet competitons)…I didn’t feel safe (!) about using it for storing banking passwords…your advice on how it works was enlightening so I see I can use it in a more more useful way now! Keep up the good work!

  34. Yes,
    Truly this is your advise to keep the password strong enough.
    I recommend to have a password which contains upper case,lower case,numbers and alphabets and special characters and hence closing all loop holes.

    Nice Article
    Liked it
    Thanks

  35. Great article, awesome advice… I’m a bit old so I’m not that computer savvy, so this is very helpful. Even though I use different passwords for my banking I’m still off to change them all now…

    Just curious though, if someone is to use roboform or 1password, what’s to stop a hacker figuring out the master password and then gaining access to everything?… Sorry if that’s a stupid question, but I’m just learning here.

    Again thanks for the info, I’m going to link my whole email inbox to this article and hopefully it can help out a few others.

  37. I need to tell you that all military codes in the past have been broken…to my knowledge. This I believe was because they were written by the intelligent and therefore open to attack by other intelligent people. The weakness of the intelligent is that they will always act intelligently…even to throw you off. They are logical…they think. They always use mental constructs.
    Leave the world of thought and logic to come up with passwords. I will not explain any more. Don’t think up your passwords.

  38. wow, thats pritty easy to hack password. Actually I used to use some of the points you mentioned in first part, hehehe, now i changed it…so need to hack :)

  44. Justforyou, your GPU processing power wouldn’t help you anyhow in the task of discovering my passwords. Untill you manage somehow to get md5 hash for any of them. And, btw if you got md5 hash – it would WAY more efficient to use rainbow tables on SSD harddrives, rather then brute force with GPU.

    I’m working for a big russian antivirus company and from our statistics I can tell you that no matter how strong your password is – it’s quite easy to grab it using trojans, keygrabbers, faked websites etc etc etc

    so password strength is only a small piece in the big puzzle of keeping your web idendity secure.

  45. ok first of all all of this is way to hard all i did was download this thing on my computer and i got passwords from games and stuff thats like it. but i dont use it to hack in to peoples bank accounts and crimmanal stuff like that!!!! OMG!!!

  47. Nowadays we have GPU Power.

    My Ati 5750 does about 18mil. (md5)hashes a sec.

    So the figure shown in the article isn’t good anymore.

    ATI HD5870:
    ~3650M/s single MD5
    ~1360M/s single SHA1

    ATI HD4770:
    ~1075M/s single MD5
    ~350M/s single SHA1

    nVidia GTS250:
    ~570M single MD5
    ~175M single SHA1

  49. I knew a bunch of people at school who would run their fingers across the home row of the keyboard, left to right, and have asdfghjkl;’ as their password for everything. I don’t know if that’s at all common, though.

    Anyway, thanks for the article and the links. I’ll be looking into Roboform after Christmas when I have some spare cash again.

  50. The word “hack/hacking/hacked” is the wrong one for security/black hat/evil/bad/nasty/etc stuff. You want/should consider “Cracker” or “Attacker”.

    See:

    Words to Avoid (or Use with Care) Because They Are Loaded or Confusing – GNU Project – Free Software Foundation (FSF) – http://www.gnu.org/philosophy/words-to-avoid.html#Hacker

    http://www.wired.com/threatlevel/2010/05/hackers-wante/
    http://thepiratebay.org/torrent/5573874/Hackers_Wanted_%282008%29

  51. Another good tip (or one I’ve used for years) You make a sentence in your head which is easy to remember. e.g. ‘I like pepsi cola with 0% sugar in it’ You take the first letter of each word in that sentence i.e. IlPcw0Sii (could be anything really, note how the I, the P for Pepsi and the S for sugar are capitalised). You could create a sentence for each specific account (‘I really really love my Hotmail 4ccount password 80085’…). This way you don’t really need a password manager as you will easily remember the password because of the sentence.

  53. I grabbed some software to try to make creating complicated passwords easy, but I’m always afraid that I might lose the master password, or forget it outright, then I would have to scramble to access the stuff I have passworded.

    Makes me nervous just thinking about it.

  54. This thread is helpful. But people have dragged this conversation to long the point of it is…..STOP USING WEEK ASS PASSWORDS and if you do use them…..well prepare for your online accounts to be eventually stolen if you piss off the wrong people.

  55. All I believe is that, how much characters (long with good combination) you used for your password to be secured, your password can be cracked by indecent hackers. Once they know your email, they’ll search your password through their software. If they found your password encrypted, they have a decrypt software to reveal your password and so the crime begins.

  56. Those things don’t work in some operating systems linux or you who don’t know you can call it UBUNTU ,those BRUTUS force are just mere dreams that ethical hacker are justs trying to show.I my self have used it but i still obtained nothing so i prefer using mine own called ,ENFORCER 57, that is just the version i have made, it has the ability to block if they a trying to track, it hides the password.

  58. Been using Roboform for quite some time now. Can’t live without it. Recommend it to everyone and it is not expensive.

  59. Last time I forgot my password and tried everything i could do but failed, until I found this great tool Windows Password Software. It works great, and you can google it.you can try to google it.

  60. Excellent article — Thank you for taking the time to write this. I just spoke with someone today who told about having an Yahoo email account hijacked. The humble webmail password can be a stepping stone to getting into bank accounts, PayPal, etc. — which users think are safe because they employ a better password for those accounts.

  61. John’s blog was written way back in 2007. The interesting thing is that hackjers now use scripts that make use of the GPU on their graphics boards instead of their CPU. These GPU’s run much faster and sometimes multiple GPUs give parallelism. I would say tha most 7 character passwords could be brute forced in a matter of minutes these days with a fast ADSL line. It is really getting to the stage that passwords are not a safe way to go. banks that I have dealt with in the past have a good way of doing it – they will ask for the nth character in your password several times (at least 3) – a different 3 charcaters could be asked for each time. Thus a lot more permatations can come from the same 10 charcater password. Most a at least dual layer too – requiring user name, passwords and passkey. The best ones provide a digital rotation or formulaic device – they give you a number, you type it in to your device (like a small calculator) and it returns a result – great for bank customers, no good for basic website membership though.

  62. For most of my passwords I use 10 to 12 and more characters. So it seems I am safe considering nobody is going to get busy for 4.48 years to hack my passwords!

  68. My favorite trick for generating a password is to create a sentence that you will remember like:
    When my dogs bark at the squirells we start barking at the dogs.

    I then take all of the first letters and pick a couple to capitalize and a couple to substitute with other characters so you can get:
    Wmdb@tsW$b@+d

    Whala! Completely random (you probably couldn’t remember the characters yourself if you tried to do it without your sentence) and it helps create longer passwords that are both tough and memorable.

  69. This is a good post. The best I’ve read today. The chart showing the times to crack is interesting. I’ve recently started using the password generators that use special symbols, numbers, and letters. I can’t memorize the passwords but after a recent security issue, I’ll go through the hassle of better passwords.

  70. “All those cookies are simply stored, unencrypted and nicely named, in your Web browser’s cache.”. If you have access to the actual computer, things become much easier. How many people have access to your personal computer though?

  72. It seems that even most old people (not from computer generation, that’s the point) wouldn’t use a dictionary word as a password these days.

  73. “All those cookies are simply stored, unencrypted and nicely named, in your Web browser’s cache.”. If you have access to the actual computer, things become much easier. How many people have access to your personal computer though?

    • You have to learn to spell first and be able to form whole sentences before you can hack things!

      • BAHAHAHAHAHA
        OMG so true…sheesh did that guy “Mark” go to school?

        Guessin’ he quit before he learned english!

        Hmmmm, bet his passwords are all the same!?

        There should be a minimum intelligence level achieved before being allowed on the net at all!

        Cheers!

  76. Oh, one more thing: assume criminals will eventually have access to supercomputers, distributed computing, and law-enforcement technologies and techniques. Keeping your passwords on a USB drive is insane if you don’t have them properly encrypted and passworded. People can break into your house, you know. The law can be subverted into doing it for criminals. RIAA, anyone? Nazis and Commies, anyone?

    If you have a master password file, be sure it’s got a completely unique password that really is impossible to break. 32 characters MINIMUM, 256 bit MINIMUM. 4096 bit isn’t insane if you’re important enough, or will be one day.

    Oh, and don’t forget your master password. :)

    Hey, somebody visit my site and tell me if it’s any good. Click my name.

  77. Very good article! The link to the password tester is especially valuable. To get the fourth bar, you need a password of at least 20 characters, though sometimes you need 21-25 or even more if you’re not being creative enough!

    I’d like to mention something you didn’t: escalating computer power. Each year or two, computing power doubles. What takes a trillion years to do now – crack a 13-character password – will, in 10-20 years, take only a billion years, and in another 10-20 years will take only a million years. After a century of progress, it might take only a few seconds to crack a 13-character password.

    If what you have to protect is important enough, you need LONG passwords.

    You’ll note the table shows that simply adding a single character multiplies the time to crack by a factor of about 100 – that is, it takes 100 times as long to find one more character.

    Note also the expanding chasm between cracking lower-case passwords and those which make use of the full keyboard. You have effectively tripled the number of characters that must be tried, but the effect becomes astronomical very quickly! It’s like raising each character added to the power of 4; the cracking factor jumps from about 25x to about 100x for EACH CHARACTER. So use the full keyboard.

    Something a friend taught me was to use unprintable characters. This again boosts your safety by a factor of 2 per character, so that a 13-character password will take 10 million-trillion years to crack. But how to access them? And why don’t all input field allow them? Frex, I used some non-printable characters for a Excel password. I can type those characters within Excel, but I can’t type them into the password field, so Im forced to copy-and-paste.

    So, the lesson, again: draw from a large pool of characters, make passwords 20+ characters, and don’t make them out of words in a dictionary.

  78. Very interesting. When I worked for a bank, I was always shocked at the sheer volume of people who would either tell me their PIN when I asked ‘do you have a pin?’ or have it written on a piece of paper in their wallet/purse. This is the same thing, so many people don’t realise how vulnerable they are having an easily guessable password. Oh well I guess they’ll find out the hard way. Thanks for the article.

  80. I *loved* this article! Really helped out a lot! And thx for all the links.

    I realize a lot of other comments are from people who think they’ve got personalized passwords (diff. passwords for each site) covered, but I’d like to throw my technique out there:

    I’ve used the same password phrase forever, but have changed it around enough and I’m really getting somewhere. My phrase has a lot of letter o’s. I used to change these to 0’s, which I realize was covered in your post! Now I just change the o’s or 0’s to the *second letter* in the domain name (ex: all o’s or 0’s would be changed to “n” if your site required a password). I’ve found that the first or last letter in the domain name can be too obvious sometimes (Facebook = k or Gmail = g).

    Next, my original phrase has 3 words. Between the first and second word I enter the number of syllables in the domain name (“3” for this site). Between the second and third word I enter the number of words in the domain name (“3” again for this site). Lastly, I enter the number of vowels in the site name at the very end (“4” for this site).

    I have not integrated capitals…yet. Maybe I’ll change the number of vowels from a number (“4”) to capitalizing the corresponding letter in the password (the 4th letter in the password will be capitalized for this site).

    Ex: If my phrase was originally, oh, i dunno… “cop on pot”
    Step 1: cnpnnpnt (the second letter of this site is “n”)
    Step 2: cnp3nn3pnt4 (3 syllables, 3 words, 4 vowels)

    Ex (for Facebook): cap2an1pat4
    Ex (for Gmail): cmp2mn2pmt2

    It’s about that time to change up *all* of my passwords yet again! I think I might change the second letter thing to the letter on my qwerty keyword directly to the right of that letter w right-most letters going left one (ex: “m” for this site)(anything with “p” would be “o”). I also think I’ll put all the numbers at the very end instead. I might try to utilize the space bar and capitals (as you mentioned). I’m not sure about special characters, as a lot of sites I use don’t accept them.

    Any other simple conversion suggestions I could integrate? (aka like my 0’s or o’s to the second letter of the domain name)…

    And what do you think?

  81. Dark Helmet: So the combination is… one, two, three, four, five? That’s the stupidest combination I’ve ever heard in my life! The kind of thing an idiot would have on his luggage!

  82. Great post, its shocking how easy people can hack in to things. One things i’m scared of is somebody hacking my WordPress Blog… Any Tips how to prevent it?

    Cheers
    Stuart

  84. great article…just one thing..most password crackers hv 1337 mode nw..so usng 1337 tok is no good..nd i wd also hv mentiond nt falng prey to social engineering…nd to the wise guy hu uses copy..most if nt all keyloggers also log th clipboard…nd yeah u may hv hiddn ur txt file prety wel bt givng ur ip is THE most stupidest thng to do…u thnk gd no blackhat read ths script kiddie

  85. Interesting article, I have wrote an article about passwords in a new blog which links in with what you have wrote here, “Why ONE Unbreakable Password is not enough “.
    http://is-hacked.com/2010/why-one-password-is-not-enough/

    On Tuesday at 9pm, will also outline the dangers of such in a real world example, of hacking several websites including one or two known names. (Those effected, have been notified)

  86. Use an easy to rember sentence

    “My brother David moved to No. 12 Pleasant Drive in 2001”

    becomes

    MbDmtN1PDi2

  87. No bank I know will just email you out your password. My bank requires a pin number AND a password and never requests the whole thing (just e.g. digits 1, 5 and 9). If you forget your password they send you one in the post for security reasons with a separate pin number.

  88. I’ve seen applications like RoboForm, but then a hacker would just need to crack the 1 password, through any method, and get access to EVERYTHING.

    • I presume that RoboForm stores a different, more or less randomized password for every place you go to – that way, if a hacker cracks one site, it’s not useful for any other site, and all they can do is sneak a keylogger onto your computer.

  91. Seriously LOVED this article. Thought I use many of the techniques, I would have never shared the information and let the HELPLESS stay HELPLESS with a weak password. LOL.

    Good write up and topic, and the CHART was good information/great example.

    Web Your Name®

  92. I heard Facebook is a social networking website that is operated and privately owned by Mark Zuckerberg, Eduardo Saverin, Dustin Moskovitz and Chris Hughes and others.. It’s pity Facebook does not actively enforce the age limit, resulting in children under the age of 13 using it.

  93. Great article, found this after hearing a story on NPR about password security and wanted to verify their numbers. I’m a tech support agent, so it’s handy to have stuff like this to show customers.

  94. My favorite technique to create a password is to just bang out some alpha-numeric spam on my keyboard (if some special symbols get in there, it’s just some extra spice, can get those by keeping a finger on the shift key and tapping it as you go). Usually I bang out a string that is too long, like 2dt82t[2t-g21=gr3484gvrhd9r64nrf*v5d7ge5. Many places have limits on password length, no problem, just delete some of the characters until you’re within the limit. The next step is to change some of the letters to upper-case which is easy to do in my text editor (highlight a couple chars, press the to-upper-case button). You could also use one of the many password generators that can be found online. The problem now is that you can’t remember your password. The solution is to save the password to a text file on your computer (and make sure no one can get at it, and don’t create a shortcut to it on the desktop or you’re as screwed as the guy who uses ‘god’ as all his passwords). You could store the text file on a pen drive, flash memory device or something that never leaves your personal desk (which no one has access to). Now you can copy and paste your crazy passwords into forms which will also always defeat keylogger hacks because you’re not pressing any keys aside from CTRL+C and CTRL+V. I’ve been using this method for almost ten years and have never had a password compromised (and for one example: I’ve been the envy in a couple video games I played, I’m sure people have tried). The only things I really have to worry about are non-encrypted data transfers which may be intercepted (always a possibility) or someone gaining access to my computer and locating the file (not likely but you’re welcome to try, I’m currently located here: 24.240.68.151 // USA, WI, Madison, Charter). Cheers everyone, best of results in keeping your accounts and data safe! =)

  95. @James:

    The best way to be sure is to turn your firewall on and make programs ask to be let through. Be vigilant – only let things through that you know are legitimate. Oh, and read the executable names properly – a clever way is to replace some letters with other letters that look similar – such as replacing lower case Ls with upper case Is. “rundIl32” in the default font looks suspiciously similar to “rundll32” – in this font you see the difference, of course.

    Anti-virus packages like Sophos and Norton may analyse the behavior of running programs and put a stopper to ones that are acting suspiciously. “Virtually indetectable” (well it’s undetectable actually, but I digress) is a very broad term, and is most likely just a insubstantial boast more than anything else. Nothing is undetectable if you know where to look, and what to look for.

    If you want to be super sure of your system’s cleanliness, reformat your PC and reinstall your operating system. Better yet, replace your hard drive. If you want to be super pedantic, replace your entire computer. But we’re getting off track into sheer paranoia here.

    If this malicious program is transmitting its findings over the Internet, turning your firewall on in the way that I have suggested would most likely stop that in its tracks as long as you’re not just clicking “Unblock” to everything.

    Due diligence is all it takes to be safe. Don’t click on links you see in emails, especially if they claim to be from your bank. Be careful what you click on, and be sure before you accept any change to your system. And above all, BACKUP OFTEN. You never know when something will come along and wipe out everything on your computer.

  96. Great though scary article.

    I am worried that someone may have delivered password hacking software to my PC via an executable in an email. I k now this person has done things like this before.

    When I read the hacking software product descriptions they often claim to be virtually indetectable once they are on your PC. Is it true that say Norton would not pick them up?

    How can I assure myself my PC is clean?

    Thanks in Advance

  99. John,

    I just stumbled across your blog and read your “How I’d Hack Your Weak Passwords” comments.

    I have a Fidelity Investments account. The PIN for the account has a maximum length of 12 characters. The characters must consist of the numbers 0-9 and the letters a-z (both lower and upper case permitted), no special characters permitted. But…all of the letters are converted into numbers based upon the touch tone keypad on most any telephone. So the PIN basically consists of a maximum 12 character long value consisting of the numbers of 0 through 9. Based upon the assumptions contained in your password length/ # of characters table, how long would it take for a hacker to generate every possible combination of numbers?

    I am guessing a couple of minutes.

    The only recourse I have found thus far is to use a very long, weird and unique username, so the username is acting more as the password than the password is.

    I am not happy with this situation.

    I would appreciate any feedback you would give me.

    Thanks for your consideration.

    Doug

    • Doug,

      Yes, this is a sad state of security indeed. I would suggest that the most effective means of getting something like this changes is actually to shed light on it. This is what ethical hackers do when they exploit a system in order to reveal the faults that a criminal would take advantage of.

      How about writing a letter to the New York Times saying exactly what you said here and referencing this article just in case they need a little enlightement? But don’t stop there, send a duplicate letter to USAToday, and a couple of other publications.

      If even one of them picks up the story you’ll see things change at Fidelity so fast it’s not funny. Of course, you could also always vote with your wallet by moving to another provider. I’m not a huge fan of Fidelity to start with…

      Cheers,

      John P.

      • i’m equally as bugged about the state of online banking.

        i currently have an account that has a MAXIMUM of 8 characters long. EIGHT!

        seriously? they can update the website to use all new .net code, but you stick with the same old ass database schema? >.<

  100. This works well:

    Take a secret word, 13 characters is convenient. Now pick a seed a word associated with the system you’re logging in to. Could be the website name, your user name (if it’s unique), the business, whatever.

    Using the seed to modify your start point in the secret word, and to add additional numbers.

    For example, say the seed was “lifehacker” and the secret word was mishmashables. Take the number of letters in ‘lifehacker’ (10) and start that many into mishmashables and type out, say, 8 characters, looping at the end of the word.
    Lifehacker = esmishma
    Now use the number of letters in the seed to further fuck it up
    esmishma101890

    (in this case the rule is num of letters in the seed, ‘number’ of the last letter of the seed (just counted out, b=2, z=26, etc.), num lttrs sqr – num letters) = 10 , 18 , 90

    tons more rules are possible, but you get the picture.

    there you go! nothing to write down so long as you’re disciplined in how you generate your seed words.

    the problem is a LOT of seeds have 7 letters (who knew) and if you’re generating many passes for the same organization using the same user name it’s hard to get unique seeds. The latter is a serious issue, still working on a fix. Suggestions welcome!

    share and enjoy