Are Your Passwords Strong Enough To Survive A Brute-Force Attack?
Passwords protect every piece of your data on the internet. Email accounts, social networking accounts, cloud storage accounts, SaaS applications- practically everything you do online requires a password. Most of us just absentmindedly create an easy-to-remember password without giving it much thought. The problem with that is that if the password is easy for you to remember it may be easily guessed by hackers. As a matter of fact, with the technology available today, practically anyone can crack passwords. In this article, I have some examples of how easy it is for passwords to be cracked. But first, let's take a look at how the password authentication process works.
How do passwords work?
When a password is created on a website, the site stores the password in its encrypted form. This is called a hash. When a user attempts to login to the website, the site encrypts the password that the user just entered, and then compares this hash against the hash that the site previously stored when the account was created. If the two hashes are an exact match, the user is logged in successfully.
The password cracking process involves getting the site's pre-stored hash and decrypting it using a password cracking application. These programs generally utilize a brute-force cracking method and/or a wordlist cracking method. Brute-force simply starts trying every possible combination in alphabetical order. The wordlist cracking method is when the program uses a list of common words and number combinations to acquire the password. The password cracking program runs the hash against the list of password combinations until it finds a match. The password can then be used to provide unauthorized access to the account.
Trying to run a password cracking tool on an actual website will not work as nearly all sites now set limits to the number of invalid passwords that can be entered. Usually around 3-5 attempts are all you get before the site will lock the account or make you wait a specified amount of time before attempting to login again.
The password cracking process involves getting the site's pre-stored hash and decrypting it using a password cracking application. These programs generally utilize a brute-force cracking method and/or a wordlist cracking method. Brute-force simply starts trying every possible combination in alphabetical order. The wordlist cracking method is when the program uses a list of common words and number combinations to acquire the password. The password cracking program runs the hash against the list of password combinations until it finds a match. The password can then be used to provide unauthorized access to the account.
Trying to run a password cracking tool on an actual website will not work as nearly all sites now set limits to the number of invalid passwords that can be entered. Usually around 3-5 attempts are all you get before the site will lock the account or make you wait a specified amount of time before attempting to login again.
How hard (or easy) is it for someone to crack my password?
Nate Anderson, writer and editor for Ars Technica, had never cracked passwords before. But he decided to perform a test to see how just how hard it is. By the end of the first day, he had cracked 8,000 passwords. With a little determination and the right programs, anyone can potentially become a password cracker.
Ars Technica performed another test after this, using three "cracking experts" to attempt to crack a list of over 16,000 passwords. One of the men was able to successfully retrieve 90% of all passwords in just 20 hours! Another got 82% in just a little over an hour and the other got 62% in an hour.
Ars Technica performed another test after this, using three "cracking experts" to attempt to crack a list of over 16,000 passwords. One of the men was able to successfully retrieve 90% of all passwords in just 20 hours! Another got 82% in just a little over an hour and the other got 62% in an hour.
Holy Toledo! How strong should I make my password!?!
Keep in mind that even though the websites store your encrypted passwords, they are not available for anyone to download. But it happens. If the website is breached, all the hashes can be downloaded. Sometimes they can be stolen during a security audit. And sometimes this can be used for good, in case you forget the password to an important file or document. But the fact is, if it does get stolen or accessed by unethical users, your password may be on the wrong side of a brute-force attack.
Passwords should never be less than 6 characters long and personally, I prefer 12 or more. As you can see by the chart above, a password of 7 characters, using a combination of numbers, letters and special characters can be cracked in a little over a week. But look at the jump from 7 to 8 characters. Suddenly that week has turned into 27 months. A password of 12 characters or more would take astronomically longer than that to crack. But the problem is- people want convenience. The don't want to have to try to remember dT^Nsq#c*hl$bV when they can just remember something like MyFordRocks73 or iLuvJesus2013. These passwords will be cracked extremely fast. The Top 25 list of most commonly used passwords in 2012 is a chilling reminder of just how common the most popular passwords are. These passwords should NEVER be used. If you want to make sure your password isn't on any common list, avoid the top 10,000 most commonly used password list as well. To find out how secure your password is, you can test it on sites such as https://howsecureismypassword.net/ which will tell you how strong it is and approximately how long it will take for a cracker to successfully decrypt it.
Passwords should never be less than 6 characters long and personally, I prefer 12 or more. As you can see by the chart above, a password of 7 characters, using a combination of numbers, letters and special characters can be cracked in a little over a week. But look at the jump from 7 to 8 characters. Suddenly that week has turned into 27 months. A password of 12 characters or more would take astronomically longer than that to crack. But the problem is- people want convenience. The don't want to have to try to remember dT^Nsq#c*hl$bV when they can just remember something like MyFordRocks73 or iLuvJesus2013. These passwords will be cracked extremely fast. The Top 25 list of most commonly used passwords in 2012 is a chilling reminder of just how common the most popular passwords are. These passwords should NEVER be used. If you want to make sure your password isn't on any common list, avoid the top 10,000 most commonly used password list as well. To find out how secure your password is, you can test it on sites such as https://howsecureismypassword.net/ which will tell you how strong it is and approximately how long it will take for a cracker to successfully decrypt it.
Related articles
- How to crack zip file password (alexwillscorp.wordpress.com)
- Cracking 16 Character Strong Passwords (g33kcoder.wordpress.com)
- Hackers crack over 16,000 passwords with 90 per cent success (itproportal.com)
- The Easiest Ways Not to Get Hacked (theatlanticwire.com)
- Think you have a strong password? Hackers crack 16-character passwords in less than an hour (thisismoney.co.uk)
- How to set up and use BlackBerry Password Keeper (helpblog.blackberry.com)
- Anatomy of a hack: even your 'complicated' password is easy to crack (wired.co.uk)
- How Passwords Get Hacked & Why You Should Be Concerned (simplyzesty.com)
- New tool cracks Apple iWork passwords (reviews.cnet.com)
RSS Feed