Technology Tips For Lawyers

Are Your Passwords Strong Enough To Survive A Brute-Force Attack?

5/31/2013




[Chart: estimated time to brute-force a password, by length and character set]
Passwords protect most of what you keep on the internet. Email accounts, social networking accounts, cloud storage accounts, SaaS applications: practically everything you do online requires a password. Most of us just absentmindedly create an easy-to-remember password without giving it much thought. The problem is that a password that is easy for you to remember is usually also easy for an attacker to guess. In fact, with the tools available today, practically anyone can crack passwords. In this article I have some examples of how easy it is for passwords to be cracked. But first, let's take a look at how the password authentication process works.


How do passwords work?

When you create a password on a well-run website, the site does not store the password itself. It runs the password through a one-way hash function and stores the result, called a hash. (People often describe this as "encrypting" the password, but it is not: encryption can be reversed with a key, while a hash is designed so that nobody, the site included, can turn it back into the password.) When you attempt to log in, the site hashes the password you just entered and compares the result against the hash it stored when the account was created. If the two hashes match exactly, you are logged in. A site that does this properly also mixes a random per-account value, called a salt, into each hash and uses a deliberately slow hash function, so that two users with the same password get different hashes and every guess costs an attacker real time.

Password cracking does not mean decrypting the hash; there is nothing to decrypt. Instead the cracker obtains the site's stored hashes and feeds them to a password cracking program, which guesses candidate passwords, hashes each guess the same way the site did and checks whether the result matches any stored hash. These programs generally combine a brute-force method with a wordlist method. Brute-force simply tries every possible combination of characters, shortest first. The wordlist method draws candidates from a list of common words, names and number combinations, usually with "rules" that append a year, capitalize the first letter or swap in symbols, to catch the patterns people actually use. The program keeps hashing candidates until it finds a match. The recovered password can then be used to gain unauthorized access to the account and, because people reuse passwords, frequently to accounts on other sites as well.
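The two methods just described, as an added example rather than code from the original post or from any real cracking tool: a constructed "leak" of four unsalted MD5 hashes is attacked first with a tiny wordlist plus mangling rules, then with a short brute-force pass. The wordlist, rules and plaintexts are invented for the example. Because the hashes are unsalted, each guess is hashed once and checked against the whole dump, which is the property that made the Ars Technica list so quick to crack.

```python
import hashlib
import itertools
import string
from typing import Dict, Iterable, Iterator

# Constructed sample "leak": unsalted MD5 hashes, like the list Ars Technica
# worked from. The plaintexts behind them are chosen for this example only.
LEAKED_HASHES = {
    hashlib.md5(b"password").hexdigest(): None,
    hashlib.md5(b"Summer2013").hexdigest(): None,
    hashlib.md5(b"letmein!").hexdigest(): None,
    hashlib.md5(b"zq7").hexdigest(): None,
}

# A tiny wordlist standing in for the multi-million-entry lists crackers use.
WORDLIST = ["password", "summer", "letmein", "welcome", "qwerty"]


def mangle(word: str) -> Iterator[str]:
    """Rule-based variants of one dictionary word, mimicking cracker rule sets."""
    yield word
    yield word.capitalize()
    yield word + "!"
    for year in range(2010, 2015):
        yield word + str(year)
        yield word.capitalize() + str(year)


def wordlist_candidates(words: Iterable[str]) -> Iterator[str]:
    for w in words:
        yield from mangle(w)


def brute_force_candidates(alphabet: str, max_len: int) -> Iterator[str]:
    """Every string over `alphabet` up to `max_len` characters, shortest first."""
    for n in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=n):
            yield "".join(combo)


def crack(hashes: Dict[str, None], candidates: Iterable[str]) -> Dict[str, str]:
    """Hash each guess once and look it up against every remaining leaked hash.

    With unsalted hashes one MD5 computation tests a guess against the whole
    dump; salting would force one hash per guess per account.
    """
    found: Dict[str, str] = {}
    remaining = set(hashes)
    for guess in candidates:
        if not remaining:
            break
        h = hashlib.md5(guess.encode("utf-8")).hexdigest()
        if h in remaining:
            found[h] = guess
            remaining.remove(h)
    return found


def crack_dump(hashes: Dict[str, None]) -> Dict[str, str]:
    """Wordlist-with-rules first (cheap, catches human patterns), then a short
    brute-force pass over lowercase letters and digits for whatever is left."""
    found = crack(hashes, wordlist_candidates(WORDLIST))
    leftover = {h: None for h in hashes if h not in found}
    found.update(crack(leftover, brute_force_candidates(string.ascii_lowercase + string.digits, 3)))
    return found


if __name__ == "__main__":
    for h, plaintext in crack_dump(LEAKED_HASHES).items():
        print(h, "->", plaintext)
```

Three of the four fall to the wordlist pass without any exhaustive search; only the random three-character string needs brute force, and even that takes well under 50,000 guesses.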

Running a password cracking tool against a website's login form (an online attack) gets nowhere, because nearly all sites now limit the number of invalid passwords that can be entered. Usually around 3-5 attempts are all you get before the site locks the account or makes you wait a specified amount of time before you can try again. The attacks described in this article are offline attacks: the cracker already has a copy of the stored hashes and can test billions of guesses per second on his own hardware, with no lockout to stop him.

How hard (or easy) is it for someone to crack my password?

Nate Anderson, writer and editor for Ars Technica, had never cracked passwords before, but he decided to try it to see just how hard it is. By the end of the first day he had cracked 8,000 passwords. With a little determination and the right programs, anyone can potentially become a password cracker.

Ars Technica then performed a second test, handing the same list of over 16,000 password hashes to three cracking experts. One of them recovered 90% of all the passwords in just 20 hours! Another got 82% in a little over an hour, and the third got 62% in an hour. The list consisted of unsalted MD5 hashes, which is close to the worst case for users: MD5 is very fast to compute, and without salts a single guess can be checked against every hash in the list at once.

Holy Toledo! How strong should I make my password!?!

Keep in mind that the hashes a website stores are not supposed to be available for anyone to download. But it happens. If the website is breached, the whole table of hashes can be copied out, and hashes sometimes end up in outside hands during a security audit as well. Cracking also has legitimate uses, such as recovering the password to an important file or document you have forgotten. But the fact is, if your hash is stolen or falls into the hands of unethical users, your password may be on the wrong side of a brute-force attack.

Passwords should never be less than 6 characters long, and personally I prefer 12 or more. As you can see from the chart above, a password of 7 characters using a combination of numbers, letters and special characters can be cracked in a little over a week. But look at the jump from 7 to 8 characters: suddenly that week has turned into 27 months. Every extra character multiplies the number of combinations by the size of the character set, so a password of 12 characters or more would take astronomically longer than that to crack.

The problem is that people want convenience. They don't want to try to remember dT^Nsq#c*hl$bV when they can just remember something like MyFordRocks73 or iLuvJesus2013. Those two look long, but they are dictionary words with a year tacked on, exactly the pattern a wordlist attack with rules tries first, so they will be cracked extremely fast. The Top 25 list of most commonly used passwords in 2012 is a chilling reminder of just how common the most popular passwords are. These passwords should NEVER be used. If you want to make sure your password isn't on any common list, avoid the top 10,000 most commonly used passwords as well. Since a strong password is hard to remember, and you need a different one for every site so that one breached site does not hand attackers the keys to the others, a password manager is the practical way to keep them.

To get an idea of how secure a password is, you can test it on a site such as https://howsecureismypassword.net/, which rates its strength and estimates how long a cracker would need to recover it. One caution: never type a password you actually use into a third-party site. Test a password of the same shape and length instead, and change a few characters before you use the real one.
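The strength reasoning above, as an added example that is not from the original post and is not the method used by howsecureismypassword.net: a local checker that rejects entries from a common-password list, flags the "dictionary words plus a year" shape of MyFordRocks73, and otherwise works out the brute-force keyspace and worst-case time for a given guess rate, so the 7-to-8-character jump can be seen directly. The common-password list, the dictionary and the 10 billion guesses per second rate are constructed stand-ins for this example, not the figures behind the article's chart.

```python
import math
import re
import string

# Constructed stand-ins for the real lists the article points to: a few entries
# from the "most common passwords" list and a tiny dictionary.
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "abc123",
                    "monkey", "letmein", "iloveyou", "welcome", "football"}
DICTIONARY = {"my", "ford", "rocks", "i", "a", "luv", "love", "jesus", "summer",
              "password", "welcome", "dragon", "admin"}

# Assumed offline guess rate for a fast, unsalted hash on a GPU rig: an
# order-of-magnitude figure for this example only.
GUESSES_PER_SECOND = 10_000_000_000


def charset_size(password: str) -> int:
    """Size of the alphabet a brute-forcer would have to cover for this password."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # the 32 ASCII symbols
    if any(c not in string.printable for c in password):
        size += 100  # rough allowance for non-ASCII characters
    return size


def brute_force_keyspace(charset: int, length: int) -> int:
    """Number of candidates an exhaustive search over `length` characters must cover."""
    return charset ** length


def brute_force_seconds(charset: int, length: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to exhaust the keyspace; the average case is half of this."""
    return brute_force_keyspace(charset, length) / rate


def looks_like_dictionary_words(password: str) -> bool:
    """True when every alphabetic run (split on case changes) is a dictionary word:
    the MyFordRocks73 shape that rule-based wordlist attacks recover quickly."""
    words = re.findall(r"[A-Z]?[a-z]+", password)
    return bool(words) and all(w.lower() in DICTIONARY for w in words)


def assess(password: str) -> tuple:
    """Return (verdict, entropy_bits, worst_case_seconds) for a candidate password.

    Keyspace math only applies once the cheap attacks are ruled out, which is
    why the common-list and dictionary checks come first and report 0 bits.
    """
    stripped = password.lower().rstrip(string.digits + string.punctuation)
    if password.lower() in COMMON_PASSWORDS or stripped in COMMON_PASSWORDS:
        return ("common", 0.0, 0.0)
    if looks_like_dictionary_words(password):
        return ("dictionary", 0.0, 0.0)
    space = brute_force_keyspace(charset_size(password), len(password))
    bits = math.log2(space) if space > 0 else 0.0
    seconds = space / GUESSES_PER_SECOND
    if bits < 50:
        verdict = "weak"
    elif bits < 75:
        verdict = "fair"
    else:
        verdict = "strong"
    return (verdict, bits, seconds)


if __name__ == "__main__":
    for pw in ["password", "Password1!", "MyFordRocks73", "iLuvJesus2013", "zq7", "dT^Nsq#c*hl$bV"]:
        print(f"{pw!r:20} -> {assess(pw)}")
    # The jump the chart shows: one more character over 95 printable ASCII
    # symbols multiplies the search space by 95.
    print("7 chars:", brute_force_seconds(95, 7) / 86400, "days")
    print("8 chars:", brute_force_seconds(95, 8) / 86400, "days")
```

Running it offline is the safe alternative to pasting a real password into a web form; the verdict thresholds are a judgement call for the example, and the dictionary check is deliberately simple, so treat it as a floor rather than proof of strength.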


Related articles
  • How to crack zip file password (alexwillscorp.wordpress.com)
  • Cracking 16 Character Strong Passwords (g33kcoder.wordpress.com)
  • Hackers crack over 16,000 passwords with 90 per cent success (itproportal.com)
  • The Easiest Ways Not to Get Hacked (theatlanticwire.com)
  • Think you have a strong password? Hackers crack 16-character passwords in less than an hour (thisismoney.co.uk)
  • How to set up and use BlackBerry Password Keeper (helpblog.blackberry.com)
  • Anatomy of a hack: even your 'complicated' password is easy to crack (wired.co.uk)
  • How Passwords Get Hacked & Why You Should Be Concerned (simplyzesty.com)
  • New tool cracks Apple iWork passwords (reviews.cnet.com)
