4/09/2007

Passwords : What You Need To Know

One of the things that constantly amazes me is people’s lack of care with their passwords.

The problem is, people just aren’t really all that concerned with their own security. Why bother with a strong password? If someone wants to get a kick out of reading my email, let them! There’s nothing super-secret in there!

Well, unfortunately, that’s a very short-sighted and dangerous view.

Most people tend to use the same password (or a small number of passwords) for pretty much everything. So let’s say I have the same password on my webmail as I do on my internet banking. Sure, my bank’s webpage will lock you out after three failed attempts…but my webmail doesn’t. A hacker takes his time, gets into my email, and then tries that same password on my bank, my PayPal account, anything I have behind a password. In a few short steps we go from ‘worthless’ emails to major financial and identity theft.

Starting to look a little more serious now, isn’t it?

Secondly, you have to be aware of social engineering, and the fact that most hackers looking for passwords get them by collecting very small, seemingly unimportant pieces of information that when put together lead to the more important stuff.

Social engineering is a little out of scope for this post, so I’ll keep it simple. Most people tend to use things like their spouse’s name, date of birth etc. as passwords. So, even if you use separate passwords for your bank and webmail, if I can crack a weak email password…I can get information about you from your emails that gives me a clue to your bank password. People tend to use things like a spouse’s name, or their date of birth etc…all easily gleaned from a few choice emails.

Choosing a Secure Password

There is a list of passwords hackers always try first. Your date of birth, your date of birth backwards, ‘Password’, ‘letmein’, ‘God’, ‘qwerty’ etc. Sadly, a lot of the time, passwords from this relatively short list turn out to be the correct ones…goodbye bank balance.

So what should you do, and what makes a secure, strong password?

Well, first of all, avoid any from the above list…even spelled backwards. If you think a hacker isn’t willing to sit in front of a PC for a few hours trying passwords, you’re kidding yourself.

Secondly, avoid anything obvious or personal. When I was in college, there was a classmate who got his user account hacked on an almost daily basis. (Luckily, it was by his friends as a practical joke). But what made his passwords so easy to crack?

Well, he started with the name of his favorite football team. Then he changed it to the team manager’s name, then their home stadium, then went through a list of the players…you get the idea. He gave the ‘hackers’ a very small sample of passwords to try. If I want to crack your password, I’m going to try everything from your husband or wife’s name, to your pet’s name, to the title of your favorite song.

The trick is to pick something totally and completely random, preferably not even a dictionary word. I’ll explain why in the next section.

The thing is, people want passwords that are ‘easy to remember’, and a basic rule of thumb is: the easier it is for you to remember, the easier it is for anyone with a little bit of knowledge about you to crack. However, memorizing isn’t all that hard. You remembered your phone number easily enough, right? And that’s just a random grouping of numbers!

If you want to be secure, remembering a random password is easy enough.

Beyond Guessing

Remember how I said to even avoid dictionary words? Well, that’s because they are easily cracked by ‘dictionary cracker’ software. A program on the hacker’s computer simply enters word after word, hoping it will stumble upon the correct one.

Bearing in mind that a dictionary cracker can try hundreds of words per second, it could crack a dictionary word password in just a few seconds.

Next comes something that surprised me. I prided myself on the fact that my passwords were all completely random 10-digit numbers. Absolutely impossible to guess, and nothing a dictionary cracker would ever find.

Then I experimented and found a piece of software that managed to crack my passwords in under three seconds.

How did it do this? I’ll tell you.

Another common hacker tool is a plain brute-force cracker. It just keeps trying to crack your password by feeding it one grouping of letters or numbers after another. So, my ten digit password wasn’t difficult to crack at all. It simply counted up from 0000000000 to 9999999999 in sequence until it got the right combination (a feat that took it less than three seconds). It’s the equivalent of trying to break into one of those three digit briefcase locks by just trying every combination until you get to the one that works. Despite the fact that a ten digit number has 10000000000 possible combinations, we’re also using a computer that can try hundreds of thousands of combinations a second…it doesn’t take long at all.

So how do you beat this?

Well, the truth is you can’t. Not really. All passwords can be broken, but the aim of the game is to have a password that will simply take too long to crack. A committed hacker might leave a cracker running for a few days or a week or two…but if your password is strong to the point where it will take hundreds or thousands of years to crack…you can safely assume you’re secure.

Ok, to understand how to beat these crackers, you have to understand how they work.

It will start by simply running through the alphabet and trying each letter it comes across as a password. (Just in case you’re dumb enough to have the letter ‘A’ as your password). If that doesn’t work, it’ll try two letters, going through the entire alphabet in every possible combination. If that doesn’t work, it’ll move up to three letters and so on and so on. Then it will do the same with numbers. Then it will try with mixtures of letters and numbers.

So what does this tell us so far?

It tells us that the strongest password will be a mixture of letters and numbers, and the longer your password, the harder it is to crack. As we’ve already seen, it can crack a ten digit number in seconds, and the same goes for any length of word…but by mixing numbers and letters together, it suddenly makes the job a whole lot harder.

However, the longer your password, the harder it is to crack. I can’t stress this enough. Going from a 5 character password to a 10 character password makes an almost unbelievable difference in how difficult it is to crack…I’ll explain this in detail later.

So, it’s simple enough to see that by mixing letters and numbers, the cracker has to try every single combination of the numbers 1-9 and the letters A-Z mixed together in a long sequence of characters. By adding more characters, we’re increasing the number of possibilities exponentially.

However, there’s still more you can do.

Passwords tend to be case-sensitive, so mixing capitals with lower-case letters also exponentially increases the number of possibilities. Inserting special characters, such as !, @, #, $ or %, ramps up the number of possibilities as well. (By using a mixture of upper and lower case letters, we’re doubling the number of alphabetical letters the cracker has to deal with…even more so with special characters).

If this seems like a lot of trouble, here’s the difference it makes:

A five character password using only numbers and letters would take about two and a half hours to crack, but only twelve seconds if you only use lower case letters.

A seven character password using only numbers and letters would take about two and a half years to crack, but only about two hours and forty-five minutes using only lower-case letters.

A ten character password would take over four and a half years to crack, but (and this is the big point of all this), 1,900,000 years to crack using a mixture of upper and lower case.

So by now you see my point: even a supposedly ‘strong’ five character password can be cracked in a couple of hours, even using upper and lower case letters. By moving to seven characters we’re at a much stronger 2.5 years, and once we get to 10 characters you’re changing the amount of time it will take to crack from two and a half hours to almost two million years.
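To make the counting argument of the last few sections concrete (the cracker working through every length in turn, and the alphabet growing as you add digits, upper case and symbols), here is an added example that is not from the original post: it computes the search space and worst-case exhaustion time for a password. The guess rate is an assumed constant and the character classes are the printable ASCII ones, so the times will not match the article’s figures exactly.

```python
import string

# Character classes a brute-force cracker must add to its alphabet once a
# password uses them: the article's digits, letters, upper case and symbols.
CLASSES = (
    set(string.digits),           # 10 characters
    set(string.ascii_lowercase),  # 26
    set(string.ascii_uppercase),  # 26
    set(string.punctuation),      # 32 printable ASCII symbols
)


def alphabet_size(password: str) -> int:
    """Size of the smallest class-based alphabet that covers the password."""
    size = sum(len(cls) for cls in CLASSES if any(c in cls for c in password))
    if size == 0:
        raise ValueError("password uses no recognised character class")
    return size


def keyspace(alphabet: int, length: int) -> int:
    """Candidates an exhaustive search tries before finishing the given
    length, counting every shorter length first (one character, then two,
    then three ...), as the article describes."""
    return sum(alphabet ** n for n in range(1, length + 1))


def seconds_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case time to run through the whole keyspace at the given rate."""
    return keyspace(alphabet_size(password), len(password)) / guesses_per_second


def human_duration(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    # Constructed sample passwords in the spirit of the article's comparison.
    rate = 3e9  # assumed guesses per second; adjust for your own threat model
    for pw in ("0123456789", "abcde", "abcdefg", "aB3$eF7!gH"):
        print(f"{pw:<12} alphabet={alphabet_size(pw):>3} "
              f"time={human_duration(seconds_to_exhaust(pw, rate))}")
```

Run it and compare the 5-, 7- and 10-character rows: the jump in alphabet size and length is what turns hours into years.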

Summing Up

DO NOT : Use common words or phrases.

DO NOT : Use short passwords.

DO NOT : Use anything ‘guessable’ by someone who knows a little about you.

DO : Use random strings of letters, numbers and special characters.

DO : Use a different password for each account you have.

Lastly, the best tip I can give you:

It doesn’t matter how strong your password is if you write it down and leave it lying around for someone to find. That’s about as secure as writing your PIN number on the back of your cash-card.
