2/4/2011 12:23 PM ET
How I'd hack your passwords
An Internet security expert explains just how vulnerable your online accounts are. He also provides tips on making passwords more secure.
If you invited me to try and crack your password -- you know, the one that you use over and over for like every Web page you visit -- how many guesses would it take before I got it?
Let's see . . . here is my top-10 list. I can obtain most of this information much more easily than you think. Then I might just be able to get into your e-mail, computer or online banking. After all, if I get into one, I'll probably get into all of them.
- Your partner, child or pet's name, possibly followed by a 0 or 1 (because they're always making you use a number, aren't they?).
- The last four digits of your Social Security number.
- 123 or 1234 or 123456.
- Your city, or college, football team name.
- Date of birth -- yours, your partner's or your child's.
Statistically speaking, that should probably cover about 20% of you. But don't worry: If I didn't get it yet, it will probably only take a few more minutes before I do.
Hackers, and I'm not talking about the ethical kind, have developed a range of tools to get at your personal data. And the main impediment standing between your information remaining safe, or leaking out, is the password you choose. (Ironically, the best protection people have is usually the one they take least seriously.)
One of the simplest ways to gain access to your information is through the use of a brute-force attack. This is accomplished when a hacker uses a specially written piece of software to attempt to log into a site using your credentials. A few years ago, Insecure.org published a top-10 list of password crackers.
So, how would one use this process to actually breach your personal security? Simple. Follow my logic:
- You probably use the same password for lots of stuff, right?
- Some sites you access, such as your bank or work VPN, probably have pretty decent security, so I'm not going to attack them.
- However, other sites, such as an e-mail greeting-card site, an online forum you frequent or an e-commerce site you've shopped at, might not be as well-prepared. So those are the ones I'd work on.
- So, all we have to do now is unleash a password cracker such as THC Hydra on their server with instructions to try, say, 10,000 different user names and passwords (or 100,000 -- whatever makes you happy) as fast as possible.
- Once we've got several login-plus-password pairings, we can then go back and test them on targeted sites.
- But wait: How do I know which bank you use and what your login ID is for the sites you frequent? All those cookies are simply stored, unencrypted and nicely named, in your Web browser's cache. (Read this post to remedy that problem.)
And how fast could this be done? Well, that depends on three main things: the length and complexity of your password, the speed of the hacker's computer and the speed of the hacker's Internet connection.
Assuming the hacker has a reasonably fast connection and PC, below is an estimate of the amount of time it would take to generate every possible combination of passwords for a given number of characters. After generating the list, it's just a matter of time before the computer runs through all the possibilities -- or gets shut down trying.
| Password length | All characters | Only lowercase characters |
|---|---|---|
| 3 characters | 0.86 second | 0.02 second |
| 4 characters | 1.36 minutes | 0.046 second |
| 5 characters | 2.15 hours | 11.9 seconds |
| 6 characters | 8.51 days | 5.15 minutes |
| 7 characters | 2.21 years | 2.23 hours |
| 8 characters | 2.10 centuries | 2.42 days |
| 9 characters | 20 millenniums | 2.07 months |
| 10 characters | 1,899 millenniums | 4.48 years |
| 11 characters | 180,365 millenniums | 1.16 centuries |
| 12 characters | 17,184,705 millenniums | 3.03 millenniums |
| 13 characters | 1,627,797,068 millenniums | 78.7 millenniums |
| 14 characters | 154,640,721,434 millenniums | 2,046 millenniums |
Pay particular attention to the difference between using only lowercase characters and using all possible characters (uppercase, lowercase and special characters like @#$%^&*). Adding just one capital letter and one asterisk would change the processing time for an eight-character password from 2.4 days to 2.1 centuries.
Remember, these are just for an average computer, and these assume you aren't using any word in the dictionary. If Google put its computers to work on it, it'd finish about 1,000 times faster.
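The arithmetic behind the table, as an added example that is not part of the original article: the figures are consistent with 26 lowercase or 95 printable ASCII characters searched at about 1,000,000 guesses per second over a 365-day year, values inferred here from the table rather than stated by the author. `SAMPLE_WORDLIST` and the sample passwords are constructed, and the wordlist check shows why the table only holds when the password is not a dictionary word.

```python
import string

RATE = 1_000_000            # guesses/second; assumption chosen because it reproduces the table
YEAR = 365 * 86400          # the table's figures match a 365-day year
UNITS = [("millenniums", 1000 * YEAR), ("centuries", 100 * YEAR), ("years", YEAR),
         ("months", YEAR / 12), ("days", 86400), ("hours", 3600), ("minutes", 60)]
PRINTABLE = set(string.ascii_letters + string.digits + string.punctuation + " ")  # 95 chars
# Constructed stand-in for a real wordlist (names plus dictionary words).
SAMPLE_WORDLIST = {"password", "dragon", "modeltford"}


def search_alphabet(password: str) -> int:
    """Alphabet an exhaustive search must cover: 26 if all lowercase, else all 95."""
    if not password or not set(password) <= PRINTABLE:
        raise ValueError("expected a non-empty printable-ASCII password")
    return 26 if all(c in string.ascii_lowercase for c in password) else 95


def exhaustive_seconds(length: int, alphabet: int, rate: int = RATE) -> float:
    """Worst case: time to try every string of exactly `length` characters."""
    return alphabet ** length / rate


def humanize(seconds: float) -> str:
    """Render a duration in the largest unit the table uses that fits."""
    for name, span in UNITS:
        if seconds >= span:
            return f"{seconds / span:,.2f} {name}"
    return f"{seconds:.2f} seconds"


def assess(password: str, wordlist=SAMPLE_WORDLIST) -> dict:
    """Table estimate for one password, overridden when a wordlist already contains it."""
    alphabet = search_alphabet(password)
    seconds = exhaustive_seconds(len(password), alphabet)
    in_wordlist = password.lower() in wordlist
    if in_wordlist:  # the table's assumption (no dictionary word) does not hold
        seconds = len(wordlist) / RATE
    return {"alphabet": alphabet, "in_wordlist": in_wordlist,
            "worst_case": humanize(seconds)}


if __name__ == "__main__":
    for pw in ("abcdefgh", "Abcdefg*", "modelTford"):   # constructed samples
        print(pw, assess(pw))
```

These are worst-case figures for trying every combination; on average a search succeeds after about half that time.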
Now, I could go on for hours and hours more about all sorts of ways to compromise your security and generally make your life miserable, but 95% of those methods begin with compromising your weak password. So, why not just protect yourself from the start and sleep better at night?
Believe me, I understand the need to choose passwords that are memorable. But, if you're going to do that, how about using something that no one is ever going to guess and that doesn't contain any common word or phrase?
Here are some password tips:
- Randomly substitute numbers for letters that look similar. The letter "o" becomes the number 0 -- or, even better, an "@" or "*" (for example, m0d3ltf@rd instead of modelTford).
- Randomly throw in capital letters (Mod3lTF0rD).
- Think of something you were attached to when you were younger, but don't choose a person's name. Every name plus every word in the dictionary will fail under a simple brute-force attack.
- Maybe a place you loved, a specific car, an attraction from a vacation or a favorite restaurant?
- You really need to have different user name and password combinations for everything. Remember, the technique is to break into anything you access just to figure out your standard password, then compromise everything else. This doesn't work if you don't use the same password everywhere.
- Since it can be difficult to remember a ton of passwords, I recommend using RoboForm for Windows. It will store all of your passwords in an encrypted format and allow you to use just one master password to access all of them. It will also automatically fill in forms on Web pages, and you can even get versions that allow you to take your password list with you on your PDA, phone or a USB key. To download it without having to navigate RoboForm's website, try this direct download link.
- For Mac users I recommend 1Password (though RoboForm does also offer a Mac version). And I should also note that both of these applications have companion versions for iPhones and Android devices, so you can sync your passwords and take them everywhere you go.
- Once you've thought of a password, try Microsoft's password strength tester to find out how secure it is.
Another thing to keep in mind is that some of the passwords you think matter least actually matter most. For example, some people think that the password to their e-mail box isn't important because "I don't get anything sensitive there." Well, that e-mail box is probably connected to your online banking account. If I can compromise it, then I can log on to the bank's website and tell it I've forgotten my password and have it e-mailed to me. Now, what were you saying about it not being important?
Oftentimes, people also reason that all of their passwords and logins are stored on their computer at home, which is safe behind a router or firewall device. Of course, they've never bothered to change the default password on that device, so someone could drive up and park near the house, use a laptop to breach the wireless network and then try passwords from this list until they gain control of your network -- after which time they will own you.
I realize that every day we encounter people who exaggerate points in order to move us to action, but, trust me, this is not one of those times. There are 50 other ways you can be compromised and punished for using weak passwords that I haven't even mentioned.
I also realize that most people just don't care about all this until it's too late and they've learned a very hard lesson. But why don't you do me, and yourself, a favor and take a little action to strengthen your passwords and let me know that all the time I spent on this article wasn't completely in vain.
Please, be safe. It's a jungle out there.
John Pozadzides is the CEO of Woopra, one of the world's leading real-time Web analytics companies, and an expert in Internet architecture, infrastructure and security systems.
Just think about the irony of an article "How I'd hack your passwords" and then providing an author-hosted link to a public 3rd party software program.
The next article should be "Stop trusting people online because you can't even tell when someone is trying to defraud you!"
12-15 character password using combination of at least two upper and lower case letters, numbers, and special characters is almost impossible to hack. Especially if you substitute characters and numbers for letters. An example, PA55w0rd%6547&
Even with the most sophisticated software, this level of password encryption would take months or years to crack. The combination of possible passwords using this criteria is in the billions.
Okay, here is some free advice that I developed. Use a patterned password.
Draw a pattern of 8-10 letters/numbers/symbols on your keyboard. Use the SHIFT for either the first half or the second. For instance, draw a triangle on your keyboard for your password... Try it:
Or a Z pattern:
This will seem like nonsense until you type it, then you see how easy it is to remember, yet for brute force hackers, it is nearly impossible to hack. Use this for ALL your accounts and ease your mind. Unless you are the president, no one is going to bother the amount of time it would take to crack these types of passwords just to post to your Facebook account. Don't wait, do it today!!
And for the advice, please check out my friend's photography site:
Don't trust the Microsoft Password Strength Tester to check the strength of your passwords. I did that and thought I should try a password that was constructed in the same fashion as mine to see what the tester said about it. It's 12 characters of all kinds, upper and lower case letters, numbers and other signs. The answer I got was orange = medium safe, and it said that a safe password should have at least 14 characters.
Just for fun I simply wrote 14 lower case A's and according to the tester - I HAD A SAFE PASSWORD!!!!!!!!!!!!!!!!
Which password would you rather have? Mine with 12 totally different characters or the one that Microsoft says is safe: aaaaaaaaaaaaaa
So much for the password tester!
OK, so having read the article and got my paranoia levels at defcon (through the roof) the writer advises "using RoboForm for Windows".
So how do we know this is not just a ploy to get all our nice NATO strength passwords onto his database?
Where does sound honest advice end and yet another scam begin??
You make a good point RightToMyOpinionBub (and this time I’m not being sarcastic). It’s true that no matter how careful we are, our banks themselves can still be hacked and our information stolen. And like you I often prefer to go out into the real world and do things in person. But the fact of the matter is you could just as easily become a victim of identity theft without even owning a computer. Do you shred all your documents and use a PO box for mail? I certainly do. Identity theft is the fastest growing crime in the world right now. Anyway if you take the proper precautions the odds are slim that you will be a victim of these types of crimes but of course it's always still possible no matter how careful you are. These things are just a part of life whether you do business online or not.
It's best to keep your passwords on a sticky note on your monitor or on a piece of paper in your top desk drawer....just an FYI.
and a spare set of keys in your glove box. Ya know, in case you lock your keys in the car.
There will always be lowlifes to take advantage of others, that's the code of those who can't do good and would never try.
WOW some of the comments on this article are ridiculous!! The Author is simply stating basic information that ANYONE who uses a password ANYWHERE should know and abide by. This information is fairly obvious for those who have a bit of computer experience, but for so so many people this could be a LIFE SAVER. What it comes down to is PROTECT YOUR PASSWORD by making it complex in a way that you can remember, but a machine will take a while to crack. Some people need to be coached on this or don't quite understand, so for the Author to explain it in fairly simple terms, and to provide a table that shows a basic representation of how a simple change to your password can make a huge difference, is a very good thing!
If you don't "get it" you may need to read it again and quit being so critical, just take it for what it is, a quick explanation. He never claims to be a computer genius, and that is why it's great, because it really is simple info that SHOULD BE COMMON KNOWLEDGE....BUT IT'S NOT! So John...THANKS!!
RightToMyOpinionBub: Someone could do a lot of damage just by getting your email address. With a little bit of clever email writing they could either cause serious problems for you, or use your email address to get important information from people who trust you. Lastly, once your email is compromised they can lock you out of it and use it to send porn, or viruses etc. So you should worry about security on your online email addresses.
RightToMyOpinionBub makes a good point, let's all just avoid Internet commerce. By the same token I guess we could just stop driving cars and we would never have to worry about being in a car accident. And if we never had sex again we would not have to worry about sexually transmitted diseases. In fact why don’t we just go back to living in the stone age like the Amish? The fact of the matter is the Internet is a valuable tool of the modern age and just like cars and other modern conveniences it comes with risk. Smart people move forward with technology and just take the proper precautions. Of course if people want to live in the past that’s certainly their right as well.