Password cracking is the process of guessing passwords using special computer programs, usually designed to compare long lists of words and common passwords and phrases against your password in the hope of a match, or by constructing many permutations of letters, numbers and other keyboard symbols until the right combination is found.
Modern cracking software run on fast computers can make billions of password guesses per second using huge lists of words found in the dictionary, combinations of these words, common names and terms and other letter and number sequences that people like to use to make their passwords easier to remember or faster to type. If this fails the the computer can generate further random character sequences and cycle through them at extreme speed hunting for a lucky or, if the password is weak, inevitable hit. This is called a brute force attack. Often, but not always, password cracking is attempted without the authorization and knowledge of the password owner.
Stealing passwords by malicious means is undertaken for many reasons. Unauthorised account access, financial theft, identity theft and other forms of misrepresentation. Whatever the reason, it’s usually bad news for the person who has had their password stolen.
If you use a password 7 or fewer characters in length, modern software and techniques can crack it regardless of the letters, numbers and symbols used. Short passwords are not secure.
Not all password cracking is malicious. Sometimes it may be necessary to recover a forgotten password. Sometimes entire databases of passwords can be analysed to ensure they are strong enough to prevent or deter malicious access attempts. Law enforcement sometimes use the technique to obtain evidence for investigations.
We will focus on malicious break-in (or hacking) attempts and provide advice on how to protect yourself against such activity.
Long and Random Passwords are Strong Passwords
Computers are ideal for repeating tasks many times in a short period. Modern computers can process billions of instructions in a single second and this makes them ideal for a laborious task such as repeatedly guessing passwords.
However, even fast computers have limits. The goal when creating a strong password is to ensure that so many guesses would be needed to crack it even a computer would take years or decades to succeed by brute force. But as computers get faster these times are tumbling.
According to ARS Technica, one password-cracking expert developed a computer cluster that can cycle through as many as 350 billion guesses per second. This means that it could try every possible Windows password in less than six hours – Scientific Computing
The smaller the number of permutations that have to be cycled through in order to find a match, the weaker the password. That’s why using a mix of upper and lower case letters, numbers and special symbols in your passwords and making your passwords longer adds security. It increases the number of possible characters and therefore the number of permutations the computer has to cycle, of ten exponentially as you add more complexity.
But the range of characters you use and the password length are not the only considerations. If your password contains common words that can be found in the dictionary, names of people or places, or any other common sequence of characters there are huge lists of these words and sequences available that are easy for anyone to find and download. A hacker can run this list against your password in a tiny fraction of the time taken to laboriously cycle every permutation. Cracking times can be reduced from years to seconds when you use common words and phrases in your passwords. There are other techniques that can help expose passwords just as quickly, such as using stolen lists of passwords from databases to help crack additional lists.
For example, consider the password:
abPa$$W0Rd
This might appear secure. It is 10 characters in length, easy enough to remember and uses letters (both upper case and lower case), numbers and symbols. Cycling through all possible permutations might take some time for a fast computer to crack it, not as much time as you might think but probably enough to deter the casual hacker. However, this very password appears in easily obtainable cracking lists. It would take seconds for this password to be cracked by anyone in possession of that list. Password crackers have these lists and they keep a keen eye out for new lists as they become available.
What you really need is a password that is long enough to make breaking it computationally too time consuming, and a password that doesn’t contain common words, phrases, names or other well used sequences. A password unique and random that most likely has never been used before and won’t appear on a list.
An Example of a strong password:
X!i2Us9@kS5-$3JmoS3e
This password would take many years to crack, far more time than an attacker would be prepared to invest. But who could ever remember a password like that? You’d have to write it down and carry it with you, which would defeat the whole point of having a secure password, maybe stick it to the top of the computer monitor (obviously, never do that).
That’s where password managers excel, allowing us to use super strong passwords without the drawbacks.
Use Password Managers
Password managers are special software or apps that store and recall login credentials and generate strong and unique passwords for your online accounts. They are easy to use, secure and reliable. The most basic examples are built right into your web browser, or you can purchase more advanced and flexible dedicated solutions.
Password managers work by monitoring your online activity and detecting when you register at a new web site, or enter your login details for one of your existing accounts, or provide your credit card and personal details for an online purchase or similar transaction.
When such activity is detected, the password manager will display a prompt asking if you want to store your login or other private details. If you save these details, the next time you visit the web site you can click a button in the password manager to fill out your login details or credit card information automatically. You don’t have to remember any of the details and that means you can use long and hard to crack passwords and different passwords for all your accounts.
To prevent anyone with access to your computer using the password manager to login to all your accounts you protect the password manager itself with an access password. This is the only password you have to remember and, of course, should still be hard to guess or crack. But remembering one password is a lot easier than remembering different ones for all your accounts, and is safer than using just a single password on every account.
Another great feature of password managers is the ability to synchronise your credentials across all your devices. So you can use password manager on your desktop, a password app on your phone and synchronise the two so you can easily gain access to your accounts no matter where you are or how you are accessing the Internet.
Use Two Factor Authentication
Two factor/ multi factor authentication sounds technical and complicated, but in principle it is very simple. It goes beyond the traditional username/ password login method and adds a second layer of security. You still login with a username and password as usual. But that’s not enough to gain access, with two factor authentication you also need to provide an additional piece of information such as an authorisation or pin code, usually via a piece of equipment only you would likely have access to at that particular moment in time, typically your mobile phone.
Even if a hacker can crack your password he doesn’t have your phone so he can’t go any further and can’t gain access. With mobile phones now commonplace they are the preferred devices used for two factor authentication. But other methods exist too, including more traditional email, fingerprint and retina scanners and, popular with banks, special card reading devices that generate codes from the microchip on your credit card.
This form of security isn’t convenient for everyone and can often be viewed as an additional complication, but if you are serious about protecting your accounts and data it’s a tough method to crack. Adding extra layers of security is generally a good thing, but it doesn’t mean you can then neglect the initial layer. You should still use strong passwords that are difficult to crack, as a matter of habit.
Other Threats to Your Passwords and Security
Strong passwords and efficient password management strategies are essential in the modern online environment, but they are only as secure as they person who manages them. Can you keep a secret? A hacker doesn’t need cracking tools if he can find a scrap of paper on which you have written your master password. A scammer on the end of a phone doesn’t need to make any guesses if he can trick you into revealing your password or other private data.
In general, never give your password to anyone that you don’t absolutely trust. Never write it down. Keep it in your head and keep it to yourself. But sometimes giving out the password can’t be avoided. For example, a technician might require it to access and fix a broken computer. Or a family member may need shared access.
If you must give your password out for a legitimate reason, once that reason has expired and if the person you gave the password to no longer requires it, change the password.
Never give your password to any third party claiming to be from your bank, insurer, or other company you deal with. Legitimate companies will never ask for your account passwords over the telephone. They may ask for a services pin code or other form of identity verification, but never your primary password.
Remember, once you reveal your password to anyone you have potentially bypassed all your security and made it extremely simple for that person to access at least one of your online accounts.
Four Steps to Better Online Security
- Use strong passwords, at least 8 characters in length (longer is better), don’t use words from the dictionary or other common words or names, use a good mix of letters, numbers and symbols in your passwords.
- Use a different password for each of your online accounts. To help you with this, use a password manager.
- Use two factor authentication to add an additional layer of security to your accounts and data.
- Never write down your password or give it out to anyone you don’t absolutely trust.
Useful Password and Security Resources
- Test How Long it Would Take to Crack Your Current Password
- Popular Password Managers – LastPass, 1Password, Dashlane, RoboForm.