How many warnings do we need?
I’ve been warning my friends for a long time about weak passwords.
Now, it’s official:
ALL eight-digit passwords can be broken in less than 6 hours.
ALL, not just the one you are using.
That’s right, all of your 8-digit passwords are useless. They’ve been cracked and discovered.
You can read about the hardware and technique at:
What is even scarier is that the technique used was a simple “brute force” attack. In other words, the same system using a more sophisticated attack (such as a dictionary attack) would be able to crack all passwords even faster.
To sum up, your passwords must be at least 16 characters long, nonsensical, and with a mix of numbers, letters, and symbols. A password that’s 32 characters long is exponentially better. And 64, and 128…
Of course, technically speaking, long passwords can still be cracked. But the longer your password, and the more gibberish is in it, the more the password cracking machine has to work at it, using up valuable time and computer resources. It will likely only make a certain number of attempts (say, only a few million) then give up and move on to “lower hanging fruit.”
One of the misleading lines in the article cited above is:
“The technique doesn’t apply to online attacks, because, among other reasons, most websites limit the number of guesses that can be made for a given account.”
While true of that specific technique (hardware + software), a very similar method could be used for online passwords. And, with the exception of the hardware cited in the article, similar techniques are probably being used already. What makes this kind of setup so dangerous is that it can be easily adapted to online cracking. Here’s how such a system might work:
1. Create a database of all targeted websites. The data contains the password-length, username policy, and character policies for each website. Those websites with the weakest policies would be targeted first and most often.
2. A website is targeted, and the username is already known or easily guessed (like email, first/lastname, etc.).
3. Only two attempts at the password are made, avoiding the “3-times and it’s locked” rule that some sites use. If the two attempts fail, the point that the cracking algorithm reached is recorded against the username/website.
4. The next username/website is then attempted. After a certain period of time, perhaps an hour or longer, the first username above will be attempted again from a different IP address or a different machine.
5. The process repeats at a rate of about 1,000 attempts per second, cycling through the database created and updated in steps 1 and 3.
Yes, such an approach would be relatively slow, but the idea for most hackers is to obtain many passwords, not just one. They are net-fishing. With automation, and with several machines sharing data and running at once, it would be only a matter of time before the password harvest began.
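From the defender's side, the pattern described above (two guesses, a long pause, a new source address) slips under a short-window lockout but shows up when failures are counted per account over a long window. The following is an added example, not code from this post or the cited article; the log format, event data and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log: (timestamp, username, source IP, outcome).
EVENTS = [
    ("2024-03-01T00:00:05", "alice", "198.51.100.7", "fail"),
    ("2024-03-01T00:00:09", "alice", "198.51.100.7", "fail"),
    ("2024-03-01T01:10:00", "alice", "203.0.113.20", "fail"),
    ("2024-03-01T01:10:04", "alice", "203.0.113.20", "fail"),
    ("2024-03-01T02:20:00", "alice", "192.0.2.44", "fail"),
    ("2024-03-01T02:20:03", "alice", "192.0.2.44", "fail"),
    ("2024-03-01T08:15:00", "bob", "192.0.2.80", "fail"),   # typo, then success
    ("2024-03-01T08:15:20", "bob", "192.0.2.80", "ok"),
    ("2024-03-01T09:00:00", "carol", "192.0.2.91", "fail"),
    ("2024-03-01T09:00:30", "carol", "192.0.2.91", "fail"),
]

def failures_by_user(events):
    """Group failed logins per account as time-sorted (when, ip) pairs."""
    by_user = defaultdict(list)
    for ts, user, ip, outcome in events:
        if outcome == "fail":
            by_user[user].append((datetime.fromisoformat(ts), ip))
    return {user: sorted(fails) for user, fails in by_user.items()}

def windows(fails, width):
    """Yield, for each failure, the failures in the `width` ending at it."""
    start = 0
    for end in range(len(fails)):
        while fails[end][0] - fails[start][0] > width:
            start += 1
        yield fails[start:end + 1]

# Thresholds below are illustrative assumptions, not values from the article.
def lockout_hits(events, limit=3, width=timedelta(minutes=15)):
    """Accounts a short-window 'three strikes' lockout would catch."""
    return {u for u, f in failures_by_user(events).items()
            if any(len(w) >= limit for w in windows(f, width))}

def slow_guessing_suspects(events, min_fails=6, min_ips=3,
                           width=timedelta(hours=24)):
    """Accounts with many failures from several IPs over a long window."""
    return {u for u, f in failures_by_user(events).items()
            if any(len(w) >= min_fails and len({ip for _, ip in w}) >= min_ips
                   for w in windows(f, width))}

if __name__ == "__main__":
    print("short-window lockout:", lockout_hits(EVENTS))
    print("long-window suspects:", slow_guessing_suspects(EVENTS))
```

On the sample data the short-window rule flags nobody, while the long-window count singles out the one account that was probed from three addresses.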
…the real hackers and crackers are not human…
It is wise to remember that there is no human hacker sitting at a computer doing all this manually with a keyboard and a mouse. He’s not staring at his monitor waiting for results, nor is he a shaggy recluse, unkempt, with few social skills.
The human hacker is out getting his latte, or he’s on the golf course, at the game, or maybe taking his kids to a movie. Or, in the case of state-sponsored hacking, he might be taking a language class, renewing his weapons certification, or pulling his shift at a radar installation. He’s already done his work, and he only needs to review the results that his servants will produce. Because…
The real hackers and crackers are not human–they are systems built by humans and then switched on to do their thing. They are, in effect, electronic slaves that require no food, clothing, or encouragement, and they never need to take a break from their 24/7 task.
Take a moment to get your head around that. Ponder the scope and consequences for us all. Take another moment.
Got it? Now back to the lesson at hand…
The weakest passwords get harvested and hacked first.
What is a weak password?
You’ll get many answers to that, depending on who you ask. That’s because “weak” is a relative term. “Weak” compared to what?
Well, now we know: Weak as compared to an 8-digit password, which is essentially useless.
The weakest passwords are those that are short and/or make some kind of sense. For example, mypet1945 is a short password, and it has words and a year, so it makes sense to a dictionary (a customized dictionary which is referenced by the cracker). Youremail@emailservice.com is also weak because it makes sense: it’s easily detected as an email address and, again, contains strings of letters that a dictionary can identify (“@emailservice.com”).
So here’s my answer as to what a weak and what a strong password may be:
Strongest: 125 characters long, mix of uppercase letters, lowercase letters, numbers, and symbols, with no words or names in it, and with no sequential letters, numbers, or symbols (abc, 123, #$%, etc.) and with no repetition (aa, aA, 99, %%, etc.).
Less Strong: fewer characters
Less Strong: no numbers and/or no letters and/or no symbols
Less Strong: uppercase-only or lowercase-only letters
Here are some examples of progressively stronger passwords, from weakest to strongest:
a8!dw2B#Zwo9hE*% (very weak, too short)
a8!dw2B#Zwo9hE*%baT (very weak, has a word in it)
a8!dw2B#Zwo9hE*%a8!dw2B#Zwo9hE*% (just as weak as above, pattern repetition)
a8!dw2B#Zwo9hE*%%*Eh9owZ#B2wd!8a (same as above, reverse-type pattern repetition)
a8!dw2B#Zwo9hE*%ads%f44j(8@9p? (stronger, but do you notice the two 4’s side by side? A computer will notice, too.)
a8!dw2B#Zwo9hE*%9wEaZd!2w8#B*%oh (just as weak as above, since it uses the same characters over again starting at the 17th position)
a8!dw2B#Zwo9hE*%4bU*q@S6R1x3+J?D (much better, but still a bit too short).
a8!dw2B#Zwo9hE*%4bU*q@S6R1x3+J?Dy^b~7&V0z9i3Tq0rN#v$M1h5@0f7Ka3m (Okay, now we’re getting somewhere! 64 characters, mixed numbers, symbols, upper- and lowercase letters. Now if we made it twice as long, around 128 characters, it’d be practically unbreakable. It would certainly be so long that only the most determined cracker would bother trying.)
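The structural patterns called out in the list above (embedded words, side-by-side repeats, sequences such as abc or #$%, and a second half that copies, mirrors or reshuffles the first) can be checked mechanically. This is an added example, not the author's code; `weaknesses` and the tiny `WORDS` set are constructed for illustration, and length is reported rather than judged.

```python
# Constructed stand-in for a cracker's dictionary; a real check loads a large wordlist.
WORDS = {"bat", "pet", "password"}

def weaknesses(pw, words=WORDS):
    """Return the structural weaknesses the article names that occur in `pw`."""
    low = pw.lower()
    codes = [ord(c) for c in low]
    found = []
    if any(w in low for w in words):
        found.append("dictionary word")
    # Repetition such as aa, aA, 99, %% (case-insensitive neighbours).
    if any(a == b for a, b in zip(low, low[1:])):
        found.append("adjacent repeat")
    # Runs such as abc, 123, #$% are consecutive character codes, up or down.
    if any(b - a == c - b and abs(b - a) == 1
           for a, b, c in zip(codes, codes[1:], codes[2:])):
        found.append("sequence")
    # Compare the two halves: copied, mirrored, or the same characters reshuffled.
    half = len(pw) // 2
    first, second = pw[:half], pw[len(pw) - half:]
    if half >= 4:
        if second == first:
            found.append("repeated half")
        elif second == first[::-1]:
            found.append("mirrored half")
        elif sorted(second) == sorted(first):
            found.append("reused characters")
    return found

# The article's own example passwords, in the order it lists them.
EXAMPLES = [
    "a8!dw2B#Zwo9hE*%",
    "a8!dw2B#Zwo9hE*%baT",
    "a8!dw2B#Zwo9hE*%a8!dw2B#Zwo9hE*%",
    "a8!dw2B#Zwo9hE*%%*Eh9owZ#B2wd!8a",
    "a8!dw2B#Zwo9hE*%ads%f44j(8@9p?",
    "a8!dw2B#Zwo9hE*%9wEaZd!2w8#B*%oh",
    "a8!dw2B#Zwo9hE*%4bU*q@S6R1x3+J?D",
    "a8!dw2B#Zwo9hE*%4bU*q@S6R1x3+J?Dy^b~7&V0z9i3Tq0rN#v$M1h5@0f7Ka3m",
]

if __name__ == "__main__":
    for pw in EXAMPLES:
        print(f"{len(pw):3d} chars  {weaknesses(pw) or 'no pattern found'}")
```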
There you have it. You know what to do. If only online services and businesses knew, too!
It’s worse than you think.
You’d think that banks and financial institutions would be on top of things, right? Wrong, so wrong. A recent study concluded that 350 million customers are at risk. The researchers studied the password security practices of seventeen banks. Of them, about a third had pretty useless security. The worst offenders, the researchers found, were the following banks:
- Wells Fargo
- Capital One
- Chase Bank
The fact is that many businesses do not allow more than a few characters, and they often disallow the use of symbols in the passwords that their customers try to use. I’m not just talking about that quilting website, either. Banks, online stores, utility companies such as water or power, and even some email services utterly fail to incorporate sensible password policies. It is as if they are stuck in the 1980s, before there was even a web, and the only threat was someone looking at the bottom of your keyboard where you taped your password.
What is extremely aggravating is that most sites don’t even tell you what their password requirements are, or what their restrictions are, until you try to change to a strong password and it gets kicked out. And sometimes not even then will they tell you! They’ll just truncate a long password, or force upper or lower case!!!
This is willful neglect, and it puts every individual at risk. Until these dinosaurs evolve into the modern age, what can you do?
So what can I do?
Here are some tips:
Don’t EVER share a password via email, text, or other messaging service. You might as well write it on a billboard or advertise it on a Jumbotron.
GET RID OF (as in SHRED) THOSE LISTS OF PASSWORDS that you have lying around, stuck in a drawer, or that you’ve written on a business card or cable bill. More and more these days, burglars and sneaks know to look for material related to your identity and your accounts. These are things like checkbooks, bank statements, and, yes, lists of passwords. They’ll scoop those up along with your flat-screen, loose jewelry, and guns, and they’ll be in and out of your place in 10 minutes flat. Or, worse, they’ll just take a pic with their smartphone so you won’t suspect anything was taken. And, more and more, criminals prefer this kind of loot over metal and plastic because it’s easy to hide and sell. And the smart ones are training the dumb ones.
Use strong passwords (see above) and password manager software. Password “safe” or “manager” software is extremely useful for creating and managing strong passwords. You should use one.
That’s all for now! I’ll try to post other tips for personal computer security later on.