Last week I talked about passwords from the security side of things. This week I’d like to talk about passwords from the hacker side of things, and then how to protect yourself personally from these kinds of attacks. So let’s assume I’m a hacker and I either have a hash of your password or I’m just trying to log into an account online. What methods could I use to guess your password?
Brute Force Attacks
This is probably the easiest type of attack to understand and the one that probably comes to mind when you hear the words “password cracking.” Essentially, the hacker tries every single possible combination of numbers and letters until they get a match. So the hacker would try ‘a’, then ‘aa’, then ‘aaa’, then ‘aaaa’, then ‘aaaaa’, and later ‘aaaaaaab’, on and on until they get a hit. This is easily automated by computers.
The largest problem with this type of attack is the amount of time it takes to try every single possible combination, because the work required grows exponentially with password length. If you have just lowercase letters, that’s only 26 possibilities in each spot. With uppercase, 52. With numbers and symbols, 62-80+ depending on the system used and the restrictions on passwords. Let’s split the difference and say 76 possible characters for each spot in your password. If you have a 2 character password, there are 76 * 76 possibilities, or 5776 possible passwords. A modern computer would crack that instantly. But as you add more characters, the number of possible passwords follows 76^n, where n is the length of your password. By the time you get to 8 characters, there are 1,113,034,787,454,976 possible passwords, which would take quite a long time indeed to try. So you might think that since most websites require a minimum of 6 or 8 characters anyway, it must be nearly impossible for hackers to guess your password. But there’s a better way.
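To make the 76^n arithmetic above concrete, here is a small keyspace calculator I have added as an illustration; it is not code from the original post. It computes the number of candidates for a given alphabet size and length (and the cumulative count for the ‘a’, ‘aa’, ‘aaa’ … search order the post describes) and turns that into an exhaustive-search time at an assumed guess rate. The two rates used are assumptions chosen only to show the contrast between an offline attack on a leaked hash and an online attack against a rate-limited login form.

```python
"""Brute-force keyspace and time-to-exhaust estimates (added example)."""

# Assumed guess rates, not figures from the post: an offline attack on a
# fast unsalted hash versus an online login endpoint that throttles attempts.
OFFLINE_GUESSES_PER_SECOND = 1_000_000_000
ONLINE_GUESSES_PER_SECOND = 10


def keyspace(charset_size, length):
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def cumulative_keyspace(charset_size, max_length):
    """Candidates tried by an attacker walking lengths 1..max_length in order."""
    return sum(charset_size ** n for n in range(1, max_length + 1))


def seconds_to_exhaust(space, guesses_per_second):
    """Worst-case seconds to try every candidate in `space`."""
    return space / guesses_per_second


def human_duration(seconds):
    """Render a second count as e.g. '12d 21h 10m 34s' (years of 365 days)."""
    if seconds < 1:
        return f"{seconds:.3g}s"
    units = [("y", 365 * 86400), ("d", 86400), ("h", 3600), ("m", 60), ("s", 1)]
    remaining = int(seconds)
    parts = []
    for name, size in units:
        qty, remaining = divmod(remaining, size)
        if qty:
            parts.append(f"{qty}{name}")
    return " ".join(parts) or "0s"


def keyspace_table(charset_size, max_length):
    """Rows of (length, keyspace, offline time, online time) for a policy."""
    rows = []
    for n in range(1, max_length + 1):
        space = keyspace(charset_size, n)
        rows.append((
            n,
            space,
            human_duration(seconds_to_exhaust(space, OFFLINE_GUESSES_PER_SECOND)),
            human_duration(seconds_to_exhaust(space, ONLINE_GUESSES_PER_SECOND)),
        ))
    return rows


if __name__ == "__main__":
    # 26 = lowercase only, 52 = mixed case, 76 = the post's "split the difference"
    for charset in (26, 52, 76):
        print(f"\nalphabet size {charset}")
        print(f"{'len':>3} {'candidates':>24} {'offline (1e9/s)':>18} {'online (10/s)':>16}")
        for n, space, offline, online in keyspace_table(charset, 12):
            print(f"{n:>3} {space:>24,} {offline:>18} {online:>16}")
```

The point the table makes is the one the post makes in words: an 8-character password drawn from 76 symbols falls to an offline attack in days at the assumed rate, which is why leaked hashes matter so much more than guesses typed into a throttled login page, and why the attacker’s next move is to shrink the search space rather than to buy more hardware.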
We’ve all heard in the news about various password breaches where millions and millions of accounts get their information leaked onto the internet. Well, hackers are smart people, and they started looking for patterns in the accounts that were leaked; as a result, there are now lists of the most commonly used passwords. (The most common ones are “12345” and “password”.) So now, instead of brute forcing passwords one letter at a time, they try these common passwords first, and it is vastly more efficient to crack passwords this way. To give you an example of just how efficient this is, over 50% of people use one of the Top 25 most common passwords. That’s absolutely ridiculous! With just 25 passwords, I could break into 50% of people’s accounts! Now you might say “Well, my password is secure; instead of ‘password’, I use ‘P@$$w0rd’.” And that is slightly better, but there are scripts in use that take the most common passwords and make common substitutions like @ for a, $ for s, or 5 for s, etc., and then try all of those variants. Even though that’s a ton of possibilities, it’s still massively more effective than a brute force attack, and much more likely to succeed against real users.
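Seen from the defender’s side, the substitution trick described above is easy to undo: rather than expanding every common password into its ‘P@$$w0rd’ variants, a signup form can map the substitutions back to letters and check the result against the common-password list. The following checker is an example I have added, not code from the post or from any password manager. The substitution table is my own choice of the usual leet-speak mappings, and the common-password list is a constructed six-entry stand-in for the real “Top 25” list the post mentions (only “12345” and “password” come from the post).

```python
"""Reject passwords that are common passwords or leet-speak variants of them
(added example, defender-side check)."""
import itertools

# Constructed stand-in for a real common-password list; "12345" and "password"
# are the two examples the post gives, the rest are illustrative entries.
COMMON_PASSWORDS = {"12345", "123456", "password", "qwerty", "letmein", "iloveyou"}

# Reverse substitution table (assumed): each symbol maps to the letters people
# commonly replace with it. '1' is ambiguous, so it expands to both 'i' and 'l'.
LEET = {
    "@": ("a",), "4": ("a",), "3": ("e",), "1": ("i", "l"), "!": ("i",),
    "0": ("o",), "$": ("s",), "5": ("s",), "7": ("t",), "+": ("t",),
}

# Suffix characters people bolt onto a base word ("password1!", "qwerty123").
TRAILING = "0123456789!@#$%^&*._-"


def deleet(word, limit=4096):
    """All spellings of `word` with substitutions reversed.

    Ambiguous symbols multiply the candidate set, so if the expansion would
    exceed `limit` variants we fall back to the first mapping per symbol.
    """
    options = [LEET.get(ch, (ch,)) for ch in word]
    total = 1
    for opt in options:
        total *= len(opt)
    if total > limit:
        options = [opt[:1] for opt in options]
    return {"".join(combo) for combo in itertools.product(*options)}


def candidate_forms(password):
    """Normalised spellings to compare against the common-password list."""
    base = password.lower()
    forms = {base}
    stripped = base.rstrip(TRAILING)
    if stripped:                       # "12345" strips to "", keep only `base`
        forms.add(stripped)
    normalised = set()
    for form in forms:
        normalised.add(form)
        normalised.update(deleet(form))
    return normalised


def weak_reason(password, common=COMMON_PASSWORDS):
    """Return the common password this one is a variant of, or None."""
    for form in sorted(candidate_forms(password)):
        if form in common:
            return form
    return None


def is_weak(password, common=COMMON_PASSWORDS):
    return weak_reason(password, common) is not None


if __name__ == "__main__":
    for pw in ("P@$$w0rd", "passw0rd1!", "12345", "Tr0ub4dor&3", "correct horse battery staple"):
        print(f"{pw!r:35} -> {weak_reason(pw) or 'ok'}")
```

Two design points: the check works on the user’s candidate rather than on an expanded wordlist, so the list stays small and the cost is per-signup rather than per-variant; and the rule is deliberately lenient toward genuinely random passwords, which never normalise to a dictionary entry, so it adds no friction for people who use a password manager.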
How to Protect Yourself
The absolute best way you can protect yourself is to have a strong, randomly generated, unique password for every single website you visit. Now, no one is capable of remembering all those different passwords, so they use a password manager. Two popular ones are LastPass and 1Password. For both of these services, you only need to remember one password, which you use to get at all your other passwords. They will generate random passwords for you and will even fill them into the password box on websites for you, so all you need to do is click Login. I cannot recommend LastPass enough. I use it for all my passwords, and it’s great.