How to Guess A Password

Last week I talked about passwords from the security side of things.  This week I’d like to talk about passwords from the hacker side of things, and then how to protect yourself personally from these kinds of attacks.  So let’s assume I’m a hacker and I either have a hash of your password or I’m just trying to log into an account online.  What methods could I use to guess your password?

Brute Force Attacks

This is probably the easiest type of attack to understand and the one that probably comes to mind when you hear the words “password cracking.”  Essentially, the hacker tries every single possible combination of numbers and letters until they get a match.  So the hacker would try ‘a’, then ‘aa’, then ‘aaa’, then ‘aaaa’, then ‘aaaaa’, and later ‘aaaaaaab’, on and on and on until they get a hit.  This is easily automated by computers.

[Embedded video from youtube.com: an example of a computer program running a brute force attack]

The largest problem with this type of attack is the amount of time it takes to try every single possible combination, because the work required scales exponentially with password length.  If you have just lowercase letters, that’s only 26 possibilities in each spot.  With uppercase, 52.  With numbers and symbols, 62-80+ depending on the system used and the restrictions on passwords.  Let’s split the difference and say 76 possible characters for each spot in your password.  If you have a 2 character password, there are 76 * 76 possibilities, or 5776 possible passwords.  A modern computer would crack that instantly.  But as you add more characters, the number of possible passwords follows 76^n where n is the length of your password.  By the time you get to 8 characters, there are 1,113,034,787,454,976 possible passwords, which would take quite a long time indeed to try.  So you might think that since most websites require a minimum of 6 or 8 characters anyway, it must be nearly impossible for hackers to guess your password.  But there’s a better way.

Dictionary Attacks

We’ve all heard in the news before about various password breaches where millions and millions of accounts get their information leaked onto the internet.  Well, hackers are smart people, and they started looking for patterns in the accounts that were leaked, and as a result there are now lists of the most commonly used passwords.  (The most common ones are “12345” and “password”.)  So now, instead of brute forcing passwords one letter at a time, they try these common passwords first, and it is vastly more efficient to crack passwords this way.  To give you an example of just how efficient this is, over 50% of people use one of the Top 25 most common passwords.  That’s absolutely ridiculous!  With just 25 passwords, I could break into 50% of people’s accounts!  Now you might say “Well my password is secure, instead of ‘password’, I use ‘P@$$w0rd’.”  And that is slightly better, but there are scripts in use that take the most common passwords and make common substitutions like @ for a, $ for s, or 5 for s, etc.  And they try all of those passwords.  Even though that’s a ton of possibilities, it’s still massively more effective than a brute force attack, and much more likely to succeed against real people.
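To make the two sections above concrete, here is a small added example (not code from the original post) that audits a password from the defender’s side: it works out the 76^n keyspace and a worst-case brute-force time at an assumed guess rate, and then checks whether the password is a common password or merely a character-substitution variant of one. The wordlist, the guess rate of 10 billion per second and the substitution table beyond the post’s @, $ and 5 are assumptions for illustration.

```python
"""Added example: estimate brute-force cost and detect substitution variants
of common passwords. All wordlist entries and rates are constructed."""

# Constructed stand-in for a leaked "Top 25" list (real lists are far longer).
COMMON_PASSWORDS = {"123456", "12345", "password", "qwerty", "letmein", "iloveyou"}

# The substitutions the post mentions (@ for a, $ for s, 5 for s), plus a few
# more common ones (assumed), mapped back to the letter they usually replace.
LEET_TO_PLAIN = {"@": "a", "$": "s", "5": "s", "0": "o", "1": "i", "3": "e", "!": "i"}

ASSUMED_CHARSET_SIZE = 76          # the post's "split the difference" figure
ASSUMED_GUESSES_PER_SECOND = 1e10  # assumption: a fast offline hash cracker


def keyspace(password: str, charset_size: int = ASSUMED_CHARSET_SIZE) -> int:
    """Number of candidates a brute-force search must cover: charset_size ** n."""
    return charset_size ** len(password)


def brute_force_seconds(password: str,
                        guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND,
                        charset_size: int = ASSUMED_CHARSET_SIZE) -> float:
    """Worst-case seconds to exhaust the keyspace at the assumed guess rate."""
    return keyspace(password, charset_size) / guesses_per_second


def normalize_leet(password: str) -> str:
    """Undo the substitutions so 'P@$$w0rd' collapses back to 'password'."""
    return "".join(LEET_TO_PLAIN.get(c, c) for c in password).lower()


def dictionary_hit(password: str, wordlist=COMMON_PASSWORDS) -> bool:
    """True if a dictionary-plus-substitution attack would find this password."""
    return password.lower() in wordlist or normalize_leet(password) in wordlist


def audit(password: str) -> dict:
    """Summarise both attack costs for one password."""
    return {
        "length": len(password),
        "keyspace": keyspace(password),
        "brute_force_seconds": brute_force_seconds(password),
        "dictionary_hit": dictionary_hit(password),
    }


if __name__ == "__main__":
    for pw in ("ab", "P@$$w0rd", "29t33jpX"):
        print(pw, audit(pw))
```

Note that ‘P@$$w0rd’ has a large brute-force keyspace yet is found immediately by the substitution check, which is the post’s point about why dictionary attacks beat brute force.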

How to Protect Yourself

The absolute best way you can protect yourself is to have a strong, randomly-generated, unique password for every single website you visit.  Now, no one is capable of remembering all those different passwords, so people use a password manager.  Two popular ones are LastPass and 1Password.  For both of these services, you only need to remember one password, which you use to unlock all your other passwords.  They will generate random passwords for you and will even fill them into the password box on websites for you, so all you need to do is click Login.  I cannot recommend LastPass enough.  I use it for all my passwords, and it’s great.

6 thoughts on “How to Guess A Password”

  1. I should really look into LastPass or something similar. My password is different for every website, but there’s probably a theme of some sort that would be easily detected and exploited by a hacker. But on that topic, I have a question – if someone consistently used the same password, but a password which consisted of nonsense letters and numbers (something like 29t33jpX), how easy would it be for a hacker to attack that? What if the password was uniform for every website/account except for a distinguishing character at the end? That’s literally just a generic question – and I still plan on visiting LastPass at some point soon – but I’m curious about how easily something like that could be hacked.

  2. One mistake I always advise people against is using personal information in their passwords, which only makes them easier to guess, especially if the hacker knows the person on a personal level. I feel like all of us are guilty of that to a certain extent; for a while my passcodes were just my birthday and some of my passwords were literally my name. I’ve rectified that since, but I feel as if a lot of people still make this mistake.

  3. While I do definitely agree with using a password manager, you also should be careful of who you trust with your information. LastPass recently had a data breach where hackers got away with a significant amount of personal information – thankfully no encrypted passwords were taken, but the fact that they were able to get as much as they did is slightly concerning. You’d think that a company who’s only goal is to increase your online security would be able to defend against intrusions by attackers.
