So what’s in a password? All your business communications, for a start. There’s your personal privacy, perhaps your family’s as well. Then there’s your banking, PayPal, eBay, identity theft, your website, ransomware headaches... all that fun stuff. Yet, for all that’s at stake, the shocking truth is that nearly everyone’s passwords are completely insecure.
Does that sound alarmist? Well let me put it this way: I’ve been an IT pro for half my life so far. I’m up to my neck in networks and servers every work day – it’s. What I’m trying to get at here is I know a thing or two about computers.
It took a bit of research into the world of modern password cracking to realise that all of my passwords were awful too. I changed them immediately.
It’s actually quite shocking just how easily the bad guys can crack passwords with today’s machines.
How can everyone’s passwords be so catastrophically bad?
It’s like this: we all use the same words, patterns and techniques to build passwords. And most of us never change the bloody things unless we’re forced.
All those clever tricks we use to make it difficult for the bad guys – which, in the privacy of our minds we might even be a little proud of – are used by millions, perhaps billions of other people too. The bad guys already have the code to break them.
So even if you’ve avoided choices that are obviously bad, like princess, monkey or assword, what you use instead can be trivially easy to crack.
How? I’ll walk you through it.
How Passwords are Stored
For about as long as we’ve had websites, hackers have found ways to break into them. Sometimes they manage to steal the password file. This has happened to some high profile websites that you might have signed up to once, like LinkedIn and Myspace.
Some of these data breaches have been very public – you can even check online whether your account was involved. Other breaches are quiet and you could never know. And for a whole host of reasons, it’s basically impossible to guarantee that it will never happen.
So can the bad guys just take all your login details and see if they’ll work on your email account? If you’re really unlucky, then yes.
But some clever people realised quite a while ago what a nightmare it is to keep passwords in plain text, waiting to be stolen. Which is why they’ve figured out a way to check them without actually storing them.
What they store instead is the hashed password. This is produced by using a thing called a cryptographic hash function on the original password. These hashed passwords look like complete mumbo jumbo – something like $1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/.
What makes hash functions so useful for password storage is that they only work in one direction. You can easily get a hashed password from the original password, but you can’t calculate the original password from the hashed password.
So when you enter your password in the website, they run their hash function on it and check whether the mumbo jumbo matches up with the mumbo jumbo in their database. This gives them a way to quickly check whether the password you enter is correct – without ever having to leave your original password lying around, waiting to be stolen.
Neat, hey? This, by the way, is why when you forget your password, you get sent a link to reset it. They can’t send you your old one: they don’t actually have it. That’s a good thing.
But I wouldn’t be writing this article if there wasn’t a weakness. Someone who has your hashed password can repeatedly try to guess the original. When the hashed passwords match, they know they’ve guessed correctly.
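The store-then-check flow described above, as an added example that is not from the original article: a site keeps a salted, slow hash (PBKDF2-HMAC-SHA256 from Python’s standard library, chosen here as an assumption) and verifies a login by recomputing it. The record format and the function names are mine.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Work factor: every guess costs this many HMAC rounds, for the attacker as much as the site.
ITERATIONS = 200_000
ALGORITHM = "pbkdf2_sha256"  # constructed label for the stored record


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Produce the record a site stores instead of the password itself."""
    if salt is None:
        salt = os.urandom(16)  # per-user random salt: identical passwords give different records
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-run the hash with the stored salt and iteration count; nothing is ever decrypted."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported record format: {algorithm}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def guesses_needed(record: str, candidates: Iterable[str]) -> int:
    """The only thing a stolen record permits: try candidates until one verifies.

    Returns the number of guesses it took, or -1 if none matched. Each guess
    pays the full iteration cost, which is why the work factor matters.
    """
    for n, guess in enumerate(candidates, start=1):
        if verify_password(guess, record):
            return n
    return -1


if __name__ == "__main__":
    stored = hash_password("correct horse")
    print(stored)
    print(verify_password("correct horse", stored), verify_password("Correct horse", stored))
```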
Modern computing power makes this easy
To sit at your desk typing password after password would be awfully tedious, and you’d only get the most obvious. A computer will happily sit there trying combinations for as long as you leave it.
Hypothetically, with unlimited time or unlimited processing power, absolutely every password can eventually be guessed. But nobody actually has those things.
In practice, a strong password is one that takes so long to guess that the bad guys either give up, or spend so much time on it that it’s no longer useful.
It turns out that the same graphics processors that power the latest games are also great for cracking passwords. If you’re really keen, you can build a dedicated password cracking rig by putting 4 or 8 graphics processors into the one computer. One of these rigs can crack thousands of passwords in a matter of seconds.
This kind of password cracking rig can cost about $5000-$10000. That’s a bit more than most of us spend on a computer. But it’s hardly the Russian intelligence budget. Professional fraudsters can afford this level of computing power.
Brute force attacks
The most basic way to crack passwords is to try every single combination of characters. It’s called a brute force attack because there’s no real intelligence guiding the computer’s choices – it just relies on the brute force of the processor to try every possibility.
This method works brilliantly on short passwords, especially if they don’t make full use of the available characters. Because the computer tries every possible combination, there’s nowhere to hide. The very shortest passwords might be cracked in seconds.
But as passwords get longer and combine lower case letters, capitals, numbers and symbols, the number of combinations that the cracking rig needs to try becomes so large that it simply takes too long.
To illustrate: let’s say an attacker has a password cracking rig that takes an hour to crack every combination of lower case letters up to 7 characters long. That means it will take until tomorrow to crack every combination up to 8 characters, and most of the month to crack every combination up to 9 characters.
What if we stop using just lower case letters, and start including capitals, symbols and numerals as well? Then this same rig would take about 2000 years to crack a 9 character password.
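The arithmetic behind the figures above, as an added example rather than the author’s own working: the rig’s speed is taken from the article’s baseline (every lowercase password of up to 7 characters in one hour), and the character-set sizes are my assumption. Counting all 95 printable ASCII characters gives a larger figure than the article’s 2000-year ballpark; the exact number depends on how many symbols you count, but the conclusion is the same.

```python
LOWER = 26                  # a-z
LETTERS_DIGITS = 26 + 26 + 10  # a-z, A-Z, 0-9
PRINTABLE = 95              # every printable ASCII character, symbols included


def keyspace(charset_size: int, max_length: int, min_length: int = 1) -> int:
    """Number of candidate passwords between min_length and max_length characters."""
    return sum(charset_size ** n for n in range(min_length, max_length + 1))


# Constructed baseline from the article: the rig exhausts every lowercase
# password of 1..7 characters in one hour, so that keyspace is its hourly rate.
GUESSES_PER_HOUR = keyspace(LOWER, 7)


def hours_to_exhaust(charset_size: int, max_length: int, rate: int = GUESSES_PER_HOUR) -> float:
    """Hours this rig needs to try every password up to max_length characters."""
    return keyspace(charset_size, max_length) / rate


def describe(hours: float) -> str:
    """Round a duration into the units a reader would use."""
    if hours < 48:
        return f"{hours:.0f} hours"
    if hours < 24 * 365:
        return f"{hours / 24:.0f} days"
    return f"{hours / (24 * 365.25):,.0f} years"


if __name__ == "__main__":
    cases = [
        ("lowercase, up to 8 chars", LOWER, 8),
        ("lowercase, up to 9 chars", LOWER, 9),
        ("letters and digits, up to 9", LETTERS_DIGITS, 9),
        ("all printable ASCII, up to 9", PRINTABLE, 9),
    ]
    for label, size, length in cases:
        print(f"{label:32s} {describe(hours_to_exhaust(size, length))}")
```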
To crack longer passwords, the bad guys need to get a bit smarter about which combinations they test. This means using a dictionary file.
Is this like the Oxford English Dictionary? It can definitely include those words.
But you can put whatever you like in a dictionary file. You can include cultural references, slang, brand names, proper nouns, foreign words and common names for people and pets.
You can even include words that aren’t even really words. Patterns based around the keyboard layout, such as qwe, qwerty, asdf, 1q2w3e4r and so on, are very common in passwords, so they find their way in too.
Using dictionary and brute force attacks together
If you run brute force attacks, you’ll clean up all passwords up to a certain length. And a dictionary attack will crack passwords in the dictionary. Where it gets really diabolical is when these techniques are used together.
This means the hacker doesn’t even need to have the actual password in the dictionary file. They just need to anticipate the pattern you used to put it together.
Many passwords consist of a word followed by a set of digits – perhaps a birthdate or memorable events like an overseas holiday or getting a pet. It’s very easy to crack passwords like Vietnam2012 or Christopher666 just by trying every combination of a word followed by numbers.
Another very common password technique is to substitute various letters with visually similar numbers or symbols – so the word target might become t@rg3t. On the face of it, this seems like a clever misdirection. But so many people have used these substitutions for so long now that hackers know to check for them.
And of course, by trying different words together in different orders, it’s easy to start cracking phrases like pizzademon, ilikemonkeys or nickelbacksucks.
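A defender’s view of the three patterns just described (word plus digits, visual substitutions, and run-together words), as an added example that is not part of the original article: a checker that flags a candidate password when it can be rebuilt from a dictionary by those rules. The tiny word list, the substitution table and the function names are constructed for illustration; a real cracking dictionary holds millions of entries.

```python
import re
from typing import List, Optional

# Constructed mini word list standing in for a real dictionary file, including
# the keyboard patterns the article mentions.
WORDLIST = {"target", "vietnam", "christopher", "pizza", "demon", "i", "like",
            "monkeys", "nickelback", "sucks", "princess", "monkey", "password",
            "qwe", "qwerty", "asdf", "1q2w3e4r"}

# Reverse of the usual visual substitutions, so t@rg3t normalises back to target.
UNLEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                        "0": "o", "$": "s", "5": "s", "7": "t", "+": "t"})


def split_words(text: str, words=WORDLIST) -> Optional[List[str]]:
    """Split text into dictionary words (longest match first, with backtracking)."""
    if text == "":
        return []
    for end in range(len(text), 0, -1):
        head = text[:end]
        if head in words:
            rest = split_words(text[end:], words)
            if rest is not None:
                return [head] + rest
    return None


def predictable_pattern(password: str) -> Optional[str]:
    """Name the construction rule a hybrid attack would reproduce, or None."""
    lowered = password.lower()
    m = re.fullmatch(r"(.+?)(\d{1,6})", lowered)  # word followed by a short digit run
    stem, suffix = (m.group(1), m.group(2)) if m else (lowered, "")
    checks = ((stem, "dictionary"), (stem.translate(UNLEET), "leet-substituted"))
    for candidate, label in checks:
        if candidate in WORDLIST or split_words(candidate):
            return f"{label} word(s)" + (" + digit suffix" if suffix else "")
    return None


if __name__ == "__main__":
    for sample in ["Vietnam2012", "t@rg3t", "nickelbacksucks", "ilikemonkeys", "Xk9#vQ2pL!mR"]:
        print(f"{sample:18s} -> {predictable_pattern(sample)}")
```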
Older passwords are much less secure
The other thing that can make a big difference is the level of encryption used to store a password. I’ll do my best to keep this free of jargon.
The more processing power that an algorithm requires, the longer it takes. That slows down how many guesses can be made in any given length of time. Using a more complex encryption to store passwords makes them much harder to crack.
But every year, computer processors get better, faster and cheaper. Against this, every existing standard of encryption in effect gets weaker with every passing year. That’s why good IT professionals upgrade to stronger encryption standards.
But there’s no way to improve the encryption on an old password file stolen years ago. Your password from the ‘90s has become 100 times easier to crack.
Reusing passwords is a very bad idea
As a user, you have very little say in whether anyone has kept their encryption algorithm up to date. There are still some password files out there that don’t use any encryption at all.
Your only way to deal with this issue is to try not to reuse the same password on different accounts. But with every site on the web wanting you to sign up for everything, you’ll quickly find that you spend more time resetting forgotten passwords than getting any work done!
The solution comes in the form of a password manager: a piece of software and an encrypted database that lives either in the cloud or on your computer’s hard disk, depending on how paranoid you’re feeling.
A good password manager can generate, hash and store all your passwords for you, so you only ever need to remember your one Master Password (better make it a good one!). You can have a really long and complex password for each website and service, and those that support browser integration can autofill all of your details so you only have to click “log in”.
So where to from here?
So now you see what you’re up against. To withstand these attacks, you want your passwords to be long, to use a combination of lower case and capital letters, numbers and symbols, to avoid predictable words, phrases and patterns, to be completely unique to each account and to change periodically.
But this actually raises more questions:
What makes a word or phrase “predictable”?
Strong passwords are kind of long and complicated, so how do you juggle a unique one for every single website and service? And then do it all again every couple of years?
How do you do this in real life, where you have so many other things to think about, like running your actual business?
How do you get this right without going crazy?
I’ll be covering all of that in part 2, so stay tuned.