How I’d Hack Your Weak Passwords

Internet standards expert, CEO of web company iFusion Labs, and blogger John Pozadzides knows a thing or two about password security — and he knows exactly how he'd hack the weak passwords you use all over the internet.

Note: This isn't intended as a guide to hacking *other people's* weak passwords. Instead, the aim is to help you better understand the security of your own passwords and how to bolster that security.

If you invited me to try and crack your password, you know the one that you use over and over for like every web page you visit, how many guesses would it take before I got it?

Let's see… here is my top 10 list. I can obtain most of this information much easier than you think, then I might just be able to get into your email, computer or online banking. After all, if I get into one I'll probably get into all of them.

  1. Your partner, child or pet's name, possibly followed by a 0 or 1 (because they're always making you use a number, aren't they?)
  2. The last 4 digits of your social security number.
  3. 123 or 1234 or 123456.
  4. "password"
  5. Your city, or college, football team name.
  6. Date of birth – yours, your partner's or your child's.
  7. "god"
  8. "letmein"
  9. "money"
  10. "love"

Statistically speaking that should probably cover about 20 per cent of you. But don't worry. If I didn't get it yet it will probably only take a few more minutes before I do…

Hackers, and I'm not talking about the ethical kind, have developed a whole range of tools to get at your personal data. And the main impediment standing between your information remaining safe, or leaking out, is the password you choose. (Ironically, the best protection people have is usually the one they take least seriously.)

One of the simplest ways to gain access to your information is through the use of a Brute Force Attack. This is accomplished when a hacker uses a specially written piece of software to attempt to log into a site using your credentials. Insecure.org has a list of the Top 10 FREE Password Crackers right here.

So, how would one use this process to actually breach your personal security? Simple. Follow my logic:

  • You probably use the same password for lots of stuff right?
  • Some sites you access such as your Bank or work VPN probably have pretty decent security, so I'm not going to attack them.
  • However, other sites like the Hallmark email greeting cards site, an online forum you frequent, or an e-commerce site you've shopped at might not be as well prepared. So those are the ones I'd work on.
  • So, all we have to do now is unleash Brutus, wwwhack or THC Hydra on their server with instructions to try say 10,000 (or 100,000 – whatever makes you happy) different usernames and passwords as fast as possible.
  • Once we've got several login+password pairings we can then go back and test them on targeted sites.
  • But wait… How do I know which bank you use and what your login ID is for the sites you frequent? All those cookies are simply stored, unencrypted and nicely named, in your web browser's cache. (Read this post to remedy that problem.)

And how fast could this be done? Well, that depends on three main things, the length and complexity of your password, the speed of the hacker's computer, and the speed of the hacker's internet connection.

Assuming the hacker has a reasonably fast connection and PC here is an estimate of the amount of time it would take to generate every possible combination of passwords for a given number of characters. After generating the list it's just a matter of time before the computer runs through all the possibilities – or gets shut down trying.

Pay particular attention to the difference between using only lowercase characters and using all possible characters (uppercase, lowercase and special characters – like @#$%^&*). Adding just one capital letter and one asterisk would change the processing time for an eight-character password from 2.4 days to 2.1 centuries.

Remember, these are just for an average computer, and these assume you aren't using any word in the dictionary. If Google put their computer to work on it they'd finish about 1000 times faster.

Now, I could go on for hours and hours more about all sorts of ways to compromise your security and generally make your life miserable – but 95 per cent of those methods begin with compromising your weak password. So, why not just protect yourself from the start and sleep better at night?

Believe me, I understand the need to choose passwords that are memorable. But if you're going to do that how about using something that no one is ever going to guess AND doesn't contain any common word or phrase in it.

Here are some password tips:

  1. Randomly substitute numbers for letters that look similar. The letter ‘o' becomes the number ‘0′, or even better an ‘@' or ‘*'. (i.e. – m0d3ltf0rd… like modelTford)
  2. Randomly throw in capital letters (i.e. – Mod3lTF0rd)
  3. Think of something you were attached to when you were younger, but DON'T CHOOSE A PERSON'S NAME! Every name plus every word in the dictionary will fail under a simple brute force attack.
  4. Maybe a place you loved, or a specific car, an attraction from a holiday or a favourite restaurant?
  5. You really need to have different username/password combinations for everything. Remember, the technique is to break into anything you access just to figure out your standard password, then compromise everything else. This doesn't work if you don't use the same password everywhere.
  6. Since it can be difficult to remember a ton of passwords, I recommend using Roboform for Windows users. It will store all of your passwords in an encrypted format and allow you to use just one master password to access all of them. It will also automatically fill in forms on web pages, and you can even get versions that allow you to take your password list with you on your PDA, phone or a USB key. If you'd like to download it without having to navigate their website here is the direct download link. (Ed. note: Lifehacker readers love the free, open-source KeePass for this duty, while others swear by the cross-platform, browser-based LastPass.)
  7. Mac users can use 1Password. It is essentially the same thing as Roboform, except for Mac, and they even have an iPhone application so you can take them with you too.
  8. Once you've thought of a password, try Microsoft's password strength tester to find out how secure it is.

By request I also created a short RoboForm Demonstration video. Hope it helps…

Another thing to keep in mind is that some of the passwords you think matter least actually matter most. For example, some people think that the password to their email box isn't important because "I don't get anything sensitive there." Well, that email box is probably connected to your online banking account. If I can compromise it then I can log into the bank's website and tell it I've forgotten my password to have it emailed to me. Now, what were you saying about it not being important?

Often times people also reason that all of their passwords and logins are stored on their computer at home, which is save behind a router or firewall device. Of course, they've never bothered to change the default password on that device, so someone could drive up and park near the house, use a laptop to breach the wireless network and then try passwords from this list until they gain control of your network — after which time they will own you!

Now I realise that every day we encounter people who overexaggerate points in order to move us to action, but trust me this is not one of those times. There are 50 other ways you can be compromised and punished for using weak passwords that I haven't even mentioned.

I also realise that most people just don't care about all this until it's too late and they've learned a very hard lesson. But why don't you do me, and yourself, a favour and take a little action to strengthen your passwords and let me know that all the time I spent on this article wasn't completely in vain.

Please, be safe. It's a jungle out there.

How I'd Hack Your Weak Passwords [One Man's Blog]


Comments

    I have friends who maintain they're safe because they're on Macs. I tell them it makes no difference, but ... sigh.

    Point taken. Steps shall be taken. Very well written and informative article. Thanks John.

    Awesome. my most insecure throway password will still take a year to crack, wheras my high security ones are safe for a few millenia :D

    I suggest people use a quote from something they have an attachment too(even better if it's something you personally misquote). Let's say "Well uh... This theory of yours appears to have hit the nail on the head!"
    Now just take the first letter of each word: wuttoyathhtnoth
    l33t speak it:
    wu770y42hh7n07h
    Don't forget those caps and punctuation!
    Wu&70y42hh7n07h!

    A strong and surprisingly easy to remember password (think of the words don't try to remember the password itself).

    The table isn't long enough! How long for 23 characters with UC, LC, numbers, punctuation and no english words?

    I recommend a "Master Key" system;
    Make a super secure master key much like a serial with 4 sets of 4 characters.
    i.e. G23f X5ts N1p3 7N1f
    Then use the whole key for hyper sensitive accounts,
    and varied combinations of only 2 or 3 sets for less sensitive account logins.
    It'll be easier to remember because it's almost like having the same password for everything without the lack of security. (It might be more secure not to ever use the whole master key)

    The disadvantage of a password manager is that, like an email account, your likely to use a short simple password to access it.

    sorry to disappoint you john but you weren't even close with your 10 guesses.

    I wouldn't use 3rd parthy software to store your pw...

    Roboform? how do you know it won't send all that info to someone else. lol

    a better option would be to use a word or txt doc and type in all your user and pw and then use winrar with password to zip/rar it. then every time you want to see your pw just go into the rar file and enter your pw to view the file or modify it.

    websites don't let you use 4 char passwords or 123456 most will require you to use atleast 6 to 8 with combination of alphanumeric chars. how are you meant to make all those guesses if you only get 3 tries before you are locked out?

    i agree with Nickp. it's hard to remember 20 different pws. best to use different pws for secure accounts and then use the same pw for less serious sites. even if hackers get the pw they can access my account to their hearts content i wouldn't care.

      Jack, when you want to check your winrar file, the text file inside it is decrypted and stored temporarily on your computer. Which a hacker can simply grab. Lame.

      Software like Roboform and Keepass are built NOT to do that.

    I remember being at school and they gave every student a POKEMON(wtf?) as their password. I used a Dictionary Brute force attack on a computer getting the password of every student who'd used it as part of my argument that I shouldn't be stuck typing in bloody "charizard".

    Shouldn't have bothered with my Head of Computers. They allowed us to pick our own passwords but I was given an afternoon detention for my troubles.

    I wonder why everyone is trying to complicate things.
    A simple strategy is: generate random passwords by your computer, about 25 characters long
    nothing in the world will ever solve this, so you have about 200 bits of random information
    and each service will have it's own password, two of the biggest security problems are solved this way (same password everywhere and weak password somewhere)

    of course you will need help by remembering and typing, say: a password manager (in firefox integrated, you can use it with a master password), protect it with a rememberable and strong password, perhaps additionally with a keyfile (keepass and truecrypt can do that) [the location/identity must be your secret, choose perhaps a good song of your mp3 collection as keyfile]

    make it even more secure by hiding your master-password steganographically, like appending zipfiles to images

    the advatages are clear:
    + strong and random passwords
    + different passwords

    ok, disadvantages are also here:
    - nobody should see in your master-password-storage
    - passwords must be stored on your computer
    - master-password must be very strong
    - password-file must stay hidden/encrypted and should not get stolen

    but let's be honest
    who will ever gain access to this file? (if a virus/trojan does it, it can also log your keystrokes)

    addidional bonus: you can change most passwords easily, because you don't have to remember the new one

    what I want to say is: if you store your random and long passwords encrypted in your browser, it's probably the best compromis of security and lazyness

    oh boy, you are right! I have used passwords with all you mentioned from point 1 to 10!
    thing is though, they are all combined in the same password... i'll let you figure out the order.

    good luck!
    heh.

Join the discussion!

Trending Stories Right Now