Your Clever Password Tricks Aren't Protecting You From Today's Hackers

Security breaches happen so often nowadays, chances are you're sick of hearing about them and all the ways you should beef up your accounts. Even if you feel you've heard it all already, today's password-cracking tools are more advanced and cut through the clever password tricks many of us use. Here's what has changed and what you should do about it.

Background: Passwords Are Easier To Crack Than Ever

The same passwords are far easier to crack than they were just a few years ago, thanks to faster hardware and new techniques on the cracker's side. Ars Technica explains that inexpensive graphics processors let password-cracking programs try billions of combinations per second, so what would once have taken years to crack may now take months or even days.

Making matters worse, crackers now know a great deal more about how we choose passwords than they used to. The large-scale leaks of recent years (RockYou's in particular, which exposed its users' passwords in plain text) have shown them the patterns we follow when we make up a password, so instead of trying dictionary words one at a time they apply rules that capitalise, substitute, pad and combine wordlist entries, and recover far more passwords per run than a simple common-word attack ever did.

Take the password "Sup3rThinkers", which passes most password strength tests because it is 13 characters long and mixes upper case, lower case and a digit. The website How Secure Is My Password? estimates that a desktop computer trying four billion combinations per second would need about a million years to crack it. That figure assumes a blind search through every possible string of that length, which is not how anyone cracks passwords: an attacker who starts from a wordlist and applies mangling rules never visits most of that space. Ars Technica notes it would now take a cracker just a couple of months:

Passwords such as "mustacheehcatsum" (that's "mustache" spelled forward and then backward) may give the appearance of strong security, but they're easily cracked by isolating their patterns, then writing rules that augment the words contained in the [2009 hack of online games service] RockYou [...] and similar lists. For [security penetration tester] Redman to crack "Sup3rThinkers", he employed rules that directed his software to try not just "super" but also "Super", "sup3r", "Sup3r", "super!!!" and similar modifications. It then tried each of those words in combination with "thinkers", "Thinkers", "think3rs", and "Think3rs".

In other words, hackers are totally on to us!

What You Can Do: Strengthen Your Passwords By Making Them Unique and Unpredictable

We've suggested plenty of strong password tips over the years, but in light of the faster and newer cracking capabilities, these are worth reviewing.

1. Avoid Predictable Password Formulas

The biggest problem is that we all pad our passwords the same way (partly because most sites cap password length and require certain character types). When required to use a mix of uppercase and lowercase letters, numbers and symbols, most of us:

  • Use a name, place or common word as the seed (women tend to use personal names and men tend to use hobbies)
  • Capitalise the first letter
  • Add a number, most likely 1 or 2, at the end
  • Add one of the most common symbols (~, !, @, #, $, %, &, ?) at the end

Not only are these patterns obvious to professional password guessers; even substituting numbers for vowels or appending another word wouldn't help much, because crackers encode exactly these habits as rules and splice words from the leaked master lists together.
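
The rule-based and combinator attack described in the Ars Technica quote above, together with the "capital letter, digit, symbol" padding formula from the list, as an added example. This is illustration code written for this page, not code from Ars Technica, Redman or any real cracking tool. It assumes a constructed six-word seed list standing in for a RockYou-style leak and a constructed dump of unsalted SHA-1 hashes; every name and constant in it is made up for the example.

```python
import hashlib
from itertools import product

# Constructed stand-in for a leaked wordlist such as RockYou. Real lists have
# millions of entries; the attack below is the same, only the input is smaller.
SEED_WORDS = ["super", "thinkers", "jennifer", "password", "mustache", "dragon"]

# The substitutions, digits and symbols the article lists as common habits.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"}
COMMON_DIGITS = ["1", "2", "123", "2012"]
COMMON_SYMBOLS = ["!", "@", "#", "$", "%", "&", "?", "!!!"]


def leet(word):
    """Replace vowels (and s) with look-alike digits: super -> 5up3r."""
    return "".join(LEET.get(ch, ch) for ch in word)


def case_and_leet(word):
    """Case rules, a reversal rule (mustache -> mustacheehcatsum) and leet
    substitution: super, Super, SUPER, Sup3r, 5up3r, ..."""
    bases = {word, word.capitalize(), word.upper(), word + word[::-1]}
    return bases | {leet(b) for b in bases}


def mangle(word):
    """Full rule set for one base word: case/leet variants, then the padding
    formula (digit, symbol, or digit followed by symbol) appended to each."""
    bases = case_and_leet(word)
    out = set(bases)
    for b in bases:
        out.update(b + d for d in COMMON_DIGITS)
        out.update(b + s for s in COMMON_SYMBOLS)
        out.update(b + d + s for d in COMMON_DIGITS for s in COMMON_SYMBOLS)
    return out


def candidates(words=SEED_WORDS):
    """Yield single mangled words, then every ordered pair (combinator attack).
    The left word gets case/leet rules, the right word the full rule set, which
    is enough to build Sup3rThinkers from super + thinkers."""
    full = {w: mangle(w) for w in words}
    left = {w: case_and_leet(w) for w in words}
    for w in words:
        yield from full[w]
    for w1, w2 in product(words, repeat=2):
        if w1 == w2:
            continue
        for a in left[w1]:
            for b in full[w2]:
                yield a + b


def sha1_hex(text):
    return hashlib.sha1(text.encode()).hexdigest()


def crack(leaked_hashes, words=SEED_WORDS):
    """Offline attack against a dump of unsalted SHA-1 hashes. Every candidate
    is hashed locally and looked up in the dump, so no login attempt is ever
    made and account lockouts never trigger."""
    remaining = set(leaked_hashes)
    found, tried = {}, 0
    for cand in candidates(words):
        tried += 1
        h = sha1_hex(cand)
        if h in remaining:
            found[h] = cand
            remaining.remove(h)
            if not remaining:
                break
    return found, tried


def brute_force_years(length, alphabet_size=62, guesses_per_second=4e9):
    """What the strength meter assumes: exhaustive search of every string of
    this length over the alphabet at the article's four billion guesses/s."""
    return alphabet_size ** length / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    dump = {sha1_hex(p) for p in ["Sup3rThinkers", "Jennifer1!", "mustacheehcatsum"]}
    found, tried = crack(dump)
    print(f"recovered {len(found)}/{len(dump)} after {tried} guesses: {sorted(found.values())}")
    print(f"blind brute force of 13 alphanumeric chars: {brute_force_years(13):.0f} years")
```

Real tools do the same work in compiled code on a GPU with millions of base words and thousands of rules. The point the numbers make is that all three passwords fall within a few tens of thousands of guesses, while the strength meter's "million years" assumes a search of roughly 2 x 10^23 strings that no attacker performs.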

Other clever obfuscation techniques, such as shifting every key one position to the left or right or typing other keyboard patterns, are also sniffed out by today's tools. As one commenter on the Ars Technica article wrote, crackers use keyboard walk generators to emulate millions of keyboard patterns.
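
A keyboard walk generator of the kind the commenter refers to, as an added example. It is illustration code written for this page, not the code of any real generator (hashcat's kwprocessor is the tool practitioners actually use for this). It assumes a constructed US QWERTY layout and a constructed dump of unsalted SHA-1 hashes; the layout table and all function names are this example's own.

```python
import hashlib
from itertools import product

# Constructed QWERTY layout. Rows are left-aligned so that the same index in
# each row is roughly the same physical column: 1 sits over q, over a, over z.
QWERTY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def sha1_hex(text):
    return hashlib.sha1(text.encode()).hexdigest()


def row_walks(min_len=4):
    """Horizontal runs along a row, read both ways: qwerty, ytrewq, asdfgh, ..."""
    out = set()
    for row in QWERTY_ROWS:
        for i in range(len(row)):
            for j in range(i + min_len, len(row) + 1):
                seg = row[i:j]
                out.update((seg, seg[::-1]))
    return out


def columns():
    """The physical columns of the layout: 1qaz, 2wsx, 3edc, ..., 0p."""
    width = max(len(r) for r in QWERTY_ROWS)
    return ["".join(r[c] for r in QWERTY_ROWS if c < len(r)) for c in range(width)]


def column_walks(max_cols=3, min_len=4):
    """Vertical runs chained across neighbouring columns, each column walked
    top-down or bottom-up, with or without the digit row: 1qaz2wsx, zaq1xsw2,
    qazwsx, and so on."""
    cols = columns()
    out = set()
    for start in range(len(cols)):
        for n in range(1, max_cols + 1):
            group = cols[start:start + n]
            if len(group) < n:
                break
            for skip_digits in (0, 1):
                for dirs in product((1, -1), repeat=n):
                    walk = "".join(c[skip_digits:][::d] for c, d in zip(group, dirs))
                    if len(walk) >= min_len:
                        out.add(walk)
    return out


def keyboard_walk_candidates():
    return row_walks() | column_walks()


def crack(leaked_hashes):
    """Hash every generated walk once and look the dump up against the table."""
    table = {sha1_hex(w): w for w in keyboard_walk_candidates()}
    return {h: table[h] for h in leaked_hashes if h in table}


if __name__ == "__main__":
    cands = keyboard_walk_candidates()
    dump = {sha1_hex(p) for p in ["qwerty", "1qaz2wsx", "zaq1xsw2", "correcthorse"]}
    print(f"{len(cands)} walks generated; recovered: {sorted(crack(dump).values())}")
```

The whole candidate set is a few thousand strings, which is why a pattern that looks random to its owner ("1qaz2wsx" is two columns typed top to bottom) costs an attacker nothing: the generator enumerates every walk of the layout before it ever needs a wordlist.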

The solution: don't do what everyone else is doing. Avoid the patterns above and remember the basics: don't use a single dictionary word, a name or a date in your password; use a mix of character types (including spaces); and make your passwords as long as possible. If you have a template for creating memorable passwords, it is only as strong as the template is uncommon: once a rule is popular, crackers add it to their rule sets. (Check out IT security pro Mark Burnett's collection of the top 10,000 most common passwords, which he says covers 99.8 per cent of all user passwords in leaked databases, or this list of the 500 most common passwords on one page.)

2. Use Truly Random Passwords

Use multiple unrelated words for your strong, long password. A passphrase is both more secure and more memorable than a shorter, more complicated password, as the web comic Xkcd pointed out last year. Longer and simpler beats shorter and more complex, but only if the words you use are truly random. If your passphrase is a common quote or saying, you're a target: crackers' dictionaries include common quotes, phrases, titles and lyrics, and a rule can reduce each one to its first letters or apply any other familiar transformation. "To be or not to be", "2b30rn0t2b3" and "tbontb" might all fall in seconds to a rule-based attack, so make your passphrase genuinely unique and random. (The Xkcd password generator can pick four random words for you.)

The best option is to use a password generator and manager. The passphrase approach suits, say, your computer login or the few passwords you genuinely have to remember; for everything else, generate a truly random, long and complex password, which sidesteps pattern and wordlist attacks entirely. LastPass, KeePass or 1Password can all generate one for you. See how to build a nearly hack-proof password system with LastPass for detailed instructions. Remember, the only secure password is the one you can't remember.
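
Random passphrase and password generation, the entropy arithmetic behind "longer and simpler beats shorter and more complex", and a check that a candidate phrase is not a rule-derived form of a known quote, as an added example covering the two paragraphs above. This is illustration code written for this page, not the Xkcd generator's or any password manager's code. The twelve-word list, the three "common quotes" and the 4 billion guesses per second figure (the rate the article quotes) are constructed inputs; the 7776 figure is the size of a standard Diceware list.

```python
import math
import secrets
import string

# Constructed sample wordlist. A real Diceware list has 7776 words, which is
# why the entropy arithmetic takes the list size as a parameter.
WORDLIST = ["correct", "horse", "battery", "staple", "mustache", "thinkers",
            "glacier", "pencil", "oxygen", "lantern", "velvet", "anchor"]
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"}

# Constructed sample of the quotes and lyrics crackers keep in their dictionaries.
COMMON_QUOTES = ["to be or not to be", "may the force be with you", "let it be"]


def passphrase(n_words=4, wordlist=WORDLIST, sep=" "):
    """Pick words with the OS CSPRNG (secrets), never the random module."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def random_password(length=20, alphabet=ALPHABET):
    """What a password manager generates: uniform picks from the full alphabet."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(choices, picks):
    """log2 of the number of equally likely outputs the generator can produce."""
    return picks * math.log2(choices)


def expected_crack_seconds(bits, guesses_per_second=4e9):
    """Expected time to hit a uniformly random secret: half the keyspace at the
    article's four billion guesses per second (a GPU against a fast hash)."""
    return 2 ** (bits - 1) / guesses_per_second


def derived_forms(phrase):
    """The forms a rule set derives from one known quote: lower-cased, spaces
    removed, first letters only, and leet versions of each."""
    words = phrase.lower().split()
    forms = {phrase.lower(), "".join(words), "".join(w[0] for w in words)}
    return forms | {"".join(LEET.get(ch, ch) for ch in f) for f in forms}


def is_derived_from_quote(candidate, quotes=COMMON_QUOTES):
    """True if the candidate is a known quote or a rule-derived form of one."""
    return any(candidate.lower() in derived_forms(q) for q in quotes)


if __name__ == "__main__":
    for label, bits in [("4 Diceware words", entropy_bits(7776, 4)),
                        ("20 random chars", entropy_bits(len(ALPHABET), 20))]:
        days = expected_crack_seconds(bits) / 86400
        print(f"{label}: {bits:.1f} bits, expected offline crack {days:.3g} days")
    print(passphrase(), "|", random_password())
    print("tbontb derived from a quote:", is_derived_from_quote("tbontb"))
```

One caveat the numbers expose: the Xkcd comic's estimate assumed a thousand guesses per second, the rate of an online attack. Four Diceware words give about 52 bits, which at the offline GPU rate the article cites (four billion per second) against a fast unsalted hash is an expected five days or so. Where the hash may leak, use six or more words, or let the manager generate a 20-character random string, whose 131 bits are out of reach at any rate.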

3. Use a Unique Password for Each Site

No matter what passwords you choose or create, this is the most important security strategy of all: use a different password for each site. It limits the damage when a breach happens, and breaches do happen: if your password is compromised on one site, your other accounts stay protected.


Comments

    So if websites allowed 3 tries before locking an account for a day, or till you ask for a reset, then as far as I can see the hacker's task becomes much more difficult?

      Cracking the passwords through the website login is usually not the issue; it's when they have access to large databases of hacked/leaked usernames and passwords that this comes into play.

    I was wondering that as well - how can hackers test all those combinations both in terms of the website stopping it and also just as a time issue?

      I don't think this is how they do it. For instance, if they were able to hack into a site and gain access to the encrypted password file, they just need to download the file, then run their password algorithms, encrypt them then compare the encrypted password against the downloaded file. If the encrypted strings match, then they have a password hit, without having to attempt logging on.

        If they've hacked into the site, you probably have to assume all the data is compromised anyway (though if the data itself is encrypted when stored, a strong password will help)

        It always comes down to 'unique passwords'. If somebody works out your default password or your password-choosing scheme, you're in far more trouble than if they get one of your many simple-but-unique passwords.

        Oh, and two factor authentication. Enable it on anything really important to you.

    I've used combinations of street names from places I used to live and my dead pets' names. Most of these aren't in the dictionary. Always at least 3 6-letter words. Easy for me to remember and almost impossible for anyone else to get.

    It would be good if the article expanded Tip #3 with some hints as to how on earth you remember 10 completely randomized passwords for 10 different websites/services

      +1

      At work I've seen a strong password policy implementation only create a lot of sticky notes under the keyboard with 'notes'.

      Lastpass is a good way to do that. It's a browser plugin and standalone site that holds all your passwords for you. You have a master password which only you know and that's used to encrypt your passwords list. Basically, as long as you can remember your master password, Lastpass remembers the rest for you.

        I wonder how something like Lastpass will work in the future with both Apple and Microsoft setting things up so that your computer's log in credentials is your Apple / Live account. Need to actually be logged into your computer to run Lastpass. Potential Catch-22.

      What Tony said... that would be most helpful!!

    The best way of making strong passwords is using a password manager. Other than that, I use a whole sentence and take out key letters (e.g. the first/last/first and last letter of every word). A trick I took away from a friend was to make the sentence as dirty as you can so that you will remember it!
    Just my 2 cents

      The problem with that is if you HAVE to tell someone your password over the phone (emergency situation) it becomes very embarrassing.
      My boss had to do it once with me; it was something like muffdivingcock with some numbers instead of letters etc.

    Until we use biometric authentication in addition to passwords, we will never have really good security. Even though a person's biometric 'signature' can potentially be copied, it means the hacker has to be targeting a specific individual, making it that much more unlikely that they'll succeed.

    (The Xkcd password generator can pick four random words for you.)

    Don't use this. Not because the process isn't sound, but because if people do start using it, hackers will add the word list to their own if they don't already have it, and add the 4-random-xkcd-words sequence to their patterns. Come up with your *own* random words.

    Learn a language that is not English and write your password in that language.

    lol...I use the same crap password I have used for 20 years on all Gawker properties. As well as all other sites I don't care about. The exact same password that was released in a public torrent a few years back when Gawker got hacked. I just don't care.

    I use three tiers:

    1) I don't give a shit.
    2) I kind of care, slight modification to I don't give a shit password, still non-unique.
    3) I really, really care. TesaFreteSachuxEs36xek9fa4uwrexa, etc.

    How about a tip to turn on two factor authentication on your gmail.

    Your email is your single point of failure. If a hacker gets access to that they can do password reset on most sites.

    Listen to this week's Security Now; Steve Gibson from GRC.com has a good breakdown of it, explaining it in very easy to understand terms. Episode #366
    http://twit.tv/sn

    The problem with password generators is mobile. Good luck logging on to a website on your phone if your password is !54#5$^%&@354aerjn35@^&&jkhdrjhg6i236#^&!&g$&.

    Use a foreign language, that wouldn't be readily associated with who you are, to select the word.

    Two factor is a joke.. sms confirmation, also a joke.. hackers (social engineers) have already broken through all those "security" precautions.. Just do a quick search for "phone porting fraud" and you'll see what I am talking about.

    Best thing you can do is use a different password for EVERY login. Use special characters at RANDOM places in your password.. don't simply replace 1 with ! or 4 with $.. or even A with a 4 that you then convert to a $.. or an L or I with a 1 that you then convert to !.. it's way too predictable and easy to guess. DO use a foreign language to select a couple of words that can not be connected to you in any way.. pick a language that doesn't resemble your primary language.. for example, avoid german, spanish, italian, french words.. pick something weird and wild.

    Or simply create a genuinely random password and use that.. :)

    The problem of complex password creation, storage and real-world use has already been SOLVED by LastPass. +1 LastPass

    A password of 16 'a's seems quite secure. 345 thousand years to crack.

    I like the idea of generating a 32-character random password, with uppercase, lowercase, numbers and special characters, for all sites. The problem is that websites haven't caught up to the security everyone is preaching.

    Many sites don't allow special characters. Many sites don't allow passwords longer than e.g. 12 characters (whether they tell you or not). Often I'll enter my fantastically random password, the site will accept it, and then truncate it so I can't log in again. And then, my favourite, the sites that send me my password in a plain text email.

    Many of the readers here have gotten the message. Let's start preaching to the creators of my financial websites, etc.

    Trying to use password complexity to protect you from brute force attacks is insane. It's like trying to improve your running technique to protect you from bullets - no matter how complex your password - you're never going to get it complex enough to stay ahead of brute forcing techniques.

    Don't use secure services without lockout policies. A 1 second lockout policy after every failed password attempt still cripples brute force attacks far more effectively than password complexity. Don't use services that can email you your password when you forget it - email isn't secure and storing passwords unhashed so you can email them out to people is idiotic. And make some noise about webmasters salting hash tables. Unsalted hash tables might as well be in plain text.
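
The storage-side point the comment above makes, shown as an added example that is not the commenter's code or any site's real implementation: an unsalted fast hash lets one precomputed table crack every user who picked the same password, while a per-user salt and a deliberately slow key derivation force a separate full pass per user. The two user records and the wordlist are constructed; PBKDF2-HMAC-SHA256 from the standard library stands in here for the bcrypt, scrypt or Argon2 a site would normally choose, purely so the example runs offline.

```python
import hashlib
import hmac
import os

# Constructed user records; both users picked the same password.
USERS = {"alice": "Jennifer1!", "bob": "Jennifer1!"}


def store_unsalted(password):
    """What the comment calls 'might as well be plain text': one fast, unsalted
    hash per password, identical across users and across sites."""
    return hashlib.sha1(password.encode()).hexdigest()


def store_salted(password, iterations=200_000, salt=None):
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256). Returns the
    record a site keeps: algorithm, iteration count, salt and digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"alg": "pbkdf2_sha256", "iter": iterations,
            "salt": salt.hex(), "hash": digest.hex()}


def verify_salted(password, record):
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), record["iter"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def crack_unsalted(dump, wordlist):
    """One hash per guess serves every user at once: len(wordlist) hashes total,
    and the table can be computed before the breach ever happens."""
    table = {store_unsalted(w): w for w in wordlist}
    return {user: table[h] for user, h in dump.items() if h in table}


def crack_salted(records, wordlist):
    """Each user needs their own pass over the wordlist, every guess costs
    `iter` HMAC computations, and no precomputed table applies. Returns the
    recovered passwords and the total number of HMAC computations spent."""
    found, work = {}, 0
    for user, rec in records.items():
        for w in wordlist:
            work += rec["iter"]
            if verify_salted(w, rec):
                found[user] = w
                break
    return found, work


if __name__ == "__main__":
    wordlist = ["password", "Jennifer1!"]
    dump = {u: store_unsalted(p) for u, p in USERS.items()}
    print("unsalted:", dump["alice"] == dump["bob"], crack_unsalted(dump, wordlist))
    records = {u: store_salted(p) for u, p in USERS.items()}
    found, work = crack_salted(records, wordlist)
    print("salted:", records["alice"]["hash"] != records["bob"]["hash"], found, work)
```

With 200,000 iterations, the two-user, two-word attack above costs 800,000 HMAC computations where the unsalted version costs two SHA-1 hashes; scale that to a wordlist of millions and a dump of millions of users and the difference is what turns "cracked overnight" into "not worth attempting".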

    I always found online banking passwords to be weird. Both banks I have accounts with only allow a maximum of 8 characters, which seems like a bit of a flaw to me, as that's the one I'd really never want anyone to guess.
