A recent study by Imperva of 32 million compromised passwords for the site rockyou.com reports that an alarming number of people use easy-to-hack passwords. In light of their report, we wanted to inform the English Department community about the risks associated with insecure passwords and offer some tips for developing strong ones. This page will discuss:
* Facts and recommendations on this site come from "Consumer Password Worst Practices," "How I’d Hack Your Weak Passwords," "Study: Hacking Passwords Easy As 123456," and "Geek to Live: Choose (and remember) great passwords"
A password is considered vulnerable if it is common, too short, has recognizable words or names in it, or uses only standard letters and numbers. Here's why:
The simplest way to crack passwords is what is called a "brute force attack," which essentially means using specially designed software (which is freely available, by the way) to guess combinations of characters until one works. Though this may sound like it would take forever, and it could, the brute force attack is made feasible by the common password practices of users.
A brute force attack is not an attempt to crack every password, just some. Hackers don't have the time to try EVERY character combination, so they make educated guesses based on what will return the most unlocked passwords in the least amount of time. They typically prey on people who use either common passwords (12345, abc123, password, god, money and so on) or passwords simple enough that every combination can be guessed in a short period of time.
While the Imperva study found an alarming number of people using a short list of passwords, it also found that common practices tended to arbitrarily narrow the possible character combinations hackers need to try before getting a match and, consequently, cut down on the amount of time they need to find matches:
These typical practices reduce the number of character combinations that a hacker needs to try before opening accounts. Hackers can target this limited list of possible passwords and thereby make fewer guesses while returning more cracked accounts in less time.
| Password Length | All Characters | Only Lowercase |
| --- | --- | --- |
| 3 characters | 0.86 seconds | 0.02 seconds |
| 4 characters | 1.36 minutes | 0.046 seconds |
| 5 characters | 2.15 hours | 11.9 seconds |
| 6 characters | 8.51 days | 5.15 minutes |
| 7 characters | 2.21 years | 2.23 hours |
| 8 characters | 2.10 centuries | 2.42 days |
| 9 characters | 20 millennia | 2.07 months |
| 10 characters | 1,899 millennia | 4.48 years |
| 11 characters | 180,365 millennia | 1.16 centuries |
| 12 characters | 17,184,705 millennia | 3.03 millennia |
| 13 characters | 1,627,797,068 millennia | 78.7 millennia |
| 14 characters | 154,640,721,434 millennia | 2,046 millennia |
In short, make the field of potential character combinations in your password as broad as possible.
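The arithmetic behind the table above, as an added example that is not part of the original page: the number of guesses grows as (character set size) to the power of (length), so both a larger alphabet and a longer password multiply the attacker's work. It assumes that "All Characters" means the 95 printable ASCII characters and that the attacker tries 1,000,000 guesses per second, the rate implied by the table's own rows; the 100,000-word dictionary used for the last comparison is a constructed figure.

```python
"""Added example (not from the original page): how password length and
alphabet size determine the brute-force work shown in the table above.
Assumptions: "All Characters" = 95 printable ASCII symbols; the attacker
tries 1,000,000 guesses per second (inferred from the table's rows)."""
import string

LOWERCASE = string.ascii_lowercase                                        # 26
ALL_PRINTABLE = string.digits + string.ascii_letters + string.punctuation + " "  # 95
GUESSES_PER_SECOND = 1_000_000               # assumed rate, inferred from table

# (unit name, how many of it make one of the next unit); None ends the chain
UNITS = [("seconds", 60), ("minutes", 60), ("hours", 24), ("days", 30.4375),
         ("months", 12), ("years", 100), ("centuries", 10), ("millennia", None)]


def keyspace(length: int, charset_size: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return charset_size ** length


def seconds_to_exhaust(length: int, charset_size: int,
                       rate: int = GUESSES_PER_SECOND) -> float:
    """Worst case: every candidate is tried before the right one is found."""
    return keyspace(length, charset_size) / rate


def human_time(seconds: float) -> str:
    """Render a duration in the units the page's table uses."""
    value = seconds
    for name, per_next in UNITS:
        if per_next is None or value < per_next:
            return f"{value:,.2f} {name}"
        value /= per_next


def table_row(length: int) -> tuple[str, str]:
    """Reproduce one row of the table: (all characters, only lowercase)."""
    return (human_time(seconds_to_exhaust(length, len(ALL_PRINTABLE))),
            human_time(seconds_to_exhaust(length, len(LOWERCASE))))


def word_plus_digits_keyspace(dictionary_size: int, digits: int) -> int:
    """Guesses needed when the password is a dictionary word plus digits:
    the attacker tries dictionary entries, not every letter combination."""
    return dictionary_size * 10 ** digits


if __name__ == "__main__":
    for n in range(3, 15):
        print(n, *table_row(n))
    # Constructed comparison: a 7-letter word from a 100,000-word dictionary
    # plus 2 digits, versus a random 9-symbol string of lowercase and digits.
    print(human_time(word_plus_digits_keyspace(100_000, 2) / GUESSES_PER_SECOND))
    print(human_time(seconds_to_exhaust(9, 36)))
```

The last two lines show the page's point about recognizable words: the word-based 9-character password falls in seconds, while the random 9-character one of the same length takes years at the same rate.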
The Imperva study recommends that every password you use:
Once you come up with a password you like that meets these criteria, you can check it against Microsoft's online password security tester.
In addition, each password should be unique to its context. The reason for this is that hackers assume, usually correctly, that people use the same passwords for everything. So rather than targeting a site they expect to have tight security, like a bank, they target websites that they expect to have weaker security, as happened to Twitter in the summer of 2009. Or, they will attempt to trick you into supplying your password in a context you think is secure, usually by impersonating a website you trust or think is innocuous. Once they have one password, they will see if it opens accounts on more secure, and more lucrative, sites. If you have a unique password for each context and one is cracked, at least only one, hopefully unimportant, site has been compromised.
All of this sounds great, but, as we all know, the core issue is that we want passwords we can remember easily. This is the main reason why people use simple, read "easy-to-hack," passwords on every website they use. Here are a couple of methods for keeping all your secure passwords under control.
One option for dealing with this problem is to develop a rule set for generating passwords. That way you never have to remember individual passwords, just your rule set. Gina Trapani at Lifehacker suggests having a base password that you modify with letters from the name of the service the password is for. When using a rule set, one must be careful to select rules that generate passwords that meet the recommended criteria, but also that are not too easy to decode. If the system is easy to decipher, a hacker can potentially figure it out and then open all your accounts.
Password storage software like KeePass, RoboForm, or, for Mac users, 1Password is free, ultra-secure, and will remember your passwords for you. These programs can also be set to autofill website forms for you. LastPass works in your browser to store passwords you enter, save your form data, and generate strong passwords for you, keeping all encrypted data on your local machine so you never have to remember another password again.
Though more and more often our personal business is conducted online, we typically do not take adequate measures to protect our private data. Often the only defense we have against intrusion and identity theft is our password. While having a secure password may be inconvenient, it is light years better than the consequences of having one's online accounts hacked with a brute force attack. So, take a moment today to secure all your passwords.
Remember, to be secure against a brute force attack, a password should:
Good luck and Safe Surfing!