In Parts 1 and 2 of this series, I terrified you with stories about how sites store your passwords and how hackers can then crack them. As I said, no password is uncrackable. That’s the bad news. The good news, though, is that you can generate passwords that are strong enough so that hackers don’t bother with you.
Hackers may target specific, high-profile people, expending a lot of energy to access to their accounts. But most of the time, they’re looking for quick and easy ways to get into a large number of accounts. Remember, a really weak password can be cracked immediately.
So let’s put some numbers to this theory. Say a hacker steals hashed passwords for 10,000 people and has a computer that can attempt 1,000 passwords per second. That means he can run a basic hash-comparison check on all passwords in ten seconds. If 5% of those users have weak passwords that are found in the hash tables, the hacker will get 500 cracked passwords within in those ten seconds.
I previously mentioned the big hack of Google, Facebook, and Twitter, where user information for two million people was compromised. According to Trustwave’s Spider Labs security group, approximately 34% of those passwords are considered bad-to-terrible. Applying that statistic to our example, the hacker would garner about 3,400 passwords in that ten seconds. He’s probably going to stop there and work with what he has. Why put in the effort to crack additional passwords when you cracked so many right away? It just isn’t worth the time.
And there lies the trick: You need to make your passwords strong enough so the hackers give up on them. Strong passwords can take months to crack. Very strong passwords can take centuries. No hacker is going to wait that long with all the low-hanging fruit available.
So how do you make your passwords strong? Let me introduce you to the Ken Commandments of Passwords! (Note 1: There aren’t ten of them. I just used “Ken” to rhyme. Note 2: If you follow this blog, you’ll undoubtedly see Ken Commandment lists for all sorts of topics. It’s a concept I’ll re-use. So there.)
For these Commandments and examples, I’ll be making heavy use of security expert Steve Gibson’s Haystack Calculator, which is an amazing tool that will tell you how long a brute-force hack would take to get through all password combinations with a given set of parameters. I HIGHLY recommend that you read his article and use his calculator it to test how strong your passwords are.
Commandment 1: Follow the Rule of Four (Five is Right Out!)
The “four” in this case refers to character sets. There are four sets of characters that you can pull from to create passwords:
- Lowercase letters (26)
- Uppercase letters (26)
- Numbers (10)
- Special characters, such as $, %, and + (33)
In a brute-force attack, a hacker attempts to crack a password with one-character passwords, followed by two-character passwords, and so on. When looking at an eight-character password, Haystack tells us the following:
- With only lowercase letters, there is a password “space” of 217 billion different combinations. An offline fast-attack scenario making about 100 billion attempts per second would process the entire space in just over 2 seconds (click image 1 below).
- With both lowercase and uppercase letters, the number of unique combinations increases to 54 trillion and a fast-attack scenario would process the entire space in just over 9 minutes (click image 2 below).
- With lowercase letters, uppercase letters, and numbers in that eight-character password, it takes about 37 minutes to exhaust the entire space (click image 3 below).
- With all four character sets (lowercase letters, uppercase letters, numbers, and special characters), it would take a fast-attack a little over 18 hours to exhaust the entire space of an eight-character password (click image 4 below).
Most likely, a hacker isn’t going to wait 18 hours when he can crack a bunch of other people’s passwords in a few seconds. But other hackers might have better funding and can use a large array of computers to attempt these cracks. These arrays might be able to process up to 100 trillion guesses per second. An eight-character password using all four character sets would be cracked within 1.12 minutes. This is where Commandment 2 comes in.
Commandment 2: Longer is Stronger
The examples above assume an eight-character password. Let’s see what happens with longer passwords. The following values assume the passwords use all four character sets. The time necessary to exhaust the password space assumes that a massive attack array is being performed, making 100 trillion guesses per second.
| No. of Characters | Time to Exhaust Space |
|---|---|
| 9 | 1.77 hours |
| 10 | 1.00 weeks |
| 11 | 1.83 years |
| 12 | 1.74 centuries |
| 13 | 165 centuries |
| 14 | 15,670 centuries |
As you can see, simply adding a few characters can really make a difference. Unfortunately, computers are getting faster all the time, so these times will undoubtedly shrink. But most security experts believe that a 14-character password using all four character sets is strong enough to where you don’t have to worry about it getting cracked in a brute-force attack.
Commandment 3: Use a Different Password for Every Site
I know, I could sense you all shouting, “What are you, crazy?!” But you know what, say a hacker does manage to get your password for a site. Maybe that site is using old encryption that’s easy to break. If a hacker gets your password for a site, they will certainly try that same password for other sites. If you use the same password for your bank account, I probably don’t need to tell you what’s going to happen to your money.
At the very least, use a unique password for each site that has access to your money (your bank, Amazon, PayPal, etc.) and use a unique password for each email account.
If you use a different password for every site, a hacker who manages to crack one password will not have access to anything else.
Commandment 4: Change Your Passwords Often
You probably have a lot of passwords, and the thought of having to change all of them sounds like a pain in the butt. But it’s a good way to play keep-away with the hackers. If they get their hands on your hashed password and really devote themselves to cracking it, it won’t do them any good if you’ve changed it before they crack it. At the very least, if a site that you use is hacked, change your password on that site immediately. If you’re feeling ambitious, change your passwords on five or ten sites every month. Come up with a rotation where every password is changed once a year.
Commandment 5: Don’t Make it Easy for the Hackers
People do crazy things for the sake of convenience. Every year, a list of the most common passwords is issued. Here’s the list from 2013. Check it out and see if any of yours show up. If so, change them NOW. These are the first passwords tested in a brute-force attack.
Don’t use dictionary words. They are the second group of passwords tested. Adding a number to the end of a dictionary word (i.e., password1) doesn’t help, so don’t do that, either.
Don’t use dictionary words with leet-speak (substituting numbers or special characters for letters). If your password is p@ssw0rd or p1zza, it’s in the third set of passwords tested, meaning you’re still doomed.
Don’t use the names of family members or pets. Anyone can find out your dog’s or kid’s name by looking at your Facebook or Twitter feed. Even if you think that stuff is private, it’s really not. A hacker could send you a friend request posing as someone you went to high school with, check out all your family members, and try using their names to hack into your accounts (this is an example of “social engineering,” which I’ll address in a future post). It happens all the time. And, sadly, it works all the time. And most names are also tested early in a brute-force attack.
And don’t write them down where others can find them. If you’ve got your passwords on sticky notes all over your monitor and someone breaks into your house, you’ve just given them access to everything. If you have to write them down, put them somewhere safe. Like a safe. Or a lockbox.
A Note on Password Managers
I would be remiss if I failed to mention password managers. These are applications that generate random, strong passwords, and then manage them for you so you don’t have to remember all of them, logging you into sites as you visit them. You set a master password for the app, and that’s the only one you have to remember. A lot of people swear by password managers, but I don’t use them. They are a single point of failure, so if something goes wrong, or if I forget my master password, I lose access to everything. And if my database is stolen and the hacker manages to crack the encryption, the hacker gets access to everything. I know it’s a long shot, but I’d rather keep my passwords in my own hands than trust a third party not to botch it on me.
In Conclusion
No password is 100% foolproof. But that doesn’t mean that every password is equally susceptible. If you’re the president of a country or large corporation, there might be hackers trying desperately to access your files. But, if you’re just an average person, a password that takes more than a few days to crack is probably good enough to prevent its being compromised.
I have a couple more related articles planned, so if you find these password articles helpful, keep an eye out for the next few. I want to explain things like phishing and social engineering. I might also do a writeup of how I manage my own passwords. It might be a little over the top for most people, but it might give you some good ideas, too.
Until then, stay safe everyone!