We’ve all read about good password practice or tips on how to choose strong passwords that are easy to remember but difficult to guess. As it turns out, many of these suggestions are not effective, or are just plain useless, in stopping hackers from recovering the original passwords from stolen password files.
So why do hackers always make a beeline for password files? The reason for their appeal is simple: The vast majority of users reuse their password over and over again. Successfully recovering the original passwords from a hashed password file essentially gives hackers the keys to a treasure trove of user accounts that can be abused or sold for a profit. In addition, it doesn’t help that usernames are almost always the email address of the user these days.
In an attempt to understand how real-world hackers work, a recent report on Ars Technica saw a trio of security experts roped in to break into one such password file. The showdown saw the most determined cracker successfully recover a staggering 90 percent of the over 16,000 hashed passwords in just 20 hours using nothing more than a home PC-type setup – including complicated-looking passwords such as “qeadzcwrsfxv1331.”
Based on the real-life cracking techniques described in the article, I list out three simple tips below that actually have a chance against professional cybercriminals. At the end, I also offer an explanation on why even a password such as “qeadzcwrsfxv1331” got brute-forced.
Make Your Password 10 Characters or Longer
Short passwords are always the first ones to fall to the specialized cracking tools harnessed by hackers. Indeed, trying every possible combination of characters for passwords up to six characters long can take mere hours. To be safe against sophisticated hackers, it is vital to start with a minimum password length of at least 10 characters.
Random Passwords Are Stronger
Forget all the advice you’ve heard over the years about mixing words found in the dictionary with random characters. Indeed, the massive word lists used by hackers mean that any password built from words found in daily usage is severely weakened. The same goes for tricks that make passwords easier to remember, such as replacing the letter “S” with “$” or the numeral “0” with the letter “o.” This is because most cracking tools are designed specifically to make guesses using such substitutions.
Use a Mixture of Uppercase and Lowercase Characters, Symbols and Numbers
While the use of uppercase characters, symbols and numbers does make passwords much harder to remember, it also goes a long way toward thwarting crackers by significantly increasing the number of combinations required to brute-force them. Indeed, crackers always start by attempting to guess the easiest passwords first, and may not even attempt to crack passwords containing such a diverse combination of characters.
Conclusion: Be Password-Savvy
To be clear, the three tips above must be implemented in tandem to be effective. For example, having a highly randomized password, but just keeping it to eight characters will likely see your password guessed in short order. Similarly, a lengthy password is no use if it is not sufficiently randomized or contains words found in the dictionary.
Of course, the use of a robust hashing algorithm on the part of the website or online service provider plays a major part in making things harder for hackers as well. As users have no insight or control over this matter, however, they will be much better served by simply following the directions above as a precaution.
Finally, how does a password like “qeadzcwrsfxv1331” get cracked? It should be obvious now that in spite of its length, the password was fatally weakened by its lack of symbols or uppercase letters and its lack of randomness. Think about it: All 16 characters in that password can be typed out by a touch-typist using only their left hand, which was clearly a decision made for the sake of convenience.
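To make the three tips above, and the explanation of why “qeadzcwrsfxv1331” fell, concrete, here is an added password-strength check (example code written for this post, not a tool from the Ars Technica article). It scores the keyspace a pure brute force would face, undoes the common “$” for “s” / “0” for “o” substitutions before looking for dictionary words, and flags passwords typed with the left hand only; the word list and the left-hand key set are constructed for the example.

```python
import math
import re

# Constructed stand-in for the massive word lists cracking tools use (not a real list).
COMMON_WORDS = {"password", "dragon", "letmein", "welcome", "monkey", "summer"}
# Substitutions that cracking rules undo automatically before comparing with the word list.
LEET_MAP = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"})
# Keys a touch-typist reaches with the left hand on a QWERTY keyboard (assumed layout).
LEFT_HAND_KEYS = set("qwertasdfgzxcvb12345")

def charset_size(pw):
    """Size of the character set a cracker must search for a pure brute force."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33  # printable ASCII symbols
    return size

def brute_force_bits(pw):
    """Upper bound only: log2 of the keyspace; patterns and words make the real cost far lower."""
    return len(pw) * math.log2(charset_size(pw))

def has_dictionary_word(pw):
    """Undo the substitutions first, exactly as a cracking rule set would."""
    normalized = pw.lower().translate(LEET_MAP)
    return any(word in normalized for word in COMMON_WORDS)

def is_left_hand_only(pw):
    return all(c in LEFT_HAND_KEYS for c in pw.lower())

def assess(pw):
    """Return the weaknesses found when the three tips are applied together."""
    problems = []
    if len(pw) < 10:
        problems.append("short")
    if charset_size(pw) < 95:
        problems.append("limited charset")
    if has_dictionary_word(pw):
        problems.append("dictionary word")
    if is_left_hand_only(pw):
        problems.append("left-hand keyboard pattern")
    return problems
```

Calling assess("qeadzcwrsfxv1331") returns ['limited charset', 'left-hand keyboard pattern'] despite its 16 characters, while assess("P@$$w0rd") returns ['short', 'dictionary word'] because the substitutions are undone before the word list is consulted.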
So what are your thoughts on this? Feel free to share them in the comments section below.