Passwords really are a funny thing. We create a key that unlocks an account, but if someone finds out what that key looks like, that person will have access. The scary thing? It’s not that difficult.
It’s recommended that we choose a password that is easy to remember while fitting the criteria set by the service provider. This typically means a minimum length plus at least one number, one special character, and one capital letter. Services impose these rules with the intent of forcing users to pick “stronger” passwords, which in turn is supposed to make the service more secure. (Current NIST guidance, SP 800-63B, actually advises against mandatory composition rules of this kind, favoring length and a check against lists of known-breached passwords, for much the same reasons the rest of this article walks through.)
So how can we make a password that follows these specifications and is easy to remember, but doesn’t rank among the most common and easy to guess passwords on the web?
Many people make their passwords out of a name and a number, like the name of their dog and their birth year (e.g. Biscuit84!). Others use a simplified word or phrase (e.g. forever = 4Ever!; eye for an eye = Eye4neye!). These passwords satisfy the minimum rules of most websites, but they are still easy to crack.
Easy-to-remember information is basic information. An attacker can learn the name of your dog and the year you were born in the course of a three-minute conversation, or skip the conversation and read your social media. But there are other ways to crack a password open.
Remember those spy movies where the main character plugs a device into a computer and finds the password by running through thousands of possible combinations? That really happens, and it’s called brute force: the attacker uses a program to try every possible combination until one works. In practice this is almost always done offline, against a copy of the password hash taken from a breached server, because a live login page slows down or locks out anyone who guesses too often. That detail matters for every time estimate below.
Let’s say I want to break into your smartphone and you have a four-digit passcode. That’s ten digits in four positions, so there are only 10,000 possible combinations. For this scenario, let’s say your passcode is i4ni (4464 on a phone keypad), and my software sees something like this: _ _ _ _. A brute-force program, which guesses far faster than I can type, can run through all 10,000 combinations in a couple of milliseconds if it has a copy of the stored hash; that is exactly why phones add lockouts and escalating delays after a few wrong guesses. More characters mean a stronger password because there are more possible combinations.
Now let’s move on to a computer, where a password can be almost anything you want. If the password is “eye4n!”, it can be cracked in about 34 seconds by brute force under the usual assumptions of a fast, unsalted hash and GPU hardware; against a deliberately slow, salted hash such as bcrypt or Argon2 the same search takes far longer. Still, what can be improved? There are twenty-six letters in the alphabet (fifty-two if we distinguish lowercase from uppercase), ten digits, and thirty-two printable special characters (thirty-three counting the space, and not counting alt-codes). To the cracking software they are all just entries in the alphabet it enumerates.
Statistically, most people use only lowercase letters and numbers, 36 symbols per position (two characters give 1,296 possible outcomes, three give 46,656, four give 1,679,616, and so on). Adding special characters puts another 32 options in every position. The password “Eye4n!” has six positions drawn from numbers, uppercase and lowercase letters, and special characters, so an attacker who assumes nothing about its shape must try 94^6, about 690 billion combinations (95^6, about 735 billion, if the space is counted as well). That number collapses once the attacker uses what people actually do: most capitalize only the first letter if they use uppercase at all, and put an exclamation point at the end as their only special character. A cracker that enumerates only “capital, lowercase, lowercase, digit, lowercase, symbol” faces 26 × 26 × 26 × 10 × 26 × 32, about 146 million combinations, several thousand times fewer. All of a sudden, a password that seemed strong falls in around 34 seconds or less.
One answer to what can be improved is to add a space or spaces inside the password, which in practice means making it longer.
If we change “Eye4n!” to “Eye 4 n !”, the brute-force estimate jumps from seconds to months. The reason is length, not the space itself: nine positions instead of six multiplies the search space by 95^3, roughly 860,000 times. A space is just one more symbol in the alphabet (94 becomes 95), so an attacker who expects it loses almost nothing by including it, and modern cracking tools include it by default. What spaces really do is push people toward longer passphrases. Knowing this, how long would an exhaustive search take against a passphrase as simple as “Eye 4 an eye makes 1 blind!”, twenty-seven characters? Far longer than anyone will wait. One caveat: a phrase made of common words is not attacked one character at a time. Crackers have modes that combine dictionary words and apply rules such as “capitalize the first word” or “append !”, so the real strength of a passphrase is how many words it has and how unpredictable they are. Three or four unrelated words beat a well-known proverb with digits swapped in.
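The arithmetic behind the passcode, “Eye4n!” and passphrase scenarios above, as an added worked example (this is editor-supplied code, not Mission Multiplier’s): it brute-forces the 4-digit PIN against a constructed SHA-256 digest, sizes the full 95-symbol search space against the “capital first, ! last” mask an attacker would actually use, and compares a word-based passphrase. The guess rates, the 2,000-entry vocabulary and the mask notation (borrowed from hashcat’s ?l ?u ?d ?s ?a tokens) are assumptions for illustration, not measurements.

```python
"""Search-space arithmetic for brute-force, mask and passphrase attacks.

Added example for this article, not the original author's code. The guess
rates are labelled assumptions; real numbers depend on the hash algorithm
and the attacker's hardware.
"""
import hashlib
import itertools
import math
import string
from typing import Dict, Optional, Tuple

# Character classes as a cracker sees them (hashcat-style mask tokens).
CLASS_SIZES = {
    "l": len(string.ascii_lowercase),   # 26
    "u": len(string.ascii_uppercase),   # 26
    "d": len(string.digits),            # 10
    "s": len(string.punctuation),       # 32 printable ASCII symbols
    "a": 26 + 26 + 10 + 32 + 1,         # 95: all printable ASCII incl. space
}

# Assumed rates, not measurements: a fast unsalted hash (MD5/SHA-1 class) on
# one GPU versus a deliberately slow KDF such as bcrypt at a high cost factor.
FAST_HASH_GUESSES_PER_SEC = 10_000_000_000
SLOW_KDF_GUESSES_PER_SEC = 100_000


def keyspace(charset_size: int, length: int) -> int:
    """Candidates for an exhaustive search: charset_size ** length."""
    return charset_size ** length


def mask_keyspace(mask: str) -> int:
    """Candidates for a mask like '?u?l?l?d?l?s': the product of the class
    sizes. This is what an attacker enumerates once they assume the usual
    'Capital first, ! last' shape instead of 95 symbols in every position."""
    if not mask.startswith("?"):
        raise ValueError("mask must be built from ?l ?u ?d ?s ?a tokens")
    total = 1
    for token in mask.split("?")[1:]:
        if token not in CLASS_SIZES:
            raise ValueError(f"unknown mask token ?{token}")
        total *= CLASS_SIZES[token]
    return total


def passphrase_keyspace(vocabulary_size: int, word_count: int) -> int:
    """Candidates when the attacker knows the password is word_count words
    drawn from a vocabulary of vocabulary_size (a combinator attack)."""
    return vocabulary_size ** word_count


def entropy_bits(space: int) -> float:
    """Bits of entropy of a candidate chosen uniformly from `space`."""
    return math.log2(space)


def seconds_to_exhaust(space: int, guesses_per_sec: int) -> float:
    """Worst-case time to try every candidate at the given rate."""
    return space / guesses_per_sec


def pin_digest(pin: str) -> str:
    """Stand-in for a stored credential: an unsalted SHA-256 of the PIN."""
    return hashlib.sha256(pin.encode()).hexdigest()


def brute_force_pin(target_hash: str, digits: int = 4) -> Tuple[Optional[str], int]:
    """Offline brute force of a numeric PIN against its SHA-256 digest.
    Returns (pin, attempts). Candidates are tried in order from 0000, so a
    4-digit PIN costs at most 10,000 hashes; only lockouts and slow hashing
    make this expensive in practice."""
    attempts = 0
    for combo in itertools.product(string.digits, repeat=digits):
        attempts += 1
        pin = "".join(combo)
        if pin_digest(pin) == target_hash:
            return pin, attempts
    return None, attempts


def compare() -> Dict[str, float]:
    """Worked numbers for the passwords discussed in the article."""
    full_six = keyspace(95, 6)                  # "Eye4n!", any of 95 symbols per position
    masked_six = mask_keyspace("?u?l?l?d?l?s")  # same password, attacker assumes its shape
    full_nine = keyspace(95, 9)                 # "Eye 4 n !"
    # "Eye 4 an eye makes 1 blind!" is 7 space-separated tokens; assume the
    # attacker's combinator list has 2,000 entries covering such tokens.
    phrase = passphrase_keyspace(2000, 7)
    return {
        "six_full_bits": entropy_bits(full_six),
        "six_masked_bits": entropy_bits(masked_six),
        "six_masked_seconds_fast": seconds_to_exhaust(masked_six, FAST_HASH_GUESSES_PER_SEC),
        "nine_full_seconds_fast": seconds_to_exhaust(full_nine, FAST_HASH_GUESSES_PER_SEC),
        "nine_full_seconds_slow": seconds_to_exhaust(full_nine, SLOW_KDF_GUESSES_PER_SEC),
        "phrase_bits": entropy_bits(phrase),
        "phrase_seconds_fast": seconds_to_exhaust(phrase, FAST_HASH_GUESSES_PER_SEC),
    }


if __name__ == "__main__":
    # Constructed digest of 4464, "i4ni" on a phone keypad as in the article.
    print(brute_force_pin(pin_digest("4464")))
    for name, value in compare().items():
        print(f"{name:26s} {value:,.2f}")
```

The masked search for “Eye4n!” is about 27 bits of work against roughly 39 bits for the blind search, which is the gap the article describes; the nine-character version moves the fast-hash estimate into years, and switching the stored hash from a fast digest to a slow KDF adds another five orders of magnitude on top of anything the user does.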
Passwords need to be strong because they are the keys to our virtual lives. Your banking app has a password. Your social media and email have passwords. Your device has a password. And if you reuse passwords, once one is cracked, most of your accounts are at risk, because attackers routinely replay leaked credentials against other services. Your security improves dramatically when every account has its own strong password that is easy for you to remember and for no one else to guess; a password manager makes that practical.
If you, your organization or company, or someone you know would like more information on password cracking or our company, please do not hesitate to reach out to Mission Multiplier at firstname.lastname@example.org.