Password crackers are software programs used to discover someone’s password. Several free ones are available on the internet, and because of them it’s commonplace to hear about weak passwords leading to a personal data breach. The advice to fix it usually goes something like this:

  1. Use a mix of letters, numbers, and symbols in your password.
  2. Don’t choose your name/birthday, kid’s birthday/name, spouse’s birthday/name, pet’s names, favorite sports team, etc as part of your password.
  3. Don’t tell anyone your password or write it down.
  4. Use a password manager program to generate and store all of your passwords.

Some of these are more effective than others at securing your passwords. In information security, three things are typically considered when authenticating someone to a system:

  1. Something you are
  2. Something you know
  3. Something you have

The username/password scheme uses the first two of these: you are your username and you know (hopefully) your password. Systems that require higher security place stricter controls on top of that, such as authentication tokens or one-time password pads. Most of the time only the first two are used.

What’s in a Username?

Usernames are typically either assigned, an email address, or a user-selected name that people tend to reuse across multiple sites. You can buy a little extra security by not reusing usernames across platforms: that way, if someone has a username and password you use for one account, they can’t simply try the same pair everywhere.

Password Crackers

There are numerous password cracking programs available, free or paid, in the public domain. They are designed to guess, either intelligently or non-intelligently, at a user’s password. Password crackers typically require the user’s username and some idea of the system where the password is used. For certain systems the cracker will require a secure hash of your password, which can be obtained in numerous ways (that’s another article).

Once the needed information is obtained, the password cracker starts to perform its magic. Password crackers often use a dictionary of common words or names. They may join two words together, add numbers or symbols after the dictionary words, or fall back to brute force, in which every possible combination of letters/numbers/symbols is tried.

Keep in mind these comparisons are done at high speed. Some password crackers can try MILLIONS of combinations per second. How long do you think it would take to find a password at that speed?

If you consider a password of only letters that is 8 characters long, that is 208,827,064,576 possible combinations. If you have a password cracker that can try 1 million passwords a second, that’s only 58 hours’ worth of security.

That leads back to the list of things you should do to make your password more secure.

Use letters, numbers, and symbols in your password

The idea is to make each possible guess have a larger keyspace to search. In a system with only letters there are only 26 possible letters to try for each position. Adding numbers to this makes it 36, and most common symbols on a keyboard 50+.

If you consider a password of only letters that is 8 characters long, that is 208,827,064,576 possible combinations. If you have a password cracker that can try 1 million passwords a second, that’s only 58 hours’ worth of security.

If you consider a password of only letters and numbers that is 8 characters long, that is 2,821,109,907,456 possible combinations. If you have a password cracker that can try 1 million passwords a second, that’s only 783 hours (about 33 days) worth of security.

Add the symbols to get to 50+ and it’s 39,062,500,000,000+ combinations, or about 452 days’ worth of cracking time.

That sounds good on paper. But adding these symbols/numbers is actually a little misleading. For example, how many people simply add a “1” at the end of their password to satisfy a number requirement? How many people add one symbol at the end to satisfy the symbol requirement, or capitalize just the first letter, or add a year, or replace “a” with “@” or “s” with “$” or add a “!” at the end of their password?  Password cracking software has become more sophisticated and knows these tricks.

Don’t choose your name/birthday, kid’s birthday/name, spouse’s birthday/name, pet’s names, favorite sports team, etc as part of your password.

The same password crackers start with a list of commonly used names, words, sports teams and so on, then add years, numbers and symbols and do character replacement. Some even combine two or more words. This is significantly quicker than the brute force techniques mentioned above.
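As an added illustration (not the article’s code), the estimator below scores a password the way these dictionary-plus-rules crackers search it, which is what a defender’s password strength check should do instead of counting characters. The word list, the per-rule variant counts and the substitution count are constructed assumptions; real cracker dictionaries hold millions of entries.

```python
# Added example (not from the article): a strength estimator that reasons the
# way a rule-based dictionary attack does, so a defender can see why a
# "word + year + symbol" password is far weaker than its length suggests.
import re

# constructed sample word list; a real cracker dictionary has millions of entries
WORDLIST = {"summer", "password", "dragon", "yankees", "fluffy", "baseball"}
# common character replacements the article mentions, mapped back to letters
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e"})

# (regex for a suffix rule, assumed number of variants that rule generates);
# order matters: trailing symbols are peeled off before trailing digits/years
RULES = [
    (r"[!@#$%^&*]{1,2}$", 64),  # one or two appended symbols
    (r"\d{4}$", 200),           # an appended year
    (r"\d{1,2}$", 100),         # one or two appended digits
]
SUBSTITUTION_VARIANTS = 4  # assumed: capitalize first letter, leet swaps, ...

def base_word(candidate: str) -> str:
    """Undo capitalization and common substitutions (dr@g0n -> dragon)."""
    return candidate.lower().translate(LEET)

def guesses_for(password: str, wordlist=WORDLIST):
    """Rough upper bound on guesses a dictionary-plus-rules attack needs,
    or None when the password does not fit the word+mangling pattern."""
    stripped, variants = password, 1
    for pattern, count in RULES:
        match = re.search(pattern, stripped)
        if match:
            stripped = stripped[:match.start()]
            variants *= count
    word = base_word(stripped)
    if word not in wordlist:
        return None  # not a dictionary word: the attacker is back to brute force
    if stripped != word:  # capitalization or leet substitutions were used
        variants *= SUBSTITUTION_VARIANTS
    return len(wordlist) * variants

if __name__ == "__main__":
    for pw in ["Password1!", "summer2019", "dr@g0n", "Xq7!kL2pzR"]:
        guesses = guesses_for(pw)
        brute = 50 ** len(pw)  # the article's 50-symbol charset at full length
        verdict = f"~{guesses:,} guesses" if guesses else "no dictionary base"
        print(f"{pw:12} {verdict:28} (brute force would be {brute:,})")
```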

Don’t tell anyone your password or write it down.

Sometimes it’s OK to share a password, a joint bank account with your spouse, for example. It’s important that everyone involved knows the security implications. Just don’t share a password with just anyone. A lot of people like to reuse passwords, and the password you shared once for one seemingly minor purpose may have far greater consequences when it’s also used on another website. And please don’t write them down. What if your purse/wallet gets stolen or your house broken into? It doesn’t do a lot of good to keep your money in a bank when someone knows your password.

Use a password manager program to generate and store all of your passwords.

Password managers are great for generating long, difficult-to-guess passwords. They have a couple of major problems:

  • They are the master key to the kingdom. What happens if the manager gets breached, or someone steals the computer or phone it is installed on?
  • Without the program you won’t know your password. There are some cloud services that help with this issue, but I’m still not convinced I won’t be stuck somewhere trying to find a way to log into something when I can’t access the cloud service.

So what’s the best way to strengthen your password?

LENGTH.

Simple as that: make it longer. The chart below shows the number of days to break a password given its complexity and length.

[Chart: password security, days to break a password by complexity and length]

Adding 1 character to the length is roughly equal to adding 10-14 more characters to the complexity. Which is easier for users to remember and use: a complex mix of letters, symbols and numbers, or simply adding another word, partial word, or a couple of random letters to their password?
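The arithmetic behind the 58-hour, 783-hour and 452-day figures above, and the length-versus-complexity chart this section refers to, as an added example that is not the article’s own code. It keeps the article’s assumptions (charsets of 26, 36 and 50 symbols; 1 million guesses per second) and also computes what one extra character is worth when expressed as added charset size.

```python
# Added example (not from the article): the brute-force arithmetic behind the
# figures in the text, plus the length-vs-complexity chart the article describes.
GUESSES_PER_SECOND = 1_000_000  # the article's assumed cracker speed

# charset sizes used in the article
CHARSETS = {"letters": 26, "letters+digits": 36, "letters+digits+symbols": 50}

def keyspace(charset_size: int, length: int) -> int:
    """Number of candidates a full brute force of that charset/length covers."""
    return charset_size ** length

def seconds_to_exhaust(charset_size: int, length: int,
                       rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return keyspace(charset_size, length) / rate

def days_to_exhaust(charset_size: int, length: int,
                    rate: int = GUESSES_PER_SECOND) -> float:
    return seconds_to_exhaust(charset_size, length, rate) / 86400

def equivalent_charset(charset_size: int, length: int) -> float:
    """Charset size c with c**length == charset_size**(length + 1): what one
    extra character is worth, expressed as added 'complexity'."""
    return charset_size ** ((length + 1) / length)

def chart(lengths=range(8, 13), charsets=CHARSETS, rate=GUESSES_PER_SECOND):
    """Days to exhaust every (charset, length) combination."""
    return {name: {n: days_to_exhaust(size, n, rate) for n in lengths}
            for name, size in charsets.items()}

if __name__ == "__main__":
    for name, size in CHARSETS.items():  # reproduces 58 h, 783 h, 452 d
        print(f"{name:>24}: {keyspace(size, 8):>20,} candidates, "
              f"{days_to_exhaust(size, 8):>8,.1f} days")
    print("a 9th letter is worth a charset of about "
          f"{equivalent_charset(26, 8):.0f} symbols at length 8")
    print("length".rjust(24) + "".join(f"{n:>14}" for n in range(8, 13)))
    for name, row in chart().items():
        print(name.rjust(24) + "".join(f"{d:>14,.1f}" for d in row.values()))
```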

Well what about websites and systems that lock you out after so many tries?

People reuse passwords. Some systems don’t lock you out. Furthermore, your password may be stored in a keychain-type system on your mobile device, or saved in your web browser.

by
Mark Davis, Ph.D. CISSP, CCFP