Take a second and try to remember all the online accounts you access on a regular basis. Every username, every password, every PIN. It’s not an easy task to undertake.
Now consider how difficult it would be for someone to guess one of your passwords. To your credit, you’ve probably discontinued using your pet’s name or the numbers 1-6 in sequential order and decided to throw in some numbers or symbols near the end. However, hacking tools are far better at guessing than you may imagine and, at rates of up to billions of guesses per second, much more persistent. The ever-present threat of identity theft looms large.
So, what are our options? How can we combat this rising issue? As technology evolves — and it constantly is — we need to consider the new and sophisticated ways that the science of cracking passwords is taking advantage of human limitations.
A little backgroundPasswords are designed to authenticate you before granting you access to your account. To defend against the many threats out there, it’s important to have a better understanding of how passwords are securely stored and encrypted.
Passwords are typically stored on encrypted servers that account providers own and operate. Companies that store passwords must do so using strong encryption techniques to ensure their security. This provides an extra line of defense if the account provider’s network becomes compromised by an attack and the database of passwords is leaked.
Now, password protection hinges on your understanding of how encryption works. Do not be daunted by the assumed complexity of this topic. The ideas at play here are actually quite simple. Encryption uses an algorithm to randomly generate a fixed-character key (commonly called a “hash”) that represents our unique password. Upon attempting to access our account, we submit our password. The password is then hashed using the same encryption program and compared to the hashed password stored with our account. If they’re an exact match, you successfully gain access to your account.
To more clearly understand the hashing process, consider this example: if “cheetah” was my password, a hash would be generated and stored to represent it. If I changed my password by merely one character, say by adding an “s” and making it “cheetahs,” my new hash would be completely different from the first. There’s no getting close to matching a hashed password. It’s either completely correct or completely incorrect.
Actually obtaining a hashed password is more difficult than breaking one. In order to steal the hashed passwords, hackers must first break through firewalls and other security protocols in place by the system to keep unauthorized users out. The method of breaching a system and extracting the pass-word hashes from an encrypted database is a separate, complex topic, so we’ll focus on what’s done with that encrypted password once it’s been leaked or stolen.
Now that you understand how passwords are stored and the basis for how password hashes are generated — by using your original characters and creating a scrambled code that represents them — consider the ways they can be cracked.
Cracking toolsThere are many tools and techniques available to assist password crackers in their mission to crack your password. Once you understand how a password cracker attempts to compromise your account, you should have real insight into how to create a password that will better protect your information.
There are many programs that assist in the cracking of your hashed password. Most use an enormous list of text, called data dictionaries, which are composed of billions of words from nearly any online source, all contained in one list. The list includes books published online; full dictionaries in English, Spanish, French, German, and Russian; previously leaked passwords from other attacks; song lyrics; the Bible; text from Wikipedia pages; and Google searches. As the amount of information available on the web increases, hackers are better equipped than ever to create these massive libraries of passwords.
More recently, sites like Facebook, YouTube, Twitter, and Instagram are fueling attacks for specific account hacking. For example, an attack on Militarysingles.com, which is a dating site for men and women in the armed services, had accounts compromised using data libraries of information that were gathered primarily from postings on Twitter. Words like “hoorah” don’t appear in a dictionary but were commonly found in social media shared by military personnel. As you might expect, “hoorah” was also found as a component of many users’ passwords for the dating site.
Social media provides a whole new host of common slang and misspellings that help password crackers form a comprehensive list of words to test against your password.
Now, you’re probably thinking, “My password isn’t a bunch of words that could be taken from the web or a dictionary.” The most popular ways of scrambling our passwords are all well-known techniques that the hacking community is acutely aware of and provide us only marginal additional security.
Password crackers have a more sophisticated technique for cracking your password; this tool uses combinations from the data library of words mentioned before and then tweaks them ever so slightly to create a unique guess at your password. For example, if the password cracking tool tried to crack my original example of “cheetah,” it would guess many different combinations based on predefined rules that can be employed by the application.
Say you thought that spelling it backwards (hateehc) would avoid being compromised, or you decided to use numbers (ch33t4h) or symbols (cheet@h) in place of letters. Each of these would be guessed, in addition to many other common alterations of the original word.
Fighting backSo what can we do? For starters, increase the length of your passwords. This idea is most commonly realized through the use of pass phrases. For example, “What is my favorite number and color? 27&Blue.” This password is long, alpha numeric and easy to remember. By increasing the number of characters in a password, guessing becomes significantly more difficult. As the character count increases by one, the amount of time necessary to crack it increases exponentially.
Protecting your identity is para-mount. By failing to safeguard the sites that hold pieces of your identity, you’re leaving yourself vulnerable to attacks that could jeopardize your future. Matters for concern could be your credit rating because of fraudulent purchases, embarrassing posts that are generated from your rogue account, or just the annoyance of having to close an account due to its seizure by an enemy party. If one account of yours has been compromised in the past, update your passwords for all your logins and not just the compromised login. Ideally, each of your accounts should have unique passwords. However, there are strategies for people that have more accounts than they can remember.
One option may be to categorize or bucket your passwords. This would allow you to diversify your security by only linking passwords for common groups of accounts. For example, to keep things simple, you could have one password for all of your online mail accounts, one for your sensitive banking/investment information, one for retail purchases made online, and one for work-related logins. This way if one account is in jeopardy of being compromised, you’re aware of other accounts that share that password. The complexity of each password would likely be in relation to the confidential nature of the account type.
No password is uncrackable. Given enough time, resources, and fervent dedication, any password can be compromised. Remember to create passwords that are complex, long in length, and unique in ways that will not appear in any dictionary, blog, or comment section of social media. As the data dictionaries continue to grow, it would be wise to purposely add arbitrary characters to our passwords, as almost every other word will be included in the data libraries being tried against your hash. Modify your passwords in ways that you can remember, but hacking tools would not think to guess.
Password security will never be a one-size-fits-all problem and will continue to be a challenge as technology changes.