I’ve been reading up lately on password security, and learned a few interesting things. Last year, hackers broke into Gawker Media, a well-used American blogging network, and stole 200,000 passwords. The two most common passwords in the bunch? 123456 and…wait for it…password.
These were the passwords of bloggers, who are supposedly internet-savvy and smart about their online security. Many of them compounded their mistake by using the same password on other sites, such as Twitter and Gmail, enabling the hackers to compromise their entire online existence. If you have only one or two favorite passwords and use them on many sites, you’d better hope they’re unbreakable.
In 2009, the website RockYou was breached and a whopping 32 million passwords were stolen. The most common password on that site was, surprise, 123456. The old favorite Password was down at number 4, but only because the previous two slots were taken by 12345 and 123456789. My favorite was number 20: Qwerty.
Here are the top twenty passwords from that site, which, with the exception of rockyou, are probably representative of the most common passwords on English-language sites:
Of those 32 million passwords, 16% were a person’s first name. Another 4% were some variation of password, and a whole lot more were sequential number sequences, either forward or backward.
This makes a hacker’s job pretty easy. A simple computer program can run through the variations of password, English first names, and sequential number sequences in no time at all, allowing these kinds of passwords to be broken in mere seconds. A “dictionary attack,” which uses dictionary entries from any language, can also be conducted in just a few minutes. If you’re using a single word as your password, it’s vulnerable.
You can drastically reduce your chances of being hacked by choosing passwords which are a combination of lower case letters, upper case letters, numbers, and symbols — and they don’t have to be hard to remember.
One strategy is to think of a short sentence and then modify it. For instance, “My dog is always hungry!” can be converted into something like mY(dogz)ALwaysHungry! Now you’ve got 11 lowercase letters, 4 uppercase, and 3 symbols in one password. You could toss a number or two in there to make it fiendishly complex.
Another strategy is to think of a longer sentence, and then use the first letter from each word. Thus “Every time I leave the house, I forget my car keys” turns into etilthifmck, which no hacker is going to guess offhand.
But you still have to worry about automated hacking programs, which can run guesses at the rate of hundreds to trillions of times per second, depending on their sophistication. These programs conduct what’s called a “brute force” attack, and they can crack a password in no time at all.
The Gibson Research Corporation has put a neat little calculator up on their website that allows you to see how your passwords would fare against a brute force attack. My example from above, etilthifmck, holds up well against an online attack scenario — it would take 1.21 thousand centuries to crack at the rate of one thousand guesses per second. But an offline attack capable of one hundred billion guesses per second would get it in 10.6 hours. A “massive cracking array” scenario, assuming one hundred trillion guesses per second, would nail it in just over 38 seconds.
(I’m thinking the “massive cracking array” scenario translates to “My government is devoting its codebreaking resources to figuring out my password.” Most of us are safe from that one, but you never know.)
An interesting thing happens if I take the above password and modify it a bit. I’ll use the capital letters (E from “Every” and the two I’s) and the comma, and toss in a number — like “my 16 car keys.” Now it becomes EtIlth,Ifm16ck. How long does that hold up under a brute force attack?
Plugging it into the Gibson calculator, I get:
— standard attack, 1.57 thousand trillion centuries
— offline fast attack, 15.67 million centuries
— massive cracking array, 15.67 thousand centuries
Pretty darned safe — and easy to remember, too. The other example, mY(dogz)ALwaysHungry! is even more unbreakable. Plug it into the calculator and see for yourself.
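The figures above come from a simple model: a brute-force attacker who tries every string up to the password's length over the character classes it uses, at a fixed guess rate. The Python below is an added example, not code from this post or from Gibson Research; it assumes class sizes of 26 lower, 26 upper, 10 digits and 33 symbols and a "search space = all strings of length 1 to n" model, which reproduces the calculator figures quoted above for etilthifmck and EtIlth,Ifm16ck. It also implements the list-based checks the post describes (top passwords, first names, forward or backward digit runs) against a small constructed sample list, which is where a real login system would load a full breach list.

```python
"""Estimate how a password fares against the guessing attacks described
in the post.  Added example; the search-space model and class sizes are
assumptions chosen to match the quoted calculator output."""

import string

# Assumed character-class sizes: lower, upper, digits, printable symbols.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33

# The three guess rates named in the post, in guesses per second.
RATES = {
    "online attack (1,000/s)": 1e3,
    "offline fast attack (100 billion/s)": 1e11,
    "massive cracking array (100 trillion/s)": 1e14,
}

SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600

# Constructed sample lists: the top passwords the post names plus a few
# first names.  A deployment would load a full breach/dictionary list here.
COMMON_PASSWORDS = {"123456", "password", "12345", "123456789", "qwerty"}
FIRST_NAMES = {"michael", "jennifer", "daniel", "jessica"}


def alphabet_size(pw: str) -> int:
    """Size of the character set implied by the classes present in pw."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += LOWER
    if any(c in string.ascii_uppercase for c in pw):
        size += UPPER
    if any(c in string.digits for c in pw):
        size += DIGITS
    if any(c not in string.ascii_letters + string.digits for c in pw):
        size += SYMBOLS
    return size


def search_space(pw: str) -> int:
    """Number of candidate strings of length 1..len(pw) over that alphabet."""
    n = alphabet_size(pw)
    return sum(n ** i for i in range(1, len(pw) + 1))


def seconds_to_exhaust(pw: str, guesses_per_second: float) -> float:
    """Worst-case time to try the whole search space at the given rate."""
    return search_space(pw) / guesses_per_second


def centuries_to_exhaust(pw: str, guesses_per_second: float) -> float:
    return seconds_to_exhaust(pw, guesses_per_second) / SECONDS_PER_CENTURY


def is_sequential_digits(pw: str) -> bool:
    """True for runs like 123456 or 654321 (sequential numbers, either way)."""
    if len(pw) < 4 or not pw.isdigit():
        return False
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps == {1} or steps == {-1}


def weak_pattern(pw: str):
    """Reason a password would fall to a list-based attack, or None."""
    low = pw.lower()
    if low in COMMON_PASSWORDS:
        return "common password"
    if low in FIRST_NAMES:
        return "first name"
    if is_sequential_digits(pw):
        return "sequential digits"
    if "password" in low.replace("0", "o"):  # password1, Passw0rd, ...
        return "variation of 'password'"
    return None


def report(pw: str) -> None:
    """Print the list-based verdict and brute-force times for one password."""
    reason = weak_pattern(pw)
    print(f"{pw!r}: alphabet {alphabet_size(pw)}, search space {search_space(pw):.3g}")
    if reason:
        print(f"  guessable from a list ({reason}); brute-force times are moot")
    for name, rate in RATES.items():
        c = centuries_to_exhaust(pw, rate)
        print(f"  {name}: {c:.3g} centuries")


if __name__ == "__main__":
    for candidate in ["123456", "654321", "etilthifmck", "EtIlth,Ifm16ck"]:
        report(candidate)
```

The `weak_pattern` check runs first because search-space maths says nothing about a password that an attacker's wordlist already contains; `password` scores as 8 lowercase characters but is guessed on the first try.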
How safe are your passwords?