How safe are your passwords?

I’ve been reading up lately on password security, and learned a few interesting things. Last year, hackers broke into Gawker Media, a well-used American blogging network, and stole 200,000 passwords. The two most common passwords in the bunch? 123456 and…wait for it…password.

These were the passwords of bloggers, who are supposedly internet-savvy and smart about their online security. Many of them compounded their mistake by using the same password on other sites, such as Twitter and Gmail, enabling the hackers to compromise their entire online existence. If you have only one or two favorite passwords and use them on many sites, you’d better hope they’re unbreakable.

In 2009, the website RockYou was breached and a whopping 32 million passwords were stolen. The most common password on that site was, surprise, 123456. The old favorite Password was down at number 4, but only because the previous two slots were taken by 12345 and 123456789. My favorite was number 20: Qwerty.

Here are the top twenty passwords from that site, which, with the exception of rockyou, are probably representative of the most common passwords on English-language sites:


Of those 32 million passwords, 16% were a person’s first name. Another 4% were some variation of password, and a whole lot more were sequential number sequences, either forward or backward.

This makes a hacker’s job pretty easy. A simple computer program can run through the variations of password, English first names, and sequential number sequences in no time at all, allowing these kinds of passwords to be broken in mere seconds. A “dictionary attack,” which uses dictionary entries from any language, can also be conducted in just a few minutes. If you’re using a single word as your password, it’s vulnerable.

You can drastically reduce your chances of being hacked by choosing passwords which are a combination of lower case letters, upper case letters, numbers, and symbols — and they don’t have to be hard to remember.

One strategy is to think of a short sentence and then modify it. For instance, “My dog is always hungry!” can be converted into something like mY(dogz)ALwaysHungry! Now you’ve got 11 lowercase letters, 4 uppercase, and 3 symbols in one password. You could toss a number or two in there to make it fiendishly complex.

Another strategy is to think of a longer sentence, and then use the first letter from each word. Thus “Every time I leave the house, I forget my car keys” turns into etilthifmck, which no hacker is going to guess offhand.

But you still have to worry about automated hacking programs, which can run guesses at the rate of hundreds to trillions of times per second, depending on their sophistication. These programs conduct what’s called a “brute force” attack, and they can crack a password in no time at all.

The Gibson Research Corporation has put a neat little calculator up on their website that allows you to see how your passwords would fare against a brute force attack. My example from above, etilthifmck, holds up well against an online attack scenario — it would take 1.21 thousand centuries to crack at the rate of one thousand guesses per second. But an offline attack capable of one hundred billion guesses per second would get it in 10.6 hours. A “massive cracking array” scenario, assuming one hundred trillion guesses per second, would nail it in just over 38 seconds.

(I’m thinking the “massive cracking array” scenario translates to “My government is devoting its codebreaking resources to figuring out my password.” Most of us are safe from that one, but you never know.)

An interesting thing happens if I take the above password and modify it a bit. I’ll use the capital letters (E from “Every” and the two I’s) and the comma, and toss in a number — like “my 16 car keys.” Now it becomes EtIlth,Ifm16ck. How long does that hold up under a brute force attack?

Plugging it into the Gibson calculator, I get:

— standard attack, 1.57 thousand trillion centuries
— offline fast attack, 15.67 million centuries
— massive cracking array, 15.67 thousand centuries

Pretty darned safe — and easy to remember, too. The other example, mY(dogz)ALwaysHungry! is even more unbreakable. Plug it into the calculator and see for yourself.

How safe are your passwords?


About Fletcher DeLancey

Socialist heathen and Mac-using author of the Chronicles of Alsea, who enjoys pondering science, politics, well-honed satire (though sarcastic humor can work, too) and all things geeky.
This entry was posted in tech. Bookmark the permalink.

5 Responses to How safe are your passwords?

  1. Lilaine says:

    I wouldn’t type any of my passwords or pass-phrases in that calculator : you never know…
    They could track down my IP, crack my computer firewall, intercept my Internet traffic, then go and play with my precious little data …. :p

    • oregon expat says:

      The site states that nothing typed into that calculator leaves your browser, but if you don’t believe them (which is good, healthy paranoia!), then turn off your computer’s wireless for a minute and erase your cookies after you’re done.

      • Lilaine says:

        Thanks, I’m going to sleep better tonight, after having rebooted my DSL wifi router (that’ll change the IP address), and formatted my hard drive (you never know where those little cookies go hiding themselves : I found crumbs under my keyboard, once !!)… ;D
        By the way, the pass-phrase to access my Wifi LAN is… was :
        which any Frenchie about my age and a little younger could understand, with a little effort 🙂
        Lilaine, the paranoid computer techie

  2. Kugai says:

    I’m well aware of Password Security. I myself DO use one password (with at least three variations on it) at most of the Forums I am a member of. It’s a unique one created by me, and is stored in only one place – my head.

    It’s amasing to see just how lax some people can be about it though. Some of those look like they were created by President Screwb!

  3. RLW says:

    This is interesting:
    I played on the linked site for a little while. If I used variations on the password fredphelpssucks, keeping the length the same, but substituting on captial letter, number, or symbol for one of the letters in the password, it appears that, if you were to be lazy on your passwords, the most significant difference is one symbol, next is a capital letter, then number. But, most interesting was when I used a “strong password” of 8 characters v. the 15 character all lower case letters. The longer password was more secure than the “strong” password. The gibson guy that set up that website used to (maybe still does) a podcast called “Security Now” I stopped listening to it, but always found the parts I could understand interesting.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s