Password Cracker: Not Your Daddy’s Saltine

By Gary McCullors


SplashData released a study in December 2012 that listed the 25 most common passwords, compiled from lists of stolen passwords that hackers had posted online.  The top two were “password” and “123456.”  If you make it that easy, you need cracking.  Those of us who take passwords seriously tend to think we are being original, or cute, when we create them, but when the “Cracker” is released (a play on “Release the Kraken,” from Clash of the Titans) we find we are not as original or cute as we thought.

There are two very effective ways to guess, or crack, your password: dictionary attacks and brute force attacks.  Dictionary attacks are the most common.  They try every entry on a predefined list, such as the SplashData list plus however many more guesses the attacker has collected, and in practice they also try the common variations of each entry (capitalized, with digits or a year tacked on, with letters swapped for look-alike symbols).  The good news is, your password has to be on the list, or be a simple variation of something on it, for it to be guessed.  The bad news is, it just might be.

The brute force attack does not use a list; it works through every possible combination of whatever you tell it to try: mixed-case letters, numbers, symbols, up to a given length.  This method will eventually guess your password.  How quickly depends on the size of that search space, on how fast the hash that protects the password can be computed, and on the computer(s) being used.  Only 20 years ago it was predicted that a 9 character password of mixed-case letters, numbers, and symbols could not be cracked in your lifetime.  Faster processors, multi-core processors, graphics processors, and clusters of bundled computers have reduced that lifetime to a mere 48 days in just 20 years.  What will the next 20 do?

Not all password security psychics are created equal.  One password analyzer available on the Internet said it would take 6,050 centuries to crack my 14 character password with mixed-case letters, numbers, symbols, and no discernible word or keyboard patterns; it took less than 12 hours to crack.  That is a big gap between prediction and reality.  An online estimator only sees the length and character classes you type in; it cannot know which hash algorithm protects the password, whether that hash is salted, or what hardware the attacker brings, and each of those unknowns moves the real answer by orders of magnitude.
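To make the gap between estimate and reality concrete, here is an added example (not code from the article or its author) that computes the exhaustive-search size for the 9 and 14 character passwords discussed above and converts it to time at three assumed guess rates: a fast unsalted hash on a GPU rig, a salted SHA-256, and a deliberately slow hash such as bcrypt.  The rates are illustrative order-of-magnitude assumptions, not measured figures.  It also runs a toy-sized brute force against an unsalted SHA-256 digest to show that the method really is "try everything, in order."

```python
import hashlib
from itertools import product
from string import ascii_letters, digits, punctuation

# Assumed guess rates in guesses per second for one attacker rig. These are
# illustrative order-of-magnitude assumptions, not figures from the article.
GUESS_RATES = {
    "fast unsalted hash (NTLM/MD5-class) on a GPU rig": 1e11,
    "salted SHA-256 on a GPU rig": 1e9,
    "slow adaptive hash (bcrypt at a high cost factor)": 1e4,
}

FULL_CHARSET = ascii_letters + digits + punctuation  # 52 + 10 + 32 = 94 symbols


def keyspace(charset_size, max_length):
    """Candidates an attacker must try to exhaust every length 1..max_length."""
    return sum(charset_size ** n for n in range(1, max_length + 1))


def seconds_to_exhaust(charset_size, max_length, guesses_per_second):
    """Worst-case time to try every candidate at the given guess rate."""
    return keyspace(charset_size, max_length) / guesses_per_second


def humanize(seconds):
    """Render a duration in the largest unit that fits, to one decimal place."""
    for name, size in (("years", 365.25 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


def brute_force(target_hex, charset, max_length):
    """Exhaustive search for the preimage of an unsalted SHA-256 digest.

    Tries every string over `charset` of length 1..max_length, shortest
    first and in charset order, and returns (password, attempts);
    (None, attempts) if the whole space is exhausted without a hit.
    """
    attempts = 0
    for length in range(1, max_length + 1):
        for chars in product(charset, repeat=length):
            attempts += 1
            candidate = "".join(chars)
            if hashlib.sha256(candidate.encode()).hexdigest() == target_hex:
                return candidate, attempts
    return None, attempts


if __name__ == "__main__":
    # The 9 character and 14 character passwords discussed in the article.
    for length in (9, 14):
        print(f"{length} characters over {len(FULL_CHARSET)} symbols:")
        for label, rate in GUESS_RATES.items():
            seconds = seconds_to_exhaust(len(FULL_CHARSET), length, rate)
            print(f"  {label}: {humanize(seconds)}")
    # A toy-sized search: three lowercase letters, unsalted SHA-256.
    target = hashlib.sha256(b"cat").hexdigest()
    print(brute_force(target, "abcdefghijklmnopqrstuvwxyz", 3))
```

At the assumed fast-hash rate the 9 character space takes on the order of two months, in line with the 48 days quoted above, while the same 14 character space takes over a billion years; switching the hash to a slow one multiplies every figure by another factor of ten million.  Whatever the estimator told the author, it could not have known which of those columns applied.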

What do you do?  Make your password as difficult as possible to crack by making it as long and as complex as you can.  Here are some suggestions for creating and safeguarding your password:

  • Avoid common passwords, passwords based on you, your family, pets, life, work, age, event dates, and such.
  • Try grouping words together and substituting letters and numbers – hide my identity in 2013 = h1d3m1Ld3n7l7u1N2oiE (this would eventually get cracked, but it will take them a while).  Note that simple swaps such as a→@ and o→0 on a single word are the first rules a cracker applies to its list; it is the length and the irregular substitutions in this example that buy the time.
  • Change it frequently – this has generated discussions among the experts recently.  Some say the only reason you would want to change frequently is if the password is stored someplace that could be compromised.  Others say the more often you change it, the more tempted you are to write it down, and stick it to the bottom of your keyboard.
  • Use a password keeper – this has to be an encrypted keeper, not your password-protected spreadsheet.  A quality password keeper is one whose vendor tells you that if you lose the password to the keeper, you have lost your data; that is the sign that the vendor cannot read your data either.  A quality keeper will cost money, but it is worth it when I only have to remember ONE very complex password for my password keeper.  I prefer the ones that have a desktop and mobile device interface, and will let me sync them.
  • And, don’t share your password with anyone – we’ve seen a lot of broken friendships, relationships, and ships passing in the night get people into a pickle because they thought it was going to last forever.
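The dictionary attack described earlier, and the reason the letter-and-number swaps in the suggestions above buy less than they look like they should, as an added example that is not code from the article or its author.  It runs a small constructed wordlist through case, look-alike substitution and suffix rules against a constructed table of salted SHA-256 hashes; the plaintexts appear in the code only to build that table, and the attack never reads them.  "P@ssw0rd" and "Monkey2013" fall because a rule generates them from a list word; the article's long passphrase-derived example does not, because no list word plus a standard rule produces it.

```python
import hashlib
import os
from itertools import combinations

# Look-alike substitutions a cracker's rule set tries first.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}

# Constructed wordlist standing in for the SplashData top 25 plus whatever
# else the attacker has collected.
WORDLIST = ["password", "123456", "letmein", "monkey", "dragon", "qwerty"]


def leet_variants(word):
    """Yield `word` with every subset of the LEET substitutions applied."""
    present = [k for k in LEET if k in word]
    for r in range(len(present) + 1):
        for subset in combinations(present, r):
            out = word
            for k in subset:
                out = out.replace(k, LEET[k])
            yield out


def suffixes():
    """Common tails: nothing, a few digit/symbol runs, years, two-digit numbers."""
    yield ""
    yield from ("1", "12", "123", "!", "!!")
    yield from (str(year) for year in range(1990, 2014))
    yield from (f"{n:02d}" for n in range(100))


def candidates(wordlist):
    """Every wordlist entry crossed with the case, substitution and suffix rules."""
    for word in wordlist:
        for cased in (word, word.capitalize(), word.upper()):
            for mangled in leet_variants(cased):
                for tail in suffixes():
                    yield mangled + tail


def hash_password(salt, password):
    """Salted SHA-256: the fast scheme the constructed site is assumed to use."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def make_targets(accounts):
    """Build a constructed 'stolen' credential table: user -> (salt, digest)."""
    targets = {}
    for user, password in accounts.items():
        salt = os.urandom(8)  # per-user salt, as a real site would store
        targets[user] = (salt, hash_password(salt, password))
    return targets


# Constructed accounts. The plaintexts exist here only to build the hashes
# the attack runs against; run_attack() sees only salts and digests.
TARGETS = make_targets({
    "alice": "P@ssw0rd",              # capitalized list word, two look-alike swaps
    "bob": "Monkey2013",              # capitalized list word, year appended
    "carol": "h1d3m1Ld3n7l7u1N2oiE",  # the article's passphrase-derived example
})


def run_attack(targets, wordlist):
    """Dictionary attack with rules; returns {user: recovered password}."""
    cracked = {}
    remaining = dict(targets)
    for candidate in candidates(wordlist):
        for user in list(remaining):
            salt, digest = remaining[user]
            if hash_password(salt, candidate) == digest:
                cracked[user] = candidate
                del remaining[user]
        if not remaining:
            break
    return cracked


if __name__ == "__main__":
    print(run_attack(TARGETS, WORDLIST))
```

Because the salts differ per user, every candidate has to be hashed once per remaining account, which is exactly the work a salt is meant to impose; it slows the attack down but does nothing to save a password that is one rule away from a list word.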

I think we’ve covered most of it.  Did we miss anything?  If so, please don’t hesitate to share, we live for criticism.

Keep ‘em guessing for as long as you can!