
Bad Passwords

Saturday, September 4th, 2010

Considering how important it is to have good passwords, you don't want to make one that's easy for bad guys to guess or discover with computer tricks. Here are some examples:

Easy to Guess

Obvious

If your avatar, profile, and posts all point to your favorite car or sports team, maybe your password is related.

There are lists online of the most common passwords in existence and it's easy to see that people really do think alike. If you're using password, 123456, or qwerty, just stop reading and go change all your passwords now!

Ok, not really. You need to read the rest of this guide to figure out how to make a good password first.

Other obvious passwords are famous people, places, religious terms etc. How would a bad guy know what kinds of sports you like or your favorite cars? What's your screenname Mr. RedskinsLuva? Which hobbies did you list in your profile? How many pictures of your fishing boat did it take before I try some fishing terms or boat models as your password?

It's not hard to guess a password based on your hobbies and interests when you broadcast that information openly.

Basic Information

Is your username iwasbornindc? Thanks! That helps.

Name, birthday, kids' names, pets' names (living or dead), birthplace, previous addresses (street name, city, or state) and, of course, all of the above with 123 or ! added to the end because gosh, no one would ever think of that!

I don't mean to mock, but please take to heart that if you make a password personal, then the only thing someone needs in order to guess it is personal information about you. And the number one way people learn your personal information is that you provide it online (the other way is that they're family, friends, or co-workers).


On a Sticky Note

Well... It doesn't get much more obvious than this!

You've probably heard the classic examples of people who put their password under the keyboard, behind the monitor or just pasted right out in the open. Though everyone laughs and thinks, "wow, how dumb!" we're still doing it! In 2005 my university had taken a promotional picture of the computer science people in front of some servers and in the background was a sticky note with the root administrator password! The photo made it to the university's computer science program brochures before anyone noticed.

Granted, if no one ever comes into your house or office where they can see the sticky note, you might be safe, but the minute that changes (cleaning lady, relative, repair guy), you're at risk.

Easy to Discover

The techniques described above work for people who know you or take the time to learn a little about your obsessions, but your average hacker doesn't care. Their techniques rely on first getting access to a database or file full of a system's passwords. (That file usually stores the passwords in hashed form rather than as plain text, so the hacker's job becomes guessing candidates, hashing each one, and looking for a match; because the guessing happens on their own machine, the website's login lockout never comes into play.)

If they get a copy of a system's password file, hackers can try thousands of password combinations a second until they find one that works!

If they can manage to break into a poorly secured web server (as in the TJX example), they can locate the password file/database and download a copy to their machine.

Using password cracking software that's easy to find online (or, for the more professional hacker, something custom-built), they attack the password file itself at a rate of thousands to hundreds of thousands of tests per second.

Short Passwords

This would take about 50 minutes to crack by hand
On a computer, this takes mere seconds

So consider that some hacker has a file with your password in it and can test passwords until one hits. That's like grabbing a combination lock, pulling on it to see if it's open, then turning the dial and trying again. Repeat until they get in.

This technique is called a brute force attack, which is to say they just try every combination, one after another. Using this technique it is guaranteed that they'll get in eventually; the only question is how long it takes. To defend against this, length is key!

The thing about passwords is that every character you add multiplies the number of possible passwords by the number of characters the bad guys have to consider for that position, so the count grows exponentially with length. Check this out (rounding to about 100 possible characters per position for simplicity):

  • 123: 1,000,000 combinations
  • 1234: 100,000,000 combinations
  • 12345: 10,000,000,000 combinations
  • 123456: 1,000,000,000,000 combinations
  • 1234567: 10^14 combinations
  • 12345678: 10^16 combinations

In theory, with current computing power (call it a billion guesses per second), trying every possible 8 character password would take about 115 days. Increase that by one character (to a length of 9) and it will take them 31 years instead!
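To see those numbers in action, here is an added example (Python, not from the original article) that brute-forces a short, constructed password the way a cracker would work through a stolen password file, and then computes how long a full search takes for the longer lengths above. The hash function (unsalted SHA-256), the 4-letter target, and the guess rate of a billion per second are assumptions for the demo; real password files often use slower, salted hashes, which only changes the rate, not the arithmetic.

```python
import hashlib
import itertools
import string


def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size, length, guesses_per_second):
    """Worst-case time to try every password of this length at this rate."""
    return keyspace(alphabet_size, length) / guesses_per_second


def article_table(alphabet_size=100):
    """Rebuild the article's rounded table (about 100 characters per position)."""
    return {n: keyspace(alphabet_size, n) for n in range(3, 9)}


def sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()


def brute_force(target_hash, alphabet, max_length):
    """Try every string over `alphabet`, shortest first, until one hashes to
    target_hash (the 'pull on the lock, turn the dial, repeat' loop).
    Returns (password or None, number of guesses made)."""
    guesses = 0
    for length in range(1, max_length + 1):
        for chars in itertools.product(alphabet, repeat=length):
            guesses += 1
            guess = "".join(chars)
            if sha256(guess) == target_hash:
                return guess, guesses
    return None, guesses


# Constructed target: a 4-letter lowercase password, stored as an unsalted
# SHA-256 hash purely for the demo (assumption, not a real system's format).
TARGET = sha256("fish")


def demo():
    """Crack the toy target, then time the 8- and 9-character keyspaces at an
    assumed billion guesses per second."""
    password, guesses = brute_force(TARGET, string.ascii_lowercase, 4)
    days_for_8 = seconds_to_exhaust(100, 8, 1e9) / 86400
    years_for_9 = seconds_to_exhaust(100, 9, 1e9) / (365.25 * 86400)
    return password, guesses, days_for_8, years_for_9


if __name__ == "__main__":
    password, guesses, days_for_8, years_for_9 = demo()
    print(f"cracked {password!r} after {guesses} guesses")
    for n, size in article_table().items():
        print(f"{n} chars: {size:,} combinations")
    print(f"8 chars at 1e9/s: {days_for_8:.0f} days; 9 chars: {years_for_9:.0f} years")
```

The 4-letter password falls in about a tenth of a second on an ordinary laptop even in pure Python, which is the "mere seconds" caption above; the same loop over 8 characters drawn from 100 symbols is what the 115-day figure describes, and one more character turns it into decades.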

Randomness

So having an 8-character minimum is absolutely essential, but there are some problems with this. The first is that hackers aren't dumb. They know you're far more likely to have a password that looks like this:

HarryPotter!

Than this:

G7x89&ft1-$

There are dictionaries in foreign languages too!

That means if they try all the more common phrases, words, and combinations first, they likely won't have to search all those trillions of combinations at all! They do this with files called "dictionaries" that list the most common passwords in order of popularity. Short passwords (5 to 7 characters) fall to plain brute force anyway; for anything longer, they turn to the dictionaries.

And yes, they have dictionaries for every language so if you think you're being clever by saying it in French or Spanish, you're not.

So if you choose anything like this, you're at risk:

  • Any word in a real dictionary no matter how long
  • Any two-word combination from a real dictionary
  • Famous places
  • Famous people
  • Anything sports related
  • Words relating to popular TV shows or movies
  • Religious terms or short phrases
  • Pop culture anything
  • Writing in l33t. We know that @ is substituted for A and that ! looks like an L

And of course any of the above with modifications that people can easily think of. Adding numbers to the end, alternating case, putting punctuation between the words, etc.

And one last one: patterns on the keyboard (walking along a row of keys, forwards or backwards) are also something hackers have thought of before.
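To show how little a long-but-guessable password buys you, here is an added example (Python, not from the original article) of a small dictionary attack with the mangling rules listed above: case changes, l33t substitutions, numbers and punctuation on the end, two-word combinations, and keyboard walks. It serves both the Easy to Guess section and this one: the wordlist is constructed from exactly the kinds of words those sections warn about (common passwords, a team, a hobby, a pop-culture name), the "stolen password file" is a constructed set of unsalted SHA-256 hashes, and both are assumptions for the demo. Real crackers run millions of words and thousands of rules against whatever hash format the site used.

```python
import hashlib
import itertools

# Constructed mini wordlist: common passwords plus the profile-derived words
# (team, hobby, pop culture) the article says people reach for.
WORDLIST = ["password", "letmein", "harry", "potter", "redskins", "fishing",
            "bass", "boat", "jesus", "yankees"]

# The "clever" substitutions everyone uses, so every cracker tries them too.
LEET = str.maketrans("aeiosl", "@310$!")

# Things people bolt onto the end: 123, !, a year...
SUFFIXES = ["", "1", "12", "123", "1234", "!", "!!", "2010", "123!"]

# Keyboard rows: a run along a row (or backwards) is a pattern, not randomness.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
JOINERS = ["", "-", "_", "."]


def case_variants(word):
    """lower, Capitalized, UPPER: the only three casings most people use."""
    return [word, word.capitalize(), word.upper()]


def keyboard_patterns(min_len=4):
    """Every run of min_len or more adjacent keys along one row, both directions."""
    for row in KEYBOARD_ROWS:
        for length in range(min_len, len(row) + 1):
            for start in range(len(row) - length + 1):
                run = row[start:start + length]
                yield run
                yield run[::-1]


def candidates():
    """Yield guesses roughly in the order a cracker tries them: mangled single
    words, then two-word combinations, then keyboard walks, each with suffixes."""
    bases = []
    for word in WORDLIST:
        for variant in case_variants(word):
            bases.append(variant)
            bases.append(variant.translate(LEET))
    for first, second in itertools.permutations(WORDLIST, 2):
        for joiner in JOINERS:
            bases.append(first + joiner + second)
            bases.append(first.capitalize() + joiner + second.capitalize())
    bases.extend(keyboard_patterns())
    seen = set()
    for base in bases:
        for suffix in SUFFIXES:
            guess = base + suffix
            if guess not in seen:
                seen.add(guess)
                yield guess


def sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()


def crack(target_hashes):
    """Dictionary attack on a set of unsalted SHA-256 hashes.
    Returns (cracked: {hash: password}, number of guesses made)."""
    remaining = set(target_hashes)
    cracked = {}
    guesses = 0
    for guess in candidates():
        guesses += 1
        digest = sha256(guess)
        if digest in remaining:
            cracked[digest] = guess
            remaining.discard(digest)
            if not remaining:
                break
    return cracked, guesses


# Constructed "stolen password file": four passwords built the way the article
# warns against (one of them 12 characters long) and one random 11-character one.
SAMPLE_PASSWORDS = ["HarryPotter!", "p@$$w0rd", "Redskins123", "qwerty1234", "G7x89&ft1-$"]
SAMPLE_HASHES = {sha256(p): p for p in SAMPLE_PASSWORDS}


def demo():
    """Run the attack against the constructed file; return (passwords found, guesses)."""
    cracked, guesses = crack(SAMPLE_HASHES.keys())
    return set(cracked.values()), guesses


if __name__ == "__main__":
    found, guesses = demo()
    print(f"cracked {sorted(found)} in {guesses} guesses")
```

Four of the five passwords fall in well under ten thousand guesses, including the 12-character HarryPotter!, because every rule that produced them is on the list above. The 11-character random one survives the whole run: nothing in the wordlist or the rules generates it, so the attacker is thrown back on the roughly 10^21 combination brute force the previous section's numbers describe.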

Wrap Up

I know it seems like making a password that most other people wouldn't use is hard, but it really isn't once you learn some simple tricks.
