Bad Passwords
Considering how important it is to have good passwords, you don't want to make one that's easy for bad guys to guess or discover with computer tricks. Here are some examples:
Easy to Guess
Obvious
There are lists online of the most common passwords in existence and it's easy to see that people really do think alike. If you're using password, 123456, or qwerty, just stop reading and go change all your passwords now!
Ok, not really. You need to read the rest of this guide to figure out how to make a good password first.
Other obvious passwords are famous people, places, religious terms etc. How would a bad guy know what kinds of sports you like or your favorite cars? What's your screenname Mr. RedskinsLuva? Which hobbies did you list in your profile? How many pictures of your fishing boat did it take before I try some fishing terms or boat models as your password?
It's not hard to guess a password based on your hobbies and interests when you broadcast that information openly.
Basic Information
Name, birthday, kid's names, pet's names (living or dead), birthplace, previous addresses (street name, city, or state) and, of course, all of the above with 123 or ! added to the end because gosh, no one would ever think of that!
I don't mean to mock, but please take to heart that if you make a password personal, then the only thing someone needs to know is personal information about you to guess it. And the number one way people learn your personal information is that you provide it online! (or if they're family, friends, or co-workers).
On a Sticky Note
You've probably heard the classic examples of people who put their password under the keyboard, behind the monitor or just pasted right out in the open. Though everyone laughs and thinks, "wow, how dumb!" we're still doing it! In 2005 my university had taken a promotional picture of the computer science people in front of some servers and in the background was a sticky note with the root administrator password! The photo made it to the university's computer science program brochures before anyone noticed.
Granted, if no one ever comes into your house or office where they can see the sticky note, you might be safe, but the minute that changes (cleaning lady, relative, repair guy), you're at risk.
Easy to Discover
The techniques described above work for people who know you or take the time to learn a little about your obsessions, but your average hacker doesn't care. Their techniques rely on first getting access to a database or file full of system passwords.
If they can manage to break into a poorly secured web server (as in the TJX example), they can locate the password file/database and download a copy to their machine.
Using password cracking software found easily online or something they built custom (less likely depending on how pro the hacker is), they'll attack the password file itself at a rate of thousands to hundreds of thousands of tests per second.
Short Passwords
This would take about 50 minutes to crack by hand.
On a computer, this takes mere seconds.
So consider that some hacker has a file with your password in it and can test passwords until one hits. That's like grabbing a combination lock, pulling on it to see if it's open, then turning the dial and trying again. Repeat until they get in.
This technique is called a brute force attack, which is to say they just try every combination, one after another. Using this technique it is guaranteed that they'll get in eventually. To defend against this, length is key!
The thing about passwords is that every time you add a letter, you are exponentially raising the number of attempts that bad guys have to make. Check this out (rounding for simplicity):
- 123: 1,000,000 combinations
- 1234: 1,000,000,000 combinations
- 12345: 10,000,000,000 combinations
- 123456: 1,000,000,000,000 combinations
- 1234567: 1.0 × 10^14 combinations
- 12345678: 1.0 × 10^16 combinations
In theory, with current computing power, trying to crack your 8 character password would take about 115 days. Increase that by one character (to a length of 9) and it will take them 31 years instead!
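To make the length argument concrete, here is an added example (not code from the original article) that computes the search space for a given character-set size and length and the worst-case time to exhaust it at an assumed guess rate. The character-set sizes and the rate of one billion guesses per second are assumptions for illustration; with the article's rounded 100-character set that rate reproduces the article's "115 days" for 8 characters and "31 years" for 9.

```python
# Added example: password search space versus length and character set.
# Character-set sizes below are assumed for illustration.
CHARSETS = {
    "digits only": 10,
    "lowercase letters": 26,
    "letters + digits": 62,
    "printable ASCII": 95,
    "article's rounded set": 100,
}
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def keyspace(charset_size, length):
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def seconds_to_exhaust(charset_size, length, guesses_per_second):
    """Worst case for brute force: every candidate is tried once."""
    return keyspace(charset_size, length) / guesses_per_second


def days_to_exhaust(charset_size, length, guesses_per_second):
    return seconds_to_exhaust(charset_size, length, guesses_per_second) / SECONDS_PER_DAY


def years_to_exhaust(charset_size, length, guesses_per_second):
    return seconds_to_exhaust(charset_size, length, guesses_per_second) / SECONDS_PER_YEAR


def human_time(seconds):
    """Render a duration coarsely in the largest unit that fits."""
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", SECONDS_PER_DAY),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return "%.1f %s" % (seconds / size, unit)
    return "%.3f seconds" % seconds


def growth_table(charset_size, lengths, guesses_per_second):
    """(length, keyspace, readable worst-case time) for each length.
    Each extra character multiplies the keyspace by charset_size."""
    return [(n, keyspace(charset_size, n),
             human_time(seconds_to_exhaust(charset_size, n, guesses_per_second)))
            for n in lengths]


if __name__ == "__main__":
    RATE = 1_000_000_000  # assumed: one billion guesses per second
    for name, size in CHARSETS.items():
        print("== %s (%d symbols) ==" % (name, size))
        for n, space, when in growth_table(size, range(3, 13), RATE):
            print("  length %2d: %22d candidates, %s" % (n, space, when))
```

The table makes the article's point visible across character sets: going from 8 to 9 characters always multiplies the attacker's work by the size of the set, so one extra character buys more than switching a letter for a punctuation mark.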
Randomness
So having an 8 character password minimum is absolutely essential, but there are some problems with this. The first is that hackers aren't dumb. They know you're far more likely to have a password that looks like this:
HarryPotter!
Than this:
G7x89&ft1-$
That means if they try all the more common phrases, words, and combinations first, they probably won't have to search all those trillions of combinations at all! They do this with files called "dictionaries" that contain the most common passwords in order. Once they've brute forced the first 5 to 7 character combinations, they try the dictionaries for longer passwords.
And yes, they have dictionaries for every language so if you think you're being clever by saying it in French or Spanish, you're not.
So if you choose anything like this, you're at risk:
- Any word in a real dictionary no matter how long
- Any two-word combination from a real dictionary
- Famous places
- Famous people
- Anything sports related
- Words relating to popular TV shows or movies
- Religious terms or short phrases
- Pop culture anything
- Writing in l33t. We know that @ is substituted for A and that ! looks like an L
And of course any of the above with modifications that people can easily think of. Adding numbers to the end, alternating case, putting punctuation between the words, etc.
And one last one: using patterns on the keyboard is also something hackers have thought of before.
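The checks in the list above can be automated on the defender's side, for example in a sign-up form that refuses guessable passwords before they are ever stored. Here is an added example (not code from the original article) of such a policy checker: it undoes the common leet substitutions, strips bolted-on suffixes like "123" and "!", looks for single dictionary words and two-word combinations, and spots runs along a keyboard row. The wordlists are tiny constructed samples so the code runs offline; a real deployment would load full leaked-password and dictionary lists.

```python
import re

# Constructed sample lists (assumed for illustration); real checkers load
# full common-password and dictionary files.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou"}
DICTIONARY = {"harry", "potter", "fishing", "boat", "redskins", "football",
              "paris", "jesus", "dragon", "monkey"}
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

# Common "leet" substitutions, undone so that P@ssw0rd matches "password".
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "l", "!": "l",
                          "0": "o", "$": "s", "5": "s", "7": "t"})
# Trailing digits/punctuation people bolt on ("123", "!", "2019").
SUFFIX_RE = re.compile(r"[0-9!@#$%^&*?._-]+$")
MIN_LENGTH = 8


def candidate_cores(pw):
    """Plausible base words hidden in a password: lowercased, with and
    without a trailing suffix, with and without leet undone, letters only."""
    low = pw.lower()
    variants = {low, SUFFIX_RE.sub("", low)}
    variants |= {v.translate(LEET_MAP) for v in list(variants)}
    return {re.sub(r"[^a-z]", "", v) for v in variants} - {""}


def splits_into_two_words(core):
    """True if core is two dictionary words joined, e.g. harry+potter."""
    return any(core[:i] in DICTIONARY and core[i:] in DICTIONARY
               for i in range(1, len(core)))


def is_keyboard_walk(pw, min_len=4):
    """True if the password (minus punctuation and any trailing suffix)
    is a run along one keyboard row, forwards or backwards."""
    s = re.sub(r"[^a-z0-9]", "", pw.lower())
    for cand in (s, SUFFIX_RE.sub("", s)):
        if len(cand) >= min_len and any(cand in row or cand in row[::-1]
                                        for row in KEYBOARD_ROWS):
            return True
    return False


def weakness_reasons(pw):
    """List why a password is guessable; an empty list means it passed
    every check in this deliberately simple policy."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    cores = candidate_cores(pw)
    if pw.lower() in COMMON_PASSWORDS or cores & COMMON_PASSWORDS:
        reasons.append("on the common-password list (possibly with leet/suffix)")
    elif cores & DICTIONARY:
        reasons.append("dictionary word (possibly with leet/suffix)")
    elif any(splits_into_two_words(c) for c in cores):
        reasons.append("two dictionary words joined together")
    if is_keyboard_walk(pw):
        reasons.append("keyboard pattern")
    return reasons


if __name__ == "__main__":
    for pw in ["HarryPotter!", "P@ssw0rd!", "Fishing123", "qwerty12",
               "G7x89&ft1-$"]:
        print(pw, "->", weakness_reasons(pw) or ["no weakness found"])
```

Run as-is, the two passwords contrasted in the article come out the way the text predicts: "HarryPotter!" is flagged as two dictionary words with a punctuation suffix, while "G7x89&ft1-$" passes every check. The checker is only as good as its lists, which is why the leet and suffix handling matters: without it, "P@ssw0rd!" would look nothing like the entry "password".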
Wrap Up
I know it seems like making a password that most other people wouldn't use is hard, but it really isn't once you learn some simple tricks.
I’m not sure I follow “123: 1,000,000 combinations”
First, if you are only using the characters 1, 2, and 3 then there are only 27 combinations. If you are using all numbers (0-9), then there are only 1,000 combinations. If you are using all alpha-numeric and special characters, you are still only at around 100,000 combinations (depending on what special characters you allow).
The only way to get 1,000,000 combinations from three characters is if you are using a 100 character set. I doubt a 100 character set exists (unless you start counting Chinese characters).
Fair enough. These calculations were based on 127 or 256 characters (I don’t remember which), but that’s probably not realistic since most people will only use alpha-num and special characters.