Tech blog post: is your password easy to crack?

Themes:
Security of personal data
Data breaches

There is a good chance that, when you read this, you logged in using a password this morning. There is an even bigger chance that this password had to meet a variety of requirements: a minimum length, special characters, and probably a capital letter as well. But where do these requirements come from? And why do they still not result in good passwords? In this first of a series of 3 blog posts, Dutch DPA technologist Jonathan Ellen takes you on a trip through the world of passwords.

You probably know the dilemma: the more complex your password, the more difficult it is to remember it. This is all the more the case if you use many passwords. The result? Short passwords that look complex on paper, but in reality are based on patterns that are easy to guess.

In this first blog post, we look at passwords from the perspective of a computer criminal. This allows you to learn when a password is really strong. And why passwords are often not strong in practice.

In the next blog post, we will look in more detail at how you use strong passwords in practice. Later, other methods for digital access control, including multifactor authentication (MFA), will also be addressed.

Cracking passwords

The art of finding out which password is used in a certain place is called 'cracking'. This is done by trying out various options until a working password is found.

Cracking passwords takes a lot of time and costs a lot of money. So the more time the criminal has to spend on the operation, the less profitable it becomes. The time required for cracking a password depends on the time needed for each attempt and the total number of attempts required.

In general, passwords are not stored in readable form. Only a transformed version, known as the hash value, is kept. Calculating that hash value takes a lot of time. As a user, you do not notice this when you log in. But for criminals, time automatically becomes an important factor after billions of login attempts.

Criminals can work online, for example against a company's login portal or a website. In that case, additional obstacles play a part, such as a maximum number of login attempts. It also happens that databases containing hash values of passwords leak. These can be cracked offline.

In this blog post, we assume that the criminal has stolen a database with login details, including hash values of passwords. The hashing method used is also known. Cracking these passwords is therefore only a matter of time. But how much time?

Brute force attack

The simplest method of attack in a criminal's arsenal is to try all possibilities. This is called a 'brute force' attack. You start with 'a' and calculate the associated hash value. Does it occur in the list? Then you know that 'a' is a valid password. Is 'a' not in the list? Then you try 'b'. And you keep trying until you have found a working password.

The advantage of a brute force attack is that you do not skip any passwords. After all, you try them all. The disadvantage is that a brute force attack can take a very long time if the passwords are strong.

By way of illustration, we crack a number of passwords. The total time depends, among other things, on the hashing method and the computing power used. My home computer can make around 400 million attempts per second (on an Nvidia GTX 1060, with MD5 as the hashing method).

Better computers achieve far higher speeds, and this will only increase in the future. The results below are therefore an absolute lower limit.

Time needed to try every password of a given length:

Number of characters                        6         7                  8                  9
Small letters only                        0 s       2 s               50 s             20 min
Small letters and capital letters         5 s     4 min          3.5 hours     approx. 8 days
Small letters, capital letters, numbers  13 s    14 min   approx. 15 hours    approx. 40 days
Punctuation marks included              3 min   approx. 5 hours   approx. 18 days   approx. 5 years

Keep in mind: during these periods, all passwords have been tried, from 'a' to, for example, 'Z#_sB43)X'. It does not matter how difficult to guess the password was. Or how many numbers and capital letters it contained. If it is shorter than 9 characters, my home computer will be able to crack it.

The results show that a long password is better than a password with many special characters. Extending a password by only 2 small letters, from 7 to 9, slows down the cracking process as much as 600 times. Adding all 26 capital letters, on the other hand, only extends the cracking time by a factor of 120. If you want to know why this is the case, read the text box below.
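The arithmetic behind the table, as an added example that is not part of the original post: the keyspace is the alphabet size raised to the password length, and the worst-case cracking time is that keyspace divided by the guess rate. The guess rate is a parameter (defaulting to the post's 400 million per second); the two ratios quoted above (26^2 = 676 for two extra small letters, 2^7 = 128 for adding capitals to a 7-character password) hold regardless of the rate. The character-class names and the `alphabet_for` helper are this example's own.

```python
import string

# Alphabet sizes for the character classes used in the post's table.
ALPHABETS = {
    "small letters only": 26,
    "small and capital letters": 52,
    "letters and numbers": 62,
    "punctuation marks included": 95,   # all printable ASCII characters
}

GUESSES_PER_SECOND = 400_000_000  # the post's home-computer figure (MD5)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters over the alphabet."""
    return alphabet_size ** length


def exhaustive_seconds(alphabet_size: int, length: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Time to try every candidate, i.e. the worst case for a brute-force attacker."""
    return keyspace(alphabet_size, length) / rate


def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that applies (years/days/hours/min/s)."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("min", 60)):
        if seconds >= size:
            return f"approx. {seconds / size:.1f} {unit}"
    return f"{seconds:.0f} s"


def alphabet_for(password: str) -> int:
    """Smallest alphabet from the table that contains every character of `password`.
    A brute-force search must cover at least this alphabet at the password's length."""
    chars = set(password)
    if chars <= set(string.ascii_lowercase):
        return 26
    if chars <= set(string.ascii_letters):
        return 52
    if chars <= set(string.ascii_letters + string.digits):
        return 62
    return 95


def worst_case_seconds(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case brute-force time for a concrete password (attacker knows the character set)."""
    return exhaustive_seconds(alphabet_for(password), len(password), rate)


if __name__ == "__main__":
    lengths = (6, 7, 8, 9)
    print(f"{'Characters':<28}" + "".join(f"{n:>18}" for n in lengths))
    for name, size in ALPHABETS.items():
        print(f"{name:<28}" + "".join(f"{humanize(exhaustive_seconds(size, n)):>18}" for n in lengths))
    # The two slowdown factors quoted in the post.
    print(keyspace(26, 9) // keyspace(26, 7), keyspace(52, 7) // keyspace(26, 7))
```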

Better than brute force

Even if you use a password that is strong in theory, you are not yet safe. Criminals have more tricks up their sleeves. In fact, people are extremely predictable. Especially when they try to remember long passwords. 

Instead of something completely arbitrary, they will quickly opt for a year, their favourite sports team or another simple adjustment, such as starting with a capital letter. Everyone knows that 'W3lkom2023!' is a lousy password, despite its length of 11 characters.

Criminals gladly take advantage of this. They do not even have to try the vast majority of all possibilities to get a result. They start with passwords that were cracked earlier, because they are often reused. This is called 'credential stuffing'.

After this, they try the same list again, but adjusted with patterns that many people use. A terrifying number of passwords can be cracked using this 'dictionary attack', because many people use variations on a single password.

The only remedy against this is randomness, i.e. avoiding commonly used patterns, preferably in combination with a long password. This forces criminals to use slower - and therefore less lucrative - options. The downside is, of course, that long, random passwords are particularly difficult to remember.
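A defender's version of the same observation, as an added example that is not from the original post: when checking a new password against a list of previously leaked ones, first undo the predictable decorations described above (capital first letter, appended year or punctuation, digit-for-letter substitutions), so that a variation such as 'W3lkom2023!' is recognised as the base word 'welkom'. The leaked-word list here is constructed for the example, and the substitution table is this example's own.

```python
import re

# Constructed stand-in for a corpus of previously leaked passwords (base words, lower case).
LEAKED_BASE_WORDS = {"welkom", "password", "summer", "ajax", "qwerty"}

# Common digit/symbol-for-letter substitutions; undone here to recover the word underneath.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# Digits and punctuation that people typically tack onto the start or end of a word.
DECORATION = r"[\d!@#$%^&*()_+\-=.,?]*"


def base_word(password: str) -> str:
    """Strip the predictable decorations to expose the memorised word, if any."""
    w = password.lower()
    w = re.sub(DECORATION + r"$", "", w)   # trailing year, digits, punctuation
    w = re.sub(r"^" + DECORATION, "", w)   # leading ones too
    return w.translate(LEET)               # W3lk0m -> welkom


def is_predictable_variant(password: str, corpus: set = LEAKED_BASE_WORDS) -> bool:
    """True when the password is just a leaked word with common decorations applied.
    A password that is nothing but decoration (e.g. '2023!') also counts as predictable."""
    base = base_word(password)
    return base == "" or base in corpus


if __name__ == "__main__":
    for candidate in ("W3lkom2023!", "P@ssw0rd123", "Summer!", "2023!", "xq7Rt2#vLm9p"):
        print(f"{candidate:<14} base={base_word(candidate)!r:<12} "
              f"predictable={is_predictable_variant(candidate)}")
```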

Conclusion

Almost everyone uses bad passwords, often unconsciously. The standard password requirements of 8 characters with forced punctuation marks and numbers promote this. They result in short passwords full of human patterns.

It is therefore advisable to use long passwords that are so random that a hacker has to try all options to find them.

Unfortunately, strong passwords are especially difficult for people to remember, even though they are necessary. Fortunately, there are ways to make strong passwords usable in practice. You can read more about that in the next blog post.
