It took three hackers less than a day to decipher the majority of a list of 16,000 encrypted passwords, all because of the laughably easy-to-crack passwords most of us pick to protect our online lives. The most successful guy got 90 percent of the "plains," as hackers call deciphered passwords in 20 hours; the least successful guy just 62 percent of them in about an hour. Yes, it's really that easy. But, rather than sit there, shocked at how little security passwords provide, we should use this Ars Technica article as a lesson in password security. And, the first lesson learned therein is: Never, ever use a six character password.
Rule 1: Six characters is too always too short. The very easiest and the first thing all of Ars's hackers did was guess your super weak six character passwords, via what's called a "brute force" attack. See, the most successful of the hackers, Jeremi Gosney, a password expert with Stricture Consulting Group, hacked 62 percent of the list in sixteen minutes because that's how easy it is to guess a code that's just six letters long:
Gosney's first stage cracked 10,233 hashes, or 62 percent of the leaked list, in just 16 minutes. It started with a brute-force crack for all passwords containing one to six characters, meaning his computer tried every possible combination starting with "a" and ending with "//////." Because guesses have a maximum length of six and are comprised of 95 characters—that's 26 lower-case letters, 26 upper-case letters, 10 digits, and 33 symbols—there are a manageable number of total guesses. This is calculated by adding the sum of 956 + 955 + 954 + 953 + 952 + 95. It took him just two minutes and 32 seconds to complete the round, and it yielded the first 1,316 plains of the exercise.
"Normally I start by brute-forcing all characters from length one to length six because even on a single GPU, this attack completes nearly instantly with fast hashes," Gosney told Ars.
Rule 2: So is a seven- and eight-character password, probably. After doing almost nothing to guess six-character passwords, it gets a tiny bit harder for hackers, but not much. For example, Gosney then did more of these types of guessing attacks with different permutations of longer possibilities, trying seven or eight character passwords with only lower case letters, for example. That technique takes mere seconds, and in this case revealed many additional "plains."
Rule 3: "Salting" doesn't make six character passwords strong. Many sites boast that their password protection technology uses "salting," meaning it adds random numbers to password hashes thus making it harder for hackers to figure out the original code of these shorter passwords using those brute force attacks. Turns out that's not really that true:
But the thing about salting is this: it slows down cracking only by a multiple of the number of unique salts in a given list. That means the benefit of salting diminishes with each cracked hash. By cracking the weakest passwords as quickly as possible first (an optimization offered by Hashcat) crackers can greatly diminish the minimal amount of protection salting might provide against cracking.
Plus, a lot of sites don't use salting. So, again: See rules 1 and 2.
Rule 4: Don't use real words. The least successful of the hackers, who goes by the handle Radix, guessed 62 percent of the list in about an hour, using a custom compiled dictionary of popular passwords. Just by using a publicly available list of plain text passwords, called the Rock You list, he got 30 percent of the insecure codes and all because a lot of people use the same, common words in their passwords.
Rule 5: Just make an 11 character password already. Those first few hacks done by Gosney and Radix are basically password hunting for amateurs. With a couple slightly more sophisticated techniques, bigger graphics cards, and a little more experience, even codes that follow some of the "best practices" get hacked. The very best way not to fall prey to that, however is to create super long, strings of gibberish. As this chart below shows, it gets exponentially harder to crack a code after 8 characters. Ars says use 11 just to be safe: "Readers should take pains to make sure their passwords are a minimum of 11 characters, contain upper- and lower-case letters, numbers, and letters, and aren't part of a pattern."
Image via Shutterstock by Pavel Ignatov
This article is from the archive of our partner The Wire.
We want to hear what you think about this article. Submit a letter to the editor or write to firstname.lastname@example.org.