Passwords
Love them or hate them, have one or have hundreds of them; you'll need to use passwords for the rest of the foreseeable future. (Despite people trying to move on from them.) And while the thought of all the accounts you have, with all their hopefully varied passwords might make your head spin, they provide an essential service to us… keeping out prying eyes.
Recently, someone I know mentioned their password characteristics to me. I wasn't shocked, because I've heard worse – but I thought, I wonder just how long it would take to break into something with that many characters including only those types.
So I did some digging and found that there are wildly varying results on any one particular password. Presumably websites have been up for a while, and the march of progress has left behind their computational statistics.
L3tm31n! For example (no, that wasn't the password in question above), rates at 9 hours on How Secure Is My Password?, while on Gibson Research Corporation it ranges from over 2 centuries to just over 1 minute (depending on the scenario).
Regardless of that, there are two primary ways to break through a password wall: Brute force and Dictionary Attack.
Brute Force tries every possible combination until it gets through.
Dictionary Attack basically throws words and variants thereof at it until one of them fits. This idea has been modified to include classic phrases, verses from religious texts, movie titles, etc, etc. As well as all their misspellings, obvious character replacements and passwords from known real passwords found in data breaches. (That's right, L3tm31n! isn't the secure password you might think it is.)
A creative hacker might just mush the two techniques together as well, creating a third option which will no doubt get to password2020 just as fast as it gets to password2021.
The key to hold out until the next password change is to go for length.
As the Gibson Research Corporation implies a password that is simple looking, long password is more secure than a shorter, complex password. This is why you should move your focus from passWORDS to passPHRASES. (This is also the reason why there is a modified dictionary attack.)
Since we're using these examples, let's plug them into have i been pwned's Pwned Passwords. At the time of writing:
- L3tm31n! has been seen in data breaches almost 150 times to date,
- password2020 has been seen almost 203 times,
- password2021 has been seen almost 20 times.
If you haven't heard of have i been pwned, it's a collection of all the known data breaches and lists that have come to light, which have been curated and pulled into a nifty website by fellow Australian Troy Hunt, so that anyone can check to see if their email address or passwords known in the land of hackers.
NB. The above noted techniques assume that there is an online system which they're trying to get into. If they happen to have the database then there are other options as well – like Rainbow Tables – but this is outside of what I'm writing about here.