Resources for this article submitted by Paul Geary ~ Pall Spera Tech Support
We are lucky enough to have a techno-guru on the Pall Spera Team who takes the time to educate us not only by assisting when we are in a bind (at the drop of a hat, might I add), but also when he finds valuable information to share and thus improve our own techno-literacy.
Did you know that absolutely no human interaction is required in order to uncover your passwords? Those who use technology for less than admirable causes can decipher a 5-digit alpha-numeric password in less than 15 seconds; fewer than 3 minutes if it contains special characters.
Fear not, for our techno-guru Paul provides the wisdom and awareness we need via an article found on LifeHacker.com. First, you must know that there is a very simple reason hackers so easily gain access to passwords: Most passwords are too weak. For instance, though you may think that choosing your child’s name is safe because hackers do not know your family, think again. According to the article, “Every name plus every word in the dictionary will fail under a simple brute force attack.”
See if you can recognize your “password habits” in this list of most commonly used passwords:
- Your partner, child, or pet’s name, possibly followed by a 0 or 1.
- The last 4 digits of your social security number.
- 123 or 1234 or 123456.
- Your city, college, or football team name.
- Date of birth – yours, your partner’s or your child’s.
Once it has been determined that you do not fall within this category, identifying your password(s) is still merely a matter of elimination. Here is how it goes:
- You probably use the same password for lots of stuff.
- Though some sites, such as your bank, have pretty decent security, other sites like any online forum you might use or e-commerce site you’ve visited might not, making them a perfect doorway for hackers.
- All that remains to do from this point is to unleash Brutus, wwwhack, or THC Hydra with instructions to try hundreds of thousands of different usernames and passwords as fast as possible.
- Once several login+password pairings have been identified (and they sure will be), they are tested on targeted sites.
- How do they know which sites you visit? The crumbs, of course: those unencrypted and fully named cookies stored in your Web browser.
Ha! But you must understand that the time it takes to decipher your passwords increases exponentially with every digit and character you add. Remember the 5-digit password example mentioned earlier? A 10-digit, alpha-numeric, lower-case password will require nearly 4 ½ years to decipher, and chances are you might have remembered to change it in the meantime.
LifeHacker.com suggests these guidelines to increase the privacy of your passwords:
- Randomly substitute numbers for letters that look similar: the letter ‘o’ becomes the number ‘0’, or even better an ‘@’ or ‘*’ (e.g., m0d3ltf0rd, like modelTford).
- Randomly throw in capital letters (e.g., Mod3lTF0rd).
- Think of something you were attached to when you were younger, but DON’T CHOOSE A PERSON’S NAME! Every name plus every word in the dictionary will fail under a simple brute force attack.
- Maybe a place you loved, or a specific car, an attraction from a vacation, or a favorite restaurant?
- You really need to have different username / password combinations for everything. Remember, the technique is to break into anything you access just to figure out your standard password, and then compromise everything else. This doesn’t work if you don’t use the same password everywhere.
- Since it can be difficult to remember a ton of passwords, you can use one of the following: Roboform or KeePass.
- Once you’ve thought of a password, try Microsoft’s password strength tester to find out how secure it is.
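The “time grows exponentially with every character” point made earlier, and the substitution and strength-tester tips in this list, can be checked with a short calculation. The Python below is an added example written for this page; it is not code from LifeHacker, Microsoft, or the article’s author. Its guess rate (one million guesses per second), its use of the standard ASCII character classes, and its tiny word list are all constructed assumptions; the rate was chosen so that the 10-character lower-case case lands near the article’s 4½-year figure, and real cracking hardware can be far faster.

```python
import math
import string

# Assumed guess rate: one million guesses per second. A constructed figure chosen so a
# 10-character lower-case password takes about 4.5 years to exhaust, as in the article.
GUESSES_PER_SECOND = 1_000_000

# Character classes an attacker must cover once a password uses any member of them.
# Characters outside these ASCII classes (spaces, accented letters) are ignored here.
CHARACTER_CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation),      # 32 printable ASCII symbols
}

# Constructed mini word list standing in for the dictionary a cracking tool would load.
WORDLIST = {"password", "secret", "letmein", "welcome", "model", "ford"}

# Common letter-for-digit/symbol substitutions, undone before the dictionary check.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})


def alphabet_size(password: str) -> int:
    """Size of the smallest standard alphabet containing every class the password uses."""
    size = sum(len(chars) for chars in CHARACTER_CLASSES.values()
               if any(c in chars for c in password))
    if size == 0:
        raise ValueError("password contains no recognised characters")
    return size


def keyspace(password: str) -> int:
    """Candidates an exhaustive search must try in the worst case: alphabet ** length."""
    return alphabet_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """Brute-force strength in bits; each extra character adds log2(alphabet) bits."""
    return len(password) * math.log2(alphabet_size(password))


def seconds_to_exhaust(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    return keyspace(password) / rate


def describe_duration(seconds: float) -> str:
    """Render a duration with the largest unit that fits (year = 365.25 days)."""
    for name, size in (("years", 31_557_600), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


def growth_by_length(alphabet: int, max_length: int,
                     rate: int = GUESSES_PER_SECOND) -> list:
    """Worst-case seconds for each length 1..max_length, showing the exponential climb."""
    return [(n, alphabet ** n / rate) for n in range(1, max_length + 1)]


def normalize_substitutions(password: str) -> str:
    """Undo the look-alike substitutions the article recommends, as cracking rules do."""
    return password.lower().translate(LEET_MAP)


def is_disguised_dictionary_word(password: str) -> bool:
    """True when the password is just a word-list entry with substitutions applied."""
    return normalize_substitutions(password) in WORDLIST


def report(password: str) -> dict:
    """Summary a defender can show a user: keyspace size, bits, time, dictionary caveat."""
    return {
        "password": password,
        "alphabet": alphabet_size(password),
        "bits": round(entropy_bits(password), 1),
        "worst_case": describe_duration(seconds_to_exhaust(password)),
        "dictionary_word_in_disguise": is_disguised_dictionary_word(password),
    }


if __name__ == "__main__":
    for pw in ("modeltford", "Mod3lTF0rd", "p@ssw0rd"):
        print(report(pw))
    for length, secs in growth_by_length(26, 10):
        print(f"{length:2d} lower-case chars: {describe_duration(secs)}")
```

The keyspace numbers only describe exhaustive search. The `is_disguised_dictionary_word` check is the caveat that goes with the substitution tip: a cracking tool that applies substitution rules to a word list does not need to exhaust the keyspace, so `p@ssw0rd` is found almost immediately despite its 68-character alphabet, whereas `Mod3lTF0rd` survives that check because the underlying phrase is not a single dictionary word.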
Not convinced? Here is the time it takes for a computer, not a person, only a computer, to break a password: