How I'd Hack Your Weak Passwords

http://lifehacker.com/5505400/how-id-hack-your-weak-passwords

Lifehacker

1/15/2011 1:03 PM

By John Pozadzides

Internet standards expert, CEO of web company iFusion Labs, and blogger John Pozadzides knows a thing or two about password security, and he knows exactly how he'd hack the weak passwords you use all over the internet. Photo remixed from subcircle.

Note: This isn't intended as a guide to hacking *other people's* weak passwords. Instead, the aim is to help you better understand the security of your own passwords and how to bolster that security. We originally published this piece back in March, but in light of our recent security breach, it seemed more applicable than ever.

If you invited me to try and crack your password, you know, the one that you use over and over for like every web page you visit, how many guesses would it take before I got it? Let's see, here is my top 10 list. I can obtain most of this information much more easily than you think, and then I might just be able to get into your e-mail, computer, or online banking. After all, if I get into one I'll probably get into all of them.

1. Your partner, child, or pet's name, possibly followed by a 0 or 1 (because they're always making you use a number, aren't they?)
2. The last 4 digits of your social security number.
3. 123 or 1234 or 123456.
4. "password"
5. Your city, or college, football team name.
6. Date of birth: yours, your partner's or your child's.
7. "god"
8. "letmein"
9. "money"
10. "love"

Statistically speaking, that should probably cover about 20% of you. But don't worry. If I didn't get it yet, it will probably only take a few more minutes before I do.

Hackers, and I'm not talking about the ethical kind, have developed a whole range of tools to get at your personal data. And the main impediment standing between your information remaining safe, or leaking out, is the password you choose. (Ironically, the best protection people have is usually the one they take least seriously.)

One of the simplest ways to gain access to your information is through the use of a Brute Force Attack. This is accomplished when a hacker uses a specially written piece of software to attempt to log into a site using your credentials. Insecure.org has a list of the Top 10 FREE Password Crackers right here. So, how would one use this process to actually breach your personal security? Simple. Follow my logic:

You probably use the same password for lots of stuff, right? Some sites you access, such as your Bank or work VPN, probably have pretty decent security, so I'm not going to attack them. However, other sites like the Hallmark e-mail greeting cards site, an online forum you frequent, or an e-commerce site you've shopped at might not be as well prepared. So those are the ones I'd work on.

So, all we have to do now is unleash Brutus, wwwhack, or THC Hydra on their server with instructions to try, say, 10,000 (or 100,000, whatever makes you happy) different usernames and passwords as fast as possible. Once we've got several login+password pairings, we can then go back and test them on targeted sites.

But wait. How do I know which bank you use and what your login ID is for the sites you frequent? All those cookies are simply stored, unencrypted and nicely named, in your Web browser's cache. (Read this post to remedy that problem.)

And how fast could this be done? Well, that depends on three main things: the length and complexity of your password, the speed of the hacker's computer, and the speed of the hacker's Internet connection. Assuming the hacker has a reasonably fast connection and PC, here is an estimate of the amount of time it would take to generate every possible combination of passwords for a given number of characters. After generating the list, it's just a matter of time before the computer runs through all the possibilities, or gets shut down trying.

Pay particular attention to the difference between using only lowercase characters and using all possible characters (uppercase, lowercase, and special characters like @#$%^&*). Adding just one capital letter and one asterisk would change the processing time for an 8 character password from 2.4 days to 2.1 centuries. Remember, these are just for an average computer, and these assume you aren't using any word in the dictionary. If Google put their computer to work on it, they'd finish about 1,000 times faster.

Now, I could go on for hours and hours more about all sorts of ways to compromise your security and generally make your life miserable, but 95% of those methods begin with compromising your weak password. So, why not just protect yourself from the start and sleep better at night?

Believe me, I understand the need to choose passwords that are memorable. But if you're going to do that, how about using something that no one is ever going to guess AND doesn't contain any common word or phrase in it. Here are some password tips:

1. Randomly substitute numbers for letters that look similar. The letter 'o' becomes the number 0, or even better an '@' or '*'. (i.e. m0d3ltf0rd like modelTford)
2. Randomly throw in capital letters (i.e. Mod3lTF0rd)
3. Think of something you were attached to when you were younger, but DON'T CHOOSE A PERSON'S NAME! Every name plus every word in the dictionary will fail under a simple brute force attack.
4. Maybe a place you loved, or a specific car, an attraction from a vacation, or a favorite restaurant?
5. You really need to have different username / password combinations for everything. Remember, the technique is to break into anything you access just to figure out your standard password, then compromise everything else. This doesn't work if you don't use the same password everywhere.
6. Since it can be difficult to remember a ton of passwords, I recommend using Roboform for Windows users. It will store all of your passwords in an encrypted format and allow you to use just one master password to access all of them. It will also automatically fill in forms on Web pages, and you can even get versions that allow you to take your password list with you on your PDA, phone or a USB key. If you'd like to download it without having to navigate their web site, here is the direct download link. (Ed. note: Lifehacker readers love the free, open-source KeePass for this duty, while others swear by the cross-platform, browser-based LastPass.)
7. Mac users can use 1Password. It is essentially the same thing as Roboform, except for Mac, and they even have an iPhone application so you can take them with you too.
8. Once you've thought of a password, try Microsoft's password strength tester to find out how secure it is.

By request I also created a short RoboForm Demonstration video. Hope it helps.

Another thing to keep in mind is that some of the passwords you think matter least actually matter most. For example, some people think that the password to their e-mail box isn't important because "I don't get anything sensitive there." Well, that e-mail box is probably connected to your online banking account. If I can compromise it, then I can log into the Bank's Web site and tell it I've forgotten my password to have it e-mailed to me. Now, what were you saying about it not being important?

Oftentimes people also reason that all of their passwords and logins are stored on their computer at home, which is safe behind a router or firewall device. Of course, they've never bothered to change the default password on that device, so someone could drive up and park near the house, use a laptop to breach the wireless network and then try passwords from this list until they gain control of your network, after which time they will own you!

Now I realize that every day we encounter people who over-exaggerate points in order to move us to action, but trust me, this is not one of those times. There are 50 other ways you can be compromised and punished for using weak passwords that I haven't even mentioned. I also realize that most people just don't care about all this until it's too late and they've learned a very hard lesson. But why don't you do me, and yourself, a favor and take a little action to strengthen your passwords and let me know that all the time I spent on this article wasn't completely in vain.
Please, be safe. It's a jungle out there.

EDIT: You might also want to listen to my interview on Connecticut Public Radio about password security.

How I'd Hack Your Weak Passwords [One Man's Blog]
Original material is licensed under a Creative Commons License permitting non-commercial sharing with attribution.