
Bad Password!

The new bogeyman of malware, that is, malicious programs secretly installed on your computer, is raising the fear level amongst users. Note that “fear level” and “awareness” are not the same thing. Nobody gains control over a risk through fear; they gain it through better knowledge and awareness of it.

Broadly speaking, one of the weakest points in security is the use of insecure passwords. In earlier times it was a common joke that if you needed someone’s password all you had to do was look through their desk until you found the post-it they’d written it on. That’s not so common these days, any more than going through dumpsters will turn up anything useful, but how far password-cracking technology has evolved might surprise you.


How Your Passwords Can Get Stolen

From time to time, you hear of “data breaches” in corporate data centers, such as large retail chains, banks and credit agencies. These come about from relentless and continual probing and poking by criminal hackers looking for vulnerabilities. Occasionally they find a way in and may, before the good guys find the breach and close it, grab a file or two. A really good haul may provide account names and passwords for several million people. On its own, the password file is useless. Passwords are never stored in plain text, although the other account information may be. The passwords will have been hashed first (a one-way transformation, often loosely called encryption), and the result is unreadable gibberish (technically referred to as the “hash”) which is virtually un-crackable. This means not impossible, but prohibitively time-consuming to yield anything of value.

But there is another way around this. The hackers have the same hashing tools. All that needs to be done is guess what the password is, run the guess through the same hash function, and see whether the resulting hash matches the hash in your password file.

Brute Force Attack

Not long ago, conventional wisdom was that an eight-character password composed of upper and lower case letters plus digits and special characters was enough complexity to stall a hacker. This is just not true anymore. Add it up: 26 plus 26 (the upper and lower case alphabet) plus 10 digits gives you 62 possible characters. The resulting number of possible passwords is 98 Septendecillion (62 to the power of eight, one factor for each of the eight characters in the password), which would be written out as 98 followed by 54 zeros.

A “brute force” attack to crack passwords is simply that: try every one of those combinations until one gets a match. This sounds prohibitively time-consuming, but it is not. A machine optimized for cracking passwords can be built from readily available parts, and when running it can test billions of passwords per second. Result: all combinations of eight-character passwords can be run in about seven minutes.

Dictionary Attack

To speed up the process, hackers employ another method before resorting to full-on brute force: they first try words known to be commonly used in passwords, collected into a dictionary list. Added to this is information about you personally that can be mined (not even really hacked) from social media accounts: pet names, birthdays, and boyfriend/girlfriend/wife/husband names are very common examples and are among the first guesses tried.

The practice of substituting characters to “randomize” the password (such as P@ssw0rd$) is a poor defense, since cracking tools try these common substitutions against every dictionary word automatically and will find them in virtually no time.
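To put numbers on the brute-force and dictionary sections above, and on the ten-or-more random characters recommended later in this post, here is a small estimator. It is an added example, not code from the original post; the cracking rate of 500 billion guesses per second is an assumed stand-in for the “billions per second” the post mentions, and the dictionary size and number of substitution variants are constructed figures.

```python
"""Keyspace and time-to-exhaust estimator for brute-force and wordlist guessing."""
from math import log2

CHARSET_SIZES = {
    "lower": 26,
    "lower+upper": 52,
    "lower+upper+digits": 62,
    "lower+upper+digits+symbols": 62 + 33,  # 33 printable ASCII symbols
}

# Assumed cracking-rig speed (hypothetical; the post only says "billions per second").
GUESSES_PER_SECOND = 500_000_000_000


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols from a `charset_size` alphabet."""
    return charset_size ** length


def seconds_to_exhaust(space: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate in `space` at `rate` guesses per second."""
    return space / rate


def human_time(seconds: float) -> str:
    """Render a duration in the largest unit that gives a value of at least 1."""
    units = [("years", 365 * 86400), ("days", 86400),
             ("hours", 3600), ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


def dictionary_space(words: int, mangling_variants: int) -> int:
    """Candidates a wordlist attack tries: each word times each P@ssw0rd$-style substitution rule."""
    return words * mangling_variants


if __name__ == "__main__":
    for label, size in CHARSET_SIZES.items():
        for length in (8, 10, 12):
            space = keyspace(size, length)
            print(f"{label:28s} len {length}: {space:.3e} candidates "
                  f"({log2(space):.0f} bits) -> {human_time(seconds_to_exhaust(space))}")
    # Constructed wordlist scenario: 100,000 common words x 10,000 substitution variants.
    d = dictionary_space(100_000, 10_000)
    print(f"wordlist + substitutions: {d:.1e} candidates -> {human_time(seconds_to_exhaust(d))}")
```

At the assumed rate, the full 62-symbol eight-character space falls in a few minutes, a mangled dictionary word in a fraction of a second, and twelve random characters take centuries; lengthening a random password, not decorating a word, is what buys time.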

Reusing Passwords in Multiple Accounts

Once your password has been cracked from one breach, it is now available for use everywhere.

Just don’t reuse passwords.

The Solution

You really should get a password manager. I don’t recommend using the built-in browser tools, although they are light-years ahead of using nothing. My favorite, Bitwarden, a free open-source manager, is covered in some detail in my article Password Manager.

Once you have your password manager in place, take the time to upgrade every account you use to a unique password, preferably using randomly generated values from the password manager (ten or more characters). When your bank or another institution informs you of a breach they suffered, you only have that one account to be concerned with.

Now that you are aware of the risks and how to protect yourself from them, you can operate confidently in a potentially hazardous environment.

Mark Thomas is a Data Solutions Master. He is always happy to receive inquiries on any topic. He can be reached here.
