We have all experienced the frustration that comes from being told that we entered the wrong password. The problem is, a password that can be memorized is a password that can be hacked.
When 3.3 million passwords were analyzed to determine the most common ones in 2014, 0.6 percent were 123456. And using the top 10 passwords, a hacker could, on average, guess 16 out of 1,000 passwords.
Below are some examples of real VIP passwords that were cracked and leaked onto the internet along with how long (on average) it would take to crack the password.
Since 2014, people have become more security-aware, and many companies now enforce stronger password standards: a minimum of 8 characters, upper and lower case letters, and at least one number and one special character. The problem of password memorization still remains, however.
There are two common methods of password cracking: Brute Force Attacks and Dictionary Attacks.
Brute Force Attack: An attempt to gain access to an account by systematically submitting every possible combination of letters (upper and lowercase), numbers, and symbols.
- Brute force attacks are often powered by graphics processing units (GPUs) which, lately, have become a hot commodity due to the dawn of VR/AR and bitcoin mining.
- The legendary (and free) Hashcat password-cracking suite can make 300,000 guesses per second (with common hardware).
- Another popular free (and very powerful) password cracking tool is Cryptohaze.
- If you have an Nvidia GPU and want to play around with hacking some things, you can download and install it using the install script that our team wrote: http://bit.ly/install-cryptohaze
Dictionary Password Attack: Large lists of known passwords are attempted against an account.
- When major cybersecurity breaches occur, the passwords (or hashes of those passwords) from compromised company databases usually find their way into the hands of the global hacking community. This further boosts the ever-increasing power of dictionary attacks.
- One of the most powerful password dictionaries ever released is named “RockYou”.
- Feel free to download the RockYou password database from Pastebin (provided by William Thompson’s hacker alias, h8rt3rmin8r): https://pastebin.com/MnRaVEAL
Additional innovations in hacking technology have also begun to gain widespread use, such as machine learning and artificial intelligence systems which can actually predict (with an uncanny level of accuracy) the types of passwords humans are likely to construct. Precautions can be taken against even the most sophisticated password cracking techniques:
- Never use passwords generated by your own brain (use something like passwordsgenerator.net)
- Never use passwords shorter than 18 characters
- In general, if it can be memorized it can be cracked
- Never use the same password on more than a single online account
- Check the strength of your password with this online tool: http://password-checker.online-domain-tools.com/
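To make the brute-force and dictionary discussion above concrete, here is an added offline strength estimator (example code written for this article, not a tool from the post or from any project it names). It uses the 300,000 guesses per second figure quoted above, the 8-character corporate policy, and a small constructed stand-in for a leaked-password list; the real RockYou list runs to millions of entries.

```python
"""Offline password strength estimate: dictionary hit, keyspace, crack time."""
import string

# Guess rate the post quotes for Hashcat on common hardware.
GUESSES_PER_SECOND = 300_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed stand-in for a leaked-password dictionary such as RockYou.
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "123456789",
                    "12345", "1234", "111111", "1234567", "dragon"}

# Character classes a brute-force attack has to cover (printable ASCII assumed).
CLASSES = (set(string.ascii_lowercase), set(string.ascii_uppercase),
           set(string.digits), set(string.punctuation))


def classes_used(password: str) -> list:
    """Return the character classes that actually appear in the password."""
    return [cls for cls in CLASSES if any(c in cls for c in password)]


def keyspace(password: str) -> int:
    """Brute-force search space: alphabet size ** length, where the alphabet
    is only the classes the password contains (an attacker tries small
    alphabets first, so digits-only passwords collapse to 10 ** length)."""
    alphabet = sum(len(cls) for cls in classes_used(password))
    return alphabet ** len(password)


def expected_crack_seconds(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Average time to crack: a dictionary entry costs one guess; otherwise an
    exhaustive search finds the password after half the keyspace on average."""
    if password.lower() in COMMON_PASSWORDS:
        return 1 / rate
    return keyspace(password) / 2 / rate


def years_to_crack(password: str) -> float:
    return expected_crack_seconds(password) / SECONDS_PER_YEAR


def meets_policy(password: str, min_length: int = 8) -> bool:
    """The corporate policy from the post: at least 8 characters, upper and
    lower case, a digit and a symbol; a dictionary entry never passes.
    Passing says nothing about predictability: 'Passw0rd!' passes the policy
    yet is a trivially mangled dictionary word, which is the post's point."""
    if password.lower() in COMMON_PASSWORDS or len(password) < min_length:
        return False
    return len(classes_used(password)) == len(CLASSES)


if __name__ == "__main__":
    for pw in ("123456", "Passw0rd!", "x7#Qm2!pL9@kR4$vT1"):   # constructed samples
        print(f"{pw!r}: policy={meets_policy(pw)} years={years_to_crack(pw):.3g}")
```

Comparing the 8-character policy minimum against an 18-character random string shows why the post's length advice matters far more than the character-class rules.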
The most common rebuttals that people have against using a new randomly generated password for every account are “how am I going to keep track of all these passwords” and “it’s so annoying to have to type in such a long line of gibberish”. Well, there’s an app for that. Several of them, actually. Here are some of our recommendations:
Dashlane (Paid): A password manager that syncs across all your devices. It will automatically fill in your login details on saved websites. While this feature is similar to what Google Chrome offers, if your device gets hacked, stealing your browser cookies wouldn’t reveal your passwords. Additionally, if a website that you use gets hacked, Dashlane will alert you immediately and recommend changing your password.
Keepass2Android (Free): A client-side password manager app that will store all of your passwords. This service does not sync across devices, but it does make it easy to store and access passwords wherever you are.
Both of these services come with a random password generator. So you don’t have to type in a long string of random characters and hope there are no errors.
We are not affiliated, associated, authorized, endorsed by, or in any way officially connected with the third-party entities named herein, or any of their subsidiaries or affiliates. Any third-party entity names, as well as related names, marks, emblems, and images, may be registered trademarks of the respective parties.
The use in this website and/or in related content of trademarked names and images is strictly for editorial and research purposes, and no commercial claim to their use, or suggestion of sponsorship or endorsement, is made by ResoNova International Consulting, LLC. No attempt has been made to identify or designate all words or terms to which trademarks or other proprietary rights may exist. Nothing contained herein is intended to express a judgment on, or affect the validity or legal status of, any word or term as a trademark, service mark, or other proprietary mark.