When you think of a “hacker,” what do you picture? If you’re like most people, it’s probably some kind of hoodie-wearing miscreant with black fingernail polish, a laptop plastered with snarky stickers and an array of empty energy drink cans surrounding them. If you’re like me, you probably also picture them against a backdrop of code straight out of Mr. Robot and when it comes to what they do with that laptop and how they do it… who even knows? Am I right? It might as well be magic.
As it turns out, hacking is often not that complex. Sometimes attackers have to make their strategy just a little more complicated than that, but the truth is that you can prevent a lot of common attacks and keep your online accounts a great deal safer just by using better passwords. So if you are looking for a way to improve your cybersecurity, password security is where you should start.
Common Password Attacks
Trying Common Passwords
As mentioned above, one of the easiest and most common ways to hack into an account is to try common passwords, or to do a little research on the intended victim and try some passwords related to that person. A 2015 survey indicated that the most commonly used passwords are the following:
These are VERY insecure passwords. They are easy to guess, and cybercriminals will start by trying weak passwords like these against your accounts.
We also recommend that you never use passwords that contain the following information:
- Your name or the names of your family and friends
- Your birthday or those of your family/friends
- Your pets’ names
- Places you live or have lived, including city or street names
It’s amazing how much information about a person is out there on the internet. So if your password contains information that pertains to you in a way that can be discerned from the internet or by talking to your friends, it can be easily guessed. Other types of password-cracking attacks explained on this page include:
- Dictionary
- Hybrid
- Mask
- Brute Force
Dictionary Attack
In a dictionary attack, a computer uses a wordlist (say, the entire English dictionary) to try to find a password that works. The computer simply plugs in every word in its word list in an attempt to find a working password. Seem impractical? Okay, hot shot.
The average English-speaking adult knows somewhere between 12,000 and 30,000 words. But let’s just say we’ll use the entire Webster’s dictionary with its ~120,000 words as possible passwords. A computer can reasonably try 1000 passwords a second. So… yeah… do the math. That means that the tricky word you selected, thinking that it couldn’t be guessed because it has nothing to do with you, can be hacked in about 2 minutes.
So we recommend that you avoid using a single dictionary word as your password. You should also avoid using any commonly used word or name that might not be in the dictionary. Even if “#OnFleek” isn’t in the dictionary, it can easily be added to a word list.
Hybrid Attack
A hybrid attack is a dictionary attack in which the computer also appends numbers and special characters to the words in the word list.
So if you read the last section and thought you were safe with “Logjammin2003” as your password, think again!
A 4-digit number has 10,000 possible combinations (10 options for each of the 4 digits, 10^4 = 10,000). That means a password with a single word followed by a 4-digit number can still be hacked in ~34 hours if the computer can try 1000 passwords per second.
(120,000 x 10,000) / 1000 / (60 x 60 x 24) = 33.3 hours.
Also, consider that if the attacker assumes you will probably use a year as that 4-digit number, then they don’t have to try every combination. Making assumptions about how passwords are commonly constructed can bring the attack time waaaaaaay down.
Mask Attack
A mask attack is all about making the assumptions that were mentioned in the last section and then performing a specific kind of hybrid attack based on those assumptions.
Imagine that a website requires an 8-character password that uses at least one character from each of the following sets:
- Upper case letters
- Lower case letters
- Special characters
The average person is likely to respond to that password requirement by choosing a password like “Word123!” As English speakers, we capitalize the first letter of a word in normal writing. We are also more likely to use a special character like “!” or “?” than “^” or “#.” Again, we use those characters when we write and we are familiar with them.
Attackers know this. So they make assumptions and create a mask that limits the number of combinations they have to try in their hybrid attack. If the attacker assumes you will use a 4-character, capitalized word followed by a 3-digit number and then a single special character, the mask would look like this, “ulllnnns,” which is upper case, lower case, lower case, lower case, number, number, number, symbol.
That means the hybrid attack is looking for one uppercase letter, a 3-character lowercase string, a 3-digit number and a single special character. This example assumes that there are 10 valid special characters. That means the math is as follows:
26 x 26^3 x 10^3 x 10 = 18,612 combinations
With our standard 1000 tries per second, our password, which meets the minimum security requirements, could be hacked in only 19 seconds.
Brute Force Attack
Finally, if none of the above attacks work, a hacker can try a brute force attack.
A brute force attack makes no assumptions. It simply tries every possible combination of allowed characters until it finds a match. This kind of attack is very effective on shorter passwords, and it will even hack passwords composed of randomized characters. But length does matter. A brute force attack is not very efficient, and if your password is long enough it can be impractical to hack. Take a look at the following table that shows the time it would take to brute force passwords by length and complexity. Keep in mind that this table assumes that the computer can try significantly more than 1000 passwords per second. We’ll address how this is possible in the next section, but go ahead and take a look!
Notice that the time to hack a password increases exponentially with each character added to your password. For a password that consists of randomized characters of all types, the difference between 6, 7, 8 and 9 characters is days, years, centuries and millennia!!! Also notice how much longer it takes to hack a password that contains all types of characters compared to a password of the same length that uses only lowercase characters.
So why would you ever need a random password that is 14 characters long? I hear ya… those hack times are longer than the age of the universe! Maybe you don’t need a password that long. But also keep in mind that bad guys are working on better and better technology that can try more and more passwords per second. So while this table might apply today, the hack times could be much lower next year. That said, you should be changing your password more than once a year!!
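The arithmetic this section keeps doing by hand, as an added example that is not part of the original article: a small calculator that turns keyspace and guessing rate into worst-case and average time. It reproduces the 120,000-word dictionary at 1000 guesses per second and the 2000-word, 4-word passphrase at 100,000 guesses per second that appear on this page, and prints a brute-force table by length and character set like the one described above; the 1 billion guesses per second used for that table and the 32-symbol special-character set are assumptions, not figures from the article.

```python
"""Guess-time calculator: an added example, not code from the original
article. It turns the article's arithmetic (keyspace / guesses per second)
into reusable functions and prints a brute-force table by length and
character set. The guessing rate for the table (1e9/s) and the 32-symbol
special-character set are assumptions chosen for illustration.
"""

SECONDS_PER_MINUTE = 60
SECONDS_PER_HOUR = 60 * SECONDS_PER_MINUTE
SECONDS_PER_DAY = 24 * SECONDS_PER_HOUR
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY

# Character-class sizes a brute-force attack has to cover.
LOWER, UPPER, DIGITS = 26, 26, 10
SYMBOLS = 32  # assumption: printable ASCII punctuation
ALL_CLASSES = LOWER + UPPER + DIGITS + SYMBOLS  # 94


def worst_case_seconds(keyspace: int, guesses_per_second: float) -> float:
    """Time to try every candidate; on average an attacker needs half of it."""
    return keyspace / guesses_per_second


def passphrase_keyspace(wordlist_size: int, word_count: int) -> int:
    """Candidates for a passphrase of word_count words drawn from one list."""
    return wordlist_size ** word_count


def brute_force_keyspace(length: int, alphabet_size: int) -> int:
    """Candidates for a fully random password over an alphabet."""
    return alphabet_size ** length


def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that applies, one decimal."""
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", SECONDS_PER_DAY),
                       ("hours", SECONDS_PER_HOUR), ("minutes", SECONDS_PER_MINUTE)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def brute_force_table(lengths, guesses_per_second: float):
    """Rows of (length, worst-case seconds lowercase only, worst-case seconds all classes)."""
    return [(n,
             worst_case_seconds(brute_force_keyspace(n, LOWER), guesses_per_second),
             worst_case_seconds(brute_force_keyspace(n, ALL_CLASSES), guesses_per_second))
            for n in lengths]


if __name__ == "__main__":
    # The article's dictionary attack: 120,000 words at 1000 guesses/second.
    print("dictionary word:", humanize(worst_case_seconds(120_000, 1_000)))  # 2.0 minutes
    # The article's 4-word passphrase from a 2000-word list at 100,000 guesses/second.
    pp = worst_case_seconds(passphrase_keyspace(2_000, 4), 100_000)
    print("4-word passphrase:", humanize(pp / 2), "to", humanize(pp))  # 2.5 years to 5.1 years
    # Brute force at an assumed 1 billion guesses/second (offline cracking of stolen hashes).
    print(f"{'len':>3} {'lowercase only':>20} {'all 94 characters':>20}")
    for n, lower, full in brute_force_table(range(6, 15), 1e9):
        print(f"{n:>3} {humanize(lower):>20} {humanize(full):>20}")
```

Each extra character multiplies the brute-force row by the alphabet size, which is the exponential growth the text describes; raising the rate parameter shows how the same table shrinks as attacker hardware improves.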
Attacks on Hashes
The discussion about these attacks so far has assumed that the computer attempting different passwords is actually sending them to the website, application or device the same way you would as a human being: by entering the password into a form and trying again if it didn’t work. This is why most of the math above assumes that the computer can only try 1000 passwords per second. The reality is that attacks can be carried out much faster if the computer isn’t limited by repeatedly submitting passwords to a web server.
Passwords are usually stored on servers in what’s called a “hash.” A hash is essentially a one-way scramble of the password that cannot be reversed. Normally when you log in to the web site, your password is sent through a hashing algorithm and the result is compared to the stored hash. If it’s the same, they let you in. The reason they do things this way is so that a hacker who breaks in to the web server cannot steal your passwords directly; they could only steal the hashes. However, if an attacker does steal the hashes, they can attempt to “crack” them by plugging password candidates into the hashing algorithm (using the attack strategies above) and comparing the resulting hashes to the stolen ones. If there is a match, the attacker has cracked your password! This all hinges on having the hashes available, but it allows the cracking program to try far more passwords per second.
An attacker can also shorten attack times by using “rainbow tables.” A rainbow table is just a huge list of precomputed hashes that the attacker wants to use to crack a stolen hash. If the calculation of the password combinations and their hashes was all done ahead of time, the attacker only needs to compare the stolen hashes to his huge table of hashes. If he finds a match, you’re pwned. This makes attacks on hashes lightning fast. Fortunately there is a technique called “salting” that makes this kind of attack absolutely impossible. Salting is also very easy for the server that stores the hashed passwords to employ; it’s being used more and more widely, and rainbow tables are becoming a less and less viable attack strategy.
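Why a precomputed table works against unsalted storage and fails against salted storage, as an added example that is not code from the original article. It uses only the Python standard library; the wordlist and the salts are constructed for the demonstration, and the salted scheme uses PBKDF2 (hashlib.pbkdf2_hmac) with a small iteration count so the demo runs quickly.

```python
"""Added example (not from the original article): the same password stored
unsalted and salted, and what a table of precomputed hashes can do to each.
Uses only the standard library; the wordlist and salts are constructed.
"""
import hashlib
import hmac
import secrets

# Constructed wordlist standing in for the input to an attacker's precomputed table.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "football"]

# Deliberately small so the demo runs fast; real deployments use far more.
PBKDF2_ITERATIONS = 50_000


def hash_unsalted(password: str) -> str:
    """The weak scheme: same password -> same hash, for every user and every site."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_precomputed_table(wordlist) -> dict:
    """Hash every candidate once up front; each later lookup is a dictionary access."""
    return {hash_unsalted(word): word for word in wordlist}


def lookup(stored_hash: str, table: dict):
    """Recover the password behind a stolen hash if it was precomputed, else None."""
    return table.get(stored_hash)


def make_salt(length: int = 16) -> bytes:
    """A fresh random salt per user; it is stored in the clear beside the hash."""
    return secrets.token_bytes(length)


def hash_salted(password: str, salt: bytes) -> str:
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256).

    Two users with the same password get different salts and therefore different
    stored values, so a table precomputed for one salt is useless for the other.
    """
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return digest.hex()


def verify(password: str, salt: bytes, stored: str) -> bool:
    """Login check: recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_salted(password, salt), stored)


if __name__ == "__main__":
    table = build_precomputed_table(COMMON_PASSWORDS)
    # Unsalted: every account using "qwerty" leaks the same hash, cracked in one lookup.
    stolen = hash_unsalted("qwerty")
    print("unsalted lookup:", lookup(stolen, table))  # qwerty
    # Salted: same password, two users, two salts -> two unrelated stored values.
    salt_a, salt_b = make_salt(), make_salt()
    stored_a, stored_b = hash_salted("qwerty", salt_a), hash_salted("qwerty", salt_b)
    print("salted values differ:", stored_a != stored_b)  # True
    print("table hit on salted value:", lookup(stored_a, table))  # None
    print("login with correct password:", verify("qwerty", salt_a, stored_a))  # True
```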
Create strong passwords
So what do we recommend in terms of a “strong” password? If you read the detailed attack strategy sections above, it may seem like it’s an impossible task to create a strong password that you can actually remember. And you’re right. It probably is. So we recommend that you do one of the following:
- Don’t use a password at all.
- Don’t remember your passwords.
Saaaaaay what?!? Yeah I know, that was intentionally cryptic for effect. I have your attention though, right?
When we say “Don’t use a password at all,” what we mean is, “Use a passphrase instead.” A passphrase is just a series of words that you can remember. For example, say your dentist’s office has a classic rock station turned on – the really old stuff – and you’re going to need to change your password soon. You’re not really a Rolling Stones fan (which in password creation terms is a good thing), but you hear “Start Me Up” on the radio, and inspiration strikes.
Taking the first few lyrics, “If you start me up, if you start me up, I’ll never stop,” your password becomes
A complex password that’s easy to remember (you only wish you could forget the crappy oldies station at the dentist’s office):
- It starts with the number “1.”
- It has two capital letters in it (the letter “I”).
- It has an underscore in it to add a symbol for complexity.
- AND it is 14 characters long, the maximum for an Ohio State password.
That is one way to use a passphrase: using the first letter of each word. As long as the words don’t have anything to do with you, it will be pretty hard to hack. Even if someone put together a 2000-word dictionary of commonly used words and tried to hack 4-word combinations, this would take somewhere between 2.5 and 5 years if the computer could try 100,000 passwords every second!! Amazing, right? And it’s pretty easy to remember.
If your password doesn’t use patterns or sentence structure, then hybrid and mask attacks won’t do any better. And brute force attacks…. Forget about it. That sucker is 14 characters long.
Again, just make sure the words aren’t predictable for you. If you are a die-hard Stones fan, this is a bad passphrase for you. Too easy to guess.
The possibilities are endless.
Ok, so what about the “Don’t remember your passwords” suggestion? This is really simple advice. Don’t write your passwords down on a piece of paper; use a secure password manager. Read more about password managers below.
Don’t re-use passwords
It is also really important that you never, ever use the same password or passphrase in more than one place. That means every web login you have and every device you have should have its own unique password. You might think that sounds insane, but here’s the deal. If a cybercriminal gets one username and password combination that works on one website, the first thing they are going to do is try that same username and password on other sites. They even have programs that will help them check out hundreds of popular sites in seconds.
If you reuse passwords, you run the risk that someone hacks that nano-brewery whose newsletter you subscribed to… You know, the start-up company that spent zero dollars on security but, God bless ’em, their beer is freakin’ delicious… and a hacker steals your password from them. Then, as a result, they gain access to your bank accounts. Yeah, pretty much dancing right around all that security implemented by your bank. So don’t reuse passwords anywhere!!
Use multifactor authentication
Multifactor authentication (MFA) adds an incredible extra layer of security for your account logins. It’s free and easy to use and will make it nearly impossible for an attacker to compromise your accounts.
Consider your password reset questions
Have you ever forgotten your password and locked yourself out of an account? Most people have at some point. But I bet it wasn’t so hard to get back on track with your account, was it? Odds are, you just had to answer some security questions correctly and then the account allowed you to set a new password. Or maybe they sent an e-mail to the address they have on file and that e-mail contained a link where you could reset your password. No big deal right?
Have you ever considered how easy it would be for a cybercriminal to answer those security questions and then change the password to your account? Or to break into your email and change the password for other accounts that use that email for password resets? Most people don’t consider the security surrounding password resets when they think about strong passwords. But really, your password is only as strong as the process required to change it.
So for accounts that send password reset e-mails, the solution is simple. Lock down that e-mail account. Make sure it has a strong password that is not shared with any other account. Also make sure that you enable Multifactor Authentication whenever it is offered. If you do those things, you don’t really need to worry about someone breaking into your e-mail account. You still need to make sure that you don’t leave your computer screen unlocked while logged into your e-mail. So be careful about that too! Seriously though, your e-mail account is arguably the most important account to keep secure because it is often used to validate other accounts and to reset passwords. So we highly recommend that you take steps to keep it really secure.
Many security questions are way too easy, like “Where did you go to high school?” “What was the mascot?” “What’s the name of your favorite pet?” “What color was your first car?” “What’s the name of your favorite teacher?” The list goes on.
Well, let me ask you a different question… Which of those questions can’t be guessed by doing a little bit of research on you? …That’s right, none of them. So then how should you answer these questions to keep your account secure? Sometimes the account won’t give you an alternative recovery option, so what do you do?
How about not answering them truthfully? There is no reason you have to give the correct answer to the question or even an answer that makes sense. The answer to, “What is your favorite pet’s name?” could certainly be “The shutters on my house are green.” Now that is not going to be easy for an attacker to guess. You just have to remember how you answered the question, that’s all. And to do that, you could use a password manager. Usually password managers will let you write down secure notes where you can include the question and the answer. Then they will be encrypted and you will neither have to worry about remembering them nor about forgetting them. How nice is that!?
If you use a password manager to store your security questions and answers, you might as well take things one step further and make it really impossible to guess the answers. Why not just use a very long, random password as the answer? If you don’t have to remember the answer to each question, then it doesn’t really matter how complex they are. But it does make things really hard on an attacker. They will never be able to guess a 30-character randomized string in literally a million years. The only drawback to using randomized strings for your security questions is that they might be hard to speak over the phone to a technician. So use the wrong answer technique if the security questions are for verifying your identity via telephone call security.
Don’t write down your passwords
This might sound like a no-brainer, but a lot of people do it. Some vendors even sell “Password Saver” notebooks for that very purpose! If you write down your passwords, someone will be able to get into your accounts if they find where you’ve written them down. A post-it note on the underside of your keyboard is not as sneaky as you think it is. People will find that. Also be aware that e-mail and online file storage services are not secure ways to store passwords. If you can’t remember your passwords and need to write them down, please consider using a password manager.
Use a password manager
In today’s world it is essentially impossible to have strong passwords that are unique for every account and remember them all. But not to worry!! There is hope! A password manager can help!
A password manager is an application that…well, it helps you manage your passwords.
With any password manager, you enter the username and password of each one of your accounts into the manager. You can also store the URL of web-based accounts. The manager keeps these passwords secure by encrypting them with a very strong encryption algorithm that is impractical for any bad guy to break. When you want to log into one of your accounts, you decrypt the account credentials by… logging in to the password manager with a password.
What?!?! You need a password for your passwords?
Yes! But it’s great because it’s the only one you have to remember. All of the other passwords will be securely stored for you until you need them. You don’t have to worry about remembering them or forgetting them. Ever. And they can be really secure passwords, since you don’t have to be able to remember them.
Password managers will also let you store secure notes and other data. So you can put your credit card payment information, your driver’s license number and other important information in it as well. Really, any important information that you want to keep secure and that you don’t want to have to remember can be stored in this tool.
Sometimes password managers provide you with additional tools to help you stay secure. For example, some will perform a security assessment on your entire list of passwords. It will tell you which passwords are weak and which ones are old enough that they need to be changed. Some will even monitor for leaked credentials on the dark web and make you aware when your account credentials might have been compromised in a breach.
We recommend that you consider a password manager if you feel like you cannot practice good password security without one. There are a bunch of free options and some that require payment. We recommend doing some research and selecting a reputable password manager that has the features you need.
Password managers can really be a great security tool. But like most things, there are some finer points to keep in mind.
The Master Password
There is that one password you do have to remember: the one that gives you access to the password manager. You have to be really vigilant about keeping this password secure. Don’t write it down anywhere. Make sure it is strong, and choose a password manager that supports multifactor authentication, and then enable the MFA feature. To be very clear, you should enable MFA for your password manager or you should not use a password manager. If someone gains access to your password manager, they will have access to your entire online life and identity. Don’t freak out. You can totally keep it secure. You just have to make sure you use a good master password and back it up with MFA. Also make sure your password reset options are secured.
Two kinds of password managers
There are two kinds of password managers and they each have some advantages and disadvantages. The two kinds are:
- Online Password Managers
- Local Password Managers
Many people will tell you that local password managers are more secure. And they are probably right. A local password manager is installed on one device, and its stored data never leaves that device unless you personally input the data into a webpage (e.g. when you use the password manager to log into an account). What this means is that attackers would have to first gain access to your physical device before they could steal your encrypted passwords or attempt to log in and see them in plain text. So that does give you some extra security. The downside of a local password manager is that if you ever need to log in to an account and you don’t have the computer that has the password manager installed on it with you… well then you’re SOL.
I’m going to renege a little bit on the idea that you have to use MFA with any password manager. If you are using a local password manager, then you may not need MFA. Since you can only log in from the device it’s installed on, you sort of already have a portion of the extra security offered by MFA. And because local password managers don’t need an internet connection, they may not even offer MFA. So don’t rule out a local password manager if it doesn’t offer MFA. But if it does, we still recommend that you enable it.
An online password manager is a service where the encrypted data is actually stored on a webserver and sent to you when you need it. The upside is that you can access your stored data from anywhere. The downside is that a successful attacker can too, and they don’t need your device to do it. This is why MFA is so important.
With good online password managers, the data is sent to you encrypted, so that it really is only ever decrypted on the machine you logged in from. So, in that regard, there is not exactly a fundamental security difference between online and local password managers. There is a little more opportunity for a security flaw when the data is stored on a remote server and sent across the internet. Online password managers are still widely used, so don’t throw out the baby with the bathwater.
Online password managers and potentially some local password managers use browser plugins to allow you to automatically insert your passwords into the appropriate web pages. This can be very convenient because you don’t have to type in your passwords. However, it can also open up your password manager to security bugs associated with plugins. You shouldn’t let this rule out the use of a password manager, but it’s something to be aware of when you are researching what is available. Odds are, the password security posture that you will reasonably be able to maintain with a password manager will outweigh its downsides.