OCS: Keeping clients' computers safe and profitable for over 30 years

Password Hacking Basics

How are passwords hacked? What do the hackers actually do? What techniques do they use and how can you prevent your passwords from being cracked?



How passwords are cracked

  • Dictionaries: Millions of passwords have been hacked, uploaded, and shared on the Internet, so there are dictionaries not only of words but also of a million or so real passwords. There are smaller dictionaries, dictionaries of just words, and dictionaries of words converted into leet speak (changing e to 3, t to 7, etc.). A good cracking program will therefore have a half dozen or more dictionaries.
  • Algorithms: After examining all those passwords, hackers began writing programs that use the dictionaries to replicate the patterns people follow:
    • Single words or any of the million already cracked passwords
    • Substituting numbers for some letters (like 5hopping for shopping)
    • Inserting capital letters (like 5hoPPing)
    • Adding numbers at the end (like 5hopping6458) or beginning
    • Combining 2 words
    • Combining 3 words
    • Remember that some passwords in the dictionary already consist of 2 or 3 words, so even a 4 or 5 word password might not survive a combination attack
    • And more...

Force the hacker to use brute force

A good password is a long password that has never been used, cannot be broken down into 2 or 3 passwords that have been used, and follows a system never used before. The easiest way to get one is to let your password manager generate a long random password.

Once you have a password that is not crackable using any algorithm or combination of dictionaries, the cracker will be forced to use brute force. If your password uses all four character types (upper case, lower case, numerals, and symbols) and is more than 15 characters, it will essentially be uncrackable. I prefer longer ones because I don't want to have to change it in a few years when cracking programs get better. If you can't or don't use all 4 types, just make it longer.
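To make the brute-force arithmetic concrete, here is an added example (not code from the original article) that generates a random password from the four character classes with Python's CSPRNG-backed `secrets` module, the way a password manager does, and then computes the keyspace N^L, the entropy in bits, and the worst-case time to exhaust it at an assumed guess rate. The one-trillion-guesses-per-second figure is a constructed assumption for illustration, not a measurement.

```python
import math
import secrets
import string

# The four character classes the article names: upper case, lower case, numerals, symbols.
UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits
SYMBOLS = string.punctuation          # the 32 printable ASCII symbols
ALL_CLASSES = (UPPER, LOWER, DIGITS, SYMBOLS)

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def generate_password(length=20, classes=ALL_CLASSES):
    """Random password drawn from the OS CSPRNG via `secrets`, guaranteed to
    contain at least one character from every class (what a manager does)."""
    if length < len(classes):
        raise ValueError("length must be at least the number of classes")
    rng = secrets.SystemRandom()
    chars = [secrets.choice(cls) for cls in classes]          # one from each class
    alphabet = "".join(classes)
    chars += [secrets.choice(alphabet) for _ in range(length - len(classes))]
    rng.shuffle(chars)                                         # CSPRNG-backed shuffle
    return "".join(chars)


def alphabet_size(classes=ALL_CLASSES):
    """Number of distinct symbols the brute forcer must try per position."""
    return sum(len(cls) for cls in classes)


def keyspace(length, n_symbols):
    """Candidates a brute-force search must cover in the worst case: N^L."""
    return n_symbols ** length


def entropy_bits(length, n_symbols):
    return length * math.log2(n_symbols)


def years_to_exhaust(length, n_symbols, guesses_per_second):
    """Worst-case time to walk the whole keyspace at a constant guess rate."""
    return keyspace(length, n_symbols) / guesses_per_second / SECONDS_PER_YEAR


def classes_present(password):
    """Which of the four classes a password actually uses."""
    names = {"upper": UPPER, "lower": LOWER, "digit": DIGITS, "symbol": SYMBOLS}
    return {name for name, cls in names.items() if any(ch in cls for ch in password)}


if __name__ == "__main__":
    n = alphabet_size()
    rate = 1e12   # constructed assumption: one trillion guesses per second
    for length in (8, 12, 15, 20):
        print(f"{length:2d} chars from {n} symbols: {entropy_bits(length, n):5.1f} bits, "
              f"{years_to_exhaust(length, n, rate):.3g} years at {rate:.0e} guesses/s")
    pw = generate_password(20)
    print(pw, sorted(classes_present(pw)))
```

Running it shows why the article's advice scales the way it does: every extra character multiplies the keyspace by the alphabet size, so adding length is far more effective than swapping a letter for a symbol, and a randomly generated 15-plus character password from all four classes is out of reach of exhaustive search at any realistic guess rate.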

So, what about passwords I must type?

So, how do you make up those very few passwords (like the password to your password safe) that you must type?
  • Understand the keyboard. Think about how hard it is to type the password. Lots of shift keys can make a password harder to type. Switching from numerals or symbols to letters and back can make typing on a phone or tablet more difficult. Know your hardware.
  • If you know more than one language, use them. A couple of words from one language and a couple from another doesn't seem to be something hackers are doing.
  • People often use the system of taking the first letter of each word in a sentence. So the sentence "I love to make long passwords" could become Iltmlp. Of course, you cannot use a sentence anyone else has used, so you cannot use a famous movie or TV quote. I suggest using such a sentence only as the first word of a longer password if you don't know multiple languages.
  • Stick in some padding to make it longer: to Iltmlp we can add 9999, giving Iltmlp9999.
  • Now add a second word: appleSauce.
  • But we want more padding and symbols, and not at the end where everyone puts them, so we'll insert them after the 9999 and use ;;;; since semicolons are easy to type. This gives us the password Iltmlp9999;;;;appleSauce - 24 characters. If we needed to type it on a phone, we only need to switch once to the number/symbols section, so it is pretty easy to type. Hopefully no one has used it yet, so it won't be in any dictionary and won't be easy to assemble from 2 dictionaries.

This gives you an idea of how to create a long password that forces the crackers out of their dictionaries and algorithms and into brute force, and that is long enough to withstand it. This is an example only. The important rule is to make sure the password cannot be in any dictionary or combination of dictionary words, or produced by a simple algorithm based on words or passwords, like adding some numbers and a symbol at the end. I suggest always adding some padding, a few words, and at least one word not in an English dictionary.




Date: March 2017


Creative Commons License
This article is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License.
