OCS banner and logo
Keeping clients' computers safe and profitable for over 25 years



Home Forms About Current Newsletter subscribe 
Search All Articles

Browse by Category


powered by pmc2m

 

Password Hacking Basics

How are passwords hacked? What do the hackers actually do? What techniques do they use and how can you prevent your passwords from being cracked?



How Passwords are cracked

  • Dictionaries: Millions of passwords have been hacked and they have been uploaded and shared on the Internet. So, there are dictionaries of not only words, but also of a million or so passwords. There are smaller dictionaries and dictionaries of just words, and dictionaries of words converted into leet speak (changing e to 3 t to 7 etc.). So, a good hacking program will have a half dozen or more dictionaries.
  • Algorithms: After examining all those passwords, hackers began making programs that used the dictionaries to replicate the passwords:
    • Single words or any of the million already cracked passwords
    • Substituting numbers for some letters (like 5hopping for shopping)
    • Inserting capital letters (like 5hoPPing)
    • Adding numbers at the end (like 5hopping6458) or beginning
    • Combining 2 words
    • Combining 3 words
    • Remember, some passwords in the dictionary will consist of 2 or 3 words. Therefore, even a 4 or 5 word password might not survive a combination attack
    • And more...

Force the hacker to use Brute force

A good password is a long password that has never been used and cannot be broken down into 2 or 3 passwords that have been used and uses a system never before used. The easiest way to do this is to let your passwords manager generate a long random password.

Once you have a password that is not crackable using any algorithm or combination of dictionaries, the cracker will be forced to use brute force. If your password uses all four character types (upper case, lower case, numerals, and symbols), and is more than 15 characters, it will essentially be uncrackable. I prefer longer ones because I don't want to have to change it in a few years when cracking programs get better. If you can't or don't use all 4 types, just make it longer.

So, what about passwords I must type?

So, how do you make up those very few passwords (like the password to your password safe) that you must type?
  • Understand the keyboard. Think about how hard it is to type the password. Lots of shift keys can make a password harder to type. Switching from numerals or symbols to letters and back can make typing on a phone or tablet more difficult. Know your hardware.
  • If you know more than one language use them. A couple words from one language and a couple from another doesn't seem to be something hackers are doing.
  • People often use the system of the first letter of a sentence. So, the sentence, "I love to make long passwords" could become Iltmlp. Of course, you cannot use a sentence anyone else has used. So, you cannot use a famous movie or TV quote. I suggest just using such a sentence as the first word in a longer sentence if you don't know multiple languages.
  • Stick in some padding to make it longer. So to Iltmlp we can add 9999 for Iltmlp9999
  • Now a second word: appleSauce
  • But we want more padding and symbols, but not at the end where everyone puts them, so we'll stick them after the 9999 and use ;;;; since semicolons are easy to type. This gives us a password of Iltmlp9999;;;;appleSauce - So we have 24 characters. If we needed to type on a phone, we only need to switch once to the number/symbols section and it is pretty easy to type. Hopefully, no one has used that yet, so it won't be in any dictionary, and won't be easy to put together from 2 dictionaries.

This gives you an idea of how to go about creating a long password that will force the crackers out of their dictionaries and algorithms and into brute force, and be long enough to withstand it.  This is an example only. The important rule is make sure it cannot be in any dictionary or combination of dictionary words or simple algorithm based on words or passwords, like adding some numbers and a symbol at the end. I suggest always adding some padding, a few words, and at least some word or words not in an English dictionary.




Date: March 2017


Creative Commons License
This article is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License.

 
 
  Please direct questions/suggestions about website to the webmaster