Hackers can crack your password in 10 minutes
It certainly makes for a good headline doesn’t it?
Even though that’s not what Business Week used as the lead for their article about password security last month, it might as well have been.
The article lists a series of password combinations, varying length (from 6 to 9 characters) and complexity (with or without mixed case, with or without numbers and special characters), and gives the approximate time it would take a dedicated hacker to crack each one.
The first combination, 6 all-lowercase characters with no numbers, change of case or special characters, can supposedly be guessed in as little as 10 minutes. That claim is designed to scare you, and it should.
The last combination, 9 mixed-case characters with numbers and special characters, will supposedly take a mind-blowing 44,530 years to crack.
Okay then, case closed, right? Everyone just needs to use that combination for their password (or even the slightly less secure 8-character version, which will still take 463 years to break), the hackers will be out of business, and we'll all sleep peacefully knowing our precious Facebook status updates can't be hijacked by some jerk.
While I would love it if things were that simple, I was skeptical after reading the article and decided to reach out to a security expert for a quick sanity check.
Marc Fossi, Executive Editor of the Internet Security Threat Report at Symantec, spoke to me by phone and helped shed some light on the whole password security issue.
The bottom line for Fossi? "There's no single silver bullet for security."
"Security is a process," he says, and by that he means that if you're taking comfort in the fact that you have one of those 44,530-year passwords, you should be thinking bigger-picture.
The fact is, most successful password hacks aren't hacks at all. They're the result of malware infecting your computer through a variety of means: perhaps you opened an infected email attachment, loaded a file off a USB key that had been tampered with, or grabbed a BitTorrent file that had been seeded as bait. The list, sadly, is long and varied. However it happens, it's this malware sitting silently inside your PC that is the real thief and threat. It can record every keystroke you make and hand-deliver the log to the waiting hacker, who simply has to read through the resulting text to find exactly what he or she is looking for.
And thanks to our own lazy habit of password re-use, which Fossi flags as a serious problem, that one password may be the only one the hacker needs to gain access to your financial institution(s), email or corporate intranet.
Suddenly that crazy 9 character string of nonsense doesn’t seem so safe does it?
In case you haven't already guessed, and there really should be no surprise here, Fossi suggests using a security product such as Symantec's Norton 360. There are other options as well, ranging from the free AVG and Avast! to monthly paid options from your ISP.
But even the combination of strong passwords and a comprehensive security suite can't provide 100% protection, especially in our wireless world of Wi-Fi. Many password-protected websites limit the number of incorrect login attempts, which keeps brute-force guessing somewhat at bay. Most home Wi-Fi routers offer no such protection, and in practice the attacker doesn't even need to send guesses to the router: with a recording of the exchange between the router and one of your devices, he can test password guesses offline on his own hardware, so a hacker parked outside with a powerful laptop is limited only by computing power. Fossi notes that even the outrageously long times cited in the Business Week article could be cut in half or much more with today's quad-core processors. Worse yet, if the hacker has access to a network of cloud-based computers, the total number of CPUs that could be brought to bear on cracking your password could number in the hundreds. The article simply doesn't say what machinery was used to come up with those numbers.
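To see how much the quoted crack times depend on the attacker's hardware, here is the arithmetic behind them as an added example (not code from the Business Week article or from Symantec). It assumes the simplest model: the attacker tries every combination of a fixed character set at a fixed number of guesses per second. Working back from the article's own "10 minutes for 6 lowercase letters" gives the guess rate the article must have assumed; the quad-core and cloud multipliers, and the 32-character special set, are illustrative assumptions, which is why the recomputed years land in the same ballpark as the article's figures rather than matching them exactly.

```python
"""Brute-force crack-time arithmetic behind the article's numbers.

Added example, not code from the Business Week article or from Symantec.
Model: exhaustive search of a fixed character set at a fixed guess rate.
The guess-rate multipliers and the special-character count are assumptions.
"""

LOWER, UPPER, DIGITS = 26, 26, 10
SPECIAL = 32          # assumption: printable ASCII punctuation; the article gives no set
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# The article's combinations as (label, character-set size, length).
COMBINATIONS = [
    ("6 lowercase letters", LOWER, 6),
    ("8 mixed case + digits + specials", LOWER + UPPER + DIGITS + SPECIAL, 8),
    ("9 mixed case + digits + specials", LOWER + UPPER + DIGITS + SPECIAL, 9),
]


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst case: every combination is tried before the right one turns up.
    On average the attacker finds it after half the keyspace."""
    return keyspace(charset_size, length) / guesses_per_second


def implied_rate(charset_size: int, length: int, seconds: float) -> float:
    """Guess rate a published crack time implies, i.e. the hardware the claim assumed."""
    return keyspace(charset_size, length) / seconds


def humanize(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    if seconds < 60:
        return f"{seconds:.0f} seconds"
    if seconds < 3600:
        return f"{seconds / 60:.0f} minutes"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:,.0f} years"


def crack_table(rates: dict) -> dict:
    """Crack time for each article combination at each guess rate.
    Returns {combination label: {rate label: seconds}}."""
    return {
        label: {name: seconds_to_exhaust(cs, n, rate) for name, rate in rates.items()}
        for label, cs, n in COMBINATIONS
    }


if __name__ == "__main__":
    # Work back from the article's own claim: 26^6 combinations in 10 minutes.
    base = implied_rate(LOWER, 6, 10 * 60)
    print(f"rate implied by '10 minutes for 6 lowercase': {base:,.0f} guesses/s")

    # Assumed multipliers for the hardware the text mentions: one quad-core
    # desktop, then a couple of hundred such machines rented in the cloud.
    rates = {
        "article rate": base,
        "quad-core (x4)": base * 4,
        "200 cloud machines (x800)": base * 4 * 200,
    }
    for label, times in crack_table(rates).items():
        print(label)
        for name, secs in times.items():
            print(f"  {name:26s} {humanize(secs)}")
```

The implied base rate comes out at roughly half a million guesses per second. Because crack time is simply keyspace divided by rate, every multiplier on the attacker's side divides the headline figure by the same factor: the "thousands of years" for the 9-character case shrinks to decades once a few hundred machines are in play, while the 6-lowercase case drops to under a second. The same scaling is why the question of what hardware produced the article's numbers matters more than the numbers themselves.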
So while there may not be a “silver bullet”, there are still some best practices when it comes to keeping your data from prying eyes:
– Definitely use a "strong" password of at least 8 characters mixing upper- and lower-case letters, numbers and special characters. It may not provide complete protection, but it is far better than a simpler password.
– Having trouble remembering that combination? Use what Fossi calls a "pass-phrase" instead of a password: take the first letter of each word in an eight-word phrase that is easy for you to remember, for instance "Honey Can You Please Take Out The Trash", and turn it into HcYpT0T# (the "O" from "Out" has become a zero and "Trash" has become the # sign).
– Use anti-virus software, keep it up to date, and make sure you scan ALL files and attachments.
– If you have Wi-Fi at home, make sure to use WPA2 as the security protocol; it is FAR more secure than the older WEP and WPA protocols.
– Change your passwords regularly. Even if a hacker manages to get one of your passwords, it may be days, weeks or months before they get around to trying it (they deal in volume, after all); by then you will have moved on and they'll be locked out.
Readers, do you have any suggestions to add to this list?
That 10 minutes is based on how many tries per second. And what about the old-fashioned 3 tries and you're locked out for an hour, even if the 4th etc. is the right one, and 3 lockouts and then locked out for a day? And a nice e-mail to the user to inform them of the attempt. Using just alpha you get 26 to the power of the password length combinations.
If the companies allow hundreds of login attempts a minute then they are not doing their job in security. These stupid ‘strong password’ rules just make people forget their passwords.
If someone uses a joe password or other stupid password it's their fault if their bank account gets emptied. Upper case etc. rules don't do much to stop these attempts. Lockouts do. Better still, some sort of a cookie or other unique-to-your-computer item would also be good, i.e. you logged in from an Ontario IP an hour ago and this attempt is from China. Wake up, security people. And remember KISS: Keep It Simple, Stupid.
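As an added example (not part of the comment above or of the article), here is the escalating lockout policy this comment describes, in Python: three wrong passwords lock the account for an hour, three such lockouts lock it for a day, the user is notified, and a successful login from a different region within an hour of the previous one is flagged. The thresholds are the commenter's; the IP-to-region table, the user list and the class and function names are constructed for the demo.

```python
"""Escalating login lockout with an out-of-region check.

Added example implementing the policy described in the comment above; not
code from the article or from any product named on the page. Thresholds are
the commenter's (3 failures -> 1 hour, 3 lockouts -> 1 day, notify the user).
The GeoIP table and the user database are constructed stand-ins.
"""
import hmac
from dataclasses import dataclass

HOUR = 3600
DAY = 24 * HOUR

# Constructed stand-in for a GeoIP lookup: IP prefix -> region.
GEO = {"99.": "Ontario", "203.": "China"}


def region_of(ip: str) -> str:
    for prefix, region in GEO.items():
        if ip.startswith(prefix):
            return region
    return "unknown"


@dataclass
class AccountState:
    failures: int = 0        # consecutive wrong passwords since the last lockout/success
    lockouts: int = 0        # one-hour lockouts served since the last day-long lockout
    locked_until: float = 0  # epoch seconds; 0 means not locked
    last_login_at: float = 0
    last_region: str = ""


class LoginGuard:
    def __init__(self, passwords, max_failures=3, lock_seconds=HOUR,
                 max_lockouts=3, long_lock_seconds=DAY):
        self._passwords = passwords      # user -> password (a real system stores hashes)
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.max_lockouts = max_lockouts
        self.long_lock_seconds = long_lock_seconds
        self.state = {}
        self.notifications = []          # (user, message); a deployment would e-mail these

    def _notify(self, user, message):
        self.notifications.append((user, message))

    def attempt(self, user: str, password: str, ip: str, now: float) -> str:
        """Returns 'locked', 'denied', 'ok' or 'suspicious'.
        `now` is injected so the policy can be exercised without sleeping."""
        st = self.state.setdefault(user, AccountState())
        if now < st.locked_until:
            return "locked"              # even the right password is refused while locked
        expected = self._passwords.get(user, "")
        ok = bool(expected) and hmac.compare_digest(password.encode(), expected.encode())
        if not ok:
            st.failures += 1
            if st.failures < self.max_failures:
                return "denied"
            st.failures = 0
            st.lockouts += 1
            if st.lockouts >= self.max_lockouts:
                st.lockouts = 0
                st.locked_until = now + self.long_lock_seconds
                self._notify(user, "locked for a day after repeated lockouts")
            else:
                st.locked_until = now + self.lock_seconds
                self._notify(user, f"locked for an hour after {self.max_failures} failed attempts")
            return "locked"
        # Correct password. Flag a login from a different region within an
        # hour of the previous one (the commenter's Ontario-then-China case).
        region = region_of(ip)
        result = "ok"
        if st.last_region and region != st.last_region and now - st.last_login_at < HOUR:
            self._notify(user, f"login from {region} within an hour of one from {st.last_region}")
            result = "suspicious"
        st.failures = 0
        st.last_login_at = now
        st.last_region = region
        return result
```

Two things a deployment would add: a "suspicious" result should trigger a second factor or an e-mail confirmation rather than just a log entry, and a per-account lockout like this lets anyone who knows your username lock you out on purpose by guessing wrong three times, so it is usually paired with per-source-IP limits rather than used alone.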
What if I don’t want cookies stored in my computer? Also, what if I have a shared email, that multiple people use?
You really don't have a clue about security. That is why there are professionals. If your simple-minded solution worked so well we would not have issues with corporate security; perhaps you should give up complaining about something you clearly don't understand.
IT security is best left to REAL professionals. Complain all you like; it probably means that your security is tighter than most others'. You should appreciate it, not condemn it.
Try the ID Ten T test and perhaps you will understand.
Good advice Simon.
Especially with Facebook, I have trained my kids (& hubby) to change the password regularly. This is a really simple way to be proactive.
Among other programs, we have also found Spybot to be particularly helpful. On more than one occasion it has found things that Norton missed.
I use a password management software like RoboForm with a 10-character master password to keep track of dozens of updateable account login usernames and passwords.
Along with this a daily updated antivirus program and a software firewall provides reasonable security.
Thanks for The tip 0n remembering My master Password. :)
I use a fingerprint reader…no passwords to remember. No keystrokes to be recorded.
The only slight disadvantage to the reader is that when I go to another computer to log in on a password-protected site, I have no idea what my password is.
That is where Roboform (or similar) comes in real handy. You have all your passwords and sites on USB memory stick and only have to remember 1 master password.
Back to the fingerprint reader... you should register more than one finger as well. I cut the finger that I use for the reader and could not log on to any password-protected sites, so now I know why they suggest registering more than one finger for use on a fingerprint reader.
Some laptops have a fingerprint reader built in or you can purchase one separately to use on your computer at very reasonable prices.
I am currently a cracker of computers; hackers are ones who hack or modify the physical elements of something in order to obtain, delete, or alter information. Crackers are the ones to worry about. (Please note I use this skill for a company's security system: checking, attempting to crack, etc.)
Crackers have multiple tools to obtain information from another computer, and the easiest being an infected link that you may one day click on that remotely, and invisibly, installs a program which logs all of your keystrokes, takes video capture of your screen, etc.
There are more complicated methods as well that, for the most part, work better, such as SQL injection (where applicable), and sometimes even keygens. All in all, from a professional cracker's point of view, change your passwords often, but don't sweat over it. Don't open emails, and especially attachments, from people you are not familiar with.
REMEMBER: files that can infect your computer and track your every move can be put into Word documents, video files, web links, applications, etc. I am NOT trying to scare anyone, but just take some general caution to avoid being a victim of one of today's crackers.
On a side note, it is sad that these programs, which can detect, track, and send files to remote IP addresses are readily available all over the internet, especially via Torrent downloading. It is getting to the point where almost anyone can be a cracker…. How sad.