Finding A Password In A Haystack

Passwords are the bane of our online existence.  We need them to get into our banking systems, buy songs from iTunes and log in to Facebook.  But we also have to remember them.

Security experts warn us not to use the same password for multiple accounts, since if one gets hacked, they’re all hacked.  But we do because it’s easier to remember one than many.  They also warn us to make them more complex than 123456 (the most commonly used password, by the way) so hackers can’t crack them in a second.  Yet it’s amazing how many people use “password” or their username as their password.

If you do a Google search on “password cracker”, it comes up with almost 10,000,000 hits; Bing has about 1.5 million.  There are thousands of tools and scripts out there to automate cracking a password that run on Windows, Linux, MacOS and even DOS.  Many of these are billed as tools to help you recover a forgotten password, but many are just hacking tools in disguise.

So why do people crack and steal passwords?  Simple.  It makes them money.  People do it because it’s big business.

There are three common ways for someone to crack a password.

  1. Dictionary attacks – an automated tool will search through common words or phrases that are likely to be used as passwords.  Trying words like “password” and “123456” is a simple example.
  2. Social engineering – using something about you to guess your password.  If someone finds information about you on Facebook or another site, they will try your dog’s name, birthdate or other personal information, since those are common passwords.
  3. Brute force attack – trying every possible combination of letters, numbers and symbols until the password is found.  Automated tools can do this faster than any person typing on a keyboard.

According to research studies done on bad password practices, about 42% of passwords only use lowercase letters.  37% use numbers and letters, and about 4% have special characters in them.  So what do you think the hackers will try?

Steve Gibson, noted security expert and co-host on the Security Now podcast, has come up with a great tool and webpage to explain how to develop and remember a better password.  The Password Haystacks tool shows how you and I can create passwords that are easier to remember and harder to crack.  Steve recommends using what he calls padding to turn an easy password into one that’s hard to crack.

The calculator shows how much more time a brute force attack will take as you make your password longer and a bit more complex.  As the page notes through an example, the calculator is not a password strength meter, because even though “123456” may have over 1,000,000 possible guesses, a dictionary attack would crack it almost instantly.

Brute force attacks search through the letters of an alphabet, numbers and special characters or symbols that one could type.  If you use the Roman alphabet together with the other ASCII printable characters, you have 95 characters to choose from.

26 lowercase letters + 26 uppercase letters + 10 numbers + 33 symbols = 95 characters

If you added Arabic, Chinese, Russian, Greek and other character sets, the attack space would grow very large, but many sites only accept ASCII characters.  If a website does not use Unicode as its character encoding, there may be difficulties dealing with non-ASCII characters.

The best passwords should have a combination of lowercase letters, uppercase letters, numbers and symbols.  According to Gibson, once you satisfy this rule, password length is what matters.  This makes sense, since each time you add a character, the complexity increases by an order of magnitude.

Here’s an example:

If I use “password”, it would take 2 seconds to crack, assuming 100 billion guesses per second; the latest Intel Core i7 chip can achieve over 100 billion operations per second (GFLOPS).  If I capitalize the “P”, then guessing time goes up to 9 minutes.  Here’s what happens if I continue to add characters based on the rules above:

  • Password1 – 1.59 days
  • Password1$ – 19 years
  • Password1$] – 18 centuries
  • Password1$]] – 1,740 centuries
  • Password1$]]] – 165,000 centuries

Now this is solely based on a brute force attack with no dictionary or other logic.  This exercise shows that adding different kinds of characters and making a password longer makes it that much harder to crack.  The important thing to take away is that you can create a password from something easy to remember and then pad it with characters that make it hard to guess with a password cracker.

Try something as simple as iLovemywife<2> or ilovemy3Kids;;.  According to the calculator, it would take 15,670 centuries to crack using a system that made one hundred trillion guesses per second.  That might be possible using a large array of cloud-based computing systems or a supercomputer.  Even with more hackers using cloud-based systems to crack passwords, that is still a pretty strong password.
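As an added example (not code from the original post, and not Gibson’s Haystacks page itself), here is a small Python reimplementation of the calculation the post walks through: it sizes the alphabet by the character classes a password actually uses, sums the search space for every length up to the password’s length, divides by a guess rate, and, following the caveat about “123456”, flags a short constructed list of common passwords as dictionary hits no matter how large their brute-force figure looks.  The class sizes are the 26 + 26 + 10 + 33 from above; the guess rates, the common-password list and the function names are assumptions of this example, and it only models ASCII printable characters.

```python
import string

# Character classes, sized as on the page: 26 + 26 + 10 + 33 = 95 ASCII printables.
CLASSES = {
    "lower": frozenset(string.ascii_lowercase),
    "upper": frozenset(string.ascii_uppercase),
    "digit": frozenset(string.digits),
    "symbol": frozenset(string.punctuation) | {" "},  # 32 punctuation marks plus space
}
ASCII_PRINTABLE = frozenset().union(*CLASSES.values())

# Constructed stand-in for the wordlists a dictionary attack walks through (assumption).
COMMON_PASSWORDS = frozenset({"password", "123456", "qwerty", "letmein"})

SECONDS_PER_YEAR = 365.25 * 24 * 3600
SECONDS_PER_CENTURY = 100 * SECONDS_PER_YEAR


def alphabet_size(password: str) -> int:
    """Alphabet a brute-force attacker must cover: the union of every class the password touches."""
    unknown = set(password) - ASCII_PRINTABLE
    if unknown:
        # The page's calculator only counts ASCII printables; refuse anything else.
        raise ValueError(f"only ASCII printable characters are modelled, got {sorted(unknown)!r}")
    return sum(len(chars) for chars in CLASSES.values() if any(c in chars for c in password))


def search_space(password: str) -> int:
    """Guesses needed to exhaust every length from 1 up to len(password): sum of A**k."""
    a = alphabet_size(password)
    return sum(a ** k for k in range(1, len(password) + 1))


def crack_seconds(password: str, guesses_per_second: float) -> float:
    """Worst-case time for a pure brute-force search at the given guess rate."""
    return search_space(password) / guesses_per_second


def describe(seconds: float) -> str:
    """Render a duration in the largest unit that fits, the way the calculator reports it."""
    units = (("centuries", SECONDS_PER_CENTURY), ("years", SECONDS_PER_YEAR),
             ("days", 86400.0), ("hours", 3600.0), ("minutes", 60.0))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.2f} {name}"
    return f"{seconds:.2f} seconds"


def assess(password: str, guesses_per_second: float = 1e11) -> dict:
    """Brute-force figure plus the dictionary caveat: a listed word is cracked
    instantly no matter how large its search space looks."""
    seconds = crack_seconds(password, guesses_per_second)
    in_dictionary = password.lower() in COMMON_PASSWORDS
    return {
        "alphabet": alphabet_size(password),
        "search_space": search_space(password),
        "brute_force": describe(seconds),
        "seconds": seconds,
        "verdict": "instant (dictionary attack)" if in_dictionary else "brute force only",
    }


if __name__ == "__main__":
    # The ladder from the post, at 100 billion guesses per second.
    for pw in ("password", "Password", "Password1", "Password1$", "Password1$]",
               "Password1$]]", "Password1$]]]"):
        r = assess(pw)
        print(f"{pw:16} alphabet={r['alphabet']:3} {r['brute_force']:>20}  {r['verdict']}")
    # The dictionary caveat: over a million guesses, yet an instant crack.
    print(assess("123456"))
    # The padded phrase at one hundred trillion guesses per second.
    print(assess("iLovemywife<2>", guesses_per_second=1e14)["brute_force"])
```

Running the script reproduces the post’s ladder to within rounding (about 2 seconds for “password”, about 9 minutes for “Password”, about 1.6 days for “Password1”, about 19 years for “Password1$”), and shows why the calculator is not a strength meter: “123456” has a search space of 1,111,110 guesses but is reported as an instant dictionary hit.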

I look at password creation the same way I look at locking my front door.  If I don’t lock the door, anyone can break into my house.  If I lock it, I’ll deter the large majority of people.  If I use some of these simple ideas to create a password that I can remember with a little padding, I will deter most of the hackers out there.

Photo credit Sketcher1Jedi