Everyone has terrible passwords

Earlier this year, GCHQ’s National Cyber Security Centre (NCSC) issued a report that stated the most commonly used passwords include ‘password’, ‘liverpool’ and ‘123456’.

This is a worrying headline, but depressingly, not a surprising one to anyone who follows web security. This article will try to explain why having ‘password1’ as your password really is a TERRIBLE idea, and how to keep your passwords safe online.

Major websites (and lots of smaller ones) are attacked and hacked every single day – large companies such as Equifax, TalkTalk, LinkedIn and Adobe have all had their password databases stolen in the last few years. When a site is breached, the attacker will generally end up with a list of hashes rather than plaintext passwords. A hash is a one-way transformation of your password: it takes the password as input and produces a fixed-length output that looks random. It is not random, though, because the same input text will always produce the same output hash.

So the password `password1` will always generate:

E38AD214943DAAD1D64C102FAEC29DE4AFE9DA3D

However, if you change the input text even slightly to `Password1` (uppercasing the first letter) then the result hash will look completely different:

70CCD9007338D6D81DD3B6271621B9CF9A97EA00

It is therefore infeasible, given just the hash, to reverse the computation and get back to the original password. These properties make hashes great for storing passwords.

However, not all hashing algorithms are created equal, and some are considered very weak for password storage. Despite this, a number of big companies and websites still use fast, general-purpose hashing algorithms (such as MD5 and SHA-1). Knowing this, the attacker (having acquired the stolen hash list) will then attempt to guess passwords at scale: hash each guess and compare it against the list. With specialist software and powerful computer hardware, it’s not unrealistic to say attackers can attempt tens or hundreds of BILLIONS of guesses per second against these algorithms.
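To make the two properties concrete, here is an added Python example (not code from the original article). It reproduces the two SHA-1 digests quoted above, showing that the hash is deterministic and that a one-character change gives an unrelated digest, and then contrasts plain SHA-1 with a salted, iterated password hash (PBKDF2-HMAC-SHA256 from the standard library). The record layout `pbkdf2_sha256$iterations$salt$hash` is this example's own convention, and the 600,000 iteration default is an assumed, commonly recommended figure rather than anything from the article.

```python
import hashlib
import hmac
import os
from typing import Optional


def sha1_hex(password: str) -> str:
    """Plain, unsalted SHA-1 of a password, upper-case hex as quoted in the article.

    This is the kind of fast, general-purpose hash the article warns about: it is
    deterministic (same input, same digest) and cheap, so guesses can be checked
    against a stolen list at enormous rates.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def make_pbkdf2_record(password: str, iterations: int = 600_000,
                       salt: Optional[bytes] = None) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256 record (layout is this example's own convention).

    A random per-user salt means two users with the same password get different
    records, so one guess cannot be checked against every stored hash at once; the
    iteration count makes each guess cost hundreds of thousands of hash operations
    instead of one.
    """
    salt = os.urandom(16) if salt is None else salt
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${derived.hex()}"


def verify_pbkdf2_record(password: str, record: str) -> bool:
    """Recompute the derived key from the stored salt and iteration count; compare in constant time."""
    scheme, iterations, salt_hex, hash_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError(f"unsupported scheme: {scheme}")
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                  bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(derived.hex(), hash_hex)


if __name__ == "__main__":
    print("password1 ->", sha1_hex("password1"))
    print("Password1 ->", sha1_hex("Password1"))
    rec_a = make_pbkdf2_record("password1")
    rec_b = make_pbkdf2_record("password1")
    print("same password, two salted records differ:", rec_a != rec_b)
    print("verify correct password:", verify_pbkdf2_record("password1", rec_a))
    print("verify wrong password:  ", verify_pbkdf2_record("Password1", rec_a))
```

Run it and the first two lines print the digests quoted above. The point of the second half is that a site storing salted, iterated hashes turns the "billions of guesses per second" figure into something far smaller, because each guess has to repeat the work the site did, and has to be repeated per user rather than once per list.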

This means that if your password is something basic, such as eight lowercase letters, it will be guessed very quickly.

Hackers use numerous techniques for guessing passwords. These range from basic to more complex, time-consuming methods. For example…

Brute Force Attacks

Brute force attacks take a certain character set and length and attempt every possible combination of those characters at this length. So, if attempting to get an 8-character all-lowercase password, the algorithm will attempt:

`aaaaaaaa`

Then it will try:

`aaaaaaab`

Followed by:

`aaaaaaac`

This will continue until it has tried every possible combination of lowercase letters. Then the attacker will give it different character sets (“8 lowercase letters, 1 number”, “1 uppercase letter, 7 lowercase letters, 1 number” etc.). This will successfully recover a lot of poor-quality passwords, but as passwords get longer (9 or 10 characters or more) and draw on more character types (uppercase, lowercase, numbers, symbols etc.), the effectiveness of this method starts to drop off.
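The drop-off is just arithmetic, and it is worth seeing the numbers. The following is an added Python example (not code from the original article) that computes the size of a brute-force keyspace for a given character set and length, the keyspace of a fixed "mask" such as "8 lowercase letters then 1 number", and how long exhausting it would take at the 100 billion guesses per second figure the article cites for fast hashes. The character-class sizes (26 lowercase, 26 uppercase, 10 digits, 33 symbols) are this example's assumption for a standard keyboard.

```python
import math
from typing import Sequence

# Upper end of the guess rate the article cites for fast hashes such as MD5 / SHA-1
GUESSES_PER_SECOND = 100_000_000_000

# Assumed sizes of the usual character classes on a standard keyboard
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33


def charset_size(lower: bool = True, upper: bool = False,
                 digits: bool = False, symbols: bool = False) -> int:
    """Number of distinct characters available at each position."""
    return ((LOWER if lower else 0) + (UPPER if upper else 0)
            + (DIGITS if digits else 0) + (SYMBOLS if symbols else 0))


def keyspace(charset: int, length: int) -> int:
    """Candidates a brute-force run must try for `length` positions drawn from `charset` characters."""
    return charset ** length


def mask_keyspace(position_sets: Sequence[int]) -> int:
    """Keyspace of a fixed mask, e.g. '8 lowercase then 1 digit' is [26]*8 + [10]."""
    return math.prod(position_sets)


def seconds_to_exhaust(candidates: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return candidates / rate


def human_duration(seconds: float) -> str:
    """Render a number of seconds in the largest sensible unit."""
    units = [("years", 365.25 * 86400), ("days", 86400.0), ("hours", 3600.0), ("minutes", 60.0)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


def report(label: str, candidates: int) -> str:
    return f"{label:<36} {candidates:>28,} candidates -> {human_duration(seconds_to_exhaust(candidates))}"


if __name__ == "__main__":
    print(report("8 lowercase", keyspace(charset_size(), 8)))
    print(report("8 lowercase + 1 digit (mask)", mask_keyspace([LOWER] * 8 + [DIGITS])))
    print(report("1 upper, 7 lower, 1 digit (mask)", mask_keyspace([UPPER] + [LOWER] * 7 + [DIGITS])))
    print(report("10 mixed case + digits", keyspace(charset_size(upper=True, digits=True), 10)))
    print(report("12 full keyboard", keyspace(charset_size(upper=True, digits=True, symbols=True), 12)))
```

Eight lowercase letters (26^8, about 209 billion candidates) are exhausted in roughly two seconds at that rate; twelve characters drawn from the full keyboard (95^12) take on the order of a hundred thousand years. The same arithmetic shows why the hashing algorithm matters as much as the password: if each guess costs hundreds of thousands of hash operations instead of one, the rate in the constant above shrinks accordingly and every row of the table grows by the same factor.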

Dictionary Attacks

Dictionary attacks work by taking a list of possible passwords, generating hashes for everything in that list, then comparing that to the stolen list of hashed passwords.

These password lists contain hundreds of thousands, or millions of words (the entire English dictionary, brand names, city names, countries, common first names, swear words etc). This means that if your password is a whole word (such as a city name, a person’s name etc), it is likely that it is on one of these password lists, and therefore would be cracked almost instantly. This means that a password like:

`johannesburg`

Despite being 12 characters long, is still probably a weak password, as there’s a good chance this exists on password lists like these.

Dictionary Text Manipulation

Hackers can (and will!) go even further with dictionary attacks, by making alternate versions of all the passwords on the list. These are based on common behaviours that people exhibit when writing passwords, such as:

Capitalising the first letter – `johannesburg` to `Johannesburg`
Adding a number at the end – `johannesburg` to `johannesburg1`
Swapping letters for common substitutes – `johannesburg` to `johanne5burg`

This, in combination with an extensive dictionary, makes it possible to guess very varied passwords, and makes passwords that traditionally would be considered very secure relatively easy to crack.
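The practical defence against this is to check a proposed password against the same kind of list before accepting it. Here is an added Python example (not code from the original article) that builds a deny-list from a tiny constructed wordlist by applying the three manipulations listed above (capitalising the first letter, appending a number, swapping letters for common substitutes) and then reports whether a candidate password would have been on the list. The wordlist, substitution table and suffix list are constructed for the example and stand in for the multi-million-entry lists the article describes.

```python
from typing import Iterable, Set

# Constructed miniature wordlist standing in for the real multi-million-entry lists
WORDLIST = {"password", "liverpool", "johannesburg", "london", "summer", "dragon"}

# Common letter-for-symbol substitutions people use when "strengthening" a word
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}

# Common things people append: a single digit, a short run of digits, a symbol, a year
SUFFIXES = [str(d) for d in range(10)] + ["123", "!", "2019"]


def mangle(word: str) -> Set[str]:
    """Return the word plus the simple variants the article lists.

    Capitalised first letter; each substitutable letter swapped on its own and all of
    them swapped at once; and each of those with every suffix in SUFFIXES appended.
    """
    bases = {word, word.capitalize()}
    swapped: Set[str] = set()
    for base in bases:
        swapped.add(base)
        for i, ch in enumerate(base):
            if ch.lower() in LEET:
                swapped.add(base[:i] + LEET[ch.lower()] + base[i + 1:])
        swapped.add("".join(LEET.get(ch.lower(), ch) for ch in base))
    return {s + suffix for s in swapped for suffix in [""] + SUFFIXES}


def build_denylist(words: Iterable[str]) -> Set[str]:
    """Expand every wordlist entry into its variants; the result is what a sign-up check consults."""
    deny: Set[str] = set()
    for w in words:
        deny |= mangle(w)
    return deny


def is_weak(password: str, denylist: Set[str]) -> bool:
    """True if the password is a dictionary word or a simple mangling of one."""
    return password in denylist


if __name__ == "__main__":
    deny = build_denylist(WORDLIST)
    print(f"{len(WORDLIST)} words expanded to {len(deny)} deny-list entries")
    for pw in ["johannesburg", "Johannesburg", "johannesburg1", "johanne5burg",
               "J0hannesburg2019", "kettle-orbit-47-marble"]:
        verdict = "WEAK (on the list)" if is_weak(pw, deny) else "not on the list"
        print(f"{pw:<24} {verdict}")
```

Every `johannesburg` variant from the article is caught, including ones combining all three tricks, while an unrelated multi-word passphrase is not on the list. Expanding the list once at build time and doing an exact-match lookup keeps the check cheap; a real deployment would feed it a published list of breached passwords rather than six words.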

To see this in action, this Computerphile video goes through the process in some detail.

In my next article, we’ll talk about how to ensure you have a password that a nefarious cracker can’t guess!

Written by: Jordan Peck, Senior Data Analyst

Category: What we think

Date: 06/11/2019
