Everyone has terrible passwords
Earlier this year, GCHQ’s National Cyber Security Centre division issued a report that stated the most commonly used passwords include words such as ‘password’, ‘liverpool’ and ‘123456’.
This is a worrying headline, but depressingly, not a surprising one to anyone who follows web security. This article will try to explain why having ‘password1’ as your password really is a TERRIBLE idea, and how to keep your passwords safe online.
Major websites (and lots of smaller ones) are getting attacked and hacked every single day – large companies such as Equifax, Talk Talk, LinkedIn and Adobe have all had their password databases stolen in the last few years. When they are breached, the attacker will generally end up with a list of hashes. Hashes are pseudo-encrypted versions of your passwords, which are used to obscure your password. They work by taking your password as an input, and making them look random. However, they’re not random, as the same input text will always produce the same output hash.
So the password `password1` will always generate:
However, if you change the input text even slightly to `Password1` (uppercasing the first letter) then the result hash will look completely different:
It is therefore mathematically impossible given just the hash, to reverse and get back to the original password. These properties make hashes great for storing passwords.
However, not all hashing protocols are created equal, and some are considered very weak. Despite this, a number of big companies and websites still use lower quality hashing algorithms (such as MD5 and SHA1). Given this knowledge, the attacker will then (having acquired the stolen hash list) attempt to guess various passwords, at scale. With specialist software and powerful computer hardware, it’s not unrealistic to say attackers can attempt to guess password hashes at a rate of tens or hundreds of BILLIONS per second.
Which means, if your password is something basic, such as an 8 letter, all lowercase password, then this will be guessed very quickly.
Hackers use numerous techniques for guessing passwords. These range from basic to more complex, time-consuming methods. For example…
Brute Force Attacks
Brute force attacks take a certain character set and length and attempt every possible combination of those characters at this length. So, if attempting to get an 8-character all-lowercase password, the algorithm will attempt:
Then it will try:
This will continue until it has tried every possible combination of the lowercase letters. Then the attacker will give it different characters sets (“8 lowercase letters, 1 number”, “1 uppercase letter, 7 lowercase letters, 1 number” etc). This will successfully get a lot of poor-quality passwords, but as the character sets get longer (9/10 characters or longer) and with lots of different characters (uppercase, lowercase, numbers, symbols etc) the effectiveness of this method starts to drop off.
Dictionary attacks work by taking a list of possible passwords, generating hashes for everything in that list, then comparing that to the stolen list of hashed passwords.
These password lists contain hundreds of thousands, or millions of words (the entire English dictionary, brand names, city names, countries, common first names, swear words etc). This means that if your password is a whole word (such as a city name, a person’s name etc), it is likely that it is on one of these password lists, and therefore would be cracked almost instantly. This means that a password like:
Despite being 12 characters long, is still probably a weak password, as there’s a good chance this exists on password lists like these.
Dictionary Text Manipulation
Hackers can (and will!) go even further with dictionary attacks, by making alternate versions of all the passwords on the list. These are based on common behaviours that people exhibit when writing passwords, such as:
Capitalising the first letter – `johannesburg` to `Johannesburg`
Adding a number at the end – `johannesburg` to `johannesburg1`
Swapping letters for common substitutes – `johannesburg` to `johanne5burg`
This, in combination with an extensive dictionary, makes it possible to guess very varied passwords, and makes passwords that traditionally would be considered very secure, relatively easy to crack.
To see this in action, this Computerphile video goes through the process in some detail.
In my next article, we’ll talk about how to ensure you have a password that a nefarious cracker can’t guess!
Written by:Jordan Peck Senior Data Analyst
Category:What we think
You may also like
/ 16 Dec 2019
The link between Margaret Thatcher and safe passwords
Passwords are generally accepted by the security community to not be a particularly good way of securing online accounts or sensitive information. This is mostly because of the way that society have been taught to create 'safe' passwords, i.e. by usiRead more
/ 25 Nov 2019
Targeting in a cookie-less world
Due to both GDPR and the introduction of 3rd party cookie restrictions from browsers such as Safari, Firefox and Chrome, fuelling targeted advertising with 3rd party cookie tracking may soon be a thing of the past. The ICO (Information CommissioneRead more