There are 2 primary methods to hack passwords: Brute Force and Password Guessing. Of the 2, believe it or not, it is easier to guess someone's password than to try every combination of letters, numbers and symbols. In a brute force attack, password attempts progress from a, b, c; to aa, ab, ac; to aaa, aab, aac; and so on.
The core question is not "Can my password be hacked?" but rather "How long would it take?" That's where password entropy comes into play for our (the users') benefit. Loosely defined, entropy is disorder. Since a brute force attack is a very orderly attack, the more disorder you have in your password, the better.
With 5 lower case characters, an online attack would get your password right in an average of 1 hour, 21 minutes. However, by introducing, say, a capital letter, a number, and a special character, that time rises to around 1.5 months.
With 7 lower case characters, a brute force attack would consume ~3.2 months, but if you introduce those other random characters, it rockets up to an average of 11 centuries! Taking it even further, at 8 characters the online crack time goes to 1,000 centuries, which is long enough to be considered effectively impossible under current computing capabilities.
That said, if the hacker is able to mount an offline attack or use a massive cracking array, the password can again be deduced in a matter of hours. As such, even though the typical minimum safe password length is 8 characters, what you use as your password matters even more.
Simplicity Opens the Door
Every attempt to get your password will begin with guessing. According to a released hack file of 5 million passwords, we know what the most common passwords are, so hackers will start there.
Top passwords for 2016:
123456, password, 12345, 12345678, football, qwerty, 1234567890, 1234567, princess, 1234, login, welcome, solo, abc123, admin, 121212, flower, passw0rd, dragon, sunshine, master, hottie, loveme, zaq1zaq1, password1
4% of the passwords were 123456! That's 200,000 people in the sample set with that password!
So if a hacker is building a password list, it will include all of those plus versions of them with common substitutions. For example, variations of football include Football, Football1, Football1!, F00tb@ll1, etc. The most common practice is to capitalize the first letter of a password and put a number and/or special character at the end to meet complexity requirements.
If a hacker is directly targeting you, they could easily find out personal details that you’ve freely posted in a blog, Internet forums, or on social media. Important dates in your life, your favorite sports team, food, animal, or actor, or your hometown and schools: all of those can be exploited by hackers to build a comprehensive password list.
Phrase it Out
We’ve thus far shown that at minimum, passwords should be a complex blend of at least 8 characters. Passphrases are the easiest way to achieve these goals with the added benefit of being easier to remember.
There are a number of ways to generate a passphrase:
You could use a phrase consisting of a song title like "Tiptoe through the tulips", but then it's possible a hacker could have a password list that contains every song title ever made.
Another approach would be to pick random, but somehow themed, words and string them together like "Bird elephant giraffe horse", but this is potentially susceptible to a modified dictionary attack.
As such, our recommendation is to take a phrase you can easily remember and adjust it a bit. For example:
You might be an avid gardener so you would start with something like:
I love to grow things in my backyard
Make a few adjustments and it becomes:
1luv2pl@ntF00d (Do not use this password!)
That password contains 14 characters, including 4 numbers, 1 capital letter, and 1 special character. It's fairly easy to remember but very hard to guess, and would take an average of 750,000,000,000,000,000 years to brute force!
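The two ideas above (brute-force search space from character classes, and common passwords with their capitalized / numbered / leet-substituted variants) can be combined into a simple password-strength check. This is an added example, not code from the original post; the guess rate, the 33-symbol punctuation class and the six-entry common-password list are constructed assumptions for illustration.

```python
import math
import re

# Constructed sample of the common passwords listed in the post; a real
# checker would load a full breach-derived list instead of six entries.
COMMON_PASSWORDS = {"123456", "password", "football", "qwerty", "princess", "dragon"}

# Character classes and their sizes, used to estimate the brute-force search space.
CHAR_CLASSES = [
    (re.compile(r"[a-z]"), 26),
    (re.compile(r"[A-Z]"), 26),
    (re.compile(r"[0-9]"), 10),
    (re.compile(r"[^a-zA-Z0-9]"), 33),  # printable ASCII punctuation (assumed size)
]

# Common substitutions the post mentions (F00tb@ll), mapped back to letters.
LEET = str.maketrans("@$!0134", "asiolea")


def charset_size(password: str) -> int:
    """Alphabet an attacker must search: the sum of the classes actually present."""
    return sum(size for pattern, size in CHAR_CLASSES if pattern.search(password))


def entropy_bits(password: str) -> float:
    """Brute-force entropy in bits: log2(charset_size ** length)."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def average_crack_seconds(password: str, guesses_per_second: float) -> float:
    """Expected time for an attacker who, on average, must try half the keyspace."""
    keyspace = charset_size(password) ** len(password)
    return keyspace / 2 / guesses_per_second


def normalize(password: str) -> str:
    """Undo the usual tricks: lowercase, drop trailing digits/symbols, reverse leet."""
    core = re.sub(r"[^a-z]+$", "", password.lower())
    return core.translate(LEET)


def is_common_variant(password: str) -> bool:
    """True if the password is a common password or a simple variation of one."""
    return normalize(password) in COMMON_PASSWORDS


def assess(password: str, guesses_per_second: float = 100.0) -> dict:
    """Both checks together: a guessable password is weak no matter its entropy."""
    years = average_crack_seconds(password, guesses_per_second) / (365.25 * 86400)
    return {
        "entropy_bits": round(entropy_bits(password), 1),
        "avg_crack_years": years,
        "common_variant": is_common_variant(password),
    }
```

Note that "F00tb@ll1" has a respectable entropy by the character-class formula yet normalizes straight back to "football", which is why the guessing check has to run before the entropy figure is trusted.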
With a little bit of practice, you can make a hacker's job a LOT more difficult. Implement passphrases today!