We all think our passwords are more or less secure. We use multiple variations of letters, numbers and symbols and change them on a regular basis. We keep passwords carefully hidden on a spreadsheet or Post-it notes, all to keep cybercriminals from getting into our business. But the fact is, over 80 percent of all data breaches today are still password-related.
There are two primary methods of password hacking: brute force and password guessing. Of the two, password guessing is more prevalent and more successful than brute force attacks. Rather than trying every possible combination of letters and numbers – the method behind a brute force attack – hackers have an easier time guessing someone’s password. And they’re after just about every industry, from healthcare and government to fintechs and payment processors.
In reality, the question is not whether your password is hackable. All passwords are. The question is how long it would take, and whether it is worth the cybercriminals’ time. That’s where password entropy comes into play. Since a brute force attack is a very orderly attack, the more disorder you have in your password, the better. You’re better off with a random combination than your birthday combined with your dog’s name.
Read on to learn more about password hacking, what it is and how you can prevent it.
With five lower case characters, an online attack could guess your password in a little over an hour. However, by introducing say a capital letter, a number, and a special character, that time rises to about one and a half months.
With seven lower case characters, a brute force attack would consume about three months. But if you introduce those other random characters, it skyrockets up to an average of eleven centuries. Taking it a step further, at eight characters the online crack time goes to 1,000 centuries, which is effectively long enough to be considered near impossible under current computing capabilities.
That said, if the hacker is able to do an offline or massive cracking array scenario, the password can again be deduced in a matter of hours. As such, even though the typical minimum password length is eight characters, what you use as your password matters even more.
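The reasoning above (alphabet size raised to the power of length, divided by the attacker's guess rate) is easy to make concrete. The following Python is an added example written for this article, not code from the original post or its publisher. It works out which character classes a password uses, the resulting keyspace and entropy in bits, and the average time a brute force search would need at an assumed online rate versus an assumed offline rate. Both rates, and the assumption that the attacker searches only the character classes actually present, are constructed for illustration, so the times will not match the article's figures exactly; the exponential growth they show is the point.

```python
import math
import string

# Character classes used to size the alphabet. The alphabet is the sum of the
# classes that actually appear in the password (assumption: an attacker who
# knows the password policy searches the smallest alphabet that fits).
CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation),      # 32
}

# Assumed guess rates, constructed for this example (not the article's figures):
# an online attack is throttled by the login service, an offline attack against
# leaked password hashes runs at hardware speed.
ONLINE_GUESSES_PER_SEC = 1_000
OFFLINE_GUESSES_PER_SEC = 10_000_000_000


def alphabet_size(password: str) -> int:
    """Size of the smallest class-based alphabet that contains every character."""
    chars = set(password)
    size = sum(len(members) for members in CLASSES.values() if chars & members)
    # Anything outside the four classes (e.g. non-ASCII) is counted individually.
    extra = chars - set().union(*CLASSES.values())
    return size + len(extra)


def keyspace(password: str) -> int:
    """Number of candidates a brute force search over this alphabet and length must cover."""
    return alphabet_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """Brute force entropy in bits: length * log2(alphabet size)."""
    return len(password) * math.log2(alphabet_size(password))


def seconds_to_crack(password: str, guesses_per_sec: int) -> float:
    """Average time to hit the password: the attacker finds it halfway through the keyspace on average."""
    return keyspace(password) / 2 / guesses_per_sec


def human(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


def report(password: str) -> dict:
    """Summarise the brute force bound for one password at both assumed rates."""
    return {
        "length": len(password),
        "alphabet": alphabet_size(password),
        "bits": round(entropy_bits(password), 1),
        "online": human(seconds_to_crack(password, ONLINE_GUESSES_PER_SEC)),
        "offline": human(seconds_to_crack(password, OFFLINE_GUESSES_PER_SEC)),
    }


if __name__ == "__main__":
    # Constructed sample passwords: five/seven/eight lower case, then the same
    # lengths with a capital, a digit and a symbol mixed in.
    for pw in ["abcde", "Abc1!", "abcdefg", "Abcde1!", "abcdefgh", "Abcdef1!"]:
        print(pw, report(pw))
```

Note that this is only the brute force upper bound. A password that sits on a common-password list, or that is built from details an attacker can look up, falls in the first few thousand guesses regardless of how many bits the keyspace arithmetic assigns it.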
Simplicity Opens the Door
Every attempt to get your password will begin with guessing. From a publicly released breach file of five million passwords, we know what the most common passwords are, so hackers will typically start there.
For example, here are the top passwords from 2019:
Pretty shocking, right? It’s easy to see how a sophisticated career hacker could have a great deal of success with password guessing. There are still a large number of people, businesses and governments that simply don’t have good passwords.
So if a hacker is building a password list, it will include all of those plus versions of them with common substitutions. For example, variations of “password” include things like “Password,” “p@ssword” or “pa$$w0rd.” The most common practice is to capitalize the first letter of a password and put a number and/or special character at the end to meet complexity requirements.
If a hacker is directly targeting you, they could easily find out personal details that you’ve freely posted in a blog, Internet forum or social media. Important dates in your life, favorite sports team, pet names, hometown and schools — all those can be exploited by hackers to build a comprehensive password list.
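Because attackers undo the substitutions described above before they even start, a defender's password check should undo them too. The following Python is an added example written for this article, not code from the original post or its publisher. It reduces a candidate password to its base word (lower case, trailing digits and symbols removed, common substitutions reversed) and then reports whether that base is a known common password or contains a personal detail the user has supplied. The substitution table, the tiny blocklist and the sample personal details are all constructed for the example; a real deployment would load a breach-derived list such as the one the article cites.

```python
import re
from typing import Iterable, List

# Substitutions to reverse before comparing against the blocklist
# (constructed for this example; attackers' rule sets are much longer).
SUBSTITUTIONS = str.maketrans({
    "@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
    "1": "i", "!": "i", "3": "e", "7": "t",
})

# Tiny blocklist constructed for illustration only.
COMMON_PASSWORDS = {"password", "qwerty", "letmein", "welcome", "iloveyou", "admin"}

MIN_LENGTH = 8  # the article's stated minimum


def normalize(password: str) -> str:
    """Reduce a password to the base word an attacker would guess it from.

    Steps: lower case; drop digits/symbols appended to meet complexity rules;
    drop digits prepended for the same reason; reverse common substitutions.
    Symbols at the start are kept until after translation because "@" may
    stand for "a" (as in "@dmin").
    """
    base = password.lower()
    base = re.sub(r"[^a-z]+$", "", base)   # strip trailing digits/symbols
    base = re.sub(r"^\d+", "", base)       # strip leading digits
    return base.translate(SUBSTITUTIONS)


def weak_reasons(password: str, personal: Iterable[str] = ()) -> List[str]:
    """Return the reasons a password is guessable (empty list means none found)."""
    reasons = []
    base = normalize(password)
    if base in COMMON_PASSWORDS:
        reasons.append(f"variant of common password '{base}'")
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    lowered = password.lower()
    for token in personal:
        t = token.lower()
        # Short tokens (under three characters) would match almost anything.
        if len(t) >= 3 and (t in lowered or t in base):
            reasons.append(f"contains personal detail '{token}'")
    return reasons


if __name__ == "__main__":
    # Constructed sample: personal details an attacker could harvest from a
    # public profile (pet name, hometown, birth year).
    personal = ["Rex", "Springfield", "1987"]
    for pw in ["P@ssw0rd1!", "Rex2011!", "Springfield87", "Tulips!Giraffe7"]:
        print(pw, "->", normalize(pw), weak_reasons(pw, personal) or ["ok"])
```

The normalisation is deliberately lossy: "pa$$w0rd", "P@ssword" and "Password1!" all collapse to "password", which is exactly why those variations buy no protection against a guessing attack.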
Phrase it Out
We’ve thus far shown that at minimum, passwords should be a complex blend of at least eight characters. Passphrases are the easiest way to achieve these goals with the added benefit of being easier to remember.
There are a number of ways to generate a passphrase:
You could use a phrase consisting of a song title like “Tiptoe through the tulips” — but then it’s possible a hacker could have a password list that contains every song title ever made.
Another approach would be to pick random, but somehow themed, words and string them together like “Bird elephant giraffe horse” — but this is potentially susceptible to a modified dictionary attack.
Our recommendation is to take a phrase you can easily remember and adjust it a bit.
For example, you might be an avid gardener so you would start with something like:
I love to grow things in my backyard
Make a few adjustments and it becomes:
That password contains 14 characters, including four numbers, one capital letter, and one special character. It’s fairly easy to remember but virtually impossible to guess, and would take literally millions of years to guess using a brute force attack.
Password security falls solely on you. If you’re not taking it seriously, your personal information or business systems and data could be at risk. Understand the risk of using simplistic or common passwords, and start using passphrases today.