Even a “Complex” Password can be a bad Password…

Hey friends! Baba here with another blog post!

It has been a little while since my last post; between Hurricane Ian, the holidays, and some much-needed time off, I am back and ready to share with the world again. Sometimes we just need a little time to reset our brains and get back into the mindset. Never be afraid to step away from something if you are feeling burnt out!

Today we are talking about a very important subject, albeit a point of contention for some end users: PASSWORDS. Most people have a love/hate relationship with them, and it seems like they always need to be changed! More importantly, we’re going to talk about how you may very well still be using a weak password, even with complexity.

Buckle up, this is a longer read! But hopefully by the end of this, you all can have a greater respect for your password, and a desire to make the best password you can!

“Weak?! But I use upper-case, lower-case, numbers, and symbols!”

Nowadays, you’d be hard-pressed to find a website that doesn’t require at least some of those in your password. And if you’re in the habit of making your passwords complex, that’s awesome! But there is another side to passwords that I think is even more important: uniqueness. Whether or not a password is unique really boils down to how hard it is to guess: not only how hard it is for a person to guess, but how hard it is for a computer to guess. Complexity rules only dictate which characters you use; they say nothing about whether the result is predictable. I’m going to go over two examples showing how a password can seem unique but is in fact easy to guess.

Example 1 – George gets targeted by an attacker…

For this example, I’m going to introduce you to George. George hates it when his password expires. He especially hates having to keep track of them. George is also an executive at a major financial services company. In this digital age he has access to numerous systems, so he decides to make his password something that’s easy for him to remember. Growing up, his nickname from his mom was “Jellybean”. He was also born in 1978. So he uses “jellybean78” almost everywhere. George tries to sign up for a new website and gets prompted for a password. He of course picks his go-to password, when suddenly he sees:

“Passwords must include:

  • Upper-case Letters
  • Lower-case Letters
  • Numbers
  • Special Symbols”

In what he thinks is a clever Eureka! moment, he chooses the password “Jellybean78!” and it lets him through. Any time he comes across a site that requires complexity, he puts in the same capital J and exclamation mark, and he keeps using the same password everywhere else too.

Little does he know, a hacker and identity thief has their eyes on George’s accounts and on using them to their advantage.

The hacker looks to social media for clues. They come upon his Facebook profile, which is viewable by anyone. Right away they find his email address, and they look through his post history. Two weeks ago, George’s mom posted on his wall saying that on this day in 1978 her “Jellybean” was born. They continue through George’s social media, collecting every identifying piece of info they can find.

The hacker turns those clues into a list of potential passwords, combining hobbies, favorite vacation spots, nicknames and dates, and tries them anywhere George has an account. They already know that most of these sites require complex passwords. “People love capitalizing just the first letter, and the exclamation mark is common too,” they think to themselves. They also know that birth years are a go-to when people need to add numbers. After several days of attempts, the hacker finally signs into a website using “Jellybean78!”.

Thanks to his LinkedIn profile, which was also public, they know that George works for 1st Bank of Winchestertonfieldville. Because George reused that password, the same guess opens his bank login and his email. Before George even has a chance to notice what is going on, the hacker has requested a digital version of his bank card, pulled the confirmation number out of his email, and emptied his bank account into bitcoin sent straight to the hacker’s wallet. By the time George is able to try to fix the situation, the money is long gone.

This story is obviously exaggerated, but tactics like this are what hackers use to take over accounts. It ultimately didn’t matter that George had capital letters, numbers and symbols in his password. If someone can look into your personal life even a little and figure out your password, it wasn’t a good password. And because he used it everywhere, one lucky guess opened every door. If a password is easy to remember because it’s built from facts about you, there’s a good chance it’s easy to guess.

Now, onto our next story…

Example 2 – There are a lot of jellybeans in 78…

In this example, we’re going to learn a bit about two types of attacks: Brute Force Attacks and Dictionary Attacks.

A Brute Force Attack is when a hacker’s software tries password after password in rapid succession until one works; in its purest form it works through every possible combination of characters, but the lazy version starts with the handful of passwords everyone uses: qwerty, 123456, password, and all the variations of those. Passwords like these fall in literally no time at all and should never be used. This requires no research by the hacker; they can purchase lists of email addresses (often bundled with passwords from old breaches) on the Dark Web and try them against every site along with the “obvious” passwords. Security folks call that password spraying, or credential stuffing when the hacker is replaying passwords stolen from an earlier breach. If you ever get an email from a website saying they saw strange log-in attempts from a new place, this or the technique below is the likely reason.

Similar to Brute Force Attacks are Dictionary Attacks. A Dictionary Attack is where hackers use specialized cracking software that chews through Dictionary Lists/Databases, testing massive numbers of candidates in a short period of time. These lists are real-world passwords that people have actually used in the past, harvested from breaches and compiled into a single file the software can read line by line. And I’m willing to bet there are plenty of passwords in these massive lists (sometimes many, many Gigabytes of text) that include jellybeans.

These tools also apply “rules” to every word in the list: capitalize the first letter, tack on a two-digit year, stick an exclamation mark on the end, and so on, so each dictionary word turns into hundreds or thousands of complexity-satisfying guesses. That is exactly how jellybean becomes Jellybean78! without anyone having to type it. Depending on the power of the computer running the attack, the hacker can try tens of thousands to MILLIONS of passwords per SECOND and beyond! Speeds like that are only possible when the hacker has stolen a copy of a site’s password database and is cracking the hashes offline on their own machines, rather than hammering a login page, but stolen databases are depressingly common. If your password includes common words or phrases, it is likely in a list somewhere, waiting to be cracked.
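As an added example (not code from the post, and not any real cracking tool), here is a small Python script that does what those rules do, on a constructed wordlist that mixes the “everyone uses these” passwords with the kind of personal tidbits the hacker scraped from George’s social media in Example 1. The target is a constructed, unsalted SHA-256 hash of George’s password, standing in for a hash pulled out of a leaked database; the rule set and the wordlist are assumptions, but they mirror the casing/year/suffix rules real cracking tools ship with.

```python
import hashlib
import math

# Constructed wordlist: a few entries from the "everyone uses these" pile plus
# personal details an attacker could scrape from George's social media.
# A real list would be millions of lines long.
WORDLIST = ["123456", "password", "qwerty", "summer", "jellybean", "winchester", "fishing"]

# Mangling rules, modelled on the kind of rules cracking tools apply to every word.
CASINGS = [str.lower, str.capitalize, str.upper]          # jellybean / Jellybean / JELLYBEAN
YEARS = [f"{y % 100:02d}" for y in range(1950, 2010)]      # "50" .. "09": plausible birth years
SUFFIXES = ["", "!", "1", "123", "!!", "#", "@", "$"]     # the symbols people bolt on the end


def mangle(word):
    """Yield every variant of `word` the rule set can produce:
    casing x (no year | two-digit year) x trailing suffix."""
    for casing in CASINGS:
        base = casing(word)
        for year in [""] + YEARS:
            for suffix in SUFFIXES:
                yield base + year + suffix


def candidates_per_word():
    """How many guesses the rules turn a single dictionary word into."""
    return len(CASINGS) * (1 + len(YEARS)) * len(SUFFIXES)


def sha256_hex(text):
    """Unsalted SHA-256, standing in for whatever fast hash a breached site used."""
    return hashlib.sha256(text.encode()).hexdigest()


def crack(target_hash, wordlist=WORDLIST):
    """Offline dictionary attack with rules: hash each candidate and compare.
    Returns (recovered_password, guesses) or (None, total_guesses)."""
    guesses = 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            if sha256_hex(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


def effective_bits(wordlist_size):
    """Size of the 'dictionary word + these rules' search space, in bits.
    Compare with a random 12-character password drawn from 94 printable characters."""
    return math.log2(wordlist_size * candidates_per_word())


if __name__ == "__main__":
    # Constructed "leaked hash" of George's go-to complex password.
    leaked = sha256_hex("Jellybean78!")
    found, guesses = crack(leaked)
    print(f"recovered {found!r} after {guesses} guesses "
          f"(rules expand each word into {candidates_per_word()} candidates)")
    # A 10-million-word list under these rules is only ~34 bits of search space;
    # a random 12-character password from 94 characters is ~79 bits.
    print(f"10M-word list + rules: {effective_bits(10_000_000):.1f} bits; "
          f"random 12 chars: {12 * math.log2(94):.1f} bits")
```

With this tiny list and rule set, “Jellybean78!” is the 6,578th guess, which a GPU rig gets through in well under a microsecond. The number to take away is the last line: a word from even a huge wordlist plus the usual decorations is a search space tens of billions of bits smaller than a 12-character random string, even though both pass the same complexity check.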

Hive Systems has a great chart showing just how fast a hacker can brute force a password with cracking software like this (check out the full article here):

A password with 8 characters, with upper-case/lower-case/numbers/symbols, can be brute forced in only 39 minutes, and that is a very common password complexity requirement. Anything shorter than that can be cracked nearly instantly. One caveat: those times assume the hacker already has a copy of the hashed password (say, from a breached site’s database) and is cracking it offline on fast hardware. A login page that locks you out after a few wrong tries is a far slower target, but breached databases are exactly how hackers usually get hold of the hashes, so the offline number is the one that matters.

Notice, though, how quickly the time jumps as you keep making it longer. Every extra character multiplies the work by the size of the character set, so simply adding 4 more characters to that password multiplies the hacker’s effort by 94 to the 4th power, roughly 78 million times, which is how 39 minutes turns into 3 THOUSAND years on the chart. That is a small price to pay for a password that is effectively unbreakable by brute force.
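The numbers on that chart come straight from the size of the search space, and the math is worth seeing rather than taking on faith. The following is an added example (not code from the post or from Hive Systems) that computes the keyspace, the equivalent bits, and the time to exhaust it at two assumed guess rates: an offline GPU rig working on a leaked hash database, set to the rate that makes 8 characters take about 39 minutes, and a throttled login form allowing ten tries a second. The rates are assumptions, not figures from the chart. The generator at the end draws from the operating system’s random source the way a password manager does, which is the recommendation in the Closing Thoughts below.

```python
import math
import secrets
import string

# Printable ASCII minus space: the 94 characters a "complex" policy draws from.
FULL_CHARSET = string.ascii_letters + string.digits + string.punctuation

# Assumed guess rates, per second. OFFLINE_RATE is roughly what a 39-minute
# figure for 8 characters over 94 symbols implies; ONLINE_RATE is a login form
# that throttles or locks after a few attempts.
OFFLINE_RATE = 2.6e12
ONLINE_RATE = 10


def keyspace(length, charset_size):
    """Candidates an exhaustive brute force must try in the worst case."""
    return charset_size ** length


def entropy_bits(length, charset_size):
    """Same quantity on a log scale: each extra bit doubles the attacker's work."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(length, charset_size, guesses_per_second):
    """Worst-case time to walk the whole keyspace at a given guess rate."""
    return keyspace(length, charset_size) / guesses_per_second


def human_time(seconds):
    """Coarse, human-readable duration; fine for comparing orders of magnitude."""
    year = 365.25 * 24 * 3600
    if seconds < 60:
        return f"{seconds:.0f} seconds"
    if seconds < 3600:
        return f"{seconds / 60:.0f} minutes"
    if seconds < 86400:
        return f"{seconds / 3600:.0f} hours"
    if seconds < year:
        return f"{seconds / 86400:.0f} days"
    return f"{seconds / year:,.0f} years"


def random_password(length=12, alphabet=FULL_CHARSET):
    """Password-manager style: every character drawn uniformly from the OS CSPRNG,
    so the only attack left is the brute force measured above."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def strength_report(length, charset_size=len(FULL_CHARSET)):
    """Bits and worst-case crack times for a random password of this length."""
    return {
        "length": length,
        "bits": round(entropy_bits(length, charset_size), 1),
        "offline": human_time(seconds_to_exhaust(length, charset_size, OFFLINE_RATE)),
        "online": human_time(seconds_to_exhaust(length, charset_size, ONLINE_RATE)),
    }


if __name__ == "__main__":
    for n in (8, 10, 12, 16):
        print(strength_report(n))
    print("work multiplier from 8 to 12 characters:", keyspace(12, 94) // keyspace(8, 94))
    print("example random password:", random_password())
```

Two things stand out when you run it. The 8-to-12 jump is a factor of 94^4 = 78,074,896, so the same rig that clears 8 characters in 39 minutes needs thousands of years for 12. And at 10 guesses per second the 8-character keyspace alone takes millions of years, which is why the scary numbers only apply once the hashes have leaked.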

Closing Thoughts

Using just a couple of situations, we have shown very real circumstances where a “complex” password is not enough. My theory and motto for passwords is: the best password is one even you don’t know. Password management tools like LastPass, Dashlane, and several others have become popular for exactly this reason. Randomized passwords take predictability out of the equation. You can’t guess a random string of letters, numbers and symbols with capitals thrown in. Nobody can “study” you and learn it through personal information, and it isn’t sitting in any wordlist. It can only be found through brute force, and now you know just how hard that is when it’s both long and random. A manager also makes it painless to use a different password on every site, so a breach at one site doesn’t hand the hacker your email and your bank along with it.

I strongly recommend that everyone try some form of password management and go for passwords you don’t know. I also suggest using multi-factor authentication as much as possible. That way, even if they do get your password, they’ll also need your phone/email/etc. to get in. As technology gets more advanced, so do the tools that criminals use to undermine it. They know this, so it’s vital that we do everything we can to stay two steps ahead of them.

I hope this helped to shed some light onto the intricate world that is passwords, and our constant fight for secrecy with them. Next time you make a new account, remember to ask yourself:

“How easy is it for a computer, and the person using it, to guess this password?”

And if you’re doing it right you can easily say:

“Eh, at least 3000 years.”

Thanks for reading everyone, talk to you next time!

-Baba out!
