Do you think you have a strong password? Have you wondered how long it would take a hacker to break into your online accounts or email? It’s easy: there are various sites – such as Randomize, Kaspersky Lab’s secure password check, and LastPass’s password checker – that help analyze the security level of a password. Some of them run locally on your machine without sending data over the internet, others don’t.
But there is a small problem with these password checkers: the time they display is an estimate for a pure brute-force attack, in which the attacker systematically tries every possible combination of, say, six letters and other characters, starting with the first letter of the alphabet and ending with ‘//////’.
How Do Hackers Get My Password?
Brute-force attacks are widely used by hackers to crack passwords, but they are only one part of the toolset. For example, a six-character password made of letters and numbers has just 62^6 possible combinations (52 letters – both upper case and lower case – plus the 10 digits, not counting special characters). For an 11-character password built from the same character set, that jumps to 62^11 combinations. That is out of reach for brute-force methods, so attackers turn to other techniques such as dictionary attacks or Markov chains.
In a password-cracking experiment set up by Ars Technica, three hackers attempted to crack more than 16,000 hashed passwords, and they managed it with a 90% success rate in less than a day: six passwords were cracked every minute, including 16-character randomly generated passwords such as “qeadzcwrsfxv1331”. Here is how they did it, but first let us explain what a password hash is.
The Secrets of the Password Hash
When you enter a password, a one-way mathematical function takes your plain-text password and produces a fixed-length string of numbers and letters that is effectively unique to that input. That string is called the hash; it cannot be turned back into the password, which is why a site can store the hash instead of the password itself. For example, the password “arstechnica” produces the hash “c915e95033e8c69ada58eb784a98b2ed”.
With the hashes in hand, the hackers cracked 62% (10,233) of them in the first 16 minutes. Using a mix of brute force, a hybrid attack that combined a wordlist with brute-force guessing, and statistically generated guesses based on Markov chains and other rules, they recovered the plain-text passwords within 15 hours.
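The two sections above describe a hash as a one-way function and then show how quickly unsalted hashes fall. The following Python is an added example, not code from the article or from Ars Technica. It computes the same kind of unsalted MD5 digest the article quotes and checks it against the page's value, shows why identical passwords hashed without a salt are visible at a glance in a leaked table, and contrasts that with the defender's fix: a per-password random salt and a deliberately slow key-derivation function. The sample accounts, the 600,000-iteration PBKDF2 work factor and the storage format are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Constructed sample account store: two users who chose the same password.
SAMPLE_USERS = {"alice": "arstechnica", "bob": "arstechnica"}

# MD5 digest the article quotes for the password "arstechnica".
PAGE_MD5 = "c915e95033e8c69ada58eb784a98b2ed"


def md5_hex(password: str) -> str:
    """Unsalted MD5 of a password: one-way and fixed length, but fast and deterministic."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def matches_page_digest(password: str = "arstechnica") -> bool:
    """Compare our MD5 output with the digest printed in the article."""
    return md5_hex(password) == PAGE_MD5


def has_duplicate_hashes(store: dict) -> bool:
    """True if two accounts share a stored hash.

    Unsalted hashing maps identical passwords to identical hashes, so anyone
    auditing a leaked table can spot shared passwords at a glance, and one
    cracked hash reveals the password for every matching account.
    """
    hashes = list(store.values())
    return len(hashes) != len(set(hashes))


# Defender's alternative: a salted, deliberately slow key-derivation function.
# Assumed work factor: 600k iterations of PBKDF2-HMAC-SHA256 is a common
# current recommendation, but tune it to your own hardware budget.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>' (assumed format)."""
    salt = os.urandom(16)  # fresh random salt for every password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derived key with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash format: {algo}")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def build_store(users: dict, hasher) -> dict:
    """Hash every user's password with the given function."""
    return {user: hasher(pw) for user, pw in users.items()}


if __name__ == "__main__":
    md5_store = build_store(SAMPLE_USERS, md5_hex)
    kdf_store = build_store(SAMPLE_USERS, hash_password)
    print("MD5 of 'arstechnica' matches the article:", matches_page_digest())
    print("duplicate hashes with unsalted MD5:", has_duplicate_hashes(md5_store))
    print("duplicate hashes with salted PBKDF2:", has_duplicate_hashes(kdf_store))
    print("verify alice with PBKDF2:", verify_password("arstechnica", kdf_store["alice"]))
```

With MD5, alice and bob end up with the same stored value; with a random salt they do not, and each guess against the salted store costs hundreds of thousands of hash computations instead of one, which is what turns "six passwords a minute" into a far slower grind.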
The Importance of Password Strength
So what have we learned from this? Given the megabreaches that occur almost daily and dump millions of password hashes onto the dark web, it makes sense to change passwords frequently – as suggested by your password manager of choice.
The Ars Technica experiment, however, also highlighted one important aspect of password security: the longer the password, the more time and resources a hacker needs to crack it. For example, a seven-letter password such as “abcdefg” can be cracked in milliseconds, but the brute-force crack time jumps to two centuries for 12 letters such as “abcdefghijkl”. Not bad for a few random letters put side by side. Brute-force time also increases when numbers are mixed with letters rather than using letters alone, and further tweaks, such as combining lowercase, uppercase, numeric and other printable ASCII characters, result in an even stronger password.
You decide the security level of your passwords, but anything below 12 characters can be considered weak, especially in light of this experiment. From that length upwards you can relax for a while, but that is also the point at which you will stop being able to remember passwords because of their complexity. Fortunately, password managers can help with this task, as well as with password generation. Still, keep an eye on their security recommendations, and change the passwords for your online accounts regularly.
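The combinatorics behind the 62^6 versus 62^11 figures earlier and the length argument in the last two paragraphs are easy to turn into a small policy tool. The Python below is an added example, not code from the article or from any password checker it names. It works out the alphabet a brute-force attacker must search from the character classes actually present in a password, the resulting keyspace, the worst-case time at an assumed guess rate, and the article's 12-character weakness threshold. The guess rate of one billion per second and the 32-symbol punctuation set are assumptions; the article gives no rate, and real rates depend on the hash algorithm and hardware.

```python
import string

# Character classes and their sizes. The article counts 26 + 26 + 10 = 62
# letters and digits; string.punctuation adds the 32 printable ASCII symbols.
CHARACTER_CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}

# Assumed attacker speed for the estimates below (one billion guesses per
# second); the article does not state a rate.
DEFAULT_GUESSES_PER_SECOND = 1e9


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must search: the union of every
    character class that occurs in the password."""
    if not password:
        raise ValueError("empty password")
    size = 0
    for chars in CHARACTER_CLASSES.values():
        if any(c in chars for c in password):
            size += len(chars)
    if size == 0:
        raise ValueError("password contains no printable ASCII characters")
    return size


def keyspace(length: int, charset: int) -> int:
    """Number of candidate passwords of exactly this length over this alphabet."""
    return charset ** length


def brute_force_seconds(password: str, rate: float = DEFAULT_GUESSES_PER_SECOND) -> float:
    """Worst-case time to exhaust the keyspace the password belongs to."""
    return keyspace(len(password), charset_size(password)) / rate


def humanize(seconds: float) -> str:
    """Render a duration using the largest unit that fits."""
    units = [("centuries", 3_155_760_000), ("years", 31_557_600),
             ("days", 86_400), ("hours", 3_600), ("minutes", 60)]
    if seconds < 1:
        return f"{seconds * 1000:.3g} milliseconds"
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.3g} {name}"
    return f"{seconds:.3g} seconds"


def is_weak(password: str, min_length: int = 12) -> bool:
    """The article's rule of thumb: anything shorter than 12 characters is weak."""
    return len(password) < min_length


def report(password: str, rate: float = DEFAULT_GUESSES_PER_SECOND) -> dict:
    """Summarise length, alphabet, keyspace, brute-force bound and the policy verdict."""
    charset = charset_size(password)
    return {
        "length": len(password),
        "charset": charset,
        "keyspace": keyspace(len(password), charset),
        "brute_force": humanize(brute_force_seconds(password, rate)),
        "weak": is_weak(password),
    }


if __name__ == "__main__":
    # The first three samples are the article's; "P4ssw0rd!" is a constructed one.
    for pw in ["abcdefg", "abcdefghijkl", "qeadzcwrsfxv1331", "P4ssw0rd!"]:
        print(pw, report(pw))
```

Note what the tool does and does not tell you: the number is the brute-force ceiling, and the experiment above shows that wordlists and Markov-chain guessing reach patterned passwords far sooner than that ceiling suggests, so a long random string generated by a password manager is the case where the estimate is actually meaningful.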