When incidents like ‘Heartbleed’ happen, the focus often turns to advice written about what to do: “be sure to immediately change your passwords…”, “Follow these 10 tips to stay safe online…”, etc. You’ve seen these types of stores, but you might not understand what it takes to create a “safe” password, and the math behind that process.
Usually these safety warnings and security tips seem to fall on deaf ears. Data from previous password breaches show that people are still routinely using common passwords like “password” “qwerty”, “letmein”, or even “123456.” There’s math behind why passwords like those are are weak and why others, like “p@s$w0rdD0gB1t3” are strong. The good news is that creating more secure passwords might be as simple as adding two more characters.
You can watch a quick video on passwords here.
Organizations usually store passwords in one of two ways:
- Plain Text – Plain text storage means that an intrusion of the database would give away complete login details, full username and password – not a good idea.
- Hashes – Hashes provide an extra layer of security because the actual text of the password is not stored.
Hash operations are one-way mathematical formulas that take input, like a password or other at-risk data, and transform it into a hash (see example table below). The beauty of the hash is that it’s very difficult to get the original password from just the hash value. You are able to turn a password into a hash very easily, but it’s impossible to turn a hash into a password. It’s a one-way street.
Systems typically store passwords as one-way hashes, like the ones above, so when a user tries to log in using their password that login text is transformed into the corresponding hash and cross referenced against the hash stored in the system for that user.
How Do Hackers Get Passwords?
Sometimes a hacker will exploit a vulnerability in the system and get access to the data in the table above. The hacker has his hands on the usernames and the password hashes but needs the actual password to login in to the account.
Remember, it’s impossible to go backwards from the hash to password. The hacker’s only option is to “go forward”. He needs to guess the password as many times as he needs to while performing the same hash-producing mathematical operation (with computer-generated guesses) on a variety of passwords until the right hash is produced.
For example, using firstname.lastname@example.org, the hacker might perform the hash operation on the commonly used password, like “Password”, and get the following result: “dc647eb65e6711e155375218212b3964”, which according to the table above is not a correct hash match, thus not the right password. The hacker’s computer keeps trying and trying, with billions of random and commonly known passwords (called a dictionary attack) until it arrives at “Password1” using our example above, matches the hash in the table above:“2ac9cb7dc02b3c0083eb70898e549b63.” Now the attacker knows that email@example.com’s password is “Password1” and the attacker can now log into that account with that username and password combination. Although this may seem laborious, a computer can easily guess over 1 billion passwords per second.
You can see, from a SQL Server database development perspective, how easy it is to hash a list of words.
How Long Does It Take To Crack Your Password?
The short answer: it depends. Let’s just say very quickly, if your password is weak.
- If your password is eight characters long and all lower-case, like “password,” it would take a hacker 3.5 minutes to guess it.
- Changing one of those lowercase characters to an uppercase character, like “Password,” means it would take him almost 15 hours.
- Replacing any letter with a special character and keeping the uppercase character, like “P@ssword,” means it would take the hacker 70 days to guess your password.
- If you added a single character to “P@ssword” to form “P@ssword1” it would take the hacker 18 years to guess the password.
- If you added two characters to “P@ssword,” to form “P@ssword11” it would take the hacker 1,707 years to guess the password.
And so forth until you arrive at some astronomical numbers.
See the table below:
| ||8 character||9 character||10 character||11 character||12 character|
|LC||208 seconds||90 minutes||39 hours||42 days||3 years|
|LC & UC||14 hours||32 days||4.5 years||238 years||12,394 years|
|LC & UC & Digits||2.5 days||.5 years||26 years||1,650 years||102,304 years|
|LC & UC & Digits & SC||70 days||18 years||1,707 years||169,546 years||15,091,334 years|
LC = lowercase
UC = uppercase
SC = special characters (!@#$%^&*, etc.)
You’ll see the larger values in the bottom right corner of the table. If your password is 12 characters long, contains uppercase and lowercase characters, a digit and a special character it may take over 15 million years for a hacker to guess your password. This is the simple math behind blanket recommendations to increase your password complexity.
NOTE: The math in the above assumes the hacker is randomly generating password guesses. If they are using a dictionary of common words or common passwords, these times could be significantly faster.
What Makes a Password Secure?
Above, we tackled the basics about password storage, the value of hashes and then calculated how long it takes a hacker to get your password using brute force cracking – as quickly as 3.5 minutes in some cases. What we hope you got out of that information is that the longer and more complex your password is (complex as defined as containing an uppercase character, lowercase character, number and special character) the longer it takes a hacker to crack your password.
A 12-character password with each of those elements would take as long as 15,091,334 years to crack with a single computer.
For many people, 15 million years of “protection” might create better peace-of-mind. However, the unfortunate reality with online passwords is that even these long and complex passwords are susceptible to cracking. Here’s why:
- In order for a password to be considered secure, it needs to be truly random and unique.
What Is Truly Random?
Many people often choose a base word for their password, like “password,” and transform it to be logically “complex.” So they’ll replace letters with special characters or digits and add some capitalizations. So a password that was “password” becomes P@55w0rD. In fact, if each letter could be one of an uppercase, lowercase, or special character, there are 6,561 (38) versions of “password” – which is far from an unbreakable amount.
Thus, a hacker using a brute force technique isn’t just going to start with “aaaaaaaa” and go down the list, “aaaaaaab”, “aaaaaaac”, etc. He is going to apply intelligence to the cracking. That intelligence most often involves using common base words, known as a dictionary attack. So not only will he try cracking the very simple “password” but also all 6,561 versions, to include the complex “P@55w0rD”.
There are approximately 220,000 dictionary base words, meaning that even if you added up to three extra digits to your transformed, base-word-based password and formed something like “P@55w0rD123,” a computer would take about 26 minutes to crack it – no matter how long the password is. With complete randomness in a password, hackers can’t make common base word assumptions about your password and cut down the brute force space.
But that’s not all. A secure password must also be unique.
What Is Unique?
Unfortunately, some companies still store actual text passwords in their databases instead of the hashes so if a hacker gets into the system, he now has more base words to add to his roster. So if you use the same password, or even base word, for two accounts and one of those is compromised, no matter how long or random it is, that hash and password are now known. The hacker can then log in to any account that you are using the same password for. This also means that if someone else uses your password, or some version of it as outlined above, you could be compromised.
What Do I Do?
- Make sure all of your passwords are truly random.
- Make sure none of your passwords are used by anyone else or re-used by you.
How do you do something that seems so complicated? Let’s assume for a moment that all 7 billion people in the world have 100 online accounts and have used a different password for each. That means we would need 700,000,000,000 truly unique passwords in the world. In order for there to be less than a .0001% chance that you have the same password as someone else, you’d need to choose from 7 quintillion passwords, that’s 7,000,000,000,000,000,000. That may sound like a lot, and that’s because it is. If you’re using a Standard English keyboard (94 characters) that’s a 16 character password, which would take 1 quadrillion years to brute force crack, and can’t be circumvented by a shortcut.
Since you cannot control what companies do with your password, we recommend having at least a 16 character truly random and unique password so the hacker can’t leverage someone else’s password to figure out yours and has to do the hard work (read 1 quadrillion years) to figure it out.
How is anyone supposed to remember such complex passwords?
The obvious answer is online password managers. Which is what everyone recommends but usually never tell you why. Using these simple services you only have to remember one password, and make it really good! The only shortcut to getting to your password now is to gaining physical access to your computer itself – another security issue all together. The online password manager software remembers the rest for you. In fact, it might even be more convenient for you since you now only have to remember one password. And it’s more secure than your average web site.
Since each solution has their own advantages and work for different platforms, it’s difficult to recommend just one you for you specifically. Try a few for yourself and see which package you prefer. Once you have installed and configured the software, you will find they are easy to use and help keep your internet experience a safer and more secure experience.
This is a quick list of popular password managers.