“Incorrect password.” Those horrible, dreaded words. You’re logging into something you don’t use often, you think you remember the password but you’re just not sure, so you go for broke and . . . nope. You try your second guess and . . . nope. You try your third guess and . . . still nope. Now you have to reset your password, which just adds to the time and frustration, even more so when the app lets you know that it needs a minimum of ten characters, a mix of upper- and lowercase letters, at least two numbers, and a special character thrown in for good measure.
It’s frustrating and, while I think most of us intuitively know it’s important, I think we also wonder just how important it actually is. Well, the answer is: very. We’re going to take a look at why and how password complexity can help thwart hackers from getting your info, and we’re also going to take a look at password variety.
What is the deal with all the complexity? Why do we need to have a minimum number of characters? Why do we need special characters, letters, numbers, etc.? Well, first of all, it makes the password harder to guess. If I were a bad guy and I decided I wanted to log in to your bank account, I would try obvious things like birthdays, pet names, etc. A lot of this has to do with tools and technology. There is software out there that can crack passwords in seconds. Do you understand me? Seconds. Let’s take a look.
How Does it Work?
When you create a password, the server and database work to convert your password into something known as a hash. It’s a form of encryption that can’t be reversed. In other words, a computer can’t analyze your password hash and reverse-engineer what the password is. If I were to write a message to you that says: SOCAT TEA OT EVOL I, you might eventually be able to figure out that I simply reversed the sentence. Once you figured that out, you would simply write the message backwards to get my original phrase: I LOVE TO EAT TACOS.
With a password hash, this is impossible. The hash cannot be reversed. However, if a hashing algorithm is known (and many of them are), then it isn’t too difficult to learn which hashes apply to certain passwords. Let’s just say, for example, that the hash for “password1” is “23$5thijnbk”, and so now anytime I’m trying to crack passwords and I come across this hash, I’ll know that the password is “password1.” Well, there are hundreds of thousands of password hashes that are known, and they exist in lists known as dictionaries. This is actually the definition of what's called a "dictionary attack" - a hacker uses software that runs through this dictionary until it finds a match. You may have also heard the term "brute force attack," which essentially means the same thing.
However – and this is where I tend to geek out on all of it – simply adding a single number to a word can create an entirely new hash. So if the hash for “password1” is 23$5thijnbk, the hash for “password12” might be something like 7DFthjcmdj#, which would be completely different from the hash for “password2”! By using a combination of upper- and lowercase, numbers, and characters, you are increasing your chances of thwarting a brute force attack. Let’s see this in action.
So here, I created a user, billy, and gave him the password 1234. Next, I ran a tool called John the Ripper against his password hash file:
It took 4 seconds. Think about that. So let’s give Billy a more complicated password, say, password1, and run John the Ripper again:
This time, 5 seconds. Let’s do one more, but make it longer and more complicated: troml41!igtbg. Thirty seconds in, nothing:
Two minutes in:
I’ll spare you more screenshots and let you know that I let it run for 10 minutes, and it still hadn’t cracked the password. Now, obviously we want passwords that take longer than ten minutes to crack, but hopefully you get the idea of the exponential change that comes with password length and complexity. Just by adding some randomness and a bit of length, we went from four seconds to more than ten minutes.
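To put the two ideas above into code, here is an added example (not from the original post or its screenshots). It assumes SHA-256 as the hashing algorithm (the post doesn’t name one), measures how many bits change between the hashes of near-identical passwords, and looks hashes up in a small constructed list of common passwords, the way a dictionary of known hashes would be used.

```python
import hashlib

def sha256_hex(password: str) -> str:
    """One-way hash of a password, as the post describes: you cannot run it backwards."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def differing_bits(hex_a: str, hex_b: str) -> int:
    """Count the bit positions where two equal-length hex digests differ.
    For unrelated inputs this lands near half of 256, i.e. the hashes share nothing."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")

# Constructed "dictionary": a handful of common passwords and their precomputed hashes.
COMMON_PASSWORDS = ["123456", "password", "password1", "qwerty", "letmein"]
DICTIONARY = {sha256_hex(p): p for p in COMMON_PASSWORDS}

def lookup(hash_hex: str):
    """Return the password whose precomputed hash matches, or None if it is in no list."""
    return DICTIONARY.get(hash_hex)

if __name__ == "__main__":
    for a, b in [("password1", "password12"), ("password1", "password2")]:
        bits = differing_bits(sha256_hex(a), sha256_hex(b))
        print(f"{a!r} vs {b!r}: {bits} of 256 bits differ")
    print(lookup(sha256_hex("password1")))       # found: a common word is effectively reversible
    print(lookup(sha256_hex("troml41!igtbg")))   # None: the random password is in no list
```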
Why Does it Work?
People who are far more clever than I have derived mathematical equations to determine how much time it will take to crack passwords of varying lengths. For example, while a four-character, numbers-only password takes four seconds to crack, a thirteen-character, numbers-only password will take upwards of four minutes to crack. An eighteen-character password made up of only numbers, on the other hand, will take nine months to crack. Take a quick look at the following chart, created by Hive Systems, and you’ll notice that the last password we made would take 2 million years to crack (give or take a decade, I’m sure).
So why does this happen? Think about it this way. If I use only four numbers – let’s say 1-4 – and I only use each number once, I have twenty-four possibilities:
1,2,3,4 1,2,4,3 1,3,2,4 1,3,4,2 1,4,2,3 1,4,3,2
2,1,3,4 2,1,4,3 2,3,1,4 2,3,4,1 2,4,1,3 2,4,3,1
3,1,2,4 3,1,4,2 3,2,1,4 3,2,4,1 3,4,1,2 3,4,2,1
4,1,2,3 4,1,3,2 4,2,1,3 4,2,3,1 4,3,1,2 4,3,2,1
That is twenty-four hashes it would have to check through; that's pretty easy for a computer. If we add a fifth number, however, the possibilities go up to 120 variations. Still quick work for a computer, but a significant jump in the number of possible hashes the computer has to check against. If we used all ten digits, one time each, we would have 3,628,800 different possible passcodes. Can you begin to see what would happen if we added in lowercase letters? We just added another twenty-six characters to the equation. Lower- and uppercase? That’s another twenty-six. And if we add special characters and reuse letters or numbers? Yeah . . . possible combinations are astronomical.
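The counting in the paragraph above, carried out in code as an added example (not from the original post). The guess rate used for the time estimates is an assumed round figure, not the Hive Systems chart’s numbers, and the count of 32 symbols is also an assumption.

```python
import math
from itertools import permutations

# Assumed guess rate for the time estimates below; a constructed round figure,
# not the Hive Systems chart the post refers to.
GUESSES_PER_SECOND = 10_000_000_000

def enumerate_unique_digit_passcodes(digits: str) -> list:
    """Every ordering of the given digits, each used exactly once
    (the post's hand-written table for '1234' has 24 of these)."""
    return ["".join(p) for p in permutations(digits)]

def count_unique_digit_passcodes(n: int) -> int:
    """n distinct digits, each used once: n! orderings (4 -> 24, 5 -> 120, 10 -> 3,628,800)."""
    return math.factorial(n)

def alphabet_size(digits: bool = True, lowercase: bool = False,
                  uppercase: bool = False, symbols: bool = False) -> int:
    """Characters available for each position of a real password, where characters
    may repeat. 32 printable ASCII symbols is an assumed count."""
    return 10 * digits + 26 * lowercase + 26 * uppercase + 32 * symbols

def keyspace(length: int, **charsets: bool) -> int:
    """Number of candidate passwords of this length: alphabet ** length."""
    return alphabet_size(**charsets) ** length

def worst_case_seconds(space: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Time to try every candidate at the assumed rate."""
    return space / rate

if __name__ == "__main__":
    print(len(enumerate_unique_digit_passcodes("1234")), "orderings of 1234")
    for length, sets in [(4, {}), (13, {}), (18, {}),
                         (10, dict(lowercase=True, uppercase=True, symbols=True))]:
        secs = worst_case_seconds(keyspace(length, **sets))
        print(f"length {length:2d} {sets or 'digits only'}: "
              f"{secs:.3g} s ({secs / 31_557_600:.3g} years)")
```

Note that at this assumed rate a ten-character password drawn from all four character classes has a larger keyspace than an eighteen-digit one, which is the post’s point about length versus complexity.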
When it comes to password security, length is far more important, but combine length with complexity, and your password will be virtually uncrackable. If you’re going to only use numbers, I strongly recommend at least eighteen characters. Start adding in some letters and symbols, and you can comfortably get away with a ten-character password. But there’s another component to this that is vital: reuse of passwords.
How to Keep Track
Let’s be real: we need passwords for virtually everything now. Applying for a job? Need a profile with a password. Checking your bank accounts, emails, or retirement funds? Password. Want to order online from your favorite restaurant? Password. Checking out Pinterest, IG, or a Discord server? Passwords, passwords, passwords. It’s tempting – and we all do it – to use the same password for multiple apps and websites. But here’s the thing: if all of your accounts use the same password, and someone discovers or cracks that password, you can pretty much kiss your money/apps/social media goodbye. I cannot stress how important it is to have different passwords for each app or service you use.
Oh, and you shouldn’t write them down, either.
“So, hold up,” you’re no doubt thinking, “how am I supposed to remember all these passwords, especially if they’re not supposed to be easy?” And that is the question we all want answered because it's seemingly impossible. However, there are several ways to attack this.
The first is to use a password vault. There are many of these on the market, some of them free (or as an add-on to a paid service), but the biggest issue with them is that, well, they can get hacked. Data breaches happen, and there’s no reason to believe that a password vault is immune. To be sure, the good ones have tight security, and you’re probably safe, but hacking tools and hacking methods are constantly evolving and having all of your passwords stored in one space is not that much safer than having them written down on a post-it next to your laptop.
One method that I like is to come up with an algorithm that you can use to devise quasi-random passwords, but all you need to remember is a key word or phrase that will let you know what the password is. You can write that phrase or word down, and now you don’t have to remember your passwords – you just have to know the algorithm that you created. Let’s take a look at what I mean.
Say you decide to start with a word, then you want to add a number sequence, followed by two special characters. So you establish the following rules:
1) The word can be 3-4 letters, but the second letter must be uppercase; all other letters are lowercase.
2) The word is followed by three numbers in descending order.
3) The numbers are followed by the special characters that correspond with the last two numbers in your sequence.
4) The last character is going to be an uppercase letter, and you’ll pick the letter to the right of the last letter in your word.
Let’s say you pick “rEd” as your word: it's three letters, with the second letter uppercase (Rule 1). Now, you’re going to pick three numbers, in descending order, starting with whatever number you want (Rule 2). Let’s start with 8. So now our password is: rEd876
Tough to guess, but only 1 second to break. But now you want to add your special characters (Rule 3). Remember, you pick the last two numbers in your number sequence, and add the special characters above those numbers on your keyboard, in this case, &^. So now we have rEd876&^. Tough to guess, but now we’re at an 8 hour hack, according to the Hive table. So let’s add that final uppercase (Rule 4). The last letter of your word is “d,” and the letter to the right of that is “F.” So now your password is: rEd876&^F, which will be virtually impossible to guess, and take roughly 3 weeks to crack. But how do you remember this?
Easy. You know the algorithm, so all you have to do is remember the word and number sequence. How do you do that? Leave a note that says RedTeam8. You can even leave “Facebook: RedTeam8” if you wanted, and no one who discovered it would ever be able to log into your Facebook unless they knew your algorithm.
And they won’t, because your algorithm is yours, right? Right?!
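The four rules above, implemented as an added example (this is not code from the original post). It assumes a US keyboard layout for the shifted symbols and the “letter to the right” rule, and wrapping around at the end of a key row is my addition to cover letters like p, l and m that have no key to their right.

```python
# US keyboard layout assumed (the post doesn't say which layout is used).
SHIFTED_DIGIT = {"1": "!", "2": "@", "3": "#", "4": "$", "5": "%",
                 "6": "^", "7": "&", "8": "*", "9": "(", "0": ")"}
KEY_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]

def key_to_the_right(letter: str) -> str:
    """Rule 4: the letter key immediately right of `letter` on the same row."""
    for row in KEY_ROWS:
        if letter in row:
            return row[(row.index(letter) + 1) % len(row)]  # wrap at row end (my assumption)
    raise ValueError(f"not a letter key: {letter!r}")

def make_password(word: str, start: int) -> str:
    """Apply Rules 1-4 to a 3-4 letter word and a starting digit."""
    word = word.lower()
    if not (3 <= len(word) <= 4 and word.isascii() and word.isalpha()):
        raise ValueError("Rule 1 needs a 3-4 letter word")
    if not 2 <= start <= 9:
        raise ValueError("Rule 2 needs three descending digits, so start with 2-9")
    styled = word[0] + word[1].upper() + word[2:]               # Rule 1: second letter uppercase
    digits = "".join(str(start - i) for i in range(3))          # Rule 2: 8 -> "876"
    specials = "".join(SHIFTED_DIGIT[d] for d in digits[-2:])   # Rule 3: shifted 7 and 6 -> "&^"
    final = key_to_the_right(word[-1]).upper()                  # Rule 4: right of "d" is "F"
    return styled + digits + specials + final

def password_from_note(note: str) -> str:
    """Rebuild the password from a reminder written as word + 'Team' + digit, e.g. 'RedTeam8'."""
    word, _, digit = note.partition("Team")
    return make_password(word, int(digit))

if __name__ == "__main__":
    print(make_password("red", 8))            # rEd876&^F
    print(password_from_note("RedTeam8"))     # the same password, rebuilt from the reminder
```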
If this seems too complicated for you (and, I'll admit, it seems complicated on paper), a buddy of mine suggested using a longer phrase that only you will know, but that you aren't likely to find anywhere else. So, as an example, let's say you lost your wedding ring and needed to order a new one. You might, therefore, use "Reordergoldcircle." This is already sixteen characters long and has a special character. If you want to make it longer, add an extra number to the end, say "Reordergoldcircle13.", and you've got yourself an impossible password to crack. You'll remember it fairly easily, yet you can safely leave a reminder (such as "wedding band") that will jog your memory but won't give out your actual password.
Now, with all of that said, I would be horribly remiss if I didn’t recommend Multi-Factor Authentication. Have you ever been asked to set up a phone number, then had a “code” texted to you after you logged into something? That’s called Multi-Factor Authentication. Yeah, it’s annoying, but think about it this way: you have an extra layer of protection designed to keep an intruder out, because if anyone does happen to guess or crack your password, you’ll be notified that he or she is attempting to log in. I once had my Netflix breached, but since I made up an algorithm (not the example I gave!) and set up MFA, it hasn’t been an issue.
As the world gets more and more connected, we are experiencing higher levels of convenience than ever before, but that convenience comes at a price, usually security. By making stronger passwords – passwords that are both complex and long – you can do your part to keep your data and personal information safe.