Password security is important to you.

While performing computer repair and virus removal in the Cordova, AK area, I often find problems caused by insecure passwords.  Password security is essential for every computer user.

It helps to think of passwords as physical keys, like you use to lock your home or vehicle.  Having an insecure password is like leaving your front door unlocked.

A password that is a single word or simple combination of words is vulnerable to a dictionary attack.

One of the problems with password security is that computer users are lazy.  We don’t want to come up with a complex (and therefore more secure) password because it’s a bit harder to remember than 123456. Unfortunately, if it’s super-easy to remember, it’s also super-easy to guess.

Take a look at this list of 500 common passwords.  (it seems common for users to use vulgar language in their passwords; this is reflected here)  Do a text search of the page (CTRL+F in most web browsers) and see if your password is in the list.  If it is, I strongly encourage you to change your password immediately.  Of course, I’m encouraging all users to change their passwords, but you most of all.

One way of “hacking” a password is to use a dictionary attack.  An attacker tries a list of known words or common passwords until one of them works. The word “dictionary” in this case does not mean that the list is limited to only words you would find in a common book of definitions; it simply indicates that a list of possibilities is used.  Although it is true you will not find a definition for “password123” in any dictionary, rest assured that even the most basic dictionary attacks are unlikely to be thwarted by a simple pattern tossed on the end of the word: cracking tools apply “rules” to every word in the list (capitalize it, add 1 or 123 or ! to the end, swap a for @) and try each variation too.

If your password is a single word found in a dictionary, you are definitely vulnerable to this type of attack.  However, lists used in dictionary attacks also include combinations of words.  This means that blue is a terrible password, but blueblack isn’t much better.
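To make the attack concrete, here is a small dictionary attack written for this article (it is an added example, not a tool the author uses). It builds a constructed “leaked” list of unsalted SHA-256 hashes for four made-up users, then hashes every word in a tiny base list plus the mangling rules described above (capitalization, digit and symbol suffixes, two-word joins) and looks for matches. The base wordlist, the users and their passwords are all invented for the demonstration.

```python
import hashlib
import itertools

# Constructed sample "leak": four made-up users whose passwords were stored
# as unsalted SHA-256.  Fast, unsalted hashes are exactly what makes offline
# guessing cheap: one hash computation per guess, checked against every user.
SAMPLE_USERS = {
    "alice": "blue",          # single dictionary word
    "bob": "blueblack",       # two dictionary words joined
    "carol": "Password123",   # word + capitalization + digit suffix
    "dave": "q7#Lm2$vK9pT!",  # random 13 characters: should survive
}

# Tiny constructed base wordlist standing in for a real list of common passwords.
BASE_WORDS = ["blue", "black", "password", "letmein", "dragon"]


def make_sample_dump():
    """Return {user: hex SHA-256 of password}, i.e. what an attacker would steal."""
    return {user: hashlib.sha256(pw.encode()).hexdigest()
            for user, pw in SAMPLE_USERS.items()}


def candidates(words):
    """Yield guesses: each base word under simple mangling rules, then two-word joins."""
    suffixes = ["", "1", "12", "123", "!", "2024"]
    for w in words:
        for base in (w, w.capitalize(), w.upper()):
            for s in suffixes:
                yield base + s
    for a, b in itertools.permutations(words, 2):
        yield a + b


def count_candidates(words):
    """How many guesses the rule set produces for a given base list."""
    return sum(1 for _ in candidates(words))


def dictionary_attack(dump, words):
    """Return {user: recovered password} for every hash matched by some guess.

    Hashes are indexed first so each guess costs one hash plus a dict lookup,
    no matter how many users are in the dump.
    """
    users_by_hash = {}
    for user, h in dump.items():
        users_by_hash.setdefault(h, []).append(user)

    cracked = {}
    for guess in candidates(words):
        h = hashlib.sha256(guess.encode()).hexdigest()
        for user in users_by_hash.get(h, []):
            cracked[user] = guess
    return cracked


if __name__ == "__main__":
    result = dictionary_attack(make_sample_dump(), BASE_WORDS)
    print(f"{count_candidates(BASE_WORDS)} guesses tried")
    for user in SAMPLE_USERS:
        print(f"{user}: {result.get(user, '<not cracked>')}")
```

Five base words turn into 110 guesses, and those 110 guesses recover three of the four passwords in a fraction of a second. Only the random 13-character password survives, which is the point of the rest of this article.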

Increase complexity to slow brute force attacks.

Another method of password cracking is known as a brute force attack.  In this type of attack, all possible passwords are attempted until the correct one is guessed.  Because this process takes much longer, it is usually only attempted after exhaustive dictionary attacks have failed.

This audio clip provides a humorous example of how a brute force attack works.  In the clip from Family Guy, Stewie tries to call his mother but doesn’t know the number.

Obviously, this type of attack can take some time, especially when being done by a human.  When it comes to password cracking, though, a computer will be doing the work.  Against a live login page the site can slow down or lock out repeated attempts, but against a stolen copy of a password database (the usual case) the number of attempts per second is limited only by the hardware doing the work and how expensive each guess is to check.  In the case of guessing a ten-digit phone number, there are only 10,000,000,000 different possible number combinations.  This may seem like a large number, but modern computers can attempt every possible ten-digit combination of the integers 0 through 9 in a relatively short period of time.

The way to protect against a dictionary attack is to make sure that your password does not appear in any dictionary.  For a brute force attack, the strategy is different.  You need to make your password so complex that it will take an impossibly long time to crack.

How to make your password more complex.

Two of the elements that contribute to password complexity are character set and length.  The character set is simply all of the possible options for a single character of your password.  In the phone number example above, the size of the character set is ten.  Each character of the unknown can only be one of ten different integers.

The length of the password affects its complexity exponentially, as shown below:

number of possible passwords = character set^length

A password that is made up of only lowercase letters has a character set of 26.  If it’s made up of both lowercase and uppercase letters, the character set is 52.  Add one or more digits, and another ten possibilities increase the character set to 62.  With punctuation included, roughly 30 additional possible characters (the exact count depends on which symbols a site accepts) increase the total set to 92.

To include all of these different categories of characters, a password must be at least four characters long.  For example, the password aB!3 has a character set of 92.  Contrast that to the simple, lowercase able, which only has a character set of 26.  Using the math above, we can see that a computer trying to guess aB!3 would be chugging through up to 71,639,296 possible options.  Note that the computer could stumble upon the correct answer at any time and not need to go through the entire list; on average it finds the password about halfway through.  If we’d only used able, the character set of 26 with a four-character length would have only provided 456,976 possibilities. Obviously, using a larger character set will increase complexity.

Now we can see how increasing the length of a password dramatically (again, exponentially) increases its complexity.  If we were to add just one character to our aB!3 password, the number of possible options would jump from 71,639,296 to 6,590,815,232!  Getting better, but still not good enough.  A set of high-powered computers crunching away at that number of possibilities should still be able to arrive at the correct answer at some point.  Imagine if the password were 13 characters long.  There would be more than 3.38 x 10^25 (or more than 33,825,307,600,000,000,000,000,000 or 33.8 septillion) different possible character combinations.  Now that’s some decent complexity!  One caveat: that count only holds if the 13 characters are effectively random.  A 13-character password built from two or three dictionary words is still a candidate for the dictionary attack described above, no matter how large its character set.
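The following calculator reproduces the article’s arithmetic and extends it slightly. It is an added example, not code from the original post. It uses the article’s own class sizes (26 lowercase, 26 uppercase, 10 digits, 30 punctuation), computes the keyspace set^length for a password based on which classes it contains, estimates brute-force time at an assumed guess rate, and answers the reverse question: how long must a password be to survive a given attacker for a given number of years? The guess rate of ten billion per second is an assumption chosen for illustration, not a figure from the article.

```python
import math
import string

# Character-class sizes as the article counts them.  It uses 30 punctuation
# symbols; the exact number depends on which symbols a site accepts.
CLASS_SIZES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "punct": (set(string.punctuation), 30),
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_size(password):
    """Size of the set an attacker must search, assuming they know only which
    character classes the password draws from (the article's model)."""
    return sum(size for chars, size in CLASS_SIZES.values()
               if any(c in chars for c in password))


def keyspace(password):
    """Number of possible passwords of this length over this set: set ^ length."""
    return charset_size(password) ** len(password)


def crack_time_seconds(password, guesses_per_second, worst_case=False):
    """Seconds to brute-force the password.  On average the attacker needs to
    try half the keyspace; worst_case=True assumes the whole space is searched."""
    space = keyspace(password)
    tries = space if worst_case else space / 2
    return tries / guesses_per_second


def min_length(charset, guesses_per_second, years):
    """Smallest length whose full keyspace takes at least `years` to exhaust.

    Solves charset ** length >= guesses_per_second * seconds with integer
    arithmetic so very large keyspaces are not rounded by floating point.
    """
    needed = math.ceil(guesses_per_second * years * SECONDS_PER_YEAR)
    length = 1
    while charset ** length < needed:
        length += 1
    return length


def describe(password, guesses_per_second):
    """Human-readable summary line for one password."""
    secs = crack_time_seconds(password, guesses_per_second)
    return (f"{password!r}: set={charset_size(password)}, "
            f"keyspace={keyspace(password):,}, "
            f"average crack time={secs / SECONDS_PER_YEAR:.2e} years")


if __name__ == "__main__":
    RATE = 10**10  # assumed: ten billion guesses per second against a fast, unsalted hash
    for pw in ["able", "aB!3", "aB!3x", "aB!3xY9@kL2#q"]:  # the article's examples plus a 13-char one
        print(describe(pw, RATE))
    print("length needed (92-character set) to last 100 years at this rate:",
          min_length(92, RATE, years=100))
```

The 13-character example is the article’s own 92^13 case, and at the assumed rate it averages over fifty million years; the reverse calculation shows that, at that same rate, ten random characters from the full 92-character set are already enough to outlast a century of continuous guessing. Both figures describe random passwords only; the model says nothing about a 13-character password an attacker can guess from a wordlist.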

Use different passwords for every site.

Of course, coming up with just one good password isn’t enough.  You should be using different passwords for every site you use.  Imagine if your cars, house, filing cabinets, gym locker, bike lock, mailbox, and every other lock you ever used worked from just one key.  If someone steals that one key, they’ve got complete access to everything.  You should treat your passwords the same.

Now I know that you are likely thinking I’m crazy, expecting you to come up with a secure, 13-character password for every site you use.  Sound impossible?  It’s not! In a future post, I’ll teach you about LastPass and how it can solve ALL of these password problems for free!