In the spirit of DEF CON and a week of hacking, Tech Talker covers one question he gets asked all the time: How do you "crack" a password?
Essentially, a hacker has to be very very patient and try thousands, millions, billions, and sometimes even trillions of passwords before they find the right one. There are a few ways hackers go about this to increase the probability that they can find your password. These include:
Mask/Character Set Attacks
Let's talk more about each of these.
Dictionary attacks are just what they sound like: you use the dictionary to find a password. Hackers basically have very large text files that include millions of generic passwords, such as password, iloveyou, 12345, admin, or 123546789. (If I just said your password, change it now!!!)
Hackers will try each of these passwords --which may sound like a lot of work, but it’s not. Hackers use really fast computers (and sometimes even video game graphics cards) in order to try zillions of passwords. As an example, while competing at DEFCON this last week, I used my graphics card to break an offline password, at a speed of 500,000 passwords a second!
Mask/Character Set Attacks
If a hacker can’t guess your password from a dictionary of known passwords, their next option will be to use some general rules to try a lot of combinations of specified characters. This means that instead of trying a list of passwords, a hacker would specify a list of characters to try.
For example, if I knew your password was just numbers, I would tell my program to only try number combinations as passwords. From here, the program would try every combination of numbers until it cracked the password. Hackers can specify a ton of other settings, like minimum and maximum length, how many times to repeat a specific character in a row, and many more. This decreases the amount of work the program would need to do.
So, let's say I had an 8 character password made up of just numbers. Using my graphics card, it would take about 200 seconds--just over 3 minutes--to crack this password. However, if the password included lowercase letters and numbers, the same 8 character password would take about 2 days to decode.
If an attacker has had no luck with these two methods, they may also "bruteforce" your password. A bruteforce tries every character combination until it gets the password. Generally, this type of attack is impractical, though--as anything over 10 characters would take millions of years to figure out!
As you can see, cracking a password isn’t as hard as you may think, in theory--you just try trillions of passwords until you get one right! However, it's important to remember that finding that one needle in the haystack is sometimes next to impossible.
Your best safety bet is to have a long password that is unique to you, and to whatever service you’re using. I’d highly recommend checking out my episodes on storing passwords and creating strong passwords for more info.
Well, that’s it for today! Be sure to check out all my earlier episodes at quickanddirtytips.com/tech-talker. And if you have further questions about this podcast, or want to make a suggestion for a future episode, post them on Facebook.com/QDTtechtalker.
Until next time, I’m the Tech Talker, keeping technology simple!
Photos of hacker with hoodie, password, and hacker with floating words courtesy of Shutterstock.