It’s the age-old problem that everyone faces – keeping online passwords safe. Passwords are vulnerable to brute-force attacks and, on the end point, to key logging and phishing attacks.
Password-cracking software can quickly cycle through a range of dictionary words, and combinations of those words with numeric characters, in order to guess a password. A criminal conducting a dictionary attack on an average-speed PC could crack passwords such as “MySecret”, “BankEntry”, “MyBank9” and “RomeSky” in less than a minute. Other combinations of words, such as “RedCircle”, “DavePhone” and “NeverKnow”, can all be cracked in much less than an hour. You can test your own passwords here.
Password-cracking criminals know that most people add numbers only at the end of their passwords, and generally use upper-case characters only at the beginning of words. So, for example, “James1964”, “AliceJ19” and “Beach200” can all be cracked in a few hours.
Criminals are also aware of the technique many people use of replacing “E” with “3”, “S” with “$”, “l” with “1”, etc. So, for example, “b3ach202”, “homeba$e” and “1unch500” are all cracked within an hour.
Spelling words backwards is also a technique known to password crackers. For example, spelling the word “secret” backwards and adding a couple of numbers, as in “terces80”, is easily cracked in a few minutes.
Passwords are strengthened by making them longer and by avoiding dictionary words. So, for example:
“JaJwuth2” would take about 15 hours to crack
“JaJwuth2f” would take almost a month to crack
“JaJwuth2fa” would take about 5 years to crack
“JaJwuth2fapow” would only be cracked after millions of years (according to this site)
Note, however, that the above estimates are based on today’s average-speed PC. A technique is described below for creating and remembering a difficult-to-crack password such as “JaJwuth2fapow”.
News this past weekend is that the latest version of the password-cracking tool Hashcat can now crack much longer passwords based on dictionary words. Simply extending the password length by combining more dictionary words is no longer secure.
Here are some guidelines for making your passwords stronger:
1. Use different passwords for different websites. In this way, if one of your passwords is compromised, it only affects one website. Using many complex passwords is only practical with the help of password manager software. You should ensure your password manager is protected against key logging attacks or else it may simply be a convenient organising tool for a key logging criminal.
2. Avoid dictionary words, people’s names and company names.
3. Use a combination of: (a) Upper and lower case characters (avoiding upper case only on the first character), (b) Numeric characters, but not only at the end, and (c) Non-alphanumeric characters (such as “$%^&*”).
4. Replacing “E” with “3”, “S” with “$”, and “l” with “1”, etc. does not add much to complexity.
5. Ensure your passwords are at least 9-12 characters long.
6. Install anti-key-logging and anti-phishing software on the end point to protect passwords entered into all websites, not only banking passwords.
7. One technique for creating a complex password that you can remember is to take the first characters of the words of a song or rhyme you know. So, for example, “Jack and Jill went up the hill to fetch a pail of water” becomes the password “JaJwuth2fapow”, which currently would be very difficult to crack.
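The cracking strategies described above (dictionary words, trailing digits, capitalised first letters, leet substitutions, reversed words) and the first-letter technique of step 7, as an added Python example that is not the article's own code: a rough guess-space model that shows why “MySecret” falls quickly while “JaJwuth2fapow” does not. The toy wordlist, the attacker's wordlist size (DICT_SIZE) and the guess rate (GUESSES_PER_SEC) are assumptions chosen to land near the article's own estimates.

```python
import re

# Constructed toy wordlist for the demo; a cracker's list is far larger, so the
# guess-count model assumes DICT_SIZE entries rather than len(WORDS).
WORDS = {"my", "secret", "bank", "entry", "rome", "sky", "red", "circle", "dave",
         "phone", "never", "know", "beach", "home", "base", "lunch", "james", "alice"}
DICT_SIZE = 100_000                   # assumed size of a cracker's wordlist
GUESSES_PER_SEC = 2e9                 # assumed guess rate of an "average-speed PC"
LEET = str.maketrans("3$1", "esl")    # undo the E->3, S->$, l->1 substitutions

def mnemonic(phrase):
    """First letter of each word, with 'to' written as '2' (the article's technique)."""
    initials = []
    for word in phrase.split():
        word = word.strip(",.!?")
        initials.append("2" if word.lower() == "to" else word[0])
    return "".join(initials)

def segment(text):
    """Split text into dictionary words (dynamic programming); None if impossible."""
    best = {0: []}
    for end in range(1, len(text) + 1):
        for start in range(end):
            if start in best and text[start:end] in WORDS:
                best[end] = best[start] + [text[start:end]]
                break
    return best.get(len(text))

def estimate_guesses(pw):
    """Guesses needed by the strategies the article lists; if none applies, fall back
    to a brute-force search over the character classes actually present."""
    trailing_digits = len(pw) - len(pw.rstrip("0123456789"))
    core = pw.rstrip("0123456789").lower().translate(LEET)
    for candidate in (core, core[::-1]):        # as written, and spelled backwards
        words = segment(candidate)
        if words:
            return (DICT_SIZE ** len(words) * 10 ** trailing_digits
                    * 2 ** len(words) * 2 * 2)  # case per word, leet on/off, reversed on/off
    classes = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"\d", 10), (r"[^A-Za-z\d]", 33))
    charset = sum(n for pattern, n in classes if re.search(pattern, pw))
    return charset ** len(pw)

def crack_seconds(pw, rate=GUESSES_PER_SEC):
    """Average-case time: half the guess space at the assumed rate."""
    return estimate_guesses(pw) / 2 / rate

if __name__ == "__main__":
    rhyme = "Jack and Jill went up the hill to fetch a pail of water"
    for pw in ("MySecret", "b3ach202", "terces80", "JaJwuth2", mnemonic(rhyme)):
        print(f"{pw:16} {crack_seconds(pw):.3g} s")
```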