Although the bottom right section of our computer tells us that the year is 2012, many have forgotten some basic security measurements and threat passwords just like they did 10 years ago. With hackers getting smarter and computers becoming more powerful each day, the circle of those who can crack a Windows or online password has extended to such reach, that safeness may well become an illusion; unless you are smart.
Recent studies and the launch of new tools have unveiled that those who choose plain passwords to services, such as paid websites, games, Windows and pretty much every other place that let’s people pick whatever they wish to use, are in imminent peril. Fortunately, this situation can be easily adverted by choosing a tougher password and by keeping an eye opened at all times.
Password cracking: threats all around
When users sign up to a service, regardless of its nature, most of them usually pick rather simple passwords, because they are easier to remember and easier to type. Unless the targeted service doesn’t explicitly ask for a password with special characters, number, spaces or capitalized letters, the majority of people will pick a plain password, with a maximum character number of eight. In other cases, the chosen word is something simple to guess or easily hinted by someone who knows the user, in person.
Easy or complicated, passwords can be cracked unless the system is secure enough. Usually, attackers resort to three, rather simple principles, explained below:
- Brute Force – cracking a password using brute force means trying every possible combination of characters until one proves to be right. This method is highly used because it requires minimum knowledge and effort. For someone that has a high computational system, almost any password within the eight characters margin can be cracked in less than six hours.
One of these systems is the 25-GPU cluster presented by ArsTechnica, and it’s capable of generating 350 billion guesses each second. Combining that kind of power with efficient algorithms and a dictionary of most used terms, the team demonstrating performances have managed to crack 90% of 6.5 million passwords registered on LinkedIn.
Moreover, a PC running a single AMD Radeon HD7970 GPU can obtain 8.2 billion password combinations each second. Combine that with powerful, but free software that can hast the process and password crackinga becomes a home-possible task.
- Dummy guesses – some users rely on dummy words instead of real passwords, such as “computer”, “password”, “Microsoft”, “Britney” or any other modification through the use of special characters. Usually, a dictionary with these used terms is assembled and introduced into the brute-force algorithm, simplifying the whole cracking process. Another extension of the dummy guess can be used by persons close to you, in case the password is something close like the name of your dog, the social security number or other stuff like that.
- Keyloggers and other infections – a clean computer is a safe working environment, in any circumstances. Probably, the simplest way to find out a password (and any other sensitive information) is through the use of a keylogger. Once installed on the victim’s computer, this software will remember vital things, like passwords, conversation logs and other stuff worth stealing – all of these without leaking a sign. A story worth sharing happened about six months ago, when my 27-character password for Yahoo Mail was hacked through the use of such a program and it happen to you, especially if you’re using Internet Explorer.
Solutions and defensive tactics
- Use powerful passwords – usually, systems permitting users to choose simple passwords have the technological means to encode it in such ways that it would be hard for someone to crack their code. Unfortunately, you can never be sure so whenever you pick a password, chose one that has special characters (! , ; * & ), numbers, capitalized letters or even spaces. Another must is the length of the word – choose 9 letters or more, because the number of possible combinations for a nine character string is so high, that it would take years for someone to crack it (at least for now).
- Be smart – act before attackers by changing passwords frequently (once at three months would be alright) and by using dynamically passwords whenever the service allows it. Big companies, such as banks and well-established gaming companies (Blizzard, for example) sell tokens that generate one-time passwords that expire after 30 seconds, all for security sake.
- Don’t pick the same password for different accounts – a recent study claims that although the average user maintains around 25 different accounts, he only has 6.5 passwords for them. So, to avoid mass cracking, chose different passwords for each account. My favorite tactic for this case is to pick the same key-string for each service, while adding its name at the end of it. Ex: [email protected], [email protected]
- Be careful where you log – do not log into vital services, like bank accounts and such, while being in a public coffee shop or at the library computer; the machine can be infected or someone may eavesdrop the wireless connection.
- Keep a clean computer – make sure you cannot be attacked from your own back-yard, by installing a good anti-virus solution that comes complete with tools effective against spyware attacks, malwares and other rogues. The best options are developed by Kaspersky, BitDefender and ESET.