Friday, October 11, 2013

Passwords? We don't need no steenking password. Actually, we do.

by Ray Daniel

The best thing about being a mystery writer with a hacker protagonist is that it has completely changed my attitude about cyber crime. While most people are horrified to learn that password hacking has become so easy that children literally do it for fun, I tend to think “Excellent I can use…”
Oh wait. You didn’t know that password hacking has become so easy that children can literally do it for fun? Um…Well…Sadly it’s easy.

You just go to the web, download a stolen password database (I just found one in two minutes with Google) and then download some password cracking software ( oclHashcat-plus will do) and bingo…you’re a hacker.


Password Hacking 101

Hacking passwords is a relatively simply process. You start with a file full of encrypted passwords that look like this: 5f4dcc3b5aa765d61d8327deb882cf99. Then you encrypt test words such as password and compare the encrypted test word to the password you’re trying to crack. If the encrypted test word matches the password, then you’ve cracked that key.

Once you’ve got that process in place you just need to pick good test words. Short passwords of six characters or fewer are easy. With today’s computers you can literally try all possible passwords: aaaaaa, aaaaab//////. There’s no way to make a strong short password since all short passwords are equally weak.

For longer passwords you try, or your software tries, other tricks. For example you try password then passw0rd then pa55w0rd. Then you start mixing and matching other words and other letters.

Once you’re done playing around, you start trying passwords from a dictionary. While people imagine hackers using the Oxford English Dictionary, that approach has become passe. Today’s hackers use dictionaries of already hacked passwords. It turns out that we users are not all that creative.

Protecting Yourself

Given the fact that password files get stolen every day, and that good hackers can break of 90% of the passwords in many of these files, how can you be secure online?

The first thing to do is to find out whether your favorite sites support two-step verification. Google and Facebook both provide this sort of system.

With two-step verification, you type your password into the site and then the site texts an additional password to your phone. This way the password is useless without the phone.

Another thing you can do is to buy a password tracking system such as 1Password or lastpass.com. These systems remember your passwords for you and can generate virtually unhackable random passwords. The beauty of this approach is that a password hacked from one site cannot be used on another.

The last thing you can do is just create passwords that are not based on words. Use phrases instead. For example, consider “With great power comes great responsibility.” You can munge this into “wgr8pcgr8r.” where the gr8 spells “great”. No dictionary will be able to guess that password. The period at the end is a nice touch that makes the password longer.

My final piece of advice on keeping your password safe: never send all your password information to that nice disgraced prince who emailed you from Africa. It turns out that he doesn’t actually send you millions of dollars.

No comments: