TL;DR Summary

With Halloween just around the corner, I have a question for you: What scares you the most, and how are you addressing it? For many people, it is having their personal identity stolen. And this often happens because of weak passwords.

Professional password cracker Jeremi Gosney explains how password complexity (entropy) is not nearly as important as using a different password for each and every account that you have. Read this article to learn what you should do to protect yourself.

Password Entropy

I recently read an article about how a professional password cracker goes about cracking passwords. The observations he made may startle you.

The computer science measure of how hard a password is to crack is something called “entropy.” Password entropy is a measurement of how unpredictable a password is. It depends on two things: the password’s length (the longer the password, the more entropy it has) and the size of the character set it draws from, which you expand by mixing lowercase letters, uppercase letters, numbers and symbols.

Most of us don’t have passwords that pass the entropy test. According to Diceware creator Arnold Reinhold, a six-word Diceware passphrase has 77.5 bits of entropy, meaning that it is only “breakable by an organization with a very large budget, such as a large country’s security agency.” You can calculate the entropy of a password using this formula:

E = log2(R^L)

  • E stands for password entropy, in bits.
  • R stands for the number of possible characters the password can be drawn from (the size of the character set).
  • L stands for the number of characters in your password.

Obviously, that doesn’t mean much for most of us, so the simple explanation is that you increase entropy by adding more character types (upper and lower case, numbers, and symbols), and by increasing the length. The formula is explained in detail at: https://www.pleacher.com/mp/mlessons/algebra/entropy.html.
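As an added worked example (not code from the original article or from Diceware), here is the formula above implemented in Python for both character-based passwords and Diceware passphrases; the 32-symbol size for the punctuation class and the 7776-word Diceware list are assumptions noted in the code, and the 60-bit target is the article’s own.

```python
import math

# Assumed pool sizes for the character classes the article lists.
# 32 is the usual count of printable ASCII symbols; calculators differ slightly.
CHARSET_SIZES = {
    "lower": 26,
    "upper": 26,
    "digit": 10,
    "symbol": 32,
}

def pool_size(password: str) -> int:
    """R in the article's formula: the size of the character pool a
    brute-force guesser must cover, inferred from the classes present."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return sum(CHARSET_SIZES[c] for c in classes)

def entropy_bits(pool: int, length: int) -> float:
    """E = log2(R^L), computed as L * log2(R) so R^L never has to be built."""
    return length * math.log2(pool)

def password_entropy(password: str) -> float:
    """Nominal entropy of a character password. This assumes every character
    was chosen uniformly at random; a human pattern such as 'capital first,
    digit last' (see the article) makes the real guessing cost far lower."""
    return entropy_bits(pool_size(password), len(password))

def passphrase_entropy(num_words: int, wordlist_size: int = 7776) -> float:
    """Diceware draws each word from a list of 6^5 = 7776 words (assumed
    default), so R is the list size and L is the number of words."""
    return entropy_bits(wordlist_size, num_words)

def meets_target(bits: float, target: float = 60.0) -> bool:
    """The article's suggested minimum score is 60 bits."""
    return bits >= target

if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for pw in ("hunter2", "Password1!"):
        print(pw, round(password_entropy(pw), 1), meets_target(password_entropy(pw)))
    print("6 Diceware words", round(passphrase_entropy(6), 1))
```

Six Diceware words come out at 77.5 bits, matching Reinhold’s figure, while a short lowercase-plus-digit password lands well under the 60-bit target.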

If you want to find out if your password is strong enough to prevent hacking, use this password entropy calculator. Aim for a score of at least 60. Here is the direct link to the calculator.

If you prefer a more visual representation of how secure your password is, take a look at the table created by Hive Systems.

But, Jeremi Gosney, a renowned password cracker, gave a talk at a hacker conference recently and declared that entropy was overrated. The most important feature of a strong password these days, he said, was uniqueness—having a different password for each account. I can testify to that as I have a strong password for my Netflix account, but it was recently hacked, and I’m sure it was because I was using the same password on multiple accounts (not any more!).


Here’s the thing: When a password cracker is attempting to crack a password, they often have a database of passwords. This database is almost never in plain text. Instead, it is a list of MD5 hash values: scrambled, fixed-length values that are worthless to a human reading them. You can generate a hashed value at https://www.md5hashgenerator.com/.

The only way to crack a password is essentially to play a guessing game: you run password guesses through the same hash algorithm that was used to produce the hashes in the database, and you compare the results. If a guess produces a hash value identical to one in the database, then the cracker knows what the password was. This process can of course be automated, using a freely distributed program called hashcat. While billed as a “password recovery tool,” its real purpose is simply to crack passwords.

There are dozens of major password leaks every year. These leaks are distributed on the dark web as databases or dictionary files, which are used as the seed files for people using the hashcat process mentioned above. This has made it possible for crackers to break 96 percent of all passwords within a week. Gosney explains, “Typically, the passwords that we can crack aren’t the ones that are generated by machines. Where we find the most success as password crackers is targeting passwords that are generated by humans, because humans across the globe still tend to think alike.”

People tend to pick something they are interested in: a sports team, a hobby, the city they live in, their kid’s or pet’s names, etc. When password complexity policies require an uppercase character and a number, 99 percent of the people on this planet are going to put the uppercase character in the first position and the number in the last position. A special character? Just add a ! or # to the end. We are making it easy for crackers to guess our passwords.

Most passwords are stolen through phishing attacks, malware, or looking over someone’s shoulder. So length and complexity don’t matter. Using unique passwords for each account is what matters because it prevents the attacker who has stolen one of your passwords from accessing more than one of your accounts. According to Gosney, “Having a password manager create a unique, machine-generated password for every sign-in service is by far the best way to do it.”

Obviously, this means that you cannot remember all these complex passwords, so you need a way to store them. Your browser can remember your passwords, but this is not a very safe solution. Web browsers are fairly easy to break into, and lots of malware, browser extensions and even honest software can extract sensitive information from them. Instead, you should save passwords in a stand-alone password manager. Here are 2 options that I recommend:

If you found this information helpful, please leave us a positive review at https://webstoresltd.com/google, and share this article with a friend!
