Password Haystack – How well hidden is your needle?

chris

With hacking in the headlines on a weekly basis now, it is important to secure your passwords against all types of attack. There’s a lot of publicity about making sure your password is not dictionary based, but it’s equally important to make sure your password is of a decent length and complexity. You may have heard the term ‘brute force’, which refers to manual or, more commonly, automated attempts to ‘guess’ a password. A brute force attack carried out online will commonly involve around 1,000 guesses per second hitting a login page. If a hacker manages to get a copy of a database and can work on it offline, they will be able to use a ‘cracking array’ (a network of computers all working together to crack a password), which can achieve speeds of up to one hundred trillion guesses per second! Not many sites offer two-factor authentication either. Suddenly your non-dictionary password doesn’t seem quite so secure…

  • How to mitigate against these brute force attacks

Length & complexity. The longer and more complex your password is, the longer it takes the hacking system to brute force it. A good way to think about it is that your password is the combination to a vault: the longer it is, the longer it will take to find the correct one. Let’s say for example you have a password of ‘submin’. Ignoring for a moment that it’s a dictionary word backwards, its length means it would take around 3.72 days to crack online (there are a lot of large websites with holes in their APIs that allow a hacker to repeatedly hit a login page!). If the hacker managed to get an offline copy of the database (if it was left, say, on a laptop on a train), it would take 0.00321 seconds to crack. Scary stuff for a seemingly ‘ok’ looking password.

So, let’s add a ‘$’ to it to introduce an extra layer of complexity and length. Now we’re looking at a better 80.50 years for an online attack, but still a pitiful 25.32 seconds for an offline attack if they get a copy of the database to work on.

So let’s try submin$R, adding length and uppercase complexity.

Again, it is better, but not great; still worth the hacker’s time to try and get. I won’t keep adding a character at a time as you get the idea, but cutting to the chase, check out a 16-character random password with uppercase, lowercase, numbers and symbols in it:

MUCH better! The current thinking is that 16 characters is a good length for a password, though remember that hackers are constantly improving their systems, so all the figures above will creep down over time.
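The figures above all come from one simple search-space calculation, and it is worth seeing it written out so you can reason about your own passwords. The following Python script is an added example, not code from this post or from the GRC tool. It assumes the Haystack convention of four character classes (26 lowercase, 26 uppercase, 10 digits and 33 symbols including the space), counts every string of length 1 up to the password’s length over the classes the password actually uses, and divides that count by a guess rate. The ‘offline’ rate of one hundred billion guesses per second is an assumption: it is the rate that reproduces the post’s 0.00321 and 25.32 second figures, while the one hundred trillion per second cracking array is included as a third scenario. Years are taken as 365 days, so the tool’s own ‘years’ figures will not be reproduced exactly; the day and second figures are. The 16-character password at the end is constructed for the example.

```python
import string

# Character classes in the GRC Haystack convention (assumed here):
# 26 lowercase, 26 uppercase, 10 digits and 33 symbols. Python's
# string.punctuation holds 32 characters; adding the space makes 33.
CLASSES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "digits": set(string.digits),
    "symbols": set(string.punctuation) | {" "},
}

# Guesses per second for each scenario. "offline" at 100 billion/s is an
# assumption: it is the rate that reproduces the post's offline figures.
GUESS_RATES = {
    "online": 1_000,
    "offline": 100_000_000_000,
    "cracking_array": 100_000_000_000_000,
}


def alphabet_size(password: str) -> int:
    """Size of the alphabet an attacker must cover: the sum of the sizes of
    every character class that appears at least once in the password."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def search_space(password: str) -> int:
    """Number of candidate strings of length 1..len(password) over that
    alphabet. Python integers are exact, so 95**16 does not overflow."""
    n = alphabet_size(password)
    return sum(n ** length for length in range(1, len(password) + 1))


def crack_seconds(password: str, rate: int) -> float:
    """Worst case: the attacker tries the whole space at `rate` guesses/s."""
    return search_space(password) / rate


def humanize(seconds: float) -> str:
    """Render seconds in the largest unit that fits, using 365-day years."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.2f} {name}"
    return f"{seconds:.5f} seconds"


def report(password: str) -> dict:
    """Time to exhaust the search space under each scenario."""
    return {name: humanize(crack_seconds(password, rate))
            for name, rate in GUESS_RATES.items()}


if __name__ == "__main__":
    # The post's walk-through, plus a constructed 16-character password
    # that draws on all four classes.
    for pw in ["submin", "submin$", "submin$R", "kX7!pQ2#mZ9$wL4&"]:
        print(f"{pw!r:20} alphabet={alphabet_size(pw):3} "
              f"space={search_space(pw):.3e}")
        for scenario, text in report(pw).items():
            print(f"    {scenario:15} {text}")
```

Run it and compare the ‘submin’ and ‘submin$’ lines with the figures in the post. Note what the calculation does and does not say: it assumes the attacker has to exhaust the space rather than hitting a word list first, which is exactly why the post insists the password also not be dictionary based, and the online rate assumes the site does nothing to throttle repeated login attempts.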

BUT, what a nightmare having to remember that beast of a password. Luckily there are some fantastic tools out there such as 1Password and LastPass, which securely store your complex passwords and have browser extensions so you can enter your details quickly. They both also have Android/iOS/Windows apps. We’d recommend making ALL your passwords this complex and secure, including mailbox passwords, which are among the most common targets for brute force attacks and compromises. It’ll take some time to secure all your passwords across the internet, but in our opinion it is time well spent: once an account gets compromised, it can be extremely stressful and difficult to get back, and that’s without the financial and other implications that follow.

All the results in this post were generated with the fab Haystack tool at https://www.grc.com/haystack.htm