
Understanding the threats and popular password cracking methods

You don’t need someone’s password to access their personal information, steal their identity or just ruin their day. Attacking someone’s password, however, is very common and it may be the first step that an unethical person takes to mess with your life. I would just like to discuss some of the ways that a criminal might try to access your documents or online accounts.

Through Trickery (Phishing)

With the ‘anonymity’ of the internet, everyone can pretend to be anybody. Anyone can easily contact you with some type of story designed to trick you into sharing your personal information. These communications will usually come in the form of emails, instant messages, links on social networks, and maybe even some phone calls. Regular people are able to send you an email that looks just like the emails that you have been receiving from your bank, eBay, PayPal, and so on. Probably the most popular storyline in any of these communications is that there is some type of fraudulent activity or other problem with your online account. An official-looking email is usually sent out in a spam-like fashion, and its purpose is to ‘alert’ you to this (fake) problem with your account. Now that you’re worried about the account that’s in (fake) jeopardy, you will be encouraged to click on a link so that you can be taken to the website where you can resolve this issue. This is what’s known as phishing (and with good reason) – basically the criminal is casting a line and waiting for a sucker to take the bait.

When you click on the link that’s supplied in the email (or other communication) – you are usually taken to a counterfeit website that looks exactly like your online bank, stock broker, email provider, or whatever company the crooks are pretending to be. This website is fake and has only one purpose: to capture your login or other sensitive information. Everything relies on you being flustered by the original alert in the first communication. The criminals want you to concentrate on trying to fix this ‘problem’ or ‘fraud’ that is associated with your account, so that you aren’t paying attention to anything else. Once you’re good and frantic, the link directs you to the website that looks exactly like what you’re used to and you just start entering whatever information it prompts you for. This information goes directly to the hooligans behind these fake emails and websites. They use your information to log in to the real website and access your identity and/or financial data.

Read my other article to learn how to protect your information.

Venturing a guess

The closer you are to a person, the easier it is to guess their password. I know that you think you’re pretty smart and you have an original password, but as Tyler Durden would tell you – you are not a beautiful and unique snowflake. Most people use the same crap when it comes to creating passwords.

When guessing a password, you might as well start with names. People like to use the name of their pets, lovers, children, friends, relatives, and so on. Names would also include your favorite celebrity, sporting team, athletes, school, city, etc. Once you’ve failed with the name game, numbers are your next best bet. People might use important dates, digits of their social security number, license plates, or even the ridiculously stupid ‘123’ and such. When you come up short with numbers alone, you should try a combination of important names and numbers. After that, you can try passwords made up of one word or something short and very simple like qwerty, password, passcode, admin, love, letmein, money, secret, or even a swear word. If your password isn’t one of the guesses mentioned above, I applaud you.

Like I said, the more you know about a person – the easier it is to guess their password. Criminals don’t necessarily need to know you on a personal basis in order to obtain this type of information though. A lot of background information can be found on the web for free, and almost anything else that can’t be found is available for under $50. To a criminal, it might be worth the $50, depending on what they can get after they have your online accounts.

Keep in mind that most websites require the use of at least one number in your password. This means that most people will simply add a 0 or 1 to the beginning or end of their password. Obviously, any guesses would need to conform to your account’s specific password requirements. What I mean is that if the website requires that your password be at least 6 characters long and include at least 1 number – all of the guesses would be adjusted to meet that criteria.

Read my tips for choosing better passwords.

Brute Force Attacks


Imagine that your password consisted of only 1 lower-case letter in the English alphabet. A piece of brute force software would systematically attempt all of the 26 possibilities until it found your password. For the sake of argument, we’ll say that this program can attempt 1 password a second. This means that in a maximum of 26 seconds, your password would be cracked. It might take only 1 second if your password was the letter ‘a’ – assuming that the brute force started guessing from ‘a’ and finished with ‘z’.

When calculating how long it might take a brute force program to solve your password, the important things to consider are:
(a) The range of characters available for use in your password (such as lower-case characters, upper-case characters, numbers, symbols, punctuation, etc.)
(b) How many characters in length your password is
(c) How many passwords the brute force software can attempt in a second, and
(d) How many computers are carrying out the brute force attack on your password

Now, let’s pretend that you upgraded your password of 1 lower-case letter to a 10 character password consisting of upper and lower-case letters. There are 26 lower-case letters and 26 upper-case letters, so each of the 10 characters in your password would contain 1 of these 52 available characters with the possibility of having duplicate characters. To see how long this would take to crack we’ll start with what we know so far. (a) = 52 and (b) = 10. We’ll say that this evil person is able to attempt 1,000,000 passwords per second, which isn’t uncommon (against a password hash) – and he’s working with only one computer. These assumptions give us (c) = 1,000,000 and (d) = 1. Now that we have everything we need, let’s figure out the maximum amount of time that it will take for our criminal friend to crack our 10 letter password with the brute force method. The formula goes like this, (a) to the power of (b) divided by (c) which is divided again by (d).

For our specific example we end up with this formula: (52^10) / 1,000,000 / 1.

Our calculation shows that the brute force could take a maximum of 144,555,105,949 seconds. That is the equivalent of 2,409,251,766 minutes, 40,154,196 hours, 1,673,092 days or 4,584 years. For comparison, a password containing 6 lower-case letters would only take 5 minutes to brute force with the same attempts per second. Keep in mind that your password is likely to be solved before the very last attempt, and the bad guy could always use multiple computers to cut down on the time that it would take to run the brute force.
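The (a)/(b)/(c)/(d) arithmetic above, carried through in code so you can plug in your own password policy and attacker speed. This is an added example, not code from the original post; the character-class sizes, the 365-day year and the "half the keyspace on average" rule are my assumptions.

```python
"""Brute-force cost estimator using the article's four quantities:
(a) alphabet size, (b) password length, (c) guesses per second per machine,
(d) number of machines working on the same password."""
from dataclasses import dataclass
import string

# Sizes of the character classes a password policy may allow.
# Lower/upper counts match the article (26 each); symbols = ASCII punctuation (assumed).
CHAR_CLASSES = {
    "lower": len(string.ascii_lowercase),   # 26
    "upper": len(string.ascii_uppercase),   # 26
    "digits": len(string.digits),           # 10
    "symbols": len(string.punctuation),     # 32
}


def alphabet_size(*classes: str) -> int:
    """(a): how many distinct characters each position can hold."""
    return sum(CHAR_CLASSES[c] for c in classes)


def keyspace(a: int, b: int) -> int:
    """Total candidates: (a) to the power of (b). Python ints never overflow."""
    return a ** b


def worst_case_seconds(a: int, b: int, c: int, d: int = 1) -> int:
    """Time to try every candidate: (a)^(b) / (c) / (d), floored to whole seconds."""
    return keyspace(a, b) // (c * d)


def expected_seconds(a: int, b: int, c: int, d: int = 1) -> float:
    """On average the right guess is hit halfway through the keyspace (assumption)."""
    return keyspace(a, b) / (c * d) / 2


@dataclass
class Breakdown:
    minutes: float
    hours: float
    days: float
    years: float  # 365-day years, as assumed here


def breakdown(seconds: float) -> Breakdown:
    """Express a duration in the units the article uses."""
    return Breakdown(seconds / 60, seconds / 3600, seconds / 86400, seconds / (365 * 86400))
```

Running `breakdown(worst_case_seconds(alphabet_size("lower", "upper"), 10, 1_000_000))` reproduces the article's 10-character figures, and passing `d=1000` shows how a thousand machines divide the wait.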

Read my other article to learn how to create stronger passwords.

Dictionary Attacks

Somewhat similar to brute force attacks, dictionary attacks will attempt to guess your password by submitting word after word from a huge list. Dictionary attacks will usually result in a faster completion over the brute force method because it only guesses passwords that are more likely to exist rather than every single possible combination of letters, numbers and symbols. Since most people choose simple passwords that are fewer than 8 characters – these passwords are usually very easy to predict. All a crook needs to do is create and maintain a custom list of common passwords (with a few variations of each) and then unleash it on some unsuspecting target.

Don’t let the word ‘Dictionary’ fool you – it’s more of a custom list that is downloaded off of the internet or created by the criminal performing the attack. The password ‘iloveben’ wouldn’t be found in your common dictionary, but it might be included on a list used for dictionary attacks. The beauty of a dictionary attack is that the criminals can tailor their list to a particular person or website that they want to attack. If the bad guy is trying to gain access to an administrator account on some website about butterflies, the bad guy can simply import butterfly-related words and phrases into the password list being used for the attack.
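A defender's view of the same idea: a server-side check that rejects the passwords a tailored list would try first, covering the common words from the guessing section, the "add a 0 or 1" tweak, and site vocabulary like the butterfly example. This is an added example, not code from the original post; both word lists are constructed stand-ins and the 8-character minimum is an assumption.

```python
"""Reject passwords that would sit near the top of a dictionary-attack list."""
from typing import Optional

# Constructed stand-in for a downloaded common-password list.
COMMON_PASSWORDS = {"password", "passcode", "admin", "love", "letmein",
                    "money", "secret", "qwerty", "123", "iloveben"}
# Constructed site vocabulary, mirroring the article's butterfly-site example.
SITE_WORDS = {"butterfly", "monarch", "swallowtail", "chrysalis"}
MIN_LENGTH = 8  # assumed policy minimum


def strip_edge_digits(word: str) -> str:
    """Undo the usual "tack a 0 or 1 on the front or back" variation."""
    if word[:1].isdigit():
        word = word[1:]
    if word[-1:].isdigit():
        word = word[:-1]
    return word


def is_guessable(candidate: str) -> Optional[str]:
    """Return a rejection reason, or None if the password passes this check."""
    if len(candidate) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    lowered = candidate.lower()
    # Check both the raw (case-folded) form and the digit-stripped form.
    for form in {lowered, strip_edge_digits(lowered)}:
        if form in COMMON_PASSWORDS:
            return f"'{form}' is on the common-password list"
        if form in SITE_WORDS:
            return f"'{form}' is vocabulary specific to this site"
    return None
```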

Read my other article to learn how to create stronger passwords.

Password Reset

It appears that this method may be the easiest one that someone can use to gain access to your online accounts. We have all used the “Forgot your password?” option at one point or another. This is where the website that you’re trying to access will ‘do you a solid’ and email your old password to you or hook you up with a new password after you answer some security questions. The trouble with this reset function is that the security questions are usually pretty dumb. Anyone would be able to reset your password if he/she can find out the name of your dog, where you attended school, where you were born, what streets you’ve lived on in the past or some other trivial crap.

This is where your extravagant blog posts or information on MySpace, Facebook or Twitter come into play. You have probably already posted something about the answer to each of your security questions without even thinking twice about it. People have even started stockpiling this information by sifting through webpages and social networks to build databases of common pet names and related content that they can then sell to information-hungry criminals.

Read my other article to learn how to be safer online.

Recording your keystrokes

As the name suggests, a ‘keylogger’ will maintain a log of the keystrokes made on a given computer. This means that whenever you type your login information, it is recorded and stored on your computer for later review or secretly transmitted to the person who wants to steal this information. Keyloggers are very common on public computers (such as those in an internet cafe) and work computers.

Keyloggers exist in a variety of forms.

It could be a piece of software that pretty much runs invisibly on your computer. Most of the time, you will not see a keylogger program running on your taskbar or system tray. Sometimes keyloggers are hidden inside of other programs or renamed to look like other software, which makes it hard for a human to detect. These keyloggers could accidentally be installed by you, your family members or perhaps a friend. Another possibility is that someone intentionally installed the keylogger on your computer.

Another type of keylogger is a little piece of hardware that is physically connected to your computer. It could be as simple as a USB stick that is plugged into the back of your computer or it could be located inside of the computer case. Just imagine an unscrupulous computer technician working at your local repair shop, attaching a keylogger to every computer that comes his/her way. Whenever you take your computer in to get fixed, he/she downloads your keystrokes and then accesses your accounts or sells the information.

I suggest you download the free trial version of AVG Internet Security and scan your computer.

Final Ramblings

Once you have read how these criminals attack your password, it’s pretty easy to figure how to prevent them from doing so.

Don’t get tricked

Find a strong internet security suite to protect you from spam emails, fake websites and keyloggers. Don’t download any programs attached to communications from suspicious sources. Don’t click any links in any private messages that are notifying you of a problem with your account. If you think that there might be a real problem with your account, manually type the website’s address into your browser and log in to fix it. Don’t tell anyone your login information, even if they say that they are some official person working at some official company. Companies will never ask you for that kind of information; they already have access to it and they can even reset it if they need to.

Create strong passwords

Create long passwords that use as many different characters as possible. Use a different password for every account that you have. If you need help remembering these passwords, you should definitely get your free copy of RoboForm and / or the portable version, RoboForm2Go.

Create strong security answers

I would recommend that you use strong passwords for your security questions, but that’s because I keep them saved in my SafeNotes with RoboForm. If you don’t want to use random characters for your answers, I might suggest that you lie to them. Tell them anything else that’s easy to remember, as long as it isn’t the real name of your dog. =)

If you have the time – read this next article on creating and maintaining good passwords.

Link to this Article:
http://www.randomlywriting.com/technology/understanding-the-threats-and-popular-password-cracking-methods/