digg

Facebook Connect Join Digg About

How I’d Hack Your Weak Passwords

onemansblog.com Great info to know.. Thanks again John.....

Who dugg this? Made popular Mar 27, 2007

Digg DudeWhat is Digg?

Digg is a place for people to discover and share content from anywhere on the web. Digg surfaces the best stuff as submitted and voted on by the community. Take the Tour to learn more.

168 Comments

show profanity settings
expand all
  • Akaji, on 10/12/2007, -2/+219Oh, good, he wouldn't guess 12345. Me and my luggage are safe for now...
  • TheAstronomer, on 10/12/2007, -5/+137What's that vibrating in your bag? Nine times out of ten it's an electric razor, but every once in a while...
  • CAPSLOCKISCOOL, on 10/12/2007, -8/+130After 10 minutes of loading:

    If you invited me to try and crack your password, you know the one that you use over and over for like every web page you visit, how many guesses would it take before I got it?

    Let’s see… here is my top 10 list. I can obtain most of this information much easier than you think, then I might just be able to get into your e-mail, computer, or online banking. After all, if I get into one I’ll probably get into all of them.

    1. Your partner, child, or pet’s name, possibly followed by a 0 or 1 (because they’re always making you use a number, aren’t they?)
    2. The last 4 digits of your social security number.
    3. 123 or 1234 or 123456.
    4. “password”
    5. Your city, or college, football team name.
    6. Date of birth - yours, your partner’s or your child’s.
    7. “god”
    8. “letmein”
    9. “money”
    10. “love”

    Statistically speaking that should probably cover about 20% of you. But don’t worry. If I didn’t get it yet it will probably only take a few more minutes before I do…

    Hackers, and I’m not talking about the ethical kind, have developed a whole range of tools to get at your personal data. And the main impediment standing between your information remaining safe, or leaking out, is the password you choose. (Ironically, the best protection people have is usually the one they take least seriously.)

    One of the simplest ways to gain access to your information is through the use of a Brute Force Attack. This is accomplished when a hacker uses a specially written piece of software to attempt to log into a site using your credentials. Insecure.org has a list of the Top 10 FREE Password Crackers right here.

    So, how would one use this process to actually breach your personal security? Simple. Follow my logic:

    * You probably use the same password for lots of stuff right?
    * Some sites you access such as your Bank or work VPN probably have pretty decent security, so I’m not going to attack them.
    * However, other sites like the Hallmark e-mail greeting cards site, an online forum you frequent, or an e-commerce site you’ve shopped at might not be as well prepared. So those are the ones I’d work on.
    * So, all we have to do now is unleash Brutus, wwwhack, or THC Hydra on their server with instructions to try say 10,000 (or 100,000 - whatever makes you happy) different usernames and passwords as fast as possible.
    * Once we’ve got several login+password pairings we can then go back and test them on targeted sites.
    * But wait… How do I know which bank you use and what your login ID is for the sites you frequent? All those cookies are simply stored, unencrypted and nicely named, in your Web browser’s cache. (Read this post to remedy that problem.)

    And how fast could this be done? Well, that depends on three main things, the length and complexity of your password, the speed of the hacker’s computer, and the speed of the hacker’s Internet connection.

    Assuming the hacker has a reasonably fast connection and PC here is an estimate of the amount of time it would take to generate every possible combination of passwords for a given number of characters. After generating the list it’s just a matter of time before the computer runs through all the possibilities - or gets shut down trying.

    Pay particular attention to the difference between using only lowercase characters and using all possible characters (uppercase, lowercase, and special characters - like @#$%^&*). Adding just one capital letter and one asterisk would change the processing time for an 8 character password from 2.4 days to 2.1 centuries.



    Password Length |All Characters | Only Lowercase
    | |
    3 characters | 0.86 seconds | 0.02 seconds
    4 characters | 1.36 minutes | 046 seconds
    5 characters | 2.15 hours | 11.9 seconds
    6 characters | 8.51 days | 5.15 minutes
    7 characters | 2.21 years | 2.23 hours
    8 characters | 2.10 centuries | 2.42 days
    9 characters | 20 millennia | 2.07 months
    10 characters | 1,899 millennia | 4.48 years
    11 characters | 180,365 millennia | 1.16 centuries
    12 characters | 17,184,705 millennia | 3.03 millennia
    13 characters | 1,627,797,068 millennia | 78.7 millennia
    14 characters | 154,640,721,434 millennia | 2,046 millennia


    Remember, these are just for an average computer, and these assume you aren’t using any word in the dictionary. If Google put their computer to work on it they’d finish about 1,000 times faster.

    Now, I could go on for hours and hours more about all sorts of ways to compromise your security and generally make your life miserable - but 95% of those methods begin with compromising your weak password. So, why not just protect yourself from the start and sleep better at night?

    Believe me, I understand the need to choose passwords that are memorable. But if you’re going to do that how about using something that no one is ever going to guess AND doesn’t contain any common word or phrase in it.

    Here are some password tips:

    1. Randomly substitute numbers for letters that look similar. The letter ‘o’ becomes the number ‘0′, or even better an ‘@’ or ‘*’. (i.e. - m0d3ltf0rd… like modelTford)
    2. Randomly throw in capital letters (i.e. - Mod3lTF0rd)
    3. Think of something you were attached to when you were younger, but DON’T CHOOSE A PERSON’S NAME! Every name plus every word in the dictionary will fail under a simple brute force attack.
    4. Maybe a place you loved, or a specific car, an attraction from a vacation, or a favorite restaurant?
    5. You really need to have different username / password combinations for everything. Remember, the technique is to break into anything you access just to figure out your standard password, then compromise everything else. This doesn’t work if you don’t use the same password everywhere.
    6. Since it can be difficult to remember a ton of passwords, I recommend using Roboform. It will store all of your passwords in an encrypted format and allow you to use just one master password to access all of them. It will also automatically fill in forms on Web pages, and you can even get versions that allow you to take your password list with you on your PDA, phone or a USB key.
    7. Once you’ve thought of a password, try Microsoft’s password strength tester to find out how secure it is.

    Another thing to keep in mind is that some of the passwords you think matter least actually matter most. For example, some people think that the password to their e-mail box isn’t important because “I don’t get anything sensitive there.” Well, that e-mail box is probably connected to your online banking account. If I can compromise it then I can log into the Bank’s Web site and tell it I’ve forgotten my password to have it e-mailed to me. Now, what were you saying about it not being important?

    Often times people also reason that all of their passwords and logins are stored on their computer at home, which is save behind a router or firewall device. Of course, they’ve never bothered to change the default password on that device, so someone could drive up and park near the house, use a laptop to breach the wireless network and then try passwords from this list until they gain control of your network - after which time they will own you!

    Now I realize that every day we encounter people who over-exagerate points in order to move us to action, but trust me this is not one of those times. There are 50 other ways you can be compromised and punished for using weak passwords that I haven’t even mentioned.

    I also realize that most people just don’t care about all this until it’s too late and they’ve learned a very hard lesson. But why don’t you do me, and yourself, a favor and take a little action to strengthen your passwords and let me know that all the time I spent on this article wasn’t completely in vain.

    Please, be safe. It’s a jungle out there.
  • fxmcleod, on 10/12/2007, -0/+103interesting, and now watch as we explain:
    "How we'd crash your server"
  • a3r0, on 10/12/2007, -1/+88Hey, if you type your digg password in the comments, it comes out as stars! Look:

    ********

    Try it!
  • kidc, on 10/12/2007, -2/+78Digg responds with its own article: "How we'd crash your weak server"
  • cinnix, on 10/12/2007, -0/+55Yup, thats so that they can check their Digg history tomorrow when the server is back, and read the article.
  • mstrike, on 10/12/2007, -2/+48iloveboys69

    Hey you lied to me!
  • draebor, on 10/12/2007, -35/+78In Soviet Russia, password cracks YOU.
  • CAPSLOCKISCOOL, on 10/12/2007, -2/+43hunter2

    do you guys really see stars?
  • mikeazorin, on 10/12/2007, -2/+37Is there a cat stepping on your shift key as you type?
  • elvenseven, on 10/12/2007, -1/+36- I tried setting my hotmail password to penis.
    - It said my password wasn't long enough. :(

    http://bash.org/?136524
  • THX8612, on 10/12/2007, -0/+32I knew you guys were going to burn me for trying to be cute.
  • THX8612, on 10/12/2007, -1/+29Your right it works


    p@ssw0rd

    Wait, what?
  • ilkeryoldas, on 10/12/2007, -1/+28hah.. I'm save with qwerty!
  • BadgerAttack, on 10/12/2007, -3/+30HA! you forgot the classic abc123
  • inactive, on 10/12/2007, -1/+25or "notmypassword"
    that's notmypassword.
  • StickWST, on 10/12/2007, -3/+26Social Bookmarking mother ***** do you USE IT?!
  • tuxidomasx, on 10/12/2007, -0/+22dugmirror has been droppin the ball lately
  • Roger, on 10/12/2007, -1/+22*****, how'd you guess my password?

    Guess its back to "letmein".
  • hijinks, on 10/12/2007, -3/+22i know this canadian who on his webserver made the following test account and wondered why his server got hacked

    user: test
    pass: test
  • JamesWilson, on 10/12/2007, -2/+21"If I cracked your weak passwords"
  • inactive, on 10/12/2007, -3/+22EAIEAEAEAIEA?
  • nogami, on 10/12/2007, -1/+19Well, one of the notes here is that thieves might try and crack an account by blasting it with a big dictionary attack...

    Don't know what kind of security those sites might have, but if I was writing the code, more than about 5 or 10 bad passwords within a couple minutes would probably be grounds for blocking the IP at least temporarily - or requiring an email validation to unlock the account.

    And that ends that particular threat. Just lock the account after a certain number of bad guesses, or send a warning email to the rightful owner.
  • jpozadzides, on 10/12/2007, -2/+17You're not kidding. :-) This is the third time in the last few weeks that one of my articles hit the Digg homepage.

    I've already purchased a much, much more powerful 64 bit dual processor beast of a machine, but had some difficulty with the Wordpress migration and didn't get it moved off this old crappy server just yet. :-(

    I guess I need to make it a little higher priority... but damn, it always happens when I least expect it... and I don't even make a dime off this blog! :-)
  • Rayor, on 10/12/2007, -5/+20 hey, if you type in your pw, it will show as stars
    ********* see!
    hunter2
    doesnt look like stars to me
    *******
    thats what I see
    oh, really?
    Absolutely
    you can go hunter2 my hunter2-ing hunter2
    haha, does that look funny to you?
    lol, yes. See, when YOU type hunter2, it shows to us as *******
    thats neat, I didnt know IRC did that
    yep, no matter how many times you type hunter2, it will show to us as *******
    awesome!
    wait, how do you know my pw?
    er, I just copy pasted YOUR ******'s and it appears to YOU as hunter2 cause its your pw
    oh, ok.

    Gotta love http://bash.org
  • OhROFL, on 10/12/2007, -0/+13duggmirror ~ Terrell Owens

    (Dropping the ball for all you non-football people)
  • shlolz, on 10/12/2007, -1/+13I can't bElive thAt!
  • istatic, on 10/12/2007, -1/+13diggler131
  • hiPpymIck, on 10/12/2007, -0/+12psychology of password choice..
    http://psychologytoday.com/articles/pto-20020101-000006.html
  • clickmyface, on 10/12/2007, -0/+12Capslockiscolo quoted the article early on in the comments. Scroll up.
  • mstrike, on 10/12/2007, -0/+10In the field of being a computer fixing monkey, oddly enough I get at least one person a day who has their password as "corvette." Pretty weird.
  • MisterCookie, on 10/12/2007, -0/+10Duggmirror didn't catch it.
  • ThreeDee912, on 10/12/2007, -3/+12great hint...

    EA Games?
  • CAPSLOCKISCOOL, on 10/12/2007, -4/+13Ophcrack cracks windows passwords http://ophcrack.sourceforge.net/
  • Rayor, on 10/12/2007, -0/+9Damn it! I wish digg wouldn't disable editing while you were in the middle of it!
  • krinthekuz, on 09/16/2008, -0/+8and don't forget rainbow tables which are available for many ciphers on bittorrent networks. and seeds are NOT substantive protection against rainbow tables. if the seed is any function f(n), and g(n) is the inverse of f(n), then the table just needs to have g(n) applied before searching for the value. if the seed function is not reversible, then it's essentially a new custom cipher which subjects you to the strengths and weaknesses of security in obscurity. in other words, seeds may protect you from script kiddies who use rainbow tables, but any real hacker with rainbow tables will break in without any problem.
  • ProtonageNet, on 10/12/2007, -0/+8I don't like the numbers on this.. Use gigabytes worth of rainbow tables to get a complex special character password cracked within minutes.
  • THX8612, on 10/12/2007, -11/+19therE wAs this company I used to do tEch support for. And would you bElive thAt they used "p@ssw0rd' as an internal universal network password. I refusE to sAy who this comapny is. Just that "It's in thE gAme."
  • musicaltech, on 10/12/2007, -2/+10Don't suppose we could get his input on how to set up a server in case it's dugg next, can we?

    @capslock

    Thanks :)
  • afreakinninja, on 10/12/2007, -0/+7"God", "love", "money"? What the *****? Nobody uses those passwords. That was invented by a writer for a ***** movie.
  • DrDabbles, on 10/12/2007, -1/+7Sadly, he's a little behind the times. It would take that long to generate passwords, sure. But using a rainbow table against a hash would work far more effectively. Of course, that assumes access to a hash. This could, naturally, be come by fairly easily. Either using a sniffer, back door, etc., I could watch your hash flow over the network.

    Hacking has lost its black art. Now, everybody relies on a script or toolkit. Why not be creative? Bundle attacks. Sure, it's harder and takes more real world skill, but the results would be far better. Scripters get crumbs. Real hackers get data.
  • antdude, on 10/12/2007, -3/+9Not anymore. ;)
  • Daniel001, on 10/12/2007, -2/+8That article is a very long-winded way of making some pretty obvious points.
  • Phlag, on 10/12/2007, -0/+6It wouldn't, but there are plenty of sites that don't have such protection features. And after your password is compromised from one of these less secure login services, you're screwed, unless you use multiple passwords - which is one of the major recommendations of this article.
  • electrophile, on 10/12/2007, -0/+6not to mention the lock to the air shield!
  • ohthehumanity, on 10/12/2007, -4/+9How id bury your server
  • briankealer, on 10/12/2007, -0/+5@fxmcleod

    I was just going to say that. He needs to focus on getting a real server instead of thinking about how to hack weak passwords.
  • a3r0, on 10/12/2007, -5/+10Hey, don't worry guys, it shows as stars to everyone but you!

    You guys can go ******** my ********ing ********!

    Haha! I'm not swearing, its my password!
  • ryancxx, on 10/12/2007, -0/+5A quantum computer server can
  • Fetching more discussions...
    Show 51 - 100 of 164 discussions

  • Add a Comment

    Login or register to comment!
    Or, sign-in super fast with your Facebook account ...

© Digg Inc. 2009 — Content created and posted by Digg users is dedicated to the public domain | Terms of Use Updated | Privacy Policy
DIGG, DIGG IT, DUGG, DIGG THIS, Digg graphics, logos, designs, page headers, button icons, scripts, and other service names are the trademarks of Digg Inc.