Don’t Be Cracked: The Math Behind Good Online Passwords
When breaches happen, the focus often turns to advice about what to do: “be sure to change your passwords immediately…”, “follow these 8 tips to stay safe online…” You’ve seen them all. Unfortunately, these warnings and tips seem to fall on deaf ears. Data from previous password breaches shows that people are still routinely using common passwords like “password”, “qwerty” or “123456.” There’s math behind why passwords like those are weak and why others, like “p@s$w0rdD0gB1t3”, are strong. The good news is that creating more secure passwords might be as simple as adding two more characters.
The Basics: Password Storage & Hashes
Organizations usually store passwords in one of two ways – 1) as plain text or 2) as hashes. Plain text storage means that an intrusion of the database would give away complete login details, full username and password – not a good idea. Hashes provide an extra layer of security.
Hash operations are one-way mathematical formulas that take input, like a password, and transform it into a hash (see table below). The beauty of the hash is that it’s very difficult to get the original password from just the hash. You are able to turn a password into a hash very easily, but it’s impossible to turn a hash into a password. Think of a broken window. You can turn a window into shattered glass, but it’d be near impossible to turn that shattered glass back into a window. It’s a one-way street.
Systems typically store passwords as one-way hashes, like the ones above, so when a user tries to log in using their password, that text is transformed into the corresponding hash and cross referenced against the hash stored in the system for that user.
How Do Hackers Get Passwords?
Sometimes a hacker will exploit a vulnerability in the system and get access to the data in the table above. The hacker now has his hands on the usernames and the password hashes but needs the actual password to log in to the account.
Remember, it’s impossible to go backwards from the hash to password. The hacker’s only option is to “go forward” as many times as he needs to. “Going forward” means the hacker is performing the same hash-producing mathematical operation (with computer-generated guesses) on a variety of passwords until the right hash is produced.
For example, using email@example.com, the hacker might perform the hash operation on the commonly used password “Password” and get the following result: “dc647eb65e6711e155375218212b3964,” which according to the table above, is not a correct hash match, thus not the right password.
The hacker’s computer keeps trying and trying and trying again, with billions of random and commonly known passwords, until he arrives at “Password1” which, here, matches the hash in the table above: “2ac9cb7dc02b3c0083eb70898e549b63.” Now he knows that firstname.lastname@example.org’s password is “Password1”. Although this may seem laborious, a computer can easily guess over 1 billion passwords per second.
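The forward-only check described above, as an added example that is not part of the original article. It assumes the stored digests are unsalted MD5 (the two hash values quoted in the text are MD5 digests) and uses a constructed one-row credential table; the login system and the guesser perform exactly the same operation, which is why a leaked hash table can be tested offline.

```python
import hashlib
from typing import List, Optional, Tuple

# Constructed credential record in the form the article describes: a username
# stored next to the one-way hash of its password (assumed unsalted MD5).
STORED_HASHES = {
    "email@example.com": "2ac9cb7dc02b3c0083eb70898e549b63",
}


def hash_password(plaintext: str) -> str:
    """The 'forward' direction: turn a password into its hex digest."""
    return hashlib.md5(plaintext.encode("utf-8")).hexdigest()


def verify_login(username: str, attempt: str) -> bool:
    """What the login system does: hash the attempt and compare it to the stored
    hash. No password is ever recovered from the hash; only equality is checked."""
    stored = STORED_HASHES.get(username)
    return stored is not None and hash_password(attempt) == stored


def count_guesses_until_match(stored_hash: str, guesses: List[str]) -> Tuple[Optional[str], int]:
    """The only option the text leaves an attacker: hash guess after guess and
    compare. Returns the matching guess (or None) and how many hashes it took,
    which is the quantity the crack-time table in the next section is built on."""
    for n, guess in enumerate(guesses, start=1):
        if hash_password(guess) == stored_hash:
            return guess, n
    return None, len(guesses)


if __name__ == "__main__":
    print(hash_password("Password"))   # the non-matching digest quoted in the text
    print(verify_login("email@example.com", "Password1"))
    print(count_guesses_until_match(STORED_HASHES["email@example.com"],
                                    ["password", "qwerty", "Password", "Password1"]))
```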
How Long Does It Take for a Hacker to Get Your Password?
The short answer: it depends, but very quickly if your password is weak.
- If your password is eight characters long and all lower-case, like “password,” it would take a hacker 3.5 minutes to guess it.
- Changing one of those lowercase characters to an uppercase character, like “Password,” means it would take him almost 15 hours.
- Replacing any letter with a special character and keeping the uppercase character, like “P@ssword,” means it would take the hacker 70 days to guess your password.
- If you added a single character to “P@ssword” to form “P@ssword1” it would take the hacker 18 years to guess the password.
- If you added two characters to “P@ssword,” to form “P@ssword11” it would take the hacker 1,707 years to guess the password.
So on and so forth until you arrive at some astronomical numbers. See the table below:
| Character set | 8 characters | 9 characters | 10 characters | 11 characters | 12 characters |
|---|---|---|---|---|---|
| LC | 208 seconds | 90 minutes | 39 hours | 42 days | 3 years |
| LC & UC | 14 hours | 32 days | 4.5 years | 238 years | 12,394 years |
| LC & UC & Digits | 2.5 days | 0.5 years | 26 years | 1,650 years | 102,304 years |
| LC & UC & Digits & SC | 70 days | 18 years | 1,707 years | 169,546 years | 15,091,334 years |

LC = lowercase
UC = uppercase
SC = special characters (!@#$%^&*, etc.)
Note the bottom right corner of the table. If your password is 12 characters long, contains uppercase and lowercase characters, a digit and a special character it may take over 15 million years for a hacker to guess your password. This is the simple math behind blanket recommendations to increase your password complexity.
NOTE: The math in the above assumes the hacker is randomly generating password guesses.
So What Makes a Password Secure?
Above, we tackled the basics about password storage, the value of hashes and then calculated how long it takes a hacker to get your password using brute force cracking – as quickly as 3.5 minutes in some cases.
What we hope our readers got out of what’s above is that the longer and more complex a password is (complex being defined as containing an uppercase character, a lowercase character, a number and a special character), the longer it takes a hacker to crack.
A 12-character password with each of those elements would take as long as 15,091,334 years to crack with a single computer.
For many people, 15 million years of “protection” might create better peace-of-mind. However, the unfortunate reality with online passwords is that even these long and complex passwords are susceptible to cracking. Here’s why:
In order for a password to be considered secure, it needs to be truly random and unique.
What Does it Mean to Be Truly Random?
Many people choose a base word for their password, like “password,” and transform it to be logically “complex.” So they’ll replace letters with special characters or digits and add some capitalizations. So a password that was “password” becomes P@55w0rD. In fact, if each letter could be one of an uppercase, lowercase, or special character, there are 6,561 (3^8) versions of “password” – which is far from an unbreakable amount.
Thus, a hacker using a brute force technique isn’t just going to start with “aaaaaaaa” and go down the list, “aaaaaaab”, “aaaaaaac”, etc. He is going to apply intelligence to the cracking. That intelligence most often involves using common base words. So not only will he try cracking the very simple “password” but also all 6,561 versions, to include the complex “P@55w0rD”.
There are approximately 220,000 dictionary base words, meaning that even if you added up to three extra digits to your transformed, base-word-based password and formed something like “P@55w0rD123,” a computer would take about 26 minutes to crack it – no matter how long the password is. With complete randomness in a password, hackers can’t make common base word assumptions about your password and cut down the brute force space.
But that’s not all. A secure password must also be unique.
What Does it Mean to Be Unique?
Unfortunately, some companies still store actual text passwords in their databases instead of the hashes so if a hacker gets into the system, he now has more base words to add to his roster. So if you use the same password, or even base word, for two accounts and one of those is compromised, no matter how long or random it is, that hash and password are now known. The hacker can then log in to any account that you are using the same password for. This also means that if someone else uses your password, or some version of it as outlined above, you are compromised.
So What Do I Do?
1) Make sure all of your passwords are truly random.
2) Make sure none of your passwords are used by you or anyone else.
How do you do that? Let’s assume for a moment that all 7 billion people in the world have 100 online accounts and have used a different password for each. That makes 700,000,000,000 truly unique passwords in the world.
In order for there to be .0001% chance that you have the same password as someone else, you’d need to choose from 7 quintillion passwords, that’s 7,000,000,000,000,000,000. That may sound like a lot, and it is. If you’re using a Standard English keyboard (94 characters) that’s a 16 character password, which would take 1 quadrillion years to brute force crack, and can’t be circumvented by a shortcut.
Since you cannot control what companies do with your password, we recommend having a 16 character truly random and unique password so the hacker can’t leverage someone else’s password to figure out yours and has to do the hard work (read 1 quadrillion years) to figure it out.
How is anyone supposed to remember 100 truly random and unique, 16 character passwords?
Online password managers. This is what everyone recommends but never tells you why. Using these services you only have to remember one password, so make it good! The only shortcut to getting your password now is to get access to your computer itself – another series of articles altogether. The online password manager remembers the rest for you. In fact, it might even be more convenient for you, since you now only have to remember one password. And it’s more secure.
They each have their own advantages and work for different platforms so it’s difficult to recommend just one. Try a few for yourself and see which you prefer.