How easily can a hacker break your password?

Hmm… I’d say pretty much the same as taking random letters, except that they’d be weighted somewhat towards more common letters, which doesn’t make much of a difference.

That’s what I teach my students to do - take a song lyric or poem and use the first/last letters, with modifications. The first lines of the Gettysburg Address would yield a password like: 4Sa7YaoFB4. A snap to remember and damn-near bulletproof.

I do this using works that I have written myself so they are easy for me to remember and almost impossible for anyone else to figure out. I was never sure why the correcthorsebatterystaple method was an improvement over this, either in ease of remembering or difficulty of hacking.

This is the way to go.

Passwords aren’t that hard to crack with password cracking software. Especially if your password is “password”.

The hackers use a vast botnet of machines to crack the password in parallel. Viruses, trojans, and malware all allow hackers to have access to a lot of machines. And any device connected to the internet is also vulnerable, like routers, smart light bulbs, smart door bells, etc. The hacker may be using thousands of machines at the same time to crack the passwords, which means they can find passwords pretty quickly. And they may be comparing it to hundreds of compromised user databases at the same time. They’re not trying to break the password for the ‘mamazappa’ account. They are encrypting all possible password combinations and comparing it to all the encrypted passwords they have access to.

Basically, they encrypt a string like “mackdonna shoehorn butterhorse” and then look for any matches in the password databases. If they find any matches, they hand the login info off to another process to start hacking the accounts while the cracking process keeps working on breaking passwords.

I imagine the whole thing is pretty automated once they have the user database. Hand the database off to a botnet and wait for the accounts to trickle in. No cost to the hacker since he’s using other people’s computers for the botnet.

Because on a lot of systems you can’t USE a password like 4Sa7YaoFB4. You need to use 2 special characters as well, and that makes it hard for people to remember.

You remember yours because you are smart and picked a long password that is easy for you to remember and hard to crack. The correcthorsebatterystaple method is a way for people who don’t know long strings of literature to just have 4 simple actual words that are easy to remember, but hard to crack.

But doing it this way takes an extremely long time. Most malicious actors won’t be wasting their time brute-forcing hard to crack passwords when there are many other ways to grab passwords from insecure systems with users who have “password” as their password.

As mentioned by filmore, passwords are usually stored as a hash value - a mathematical mapping that converts the password into a nearly unique value in a specified number space, and is one-way. You cannot (easily) reverse the hash.

However, there is a technique called a Rainbow Table which can partially precompute reverse hash values. Rainbow tables are large and computationally expensive: an MD5 mixed-alphanumeric+numbers rainbow table for lengths 1-9 characters is 690 GB, and takes many hours of computing time.

However: most password systems also use a technique called salt. A salt is random characters added to the beginning of the password before hashing to make it longer. The salt for a user is stored with the user data; it does not need to be secret, it just needs to make the password longer, so that reversing the hash requires a much larger rainbow table. The salt should be unique to each user: if all the users on a site had the same salt, an attacker could compute a Rainbow Table based on the common salt.

The Diceware/XKCD approach trades complexity for length - longer passwords are good, but four dictionary words are also simpler (all lowercase, no special symbols/numbers). It is a balancing act between a bunch of factors.

These days, most password hash attacks have to use a dictionary approach to deal with salt, and only attack the most common passwords (common passwords, common dictionary words, common leetified words, between 2000 and 20000 attempts).

But the main rule of hacking is - if you have a password, try it everywhere. So unique passwords are a must for every site.
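An added example (not code from any poster in this thread) that plays out the two posts above: filmore’s description of hashing a list of candidate passwords and comparing the results against every leaked hash at once, and the point that a per-user salt makes that precomputed comparison useless. The users, passwords and candidate list are constructed for the demonstration, MD5 is used only because the thread talks about MD5 tables, and the salt is prepended as the post describes. The `work` counts show why salts matter to the attacker: the unsalted dump costs one hash per candidate regardless of how many users leaked, while the salted dump costs up to (users × candidates) hashes.

```python
import hashlib
import os

# Constructed sample data for the demonstration; none of it comes from a real breach.
CANDIDATES = ["password", "123456", "letmein", "mackdonna shoehorn butterhorse",
              "correcthorsebatterystaple", "qwerty"]
USERS = {"alice": "password", "bob": "letmein", "mamazappa": "4Sa7YaoFB4", "carol": "password"}


def md5_hex(text):
    # MD5 is a fast hash, which is exactly the attacker's friend here; real systems
    # should store passwords with a slow, salted KDF (bcrypt, scrypt, Argon2) instead.
    return hashlib.md5(text.encode()).hexdigest()


def unsalted_dump(users=USERS):
    """What a site that stores plain hash(password) leaks: user -> hex digest."""
    return {user: md5_hex(pw) for user, pw in users.items()}


def salted_dump(users=USERS, salt_bytes=16):
    """What a site that stores a per-user random salt plus hash(salt + password) leaks.
    The salt sits in the clear next to the hash; it is not a secret."""
    dump = {}
    for user, pw in users.items():
        salt = os.urandom(salt_bytes).hex()
        dump[user] = (salt, md5_hex(salt + pw))
    return dump


def crack_unsalted(dump, candidates=CANDIDATES):
    """Hash every candidate once, then join that table against every leaked hash.
    Returns (user -> recovered password, number of hashes computed)."""
    table = {md5_hex(c): c for c in candidates}   # the precomputed side
    found = {user: table[h] for user, h in dump.items() if h in table}
    return found, len(candidates)


def precomputed_hits_against_salted(salted, candidates=CANDIDATES):
    """Looking salted hashes up in the unsalted candidate table finds nothing,
    because hash(salt + pw) never equals hash(pw)."""
    table = {md5_hex(c): c for c in candidates}
    return {user: table[h] for user, (_salt, h) in salted.items() if h in table}


def crack_salted(dump, candidates=CANDIDATES):
    """With unique salts the attacker has to re-hash the candidate list once per user.
    Returns (user -> recovered password, number of hashes computed)."""
    found, work = {}, 0
    for user, (salt, h) in dump.items():
        for c in candidates:
            work += 1
            if md5_hex(salt + c) == h:
                found[user] = c
                break
    return found, work


if __name__ == "__main__":
    plain = unsalted_dump()
    print("unsalted: alice and carol share a hash:", plain["alice"] == plain["carol"])
    print("unsalted crack:", crack_unsalted(plain))
    salted = salted_dump()
    print("salted: alice and carol share a hash:", salted["alice"][1] == salted["carol"][1])
    print("table lookup against salted dump:", precomputed_hits_against_salted(salted))
    print("salted crack:", crack_salted(salted))
```

Note what the salt does and does not do: it stops the one-table-for-everyone join and hides that alice and carol chose the same password, but a user whose password is on the candidate list is still recovered. Only a password outside the list (mamazappa’s 4Sa7YaoFB4 here) survives, and only at the cost of the full candidate list per user.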

I’m really liking the discussion here and don’t want to derail it. I have opened a thread in IMHO asking for recommendations for a good password manager. It can be found here:

Recommend a Good Password Manager/Vault (2017 Edition).

Thanks in advance. You may now return to your regularly-scheduled nerdery.

Not that hard. Just remember that your password string has a 4 and a 7 in it, and end the string with $&.

The thing is most people don’t take even the slightest of precautions with their passwords, and are therefore easy targets for hackers.

The key, though - as per filmore’s most excellent post - is to have a unique one of those for every website you visit. If you have some fancy string of letters and use it everywhere and it gets exposed once, you’re done.

Of course. But the point is, you can pick a poem/song/whatever you like, and just go through it line by line as needed for passwords. Everybody has some work they have memorized to that degree, be it Shakespeare or Eminem.

LOL, have you ever dealt with computer users?? :slight_smile:

True. But systems that take that into account can usually protect users from themselves.

I have doubts that the global pool of well-known poems and lyrics is large enough to make this a good password pool. There are fewer than a million words in the complete works of Shakespeare, and even if a phrase was picked at random with variations made, it is maybe a billion possibilities.

And of course at least 5% of people will pick “2bon2btitq” and think they are being so unique because of the "2"s. :slight_smile:

Sure, if the hackers know that’s what you are using as a source. But why should they? And why limit yourself to “well-known” poems? Pick an obscure song by a group that only you seem to like, or something else unknown. The idea is to have a handy memory crutch that can generate dozens of passwords that are reasonably uncrackable and doesn’t have to be written down anywhere.

It is a whole lot bigger than a billion possibilities. It is much bigger than the number of subatomic particles in the universe. Permutations get unimaginably large very quickly even if you just limit yourself to Shakespeare themes (and there is no reason to do that).

“2bon2btitq” is not a bad password if you thought of it yourself but we can skip that one because you just listed it. It is an abbreviation for a famous line in Hamlet. However, you can still make it just as easy to remember and virtually uncrackable by adding some other elements. How about “Romeo2bon2btitq1616”.

That password is all about Shakespeare but it doesn’t refer to any specific line or theme. It is made up of the name of one of his most famous characters, an abbreviation for a line in a different play and his year of death. There is no way anyone or any computer is guessing that in any reasonable amount of time even though it isn’t hard to remember. You can also increment the year by one every time you are forced to change your password.

I’ve only got a few sites where I really need hard security. Mostly banking and email. Then there are medium sites such as here, Skype and social networks and then a bunch of low level stuff. For the low level stuff, who really cares if my NY Times account gets hacked? I doubt someone is going to be that dedicated to hack anything other than financial things and your email, which can be used to recover passwords.

I’m fortunate enough to have lived in foreign countries and speak Japanese fluently and some Chinese so there is an endless combination of words which would not be in an English dictionary, but are easy for me to remember.

If this is a Windows pc, there are linux boot disks which allow you to remove the password. Not hard to find or use.

Slee

It was a Mac, and he had his user account encrypted with FileVault. I was lucky to retrieve his password hash from an old backup (at least, I hoped it was his current password hash), without that, there would be no way to crack the encryption. As it was, I gave up after a week of trying.

I saw a pretty good password formula a while back. It creates a unique password for every site you use it on, but they are easy to remember.

  1. Create a three or four letter string that is meaningful to you. For example, let’s assume my uncle’s initials are ‘ctr’. Pick one position and capitalize it. So now I might have ‘ctR’.
  2. Pick a four digit string that is meaningful to you. For example, my very first phone number ended in 4908.
  3. Create a three or four letter string based on the site you are visiting and capitalize one position in it. For example, I might be visiting Chase Bank, so I now have ‘chAs’.
  4. Pick one special character. Let’s use !.

Now…put them together in exactly the same order for every password. So let’s say that I use my three letter string, followed by the special character, followed by my site string, followed by my numbers. I then wind up with a unique password for Chase Bank that is: ctR!chAs4908. If I also have an account at Wells Fargo, it would be: ctR!weLl4908.

The end result is a string greater than 8 characters long, containing upper and lower case, numbers and special characters. According to https://howsecureismypassword.net/, it would take about 34,000 years to crack that password (for whatever that is worth :D)
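An added example, not the poster’s own code, that implements the formula above with the post’s hypothetical values (‘ctR’, ‘!’, ‘4908’) and then looks at it the way a cracker would: the site tag is derived from the site name, so once one password from the scheme leaks (say the Chase one, via a breach), the matching password for another site is one of a handful of candidates, and the structural search space for someone who knows the scheme but not the user’s values is far smaller than an online crack-time estimator assumes. The 33 punctuation characters and the 3-or-4-letter tag rule are my reading of the steps above, stated as assumptions.

```python
import math
import re

# The post's own hypothetical values: uncle's initials with one capital, old phone digits.
PERSONAL = "ctR"
SPECIAL = "!"
DIGITS = "4908"

# Assumption: a leaked password in this scheme looks like letters, one punctuation
# character, letters derived from the site name, then four digits.
LEAK_PATTERN = re.compile(r"^([A-Za-z]{3,4})([^A-Za-z0-9])([A-Za-z]{3,4})(\d{4})$")


def capitalize_at(word, pos):
    return word[:pos] + word[pos].upper() + word[pos + 1:]


def site_tags(site_name):
    """Every 3- or 4-letter tag step 3 could produce for a site: the first letters of
    the first word of the site name with exactly one position capitalised."""
    word = re.sub(r"[^a-z]", "", site_name.lower().split()[0])
    tags = []
    for n in (3, 4):
        base = word[:n]
        if len(base) == n:
            tags.extend(capitalize_at(base, p) for p in range(n))
    return tags


def scheme_password(site_tag, personal=PERSONAL, special=SPECIAL, digits=DIGITS):
    """Step 4 of the post: personal string, special character, site tag, digits."""
    return f"{personal}{special}{site_tag}{digits}"


def parse_leaked(password):
    """Recover the user's fixed parts from one leaked password in the scheme."""
    m = LEAK_PATTERN.match(password)
    if not m:
        return None
    personal, special, _site_tag, digits = m.groups()
    return personal, special, digits


def candidates_for_site(leaked_password, other_site):
    """Given one leaked password, the short list a cracker would try at another site."""
    parts = parse_leaked(leaked_password)
    if parts is None:
        return []
    personal, special, digits = parts
    return [scheme_password(tag, personal, special, digits) for tag in site_tags(other_site)]


def structural_keyspace_bits():
    """Search space for a cracker who knows the scheme but not the user's values:
    3- or 4-letter personal string with one capital, one of 33 printable ASCII
    punctuation characters, up to 7 capitalisation variants of a site tag fixed by
    the site name, and four digits."""
    personal_choices = 3 * 26**3 + 4 * 26**4
    return math.log2(personal_choices * 33 * 7 * 10**4)


if __name__ == "__main__":
    chase = scheme_password("chAs")
    print("Chase password:", chase)
    print("candidates for Wells Fargo after a Chase leak:", candidates_for_site(chase, "Wells Fargo"))
    print("bits of search space for someone who knows the scheme: %.1f" % structural_keyspace_bits())
```

Run as-is it prints the seven Wells Fargo candidates, with ‘ctR!weLl4908’ among them, and a keyspace of roughly 42 bits, which is well within reach of offline hash cracking. The online estimate of 34,000 years assumes the attacker treats the string as random characters; the scheme’s regularity is what an attacker exploits instead.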