How important is password strength?

After reading yet another article about the importance of using strong passwords (mixed case, numbers and symbols), I find myself wondering - how many people’s accounts are actually hacked because their password is too weak? Anecdotally, the successful hacks I see reported always seem to be phishing, a large database containing passwords is breached, an email address is co-opted and used for “password reminders” for other accounts, a password reminder hint is common knowledge, or the old yellow sticky-note with passwords on the monitor.

Is it really worthwhile for a hacker to attack an individual account by running through a dictionary on their password? Any actual reports of this that someone can reference?

A few caveats:

  • This is a question about individual accounts, not password strength on something like an admin account or database where breaking the password gets you access to thousands of accounts. That is worth some extra effort to break vs an individual account.

  • I’m not talking about ridiculously weak passwords, like repeating your user name (which I know plenty of people do). I’m thinking more like the example of using your pet names and putting a number at the end (“fidofluffy1”). That would be considered weak because it doesn’t mix cases, has a single digit at the end, and is theoretically “guessable”. But will a hacker really try every permutation of passwords like this? And given that most sites now lock out the account after a number of failed attempts, is this really a significant risk?

I can crack my 4-character password in around 1.5 minutes with a brute-force cracker.
My much more secure 15-character password (the one I use to encrypt my sensitive data) would probably take many months of computation to crack.

How does the brute-force cracker work on a website? Does it just send every possible combination of characters until something works? I’d think that would be foiled by a password lockout after a number of failed attempts. And given typical web response times, it would probably take more than 1.5 minutes.

But I do agree that password length is a worthwhile consideration for the reason you mention.

Well, this is in systems you can’t access without having the server’s addresses, but one of the duties I often perform as a consultant is assist new users on their first days in the live systems.

I must go through “please don’t use [location] as your password. No, your lastname is not a good password either… is your wife’s name Marga?..” with about 80% of the people. These are people who usually can (and will) get fired if they share accounts. If anybody can tell me what’s the point of having different accounts for

  • the person who can order a brand-new Mercedes,
  • the person who can receive the brand-new Mercedes when it arrives to the factory,
  • the person who verifies that the Mercedes is, indeed, a Mercedes and indeed brand-new and in full working order,
  • the person who pays the bill from the Mercedes dealership
  • and the controller,
    each of those accounts being unable to perform the functions listed for the others,
    when all of them have identical passwords, I’d like to hear it.

I, too, am interested in the actual risk that my, say, yahoo account will be hacked by some random stranger looking for info.

I guess a strong password is always better than a weak one, given you can’t predict when someone will come looking for your data, but I think (subject to correction) that it is extremely unlikely that someone will randomly select one of your accounts to attempt to crack utilizing a dictionary or similar attack.

What do people (like me) do when they have literally dozens of minor (message board accounts, informational websites, etc) passwords to remember and they all should have strong, unique passwords? I utilize a pretty unsafe method that I won’t go into, but I wonder what others do.

A typical recommendation is to have a “standard” password, and then append something related to the web site, like the company’s initials or first word of the web site. So “password1” (to use a weak example) becomes “password1cb” on your CitiBank account and “password1boa” on Bank of America.

Or use a password manager. You then need to have a backup plan in case your hard drive or thumb drive gives up the ghost.

Get a password manager like KeePass for your computer/phone and memorize a single strong password.

Every site I use has a different password, but I only need to remember: 85O9iFhrCQFI/dI4gSXq

Very few password attacks are launched against live account systems (due to lockouts). Password attacks are launched offline against stolen password files/databases/sniffed authentication traffic. And weak passwords are more likely to be identified than strong ones.

Once a password file (i.e. a file containing encrypted password data) has been obtained, a rainbow table is used to determine any matches. The size of the rainbow table increases exponentially on the size of the password and the number of characters allowed - a single-case dictionary based rainbow table is several orders of magnitude smaller (and faster to generate/search) than one for long mixed case non-words with non-alpha characters (this link sells precomputed LanMan and NT Authentication Rainbow tables, up to 80Gb in size for a 1-8 char mixed case + non-alpha password). So when a cracker starts on a database file, they will take the easier and faster option of a simple dictionary attack to compromise the many easy accounts, but long, secure passwords will not be attacked unless they specifically choose to do so with a much bigger rainbow table.


Anecdote alert:

I recently learned that my Yahoo email address, which I never use anymore, was hacked. I went to log in, and I was told that my account had some suspicious activity, and I’d have to verify that I was human. After I was verified, I was required to change my password, which consisted of two small English words followed by a two digit number.

When I actually got in, I found my account had a picture of a scantily clad woman on it, that I was listed as female, and that my male avatar had been removed. I also found a few Yahoo messenger windows open, of guys asking me why I added them, and requesting more pics.

As for the data in my account: it was mostly as I left it. There were a few more emails from places I unsubscribed to but didn’t listen, a couple of SPAM in my Inbox (which is why I left Yahoo in the first place) and a couple people who apparently did not email me during the year that I had an automatic reply telling them to change my email. Even after I sent a reply, giving my new email, I would get the same message back. I suspect a bot has hacked her account, too. (If mine had done that, I’d have known about it sooner.)

So I think that hacking into Yahoo accounts is serious business. To change anything on my profile, I had to type in another captcha, so even Yahoo is trying to crack down on it. I’d shut the account down,

I put all my user names and passwords in a spreadsheet that is password-protected. Within the spreadsheet, I do not write the actual names/passwords where possible - I just put hints. So, for example, I could put “wine” as the hint to my SDMB username of “amarone”. When I have to add numbers to a password, I use a limited number of these and each has a hint. So I could have wineWA which would equate to amaronennnn where nnnn is my wedding anniversary.

Quite, in the sense that it’ll most likely keep you from getting randomly attacked. It also makes even a determined attack harder and is likely to frustrate the attacker into picking on someone else.

My version of how to keep track of my passwords is a very simple algorithm.

“Password([Numerical equivalent of first two letters in service]*120)”
First and last letter of the Password-word is always capitalized - for instance, PassworD.

So, for instance, if I was a Citi Bank customer, my password would be:

Password(CI=39*120~4680) - or PassworD4680.

The stranger then uses your account to send out millions of spam messages. Since it’s from Yahoo, a domain you cannot block because it’s so popular, it will get through a lot of spam filters.

We’ve had that happen to us. Of course, this thing is done more often by phishing than by password cracking, but if they can crack it, they can use it.

I use different passwords of different strengths. I use one on sites I don’t care about, another on sites where I want a little extra security, and individual passwords on things like financial sites. When I forget, I just use the password recovery.

The best password tip for strong passwords is to think of a phrase (e.g., the lyrics to a song) and use the first letter of each word. If the word is capitalized, use a capital letter. Use numbers when they are convenient (e.g., “1” for “a” or “4” for “for”). You can then create strong passwords that are easy to remember. Also, start them with a punctuation mark: most password crackers assume the first character is a letter or number (I’d avoid “@” – often used for “a” – or slashes, asterisks, or parentheses/brackets or other characters not allowed).

Personally, I don’t bother with non-alphanumeric characters, or even mixing in upper-case characters and numerals. I find that it’s easier to use passphrases consisting of a string of lower-case words.

For better security, they should be unrelated words, and not limited to nouns, and not making grammatical sense. So

  • ‘parisinthespring’ is not so good (well-known phrase)
  • ‘springparisinthe’ is better, because it does not have grammatical structure
  • ‘banjoparisunder’ is better yet, because the words are unrelated - each word does not give much of a clue about the next. Even knowing the form that your password takes, a dictionary attack would have to try the entire dictionary for each word.

With a modest dictionary of 5,000 common words and names, a three-word password like that would still have 125 billion possibilities. That’s 37 bits, roughly equivalent to a random eight-word password starting with an upper-case letter, ending in a numeral, and having a punctuation mark randomly placed somewhere in it, and in my book ‘banjoparisunder’ is a lot easier to remember, and type, than something like ‘Ybsa&jg4’.
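The arithmetic behind the 125 billion / 37 bits figure, plus the online-versus-offline guessing rates that earlier posts in the thread contrast, as an added example (not from any poster). The rules assumed for the "patterned" 8-character comparison password (symbol set size, lower-case interior letters) are assumptions, since the post does not spell them out:

```python
import math

def passphrase_keyspace(dictionary_size: int, word_count: int) -> int:
    """Number of distinct passphrases made of word_count words drawn, with
    repetition and in significant order, from a dictionary_size wordlist."""
    return dictionary_size ** word_count

def passphrase_bits(dictionary_size: int, word_count: int) -> float:
    """Entropy in bits when every word is chosen uniformly at random."""
    return word_count * math.log2(dictionary_size)

def patterned_keyspace(length: int = 8, symbol_count: int = 32) -> int:
    """Keyspace of the comparison pattern under assumed rules (assumption, not
    stated in the post): upper-case first character, digit last, one symbol
    from symbol_count at a random interior slot, lower-case letters elsewhere."""
    interior = length - 2
    return 26 * 10 * interior * symbol_count * 26 ** (interior - 1)

def expected_crack_seconds(keyspace: int, guesses_per_second: float) -> float:
    """Expected exhaustive-guessing time for a uniformly random secret:
    on average half the keyspace has to be tried."""
    return keyspace / 2 / guesses_per_second

if __name__ == "__main__":
    ks = passphrase_keyspace(5000, 3)
    print(f"5000^3 = {ks:,} ({passphrase_bits(5000, 3):.1f} bits)")
    pk = patterned_keyspace()
    print(f"patterned 8-char = {pk:,} ({math.log2(pk):.1f} bits)")
    # Throttled guessing against a live login vs. offline guessing against
    # a stolen hash list (rates are illustrative assumptions).
    for label, rate in (("online, 10 guesses/s", 10.0), ("offline, 1e9 hashes/s", 1e9)):
        print(f"{label}: {expected_crack_seconds(ks, rate) / 86400:.4f} days")
```

The same three-word passphrase that would take centuries to guess through a rate-limited login falls in about a minute offline at a billion hashes per second, which is why the stolen-database case dominates.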

Ok, so I steal a database of hashed passwords. What good does that do me? At any shop with basic security requirements the password list looks like this:


Instead of:


So the issue is that a hacker can grab a one-way encrypted database but not be able to use it. The way to work around that is to precalculate all the 8 letter and number combinations into a table (generally referred to as rainbow tables) and then compare the two. We plug in “fhjfr23490234d” and we see it’s a hash of “money.” Now we know the real password. You can try an implementation here.

Your hash table with 16+ character passwords with numbers, letters, and symbols is huge and not feasible to generate. Or at least out of the reach of a casual hacker.

That said, passwords also are kinda like door locks. They’re there to keep people honest. They’re too simple to do much against motivated attackers, but good enough for a first line of defense.
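A toy version of the precomputed-table idea described in this post and in the earlier "rainbow table" post, with the defensive counterpart (per-user salt plus a slow KDF) that makes such a table useless. Added example, not code from any poster; the wordlist and passwords are constructed:

```python
import hashlib
import hmac
import os

# Constructed toy wordlist standing in for the "simple dictionary" tried first.
WORDLIST = ["money", "password1", "fidofluffy1", "letmein", "parisinthespring"]

def unsalted_hash(password: str) -> str:
    """Plain one-way hash: identical passwords give identical digests, so one
    precomputed table answers lookups for every user of every site."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def build_lookup_table(words) -> dict:
    """Precompute digest -> plaintext for each candidate. A real rainbow table
    compresses this with hash chains; a plain dict shows the same principle."""
    return {unsalted_hash(w): w for w in words}

def recover(table: dict, stored_digest: str):
    """Plaintext if the stored digest appears in the table, else None."""
    return table.get(stored_digest)

def salted_hash(password: str, salt=None, rounds: int = 100_000) -> str:
    """Defensive storage: 16 random salt bytes per user and PBKDF2-HMAC-SHA256.
    Stored as 'salt_hex$digest_hex'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return salt.hex() + "$" + digest.hex()

def verify_salted(password: str, stored: str, rounds: int = 100_000) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), rounds)
    return hmac.compare_digest(digest.hex(), digest_hex)

def demo() -> dict:
    """Weak word is found instantly; a word outside the list is not; salted
    digests differ per user and never match the precomputed table."""
    table = build_lookup_table(WORDLIST)
    weak = recover(table, unsalted_hash("money"))
    strong = recover(table, unsalted_hash("banjoparisunder"))
    a, b = salted_hash("money"), salted_hash("money")
    return {"weak": weak, "strong": strong, "salts_differ": a != b,
            "salted_hit": recover(table, a.split("$", 1)[1]),
            "verify": verify_salted("money", a)}

if __name__ == "__main__":
    print(demo())
```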

You don’t have to break into an account to use it as a From address to send spam. You can spoof an email address without having the password for it. In fact, it seems like wasted effort to break into accounts to use them to send spam.

Yeah, but to send it from Yahoo’s SMTP servers you need a Yahoo account.

Typically there’s a strict cap on free email servers’ SMTP. It’s not worth it for a spammer to set up an account only to be shut down at 100 emails in an hour or whatever.

Maybe not with Yahoo (though coming from the Yahoo domain will make it harder to track down), but there are many other e-mail servers out there. We’ve had this sort of spamming happen to us here. NEVER GIVE YOUR PASSWORD TO ANYONE, FOR ANY REASON, folks.

Obligatory xkcd link.