You think your password is secure? Read this – Telegraph Article on password cracking
RockYou cracked: 14 million passwords released
In 2009, a minor gaming website called Rockyou.com was hacked; although you’ve probably never heard of the site, the hack has probably affected you or someone you know. Almost every genuine hack over the last three years can be traced back to the Rockyou leak.
The reason it was so significant is it totally changed the way hackers do business. Before Rockyou, hackers had to build word lists of potential passwords using traditional dictionaries; the 14 million or so Rockyou passwords provided an instant database showing how people actually construct their passwords.
We’re all familiar with the hoops passwords make us jump through – requiring both letters and numbers, the use of upper-case and lower-case letters, a minimum number of characters, and the use of punctuation. Of course, we’re all human, so we want passwords to be easy to remember while fulfilling these arcane rules.
The list leaked from RockYou confirmed our grammatical bias: upper-case letters tend to start words, while special characters or numbers come at the end. One of the most common ways to combine letters and numbers memorably was to add names and dates together – so Patton1945 or Napoleon1815 were common, for example.
Publicly available data makes this even easier; for example, databases are available containing the name of every Facebook user. These, when combined with every 4-digit number combination and a dictionary list of common words will break as many as 40 per cent of internet users’ accounts within minutes. This creates an even greater problem, as many people reuse passwords, meaning one crack can compromise multiple accounts.
Most people have multiple different internet accounts; collecting data and monitoring user activity through these accounts is at the core of many websites’ business models. The temptation to reuse important passwords for trivial sites that require a sign-in, like price comparison sites, restaurant bookers, dating sites or online shops, is almost irresistible. Of course, many of these sites are far from secure.
The Rockyou leak started a chain reaction; a huge number of sites have been hacked since, releasing even more password data. Equally, technology has advanced enormously. The sort of PC you can buy in Currys can attempt 8.2 million password combinations per second. Cryptographic feats that were the stuff of legend in the Second World War could be done on your iPhone; the sort of 16-digit passcodes thought uncrackable during the Cold War are now within the reach of cracking by skilled hackers with low budgets. Goodness only knows what state-sponsored outfits in the US or China can do.
If you look in the lists of passwords and usernames leaked online, it’s fairly easy to find yourself; with the huge number of websites we sign up to these days, it’s almost inevitable that at least one of the sites where you have an account has been hacked in the last two years. I was able to find my own cracked username and password (taken from a hacked wargaming forum) with a little diligent searching. The biggest damage that could be done to me from that leak is losing control of my forum account; if I’d reused that password elsewhere, it could have been catastrophic.
Of course, each character you add to your password ramps up the time it takes to crack; adding even one letter can take crack time from hours to days, putting you into the category of not “unbreakable” – I doubt such a thing exists – but simply not worth the hassle.
The current best advice is to have passwords composed of 20 characters, with no real words, and your gobbledegook has to include upper and lower case letters, symbols, numbers and punctuation, all randomly scattered through the word. On top of that, you need to have a different password for every site you use and change your password for all of them every three months.
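The arithmetic behind the last two paragraphs, as an added example that is not part of the Telegraph article: at the 8.2 million guesses per second the article quotes, an exhaustive search costs (alphabet size) to the power of (password length), so every extra character multiplies the worst-case time by the alphabet size. The script below estimates that worst-case time for a few lengths and character sets, and also counts the much smaller candidate space of the "name plus four-digit number" pattern the article describes. The character-set sizes and the one-million-name list size are assumptions made for this illustration, not figures from the article.

```python
# Added example, not from the Telegraph article: brute-force time estimates at
# the 8.2 million guesses/second rate quoted for a high-street PC.
# Character-set sizes and the 1,000,000-name list size are assumptions.

GUESSES_PER_SECOND = 8_200_000  # figure quoted in the article

# Assumed character-set sizes (printable ASCII split into four classes).
CHARSET_SIZES = {"lower": 26, "upper": 26, "digits": 10, "symbols": 33}


def keyspace(length, charsets):
    """Candidates an exhaustive search must cover for a password of
    `length` characters drawn from the named character sets."""
    alphabet = sum(CHARSET_SIZES[c] for c in charsets)
    return alphabet ** length


def seconds_to_crack(length, charsets, rate=GUESSES_PER_SECOND):
    """Worst-case time to exhaust the keyspace; on average it takes half this."""
    return keyspace(length, charsets) / rate


def structured_keyspace(name_count, suffix_digits=4):
    """Candidates for the 'name + N-digit number' pattern (e.g. Patton1945),
    given a name list of `name_count` entries. Far smaller than a true
    random keyspace of the same length, which is why the pattern is weak."""
    return name_count * 10 ** suffix_digits


def humanize(seconds):
    """Render a duration in the largest sensible unit."""
    units = (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60))
    for unit, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    # Adding one lower-case letter moves the worst case from hours to days,
    # as the article says; adding two moves it to months.
    for length in (8, 9, 10):
        print(f"{length} lower-case letters: {humanize(seconds_to_crack(length, ('lower',)))}")
    # The article's 20-character, all-classes advice.
    print("20 chars, all classes:", humanize(seconds_to_crack(20, tuple(CHARSET_SIZES))))
    # Name + four digits with an assumed one-million-name list.
    names = 1_000_000
    print("name + 4 digits:", humanize(structured_keyspace(names) / GUESSES_PER_SECOND))
```

The point the numbers make is that length dominates: eight lower-case letters fall in about seven hours at this rate, nine take about a week, while a name followed by four digits is exhausted in around twenty minutes regardless of how long the resulting string is, because the attacker only has to cover the pattern, not the alphabet.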
Even if you are the kind of Marvo the Memory Man who can maintain that routine, you could still easily lose your accounts to a keystroke-logging programme or, more artfully, to what we in English newspapers call a “blag”, where a site is tricked into giving out secret information, usually through the site’s “I’ve lost my password” function.
As the wonderful comic site XKCD said, we’ve now reached a point where computers find it easier to crack passwords than humans find it to remember them. Until someone works out a better system, cracking will remain an everyday part of online life.