But there is a tiny problem with these password security checkers: the time they display is based on calculations for the time it takes to crack the password using a brute-force attack method. That means the attacker systematically checks all possible combinations of six letters and characters, starting with the first letter of the alphabet and ending with ‘//////’.
How do hackers get my password?
Brute force attacks are widely used by hackers to crack passwords, but this is just a part of their toolset. For example, a six-character password using a combination of letters and numbers has just 626 possible combinations (52 letters – both upper case and lower case – plus the 10 numbers, and not counting special characters). In case of an 11-character password using the same formula, that jumps to 6211 combinations. That’s out of reach by brute-force methods, so it’s time to use other techniques such as a dictionary attack or Markov chains.
In a password security experiment set up by Ars Technica, three hackers attempted to crack 16,000+ hashed passcodes, and they managed it with 90% success rate in less than a day: six passwords were cracked every minute including 16-character-long randomly generated passwords such as “qeadzcwrsfxv1331”. Here is how they did it, but first let us explain what a password hash means.
The secrets of the password hash
When you enter a password, a one-way mathematical function takes your plain text password and produces a unique string of numbers and letters. That’s called the hash. For example, the “arstechnica” password resulted in the hash “c915e95033e8c69ada58eb784a98b2ed”.
With the hash information to hand, the hackers were able to crack 62% (10,233) of the hashes in 16 minutes. With a mix of a brute-force attack, a hybrid attack that combined a wordlist with brute-force attacks and statistically generated password guesses using Markov chains and other rules, they managed to reverse engineer the hashes into plain text in 15 hours.
The importance of password strength
So what have we learned from this? Keeping in mind the daily occurring digital megabreaches that make millions of password hashes available to the Dark Web, it makes sense to change passwords frequently – as suggested by your password manager of choice.
You decide the security level of the password, but anything below 12 characters can be considered weak, especially in light of this experiment. From that length and upwards you can relax for a while, but that’s also the point at which you will stop remembering passwords due to their complexity. Fortunately, password managers can help with this task, as well as password generation. Still, keep an eye on their security recommendation, and change the passwords for your online accounts regularly.
István F.
Adam B.
User feedback