Although hackers have long since learned to crack even complex passwords, more often than not an intruder does not need to: the password is guessed from data about you, your social networks and your relatives. According to a study by Virginia Tech, the vast majority of people choose very predictable passwords.
What passwords are considered the most popular and the most predictable?
The most banal combinations, such as qwerty and 12345, are gradually becoming a thing of the past, although last year the latter still confidently held first place among the most popular passwords. But users are still happy to use conveniently placed key sequences, mistakenly believing that mixing them with digits strengthens the password. Specialists at Dashlane named the weakest passwords of this type (you should not even use modified variations of them):
1qaz@wsx
It is no less reckless to use car brands, football clubs and words for emotions; experts list all of these among the most common passwords.
How do password crackers work, and why are user passwords recovered so easily?
First the “simple” passwords are cracked, which takes the least time; then, as in a computer game, the attacker moves on to higher levels that require considerably more time and special skills.
The search begins with “brute force”, which recovers more than half of all passwords of one to six characters drawn from the 95 printable characters: 26 Latin letters in lower and upper case, 10 digits and 33 other symbols (the space among them). The result is a very modest keyspace, about 7.4 × 10^11 combinations in total, which an average desktop with a graphics card can exhaust in minutes.
Extending the password by just one or two characters increases the number of options dramatically, and exhausting every combination then takes several days. Therefore specialists usually restrict the search, for example to passwords consisting only of lowercase letters up to 8 characters long, or to passwords made of digits up to 12 characters long. Brute force with such parameters still recovers a significant share of longer passwords.
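As an added example (not from the original article), the keyspace arithmetic from the two paragraphs above together with a minimal exhaustive search in Python. The guess rate is the article's own figure of 8 billion per second for a Radeon HD 7970 on a fast hash; the target hashes are constructed here, and unsalted MD5 stands in for whatever fast hash a site uses.

```python
import hashlib
import itertools
import string

# The 95-character set the article counts: 26 lower + 26 upper + 10 digits
# + 33 symbols. string.punctuation has 32 of them; the 33rd is the space.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation + " "
LOWER = string.ascii_lowercase
LOWER_DIGITS = string.ascii_lowercase + string.digits
GPU_RATE = 8e9  # guesses/s for a fast hash on one Radeon HD 7970 (the article's figure)


def keyspace(alphabet_size, max_len, min_len=1):
    """Number of candidates of every length from min_len to max_len."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def hours_to_exhaust(alphabet_size, max_len, rate=GPU_RATE):
    """Worst case: every candidate has to be tried before the search ends."""
    return keyspace(alphabet_size, max_len) / rate / 3600


def md5_hex(text):
    """Unsalted MD5, the kind of fast hash the article's numbers assume."""
    return hashlib.md5(text.encode()).hexdigest()


def brute_force_md5(target_hex, alphabet, max_len):
    """Try every string over `alphabet` up to `max_len`, shortest first.
    Returns the password, or None once the keyspace is exhausted."""
    target = bytes.fromhex(target_hex)
    for n in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            candidate = "".join(chars)
            if hashlib.md5(candidate.encode()).digest() == target:
                return candidate
    return None


if __name__ == "__main__":
    assert len(PRINTABLE) == 95
    for label, size, n in (("95 printable, up to 6", 95, 6),
                           ("95 printable, up to 8", 95, 8),
                           ("lowercase only, up to 8", 26, 8),
                           ("digits only, up to 12", 10, 12)):
        print(f"{label:26s} {keyspace(size, n):>22,d} candidates, "
              f"{hours_to_exhaust(size, n):>10.2f} h worst case")
    # Constructed target: a 4-character password over lowercase + digits.
    print(brute_force_md5(md5_hex("ab12"), LOWER_DIGITS, 4))
```

Running it reproduces the article's orders of magnitude: all 95 characters up to length 6 fall in under two minutes, while adding two characters pushes the worst case past a week, which is exactly why attackers narrow the alphabet instead.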
Using exhaustive search on more complex passwords is irrational, since it can drag on for years, so here the cracker turns to specially compiled dictionaries built from real user passwords exposed in various leaks. For example, the largest database of English-language passwords in recent years was “provided” to hackers by the RockYou site in December 2009. Through a banal SQL injection, hackers grabbed the database of more than 32 million users, including logins, passwords and other information, all in plain text. The RockYou database was immediately added to every cracker’s “dictionary”, and these have been replenished many times since by new leaks, including the 2012 break-in of the social network LinkedIn, when 6 more,
Databases like RockYou or LinkedIn are especially valuable because they contain real user passwords rather than arbitrary combinations. Special substitution and selection rules are then applied to them to derive even more candidate passwords. And if the subject matter of the site and the interests and professions of its users are analysed, even more refined algorithms with site-specific patterns and masks can be added.
Curiously, users of large public sites, and social networks above all, rarely bother to come up with complex passwords, naively believing that the information they post there is of no particular interest to intruders. Of the 32 million RockYou passwords, 290 thousand were the painfully familiar “123456”, and several tens of thousands more were similar strings with a different number of digits. Finally, many users use the same password on different services, and when it is cracked on one site, not everyone changes it on all the others. Dictionary attacks therefore remain one of the most powerful and effective cracking techniques; by various estimates they recover up to 60-70% of user passwords on any public site.
To crack the remaining passwords, hybrid attacks are used, combining elements of brute force with the dictionary attack. For example, when choosing a new password some people take an old one of 7-8 characters and add one or two digits at the beginning or the end. From a security standpoint such passwords cannot withstand any criticism: these “habitual” ways of “improving” an old password are well known to specialists, so such templates add no strength at all.
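As an added example (not from the original article), a hybrid dictionary-plus-rules attack in Python. The six-word dictionary, the mangling rules and the “leaked” hashes are all constructed here; a real run uses a leak-derived wordlist of millions of entries and a far larger rule set, but the mechanics are the same.

```python
import hashlib

# Constructed stand-in for a leak-derived dictionary (RockYou and friends
# supply millions of such words; six are enough to show the mechanics).
WORDLIST = ["password", "qwerty", "football", "letmein", "dragon", "monkey"]

# The substitutions people believe make a word "complex".
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})


def mangle(word):
    """Yield the candidates a hybrid attack derives from one dictionary word:
    case and leetspeak variants, then the habitual 1-2 digit or year affixes."""
    bases = {word, word.capitalize(), word.upper(),
             word.translate(LEET), word.capitalize().translate(LEET)}
    for base in sorted(bases):
        yield base
        yield base + "!"
        for n in range(10):                 # one digit, appended or prepended
            yield f"{base}{n}"
            yield f"{n}{base}"
        for n in range(100):                # two digits, appended or prepended
            yield f"{base}{n:02d}"
            yield f"{n:02d}{base}"
        for year in range(1970, 2025):      # a birth year or "this year"
            yield f"{base}{year}"


def md5_hex(text):
    """Unsalted MD5 standing in for whatever fast hash the leak used."""
    return hashlib.md5(text.encode()).hexdigest()


def hybrid_crack(target_hexes, wordlist=WORDLIST):
    """Return {hash: password} for every target hash produced by a mangled
    dictionary word. Each candidate is hashed once whatever the number of
    targets: with unsalted hashes one guess is checked against all of them."""
    targets = set(target_hexes)
    found = {}
    tried = set()
    for word in wordlist:
        for candidate in mangle(word):
            if candidate in tried:
                continue
            tried.add(candidate)
            digest = md5_hex(candidate)
            if digest in targets:
                found[digest] = candidate
                if len(found) == len(targets):
                    return found
    return found


if __name__ == "__main__":
    # Constructed "leaked" hashes; the plaintexts are never given to the cracker.
    leaked = [md5_hex(p) for p in ("Password1", "P@$$w0rd", "12monkey",
                                   "qwerty2012", "dr@g0n", "LETMEIN",
                                   "Tr0ub4dor&3")]
    found = hybrid_crack(leaked)
    for h in leaked:
        print(h, found.get(h, "<not cracked>"))
```

Six words expand to roughly eight thousand candidates, and six of the seven constructed hashes fall to them; only the one that is neither a dictionary word nor a standard mangling survives. The rule list is where real tools differ, not the loop.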
Another type of hybrid attack combines brute force with a statistical method based on Markov chains: the data already obtained on the characteristics of passwords cracked on a particular site is used to predict the likely passwords of its other users.
Hybrid attacks in their various versions, and “individual” tuning of masks and templates, can take significant time, but as a result they can recover up to 100% of the passwords of a single site (on average from 60 to 90%). And considering that more than two thirds of user passwords fall to simple methods in a matter of hours, yielding useful data for analysis, a talented professional can reduce the total cracking time to a reasonable minimum.
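As an added example (not from the original article) of the Markov-chain method from the two paragraphs above: a character-level bigram model trained on the passwords already cracked on a site, enumerating new candidates in order of probability. The training set, the target and the use of MD5 are all constructed here; the best-first enumeration is a general technique and is not claimed to be any particular tool's.

```python
import hashlib
import heapq
import math
from collections import Counter, defaultdict

START, END = "^", "$"   # virtual begin/end-of-password symbols


class BigramModel:
    """First-order Markov model over characters, trained on the passwords
    already recovered from a site, used to rank candidates for the rest."""

    def __init__(self, samples):
        self.trans = defaultdict(Counter)
        for pw in samples:
            seq = [START] + list(pw) + [END]
            for a, b in zip(seq, seq[1:]):
                self.trans[a][b] += 1
        self.alphabet = sorted({c for pw in samples for c in pw})

    def logp(self, prev, nxt):
        """Laplace-smoothed log P(nxt | prev): unseen transitions are rare, not impossible."""
        row = self.trans[prev]
        total = sum(row.values()) + len(self.alphabet) + 1   # +1 for END
        return math.log((row[nxt] + 1) / total)

    def score(self, pw):
        """Log-probability of a whole password under the model."""
        seq = [START] + list(pw) + [END]
        return sum(self.logp(a, b) for a, b in zip(seq, seq[1:]))

    def candidates(self, max_len, limit):
        """Enumerate the `limit` most probable passwords of up to max_len characters,
        best first: Dijkstra over prefixes, edge cost -log p, always positive."""
        heap = [(0.0, START, "")]
        out = []
        while heap and len(out) < limit:
            cost, last, prefix = heapq.heappop(heap)
            if last == END:
                out.append(prefix)
                continue
            if prefix:                                  # may terminate here
                heapq.heappush(heap, (cost - self.logp(last, END), END, prefix))
            if len(prefix) < max_len:
                for c in self.alphabet:
                    heapq.heappush(heap, (cost - self.logp(last, c), c, prefix + c))
        return out


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def markov_crack(target_hex, model, max_len=8, limit=5000):
    """Try candidates in probability order; return (password, guesses) or (None, limit)."""
    for i, cand in enumerate(model.candidates(max_len, limit), 1):
        if md5_hex(cand) == target_hex:
            return cand, i
    return None, limit


# Constructed sample: passwords "already cracked" on one site by dictionary attack.
CRACKED = ["love1", "love12", "lover", "loveme", "ilove1", "love2", "lovely", "love123"]

if __name__ == "__main__":
    model = BigramModel(CRACKED)
    print(model.candidates(max_len=6, limit=10))
    # Constructed target: never seen in training, but built from the same habits.
    print(markov_crack(md5_hex("love3"), model, max_len=6))
```

The target “love3” appears in none of the training passwords and in no dictionary, yet it is reached within a few thousand guesses, because the model has learned that this site's users start with “love” and finish with a digit. Real implementations use longer contexts and much larger training sets, but the ranking idea is the same.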
Why do crackers recover user passwords so easily and quickly? First of all, because people make them up. The usual patterns and habits are well known to professionals, and modern hardware, in particular ordinary “home” graphics accelerators, can test all the likely combinations quickly: a Radeon HD 7970, for example, handles more than 8 billion candidates per second against a fast hash such as MD5.
That is why, for industrial use, dedicated password generators are recommended, using algorithms that leave no recognisable template and make brute force infeasible within the period after which the passwords are replaced by new ones.
Finally, another reason is that not all public sites really care about the security of user passwords: they use simple hashing algorithms chosen to keep server load low. Even some large sites still use the sadly familiar SHA-1, and adding a “salt” (a unique set of bits mixed into each password before hashing) does not make it any slower. A salt defeats precomputed tables and forces the attacker to test each guess against one account at a time, but a salted SHA-1 costs the attacker no more per guess than an unsalted one; only a deliberately slow, iterated function raises the price of every guess.
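As an added example (not from the original article) of what the three storage choices above cost an attacker: unsalted SHA-1, salted SHA-1, and a salted iterated function. The user table and guess list are constructed; PBKDF2-HMAC-SHA256 is used here as a representative slow function (the article names none), and the iteration count is deliberately low so the example runs quickly, which is an assumption of the demo and not a recommendation.

```python
import hashlib
import hmac
import os
import time

# Assumption for the demo: a low PBKDF2 iteration count so it runs in
# milliseconds; production values are in the hundreds of thousands.
PBKDF2_ITERATIONS = 20_000


def store_unsalted_sha1(password):
    """What a site 'optimising for server load' stores: one fast hash, no salt."""
    return {"scheme": "sha1", "hash": hashlib.sha1(password.encode()).hexdigest()}


def store_salted_sha1(password):
    """Same fast hash, but a unique 16-byte salt per account."""
    salt = os.urandom(16)
    return {"scheme": "sha1+salt", "salt": salt,
            "hash": hashlib.sha1(salt + password.encode()).hexdigest()}


def store_pbkdf2(password):
    """Salt plus an iterated, deliberately slow function."""
    salt = os.urandom(16)
    return {"scheme": "pbkdf2", "salt": salt,
            "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                        PBKDF2_ITERATIONS).hex()}


def compute(record, guess):
    """Re-derive the stored value for `guess` under the record's scheme."""
    if record["scheme"] == "sha1":
        return hashlib.sha1(guess.encode()).hexdigest()
    if record["scheme"] == "sha1+salt":
        return hashlib.sha1(record["salt"] + guess.encode()).hexdigest()
    return hashlib.pbkdf2_hmac("sha256", guess.encode(), record["salt"],
                               PBKDF2_ITERATIONS).hex()


def verify(record, password):
    """Constant-time comparison so the check itself leaks nothing."""
    return hmac.compare_digest(compute(record, password), record["hash"])


def attack(records, guesses):
    """Dictionary attack on a leaked table. Returns ({user_index: password}, hash_calls).
    Unsalted: hash each guess once and compare against every account at once.
    Salted (fast or slow): every guess must be re-derived for every account."""
    cracked, calls = {}, 0
    if all(r["scheme"] == "sha1" for r in records):
        by_hash = {}
        for i, r in enumerate(records):
            by_hash.setdefault(r["hash"], []).append(i)
        for g in guesses:
            calls += 1
            for i in by_hash.get(hashlib.sha1(g.encode()).hexdigest(), ()):
                cracked[i] = g
        return cracked, calls
    for i, r in enumerate(records):
        for g in guesses:
            calls += 1
            if compute(r, g) == r["hash"]:
                cracked[i] = g
    return cracked, calls


if __name__ == "__main__":
    # Constructed user table: two users share a password, as happens in every leak.
    users = ["123456", "123456", "Password1", "correct horse battery"]
    guesses = ["password", "123456", "qwerty", "Password1"]
    for store in (store_unsalted_sha1, store_salted_sha1, store_pbkdf2):
        records = [store(p) for p in users]
        t0 = time.perf_counter()
        found, calls = attack(records, guesses)
        dt = time.perf_counter() - t0
        print(f"{records[0]['scheme']:10s} cracked={found} hash calls={calls} "
              f"{dt * 1e3 / calls:.3f} ms per call")
```

The output makes the caveat concrete: the salt multiplies the attacker's work by the number of accounts and hides which users share a password, but each SHA-1 call is still microseconds; only the iterated function changes the per-call cost, and that is what turns a dictionary run from minutes into years.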
After all these details, Intel’s password-checking page, which “estimates” how strong a password is, provokes a fit of laughter when it reports 6 years to crack the password BandGeek2014, a password that a professional would recover in an hour at worst.
Cracking MD5 in turbo mode
Rainbow tables: a “rainbow” table is a special kind of dictionary that stores chains of passwords and allows a password to be recovered in seconds or minutes with a probability of 85-99%.
Cracking hashes by exhaustive search takes a lot of time even on the best hardware, especially if the password is longer than eight characters. The obvious way to speed up recovery is to precompute a database of all the hashes for a given character set. Back in the 1980s hackers believed that once they had more powerful hardware, 640 KB of memory and a 10 MB hard drive, such a database would become reality and recovering any password would be a minute’s work. Hardware improved, but the dream remained a dream: a full table of hashes is far too large to store. The situation changed only in August 2003, when Philippe Oechslin, a PhD in computer networking from the Swiss Federal Institute of Technology in Lausanne (EPFL), published his paper on the optimal time-memory trade-off.
The essence of the method is as follows. Take an arbitrary starting password, hash it, and apply a reduction function that maps the hash back to some possible password (for example, by taking the first 64 bits of the hash and interpreting them as an index into the keyspace). Repeating hash-then-reduce builds a chain of possible passwords, of which only the first and last elements are stored in the table. To recover a password from a hash, apply the reduction function to the hash and look for the result among the stored chain endpoints. If it is not there, hash it, reduce again, and continue until an endpoint is found in the table (or the chain length is exhausted). That endpoint identifies a chain; to find the original password, the chain is regenerated from its stored start up to the position whose hash matches. In a true rainbow table the reduction function differs at each position in the chain, which is what keeps chains from merging and wasting space. Depending on how the chains are built, a lookup usually takes seconds or minutes. Rainbow tables thus cut memory dramatically compared with storing every hash. The only drawback of the method is that building the tables takes a long time.
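As an added example (not from the original article or Oechslin's paper), a complete rainbow table over a toy keyspace in Python: chain construction with a column-dependent reduction function, endpoint-only storage, and the lookup that regenerates a chain and verifies the candidate. The keyspace (four decimal digits), the chain length and the start points are constructed so that the whole table can be checked against every password it claims to cover.

```python
import hashlib
import itertools

# Toy keyspace so the whole table can be checked exhaustively: 4 digits,
# 10,000 passwords. Real tables cover billions; the mechanics are identical.
ALPHABET = "0123456789"
PW_LEN = 4
KEYSPACE = len(ALPHABET) ** PW_LEN


def H(password):
    """The hash being inverted: unsalted MD5, as in the section's title."""
    return hashlib.md5(password.encode()).digest()


def R(digest, col):
    """Reduction function: map a digest back into the keyspace. The column
    index is mixed in so each chain position uses a different function,
    which is what makes the table 'rainbow' and limits chain merges."""
    n = (int.from_bytes(digest[:8], "big") + col) % KEYSPACE
    chars = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def build_table(starts, chain_len):
    """Walk start -> H -> R_0 -> H -> R_1 ... R_{t-1}; keep only end -> [starts].
    This dict is all that is stored: len(starts) pairs instead of KEYSPACE hashes."""
    table = {}
    for start in starts:
        pw = start
        for col in range(chain_len):
            pw = R(H(pw), col)
        table.setdefault(pw, []).append(start)
    return table


def lookup(table, target, chain_len):
    """Recover the password behind `target` if some chain covers it, else None."""
    for col in range(chain_len - 1, -1, -1):    # hypothesis: target was hashed at column `col`
        pw = R(target, col)
        for c in range(col + 1, chain_len):     # finish the chain from there
            pw = R(H(pw), c)
        for start in table.get(pw, ()):         # endpoint hit: regenerate and verify
            cand = start
            for c in range(col + 1):
                if H(cand) == target:
                    return cand
                cand = R(H(cand), c)
        # no hit, or a false alarm from a merged chain: try the next column
    return None


def covered(starts, chain_len):
    """The set of passwords whose hashes the table can actually invert."""
    seen = set()
    for start in starts:
        pw = start
        for col in range(chain_len):
            seen.add(pw)
            pw = R(H(pw), col)
    return seen


def all_passwords():
    return ("".join(t) for t in itertools.product(ALPHABET, repeat=PW_LEN))


if __name__ == "__main__":
    starts = [f"{i:04d}" for i in range(0, KEYSPACE, 25)]   # 400 chains
    t = 12
    table = build_table(starts, t)
    cov = covered(starts, t)
    print(f"{len(table)} endpoints stored, {len(cov)} of {KEYSPACE} passwords covered")
    print(lookup(table, H("0025"), t), lookup(table, H("1337"), t))
```

Two things the prose glosses over are visible here. Coverage is probabilistic: 400 chains of length 12 can touch at most 4,800 passwords, and merges make it fewer, so a lookup can fail honestly. And an endpoint match is only a hint: the chain is regenerated and the candidate's hash compared against the target, so a merged chain produces a false alarm and a wasted regeneration, never a wrong answer.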
How can you protect yourself? Best of all, generate the password with a cryptographic random number generator, then spend a little time firmly memorising the resulting complex password, which none of the methods above will recover.