Hackers steal the storage of the passwords on a vulnerable system. These passwords are encrypted in the form of a hash, but once I have these hashes, which I can grab using tools like Pwdump, Airodump-Ng and the Meterpreter, I can take as much time as I need to crack your password.
The Best Way to Make Your Password Less Appetizing
Ideally, you should choose a random set of characters that is the maximum length that your account or system will accept. The fundamental rule of password cracking is that the longer the password, the longer is takes to crack. Then, change the password often, about every thirty days or so.
Step 1. Never Use Dictionary Words
Even a hacker with a minimal skill set can easily crack passwords that are found in the dictionary. You might think that your word or words are rather unique and obscure, but it doesn’t take me very long to test every word and word combination in the dictionary. NEVER use a dictionary word!
Even if you add numbers and special characters, hacking tools like Crunch will let me create custom wordlists, and tools like Hashcat, Brutus, Cain and Abel, THC Hydra, John the Ripper, Ophcrack, and L0phtCrack, as well as Aircrack-Ng and Cowpatty for Wi-Fi, will help me crack the password using my wordlists.
Step 2. Use All of the Allowable Character Types
Password cracking that tries all possibilities is called brute-force password cracking. It simply tries every possible combination of characters until it finds your particular password.
It can require much time and computing resources to do so, but with recent developments in parallel processing, specialized password-cracking ASICs, and the use of botnets and GPUs, brute-force password cracking has made some giant leaps toward making even long, complex passwords more feasible to crack.
To slow the hacker down, make certain that use at least one of every character type in creating your password. This means using at least one lowercase, one uppercase, one number, and one special character. This will force the hacker to include all of these characters into their brute-force cracking character set, thereby forcing them to take much, much longer to crack your password.
If you use lowercase, uppercase, digits (0-9), and special characters, the number of possibilities that the hacker must try is 75 raised to the 8th power, or 1,001,129,150,390,625. That’s 1 quadrillion possibilities! This translates into about 5,000-fold increase in the number of possibilities the hacker must try.
Step 3. Never Use Just Numbers
NEVER use a numeric password without any letters or special characters. You are making things way too easy for me!
Since there are only 10 digits (0-9) in our base 10 number system, even a numbered password with 10 characters only amounts to 9,999,999,999 possibilities to brute force. Compare that to the 8-character all lowercase password above, and it would be 20 times easier to crack your 10-digit password than the 8-character lowercase one.
That’s simply child’s play! Give me more of a challenge than that!
Step 4. Change Your Password Often
It’s important to change your password often. “Often” is a relative term and it will depend upon the value of the information being secured by the password. If it is an email or online bank account, you might want to change your password every three months. The reason you need to change your passwords periodically is that hackers are always gathering passwords from accounts all over the world. We may not use them immediately, or we may sell them to someone who hasn’t done anything with it yet. Your password may be compromised and you don’t even know it yet.
By changing it periodically, you significantly reduce the chances of someone like me compromising your account, even if the website/domain has been hacked.
Step 5. Use Different Passwords on Different Accounts
Your passwords are stored all over the world in various accounts, websites, domains, etc. If you use the same password on all of your accounts, your information is only as secure as the weakest system storing your password.
As a hacker, I may not have any interest in your account on that website, but I will try it on your bank account, credit card account, email account, brokerage account, and so forth. If they are all the same, I have struck GOLD!
The rule here is to use different passwords on different types of accounts. You might create one password for all of your highly confidential accounts, and one password for all the other accounts. That way, if that online game site gets hacked, I can’t take that password and get into your bank account.
Step 6. Create a Passphrase
Probably, the method that will frustrate hackers like me the most, is to develop a passphrase that is long and includes no words and all of the available character types.
I have seen many articles online that advise folks on how to create passphrases and I simply laugh at them because I know that their advice will simply create a passphrase that is still easy for me to crack. Things like adding a date and month after a word, reversing the order of dictionary words, and so on just beg to be cracked in short order. Here is what will make my job most difficult:
First, create a phrase or sentence that is meaningful to you. In this way, it will be easy to remember. For instance, “I love mountain biking and hiking.” Now, take that phrase and convert it into single string of uppercase, lowercase, numbers, and special characters, like this one:
Note that I have converted “love” to <3, “mountain” to mtn, “biking” to b1K1ng, “and” to &, and finally, “hiking” to H1k1ng. It is critical to intersperse special characters and numbers into the passphrase as well as use both upper- and lowercase letters.
This creates an 18-character passphrase that uses uppercase, lowercase, special characters, and numbers that, although not unbreakable, would make someone like me invest significant time and computing resources to crack it. Most importantly, because it has special significance to you, you will remember it. Obviously, this is key. No matter how complex, passwords or passphrases that you can’t remember defeat the whole purpose.
Now, How Do You Feel About Your Passwords?
I hope this advice makes my job as difficult as possible to crack YOUR passwords, but thankfully, so many people won’t take this advice that I know there will always plenty of easy pickings among your neighbors and colleagues.
Originally shared on Null Byte