Passwords, Ports, and Offenders Part 2


In my previous post I discussed password strength and the lack thereof.  I didn't go into full detail on why it's smart to make a complex password that's easy to remember, and why you shouldn't make a stupidly complex password that's hard to remember.



I'd like to state that computers are dumb: they can think VERY fast, but they can't think without being told what to think about.  So when a "hacker" is trying to guess your password, making it less common is always a plus, and making it complex is a plus, but...

Stupid gibberish != complexity
Length == Complexity

Let me explain.  Password-cracking software generally attacks in very few ways: brute force, a dictionary attack, or a hybrid of the two.  What are they and how do they work?

Brute Force

What is a brute force attack, you ask?  A password is stored as 8-bit characters (bytes), so each character you add increases the password's length by 8 bits.  1 byte = 8 bits, which is binary, a string of 1's and 0's; for example the word "Cool" is 01000011 01101111 01101111 01101100.  There are 256 possible combinations of 1's and 0's in an 8-bit string, which means one byte can represent 256 different characters (º»½¾¿ÀÁ are example characters you didn't even know your computer could produce).

What a brute force attack does is try combinations of characters until it finds the right one.  With a 1-character password there are 256 possible passwords; with 2 characters that grows to 65,536; a 3-character password has 16,777,216 possible values.

To figure out the strength of your own password, here is the equation.

2^X

Yep, that simple.  2 represents what each bit can be, 1 or 0, that's 2 possible outcomes; X stands for how many bits you have.  If you have a 6-character password, each character is 8 bits long, so we get 2^48, which gives us 281,474,976,710,656 possible passwords.  That's a big number, right?

That number may LOOK big, but in computer terms it's not.  A modern computer can make roughly 1 billion guesses per second (that's BILLION with a B), which means at most 281,474 seconds, or about 78 hours, to run through every 6-character password.  On average the right one turns up halfway through, and a GPU cracking rig attacking a fast hash like MD5 or NTLM does far better than a billion a second.

Now where this gets brutally problematic is that we don't use all 256 byte values: a US keyboard only produces 95 printable characters, and most people use far fewer.  Our cracking tools know that, and offer the option to skip numbers, capitals, or special characters, so the search space drops from 256^n to 95^n, 62^n or 26^n.  A 6-character password over the 95 printable characters is about 735 billion guesses, around 12 minutes at a billion a second; lowercase only, it's about 309 million, under a second.  The 2^X estimate above is the ceiling, not what a cracker actually faces.

DON'T USE PHONE NUMBERS!!!!  It doesn't matter if you think it's clever: if I crack using only digits, a 10-digit number is 10^10 guesses, about 10 seconds at a billion a second.  NOT CLEVER AT ALL!!!
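To make the arithmetic above concrete, here is a small keyspace calculator, added for this post and not part of the original.  It implements the 2^X model (256 symbols per byte) next to the alphabets a cracker can restrict itself to, and reports the worst-case time at the post's assumed 1 billion guesses per second.  The alphabet table and the guess rate are the post's assumptions, not measurements of any particular tool.

```python
import math

# Alphabet sizes a cracker can choose between (table constructed for this example).
# 256 is the post's "every byte value" model; the rest are what people actually type.
ALPHABETS = {
    "digits only": 10,
    "lowercase only": 26,
    "upper + lower": 52,
    "upper + lower + digits": 62,
    "all 95 printable ASCII": 95,
    "every byte value (2^8)": 256,
}

GUESSES_PER_SECOND = 1_000_000_000  # the post's "1 billion passes per second"


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters.

    For the post's 256-symbol model this equals 2 ** (8 * length), i.e. the 2^X formula.
    """
    return alphabet_size ** length


def bits(alphabet_size: int, length: int) -> float:
    """The same search space expressed in bits (log2 of the keyspace)."""
    return length * math.log2(alphabet_size)


def worst_case_seconds(alphabet_size: int, length: int,
                       rate: int = GUESSES_PER_SECOND) -> float:
    """Time to exhaust the whole keyspace; on average the hit comes at half this."""
    return keyspace(alphabet_size, length) / rate


def human(seconds: float) -> str:
    """Round a duration to a readable unit (years, days, hours, minutes, seconds)."""
    units = [("years", 365.25 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


def report(length: int) -> list[tuple[str, int, float, str]]:
    """One row per alphabet: (name, keyspace, bits, worst-case time at 1e9 guesses/s)."""
    return [(name, keyspace(size, length), bits(size, length),
             human(worst_case_seconds(size, length)))
            for name, size in ALPHABETS.items()]


if __name__ == "__main__":
    for length in (6, 7, 10, 15):
        print(f"\n{length}-character password:")
        for name, space, b, t in report(length):
            print(f"  {name:<24} {space:>30,d}  {b:5.1f} bits  {t}")
```

Run it and compare the "digits only" row at length 10 (a phone number: 10 seconds) with the "every byte value" row at length 6 (the post's 78 hours, reported here as about 3.3 days).  The gap between the 256-symbol ceiling and the 95-symbol row is exactly the shortcut the cracker takes when they tell the tool which character classes to skip.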

Dictionary attack

Now a dictionary attack is a very different way of going about it: it doesn't guess character by character, it guesses whole words.  Not just any words, either, but words the cracker feeds in, from lists such as "the top 100,000 passwords", which is available for download with a single click, or the password dumps from real breaches like the Twitter one a few years ago.  Just Google them and you can have these lists in a few keystrokes.

Given a computer capable of a billion guesses a second, a 7-character dictionary word like "cupcake" falls in well under a second: it's within the first few thousand entries of any list.  A brute force attack over the full 256-symbol space would need 2^56 guesses, over two years at that rate, but a dictionary attack doesn't care about length, only about whether the word is on the list.

Hybrid attack

This one is simple and needs no long explanation: a hybrid attack is a dictionary attack that mangles each word before trying it, most commonly by appending a character.  So for "cupcake" the cracker tries cupcakea, cupcakeb, cupcakec, cupcaked and so on until something works.  Real tools go further with the same idea: capital first letter, a couple of digits on the end, a "!" tacked on, which is why jesus123 is no safer than jesus.
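The dictionary and hybrid attacks described above, as an added example that is not part of the original post.  It runs the post's "append a character" rule, plus capitalization and 2- and 3-digit suffixes, against a tiny constructed word list.  The demo assumes the target site stored unsalted SHA-256 hashes so that each guess is one hash call; that is an assumption for illustration, and a site that used a slow salted hash (bcrypt, scrypt, Argon2) would cut the guess rate by orders of magnitude without changing the logic here.

```python
import hashlib
import itertools
import string

# Constructed stand-in for a downloaded "top 100,000 passwords" list.
WORDLIST = ["123456", "password", "jesus", "cupcake", "iloveyou",
            "qwerty", "dragon", "football", "letmein", "monkey"]


def hash_password(password: str) -> str:
    # Assumption for the demo: the site stores unsalted SHA-256. Real sites should
    # use a slow, salted password hash; the attack loop below would be identical.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def dictionary_attack(target_hash: str, wordlist: list[str]):
    """Try each word as-is. Returns (password, guesses_tried) or (None, guesses_tried)."""
    for guesses, word in enumerate(wordlist, start=1):
        if hash_password(word) == target_hash:
            return word, guesses
    return None, len(wordlist)


SUFFIX_CHARS = string.ascii_lowercase + string.digits + "!@#$"


def mangle(word: str):
    """Hybrid candidates for one word: the word itself, the post's "append one character"
    rule, then appended 2- and 3-digit numbers (jesus123 style), with and without a capital."""
    for base in (word, word.capitalize()):
        yield base
        for ch in SUFFIX_CHARS:
            yield base + ch
        for n in (2, 3):
            for digits in itertools.product(string.digits, repeat=n):
                yield base + "".join(digits)


def hybrid_attack(target_hash: str, wordlist: list[str]):
    """Dictionary attack with the mangling rules applied to every word."""
    guesses = 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            if hash_password(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


if __name__ == "__main__":
    for pw in ("cupcake", "jesus123", "Cupcake!", "LukeVaderHamMan"):
        h = hash_password(pw)
        print(f"{pw:<16} dictionary: {dictionary_attack(h, WORDLIST)}"
              f"  hybrid: {hybrid_attack(h, WORDLIST)}")
```

With ten words the hybrid pass is about 22,800 candidates, which any laptop finishes instantly; scale the list to 100,000 entries and it is still only a few seconds of work at the rates discussed above.  "LukeVaderHamMan" survives both passes because none of its pieces is a list entry with a suffix bolted on.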

Feeling secure yet?

The obvious solution is to avoid being a victim of a dictionary or hybrid attack at all.  Don't use things like jesus or jesus123; you're not going to give anyone a challenge.  We want to force the attacker to fall back to brute force: it not only takes the longest, it's also the most thorough of the cracking types.  But why don't we want to use useless gibberish?

Useless gibberish is complex, complex as hell: B03g$$6 is confusing, no one is going to guess it by hand, so it's secure, ain't it?  Nope, not at all.  It's only 7 characters.  Over the 95 printable keyboard characters that's 95^7, about 70 trillion candidates, a bit under 20 hours at a billion guesses a second, and a GPU cracking rig against a fast hash gets through it in well under an hour.  And let me ask: are you going to remember it?  And if you forget it, how hard will it be to recover?

What's the alternative?  Length.

Phrases.  If you put unrelated words together you take yourself out of the dictionary and hybrid lists, and you increase the number of characters (which you'll have to type), which means brute force attacks take longer.  A good example would be LukeVaderHamMan: everyone who just read that has already remembered it, and it's 15 characters long.  (It may not meet the complexity rules of some sites, but adding a number solves that problem.)  One caveat: cracking tools can also glue list words together (a combinator attack), so the words should be ones an attacker can't predict from knowing a little about you; four words picked from a pool of fifty favourite-movie names is a much smaller search than four words picked at random from a dictionary.
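An added example, not from the original post, of the "length beats gibberish" argument done with numbers.  It generates a passphrase from a word list using Python's secrets module, and measures strength the way a cracker would: by the number of words and the size of the list they came from, not by character count.  The 32-word list is constructed for the demo, and the 7776 figure is an assumption standing in for a real diceware-style list; the 95-symbol alphabet for the gibberish case is the one used earlier in the post.

```python
import math
import secrets

# Small constructed word list for the demo; all lowercase so capitalize() marks word boundaries.
WORDS = ["luke", "vader", "ham", "man", "cupcake", "goblin", "pickle", "rocket",
         "anchor", "basket", "candle", "dragon", "engine", "falcon", "garden", "hammer",
         "island", "jacket", "kettle", "ladder", "magnet", "needle", "orange", "pillow",
         "quartz", "rabbit", "saddle", "tunnel", "velvet", "walnut", "yogurt", "zipper"]

# Assumption: a real list (e.g. a diceware list) has 7776 words, and the attacker
# knows which list you used. Strength then depends only on how many words you picked.
REAL_LIST_SIZE = 7776


def passphrase(n_words: int, words: list[str] = WORDS) -> str:
    """Join n randomly chosen words. secrets (not random) keeps the choice unpredictable."""
    return "".join(secrets.choice(words).capitalize() for _ in range(n_words))


def word_bits(n_words: int, list_size: int) -> float:
    """Search space in bits when the attacker knows it's n words from a list of list_size."""
    return n_words * math.log2(list_size)


def char_bits(length: int, alphabet_size: int) -> float:
    """Search space in bits for a brute-force attack over `length` characters."""
    return length * math.log2(alphabet_size)


def compare(n_words: int, list_size: int, gibberish_len: int, alphabet: int = 95):
    """Return (passphrase bits, gibberish bits, which one is stronger)."""
    pb = word_bits(n_words, list_size)
    gb = char_bits(gibberish_len, alphabet)
    return pb, gb, "passphrase" if pb > gb else "gibberish"


if __name__ == "__main__":
    print("sample passphrase:", passphrase(4))
    print("B03g$$6 (7 chars, 95 symbols):   %.1f bits" % char_bits(7, 95))
    print("4 words from a 7776-word list:   %.1f bits" % word_bits(4, REAL_LIST_SIZE))
    print("4 words from a 50-name fan list: %.1f bits" % word_bits(4, 50))
    print("15 letters, attacker ignorant of the word trick: %.1f bits" % char_bits(15, 52))
    print(compare(4, REAL_LIST_SIZE, 7))
```

The two middle lines are the point: four random words from a big list (about 52 bits) beat seven random symbols (about 46 bits) even though the attacker knows exactly how the passphrase was built, while four names from a small themed pool (about 23 bits, a few million guesses) are weaker than the gibberish.  The last line, 15 letters at about 85 bits, is what the attacker faces only if they never think to try words, which you should not count on.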

Length = Complexity

Real words = easy to remember

Easy to remember, hard to guess: best of both worlds.  So stop using stupid gibberish; you're solving nothing.  If you want a feel for how strong your password is, try an estimator like the site below, but feed it a password of the same shape, not the real one; never type a live password into a third-party site.  Until my next post, be safe, my goblins.

https://howsecureismypassword.net/