Passwords - did you know . . . . .

. . . . . . . how much difference some subtle differences can make?

I have always been ‘password aware’, i.e. I knew that by being a bit inventive with your choice of password you can boost your security and vastly reduce the chances of a password being compromised. It wasn’t until last week, though, that I realised just how much of a difference a slight change can make.

I got hold of a password cracking program. It came from a legitimate source and should only be used for legitimate reasons, as it states many times in the small print! As far as I am aware, this program isn’t readily available ‘off the shelf’ and is normally supplied direct to businesses, organisations, etc.

So, the experiment I set up was to create very simple documents, saved to my desktop, each with a variation of the same word as the password. Knowing that a mixture of upper and lower case letters made the password more difficult to crack, I used a variant of both. I also threw some numbers into the mix to see the effect of that. The three passwords were as follows:

password (all lower case)

Password (use of capital letters)

Pa55word (mixture of lower case, upper case and numbers)

Even I was shocked by the results! I used an ACER laptop with a 1.8 processor with all other services disabled, i.e. cracking the password was the only load on the CPU. The results speak for themselves!!

password took 3 seconds to crack.

Password took 4 seconds to crack.

(Both of the above tests were checking in the region 180,000 password combinations per second)

Pa55word took 6 days 5 hours + and still hadn’t finished (but I needed my laptop back)!!! During that time a total of 87,238,558,861 combinations had been tried and the CPU was still busy working away.

In summary, this goes to show what a big difference a very small amount of thought can make with regard to the choosing of passwords. In this day and age there are constant attacks on our IT and data - make their task even more difficult and keep safe.
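The arithmetic behind the three runs above, as an added example that is not part of the original post. The 180,000 guesses/second rate, the 8-character length, and the 87,238,558,861 guesses over 6 days 5 hours are the figures from the post; the 62-symbol alphabet (a-z, A-Z, 0-9) and the wordlist sizes are assumptions made for illustration.

```python
# Added example (not from the original post): back-of-the-envelope arithmetic
# for the three test runs. Page figures: 180,000 guesses/s, 8 characters,
# 87,238,558,861 guesses over 6 days 5 hours. Assumptions: a 62-symbol
# mixed alphanumeric alphabet and a 100,000-word list with 16 variants each.

LOWERCASE = 26
UPPERCASE = 26
DIGITS = 10
MIXED_ALNUM = LOWERCASE + UPPERCASE + DIGITS  # 62 symbols (assumed alphabet)

POST_RATE = 180_000                      # guesses per second reported in the post
POST_TRIED = 87_238_558_861              # guesses made before the run was stopped
POST_DURATION_S = (6 * 24 + 5) * 3600    # 6 days 5 hours, in seconds


def search_space(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of exactly `length` symbols over the alphabet."""
    return alphabet_size ** length


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a fixed guess rate."""
    return space / guesses_per_second


def observed_rate(tried: int, duration_s: float) -> float:
    """Average guess rate implied by a guess count over a wall-clock duration."""
    return tried / duration_s


def fraction_searched(tried: int, space: int) -> float:
    """Share of the search space covered so far (0.0 to 1.0)."""
    return tried / space


def dictionary_candidates(word_count: int, variants_per_word: int) -> int:
    """Size of a wordlist run: each word times its case/digit variants."""
    return word_count * variants_per_word


if __name__ == "__main__":
    space = search_space(MIXED_ALNUM, 8)
    years = seconds_to_exhaust(space, POST_RATE) / (365.25 * 24 * 3600)
    print(f"62^8 = {space:,} candidates; exhausted in ~{years:.1f} years at {POST_RATE:,}/s")
    print(f"the run covered {fraction_searched(POST_TRIED, space):.4%} of that space "
          f"at an average {observed_rate(POST_TRIED, POST_DURATION_S):,.0f} guesses/s")
    # Assumed wordlist: 100,000 words x 16 case/digit variants each.
    words = dictionary_candidates(100_000, 16)
    print(f"a {words:,}-entry wordlist is exhausted in "
          f"{seconds_to_exhaust(words, POST_RATE):.0f} s")
```

The point the numbers make: 'password' and 'Password' fell in 3 to 4 seconds because they sit in a wordlist a few million entries long, which the quoted rate clears in under ten seconds, whereas the full 8-character mixed alphanumeric space is some 2.2 x 10^14 candidates, of which the six-day run had covered well under a tenth of a percent.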

Bit of an eye-opener and no mistake.
Have you noticed a lot of places do not allow numbers or spaces? Perhaps this is why.

It might also be that the programme tries the obvious ones first, i.e. password, admin, people’s names etc., then if they don’t work it goes on to having to actually check properly. Would suggest that you need to use a unique password for the test to be of any use.

smcaul:
It might also be that the programme tries the obvious ones first, i.e. password, admin, people’s names etc., then if they don’t work it goes on to having to actually check properly.

It just checks through a dictionary type database of words, in alphabetical order.

smcaul:
Would suggest that you need to use a unique password for the test to be of any use.

The first passwords I checked were gremlin and hobbit; both came in at 3 seconds. I used the same word in its various forms (password) to provide a level test-bed.

Either way, 3 seconds or 6½ days?

I’ve got a few of this sort of program and the results with them are pretty much the same as you are getting. ‘Normal’ words are cracked in seconds, while random letters take a little longer and mixed numbers and letters take even longer.

marcustandy:
password (all lower case)

Password (use of capital letters)

Pa55word (mixture of lower case, upper case and numbers)

When people here are choosing passwords, I wouldn’t suggest that you simply replace some letters with their commonly used number equivalents, like ‘3’ for ‘e’, ‘5’ for ‘s’ and ‘7’ for ‘t’. All three examples above are equally bad, even though that one particular password cracking program failed on the last one. I don’t know how these kinds of programs work internally, but I’d guess they at least have quite a big vocabulary against which the password is tested. Each of those words can of course be easily tested with slight variations like pAs5w0rd or password1 without the testing taking much more time than against only the upper and lower case varied word.

In the university where I study, the Department of IT regularly runs this kind of hacking program against every user account which is directly under their management. I don’t know how many accounts they have, probably something near 2000, but if I’d change my password over there into “Pa55word” my account is likely to get disabled in a matter of days.
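Kyrbo’s point that ‘Pa55word’, ‘pAs5w0rd’ and ‘password1’ are all the same word to a wordlist run, and that an IT department can catch such passwords, can be turned into a set-time check rather than an after-the-fact crack. The following is an added example, not code from any poster: it undoes the usual letter-to-digit substitutions and compares the result against a word list. The substitution table, the `normalise_variants`, `is_dictionary_based` and `check_password` names, and the tiny word list are all constructed for illustration; a real check would load a full dictionary and a breached-password list.

```python
import itertools
import string

# Added example, not from any poster: a set-time password check of the kind an
# administrator might run instead of cracking accounts after the fact. The
# substitution table and the small word list are constructed for illustration.

# Common digit/symbol stand-ins and the letter(s) they usually replace.
# "1" is ambiguous (l or i), so every option is tried.
SUBSTITUTIONS = {
    "0": "o", "1": "li", "3": "e", "4": "a", "5": "s",
    "7": "t", "@": "a", "$": "s", "!": "i", "|": "l",
}
MAX_VARIANTS = 256  # cap the expansion so a long, symbol-heavy input cannot explode

# Constructed mini word list: the thread's own examples plus a few usual suspects.
COMMON_WORDS = {"password", "admin", "gremlin", "hobbit", "god", "letmein", "welcome"}

REASON_SHORT = "shorter than minimum length"
REASON_DICTIONARY = "dictionary word with case/digit substitutions"


def normalise_variants(candidate: str) -> set[str]:
    """Undo the obvious tricks: lower-case, drop leading/trailing digits and
    punctuation (password1, !password), then expand every stand-in character
    to the letter(s) it may replace."""
    core = candidate.lower().strip(string.digits + string.punctuation)
    choices = [SUBSTITUTIONS.get(ch, ch) for ch in core]
    variants = set()
    for combo in itertools.product(*choices):
        variants.add("".join(combo))
        if len(variants) >= MAX_VARIANTS:
            break
    return variants


def is_dictionary_based(candidate: str, words: set[str] = COMMON_WORDS) -> bool:
    """True if any de-obfuscated form of the candidate is a listed word."""
    return not normalise_variants(candidate).isdisjoint(words)


def check_password(candidate: str, min_length: int = 12) -> list[str]:
    """Return the policy failures for a candidate; an empty list means it passes."""
    reasons = []
    if len(candidate) < min_length:
        reasons.append(REASON_SHORT)
    if is_dictionary_based(candidate):
        reasons.append(REASON_DICTIONARY)
    return reasons


if __name__ == "__main__":
    for sample in ("password", "Password", "Pa55word", "pAs5w0rd", "password1",
                   "h0bb1t", "correct horse battery staple"):
        verdict = check_password(sample) or ["ok"]
        print(f"{sample!r:32} -> {', '.join(verdict)}")
```

Because the check runs on the plaintext at the moment the user sets it, it costs a few string operations per attempt instead of the days of CPU time the original post spent, and it rejects the whole family of substitutions at once rather than only the variants a particular cracker happened to try.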

Kyrbo:
In the university where I study, the Department of IT regularly runs this kind of hacking program against every user account which is directly under their management. I don’t know how many accounts they have, probably something near 2000, but if I’d change my password over there into “Pa55word” my account is likely to get disabled in a matter of days.

Wonder why they feel the need to do that :confused: Surely if they are admins they can change any user’s password or lock the account.

Colingl:

Kyrbo:
In the university where I study, the Department of IT regularly runs this kind of hacking program against every user account which is directly under their management. I don’t know how many accounts they have, probably something near 2000, but if I’d change my password over there into “Pa55word” my account is likely to get disabled in a matter of days.

Wonder why they feel the need to do that :confused: Surely if they are admins they can change any user’s password or lock the account.

In fact the thing they do is alter the account so that the user can’t log into any of their computers, and he’ll get the account reopened by visiting the management’s office, where they generate a new random password. I’m not really familiar with the different nuances of English words covering this topic, so ‘disabled’ might be the wrong one to describe this action.

Nevertheless, my point was more that “Pa55word” as a password is quite easily hacked despite the fairly big number of user accounts, so I’d put some more randomness into the password.

I get it now. :laughing: :laughing: :smiley: :smiley:

Did you know that three of the main passwords used are

■■■
password
god

and that’s a fact :smiley: :open_mouth: