A Really Good Article on How Easy it Is to Crack Passwords

Pretty much anything that can be remembered can be cracked

Bruce Schneier discusses how the increasing power and efficiency of password cracking makes careless users increasingly vulnerable.

…The article goes on to explain how dictionary attacks work, how well they do, and the sorts of passwords they find.

Steube was able to crack “momof3g8kids” because he had “momof3g” in his 111 million dict and “8kids” in a smaller dict.

“The combinator attack got it! It's cool,” he said. Then referring to the oft-cited xkcd comic, he added: “This is an answer to the batteryhorsestaple thing.”

What was remarkable about all three cracking sessions were the types of plains that got revealed. They included passcodes such as “k1araj0hns0n,” “Sh1a-labe0uf,” “Apr!l221973,” “Qbesancon321,” “DG091101%,” “@Yourmom69,” “ilovetofunot,” “windermere2313,” “tmdmmj17,” and “BandGeek2014.” Also included in the list: “all of the lights” (yes, spaces are allowed on many sites), “i hate hackers,” “allineedislove,” “ilovemySister31,” “iloveyousomuch,” “Philippians4:13,” “Philippians4:6-7,” and “qeadzcwrsfxv1331.” “gonefishing1125” was another password Steube saw appear on his computer screen. Seconds after it was cracked, he noted, “You won't ever find it using brute force.”
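As an added, defender's-side illustration of the combinator attack the quoted passage describes (this is not code from the article, from Schneier, or from the crackers it cites): a registration-time check that flags a password which decomposes into a "big dictionary" word followed by a "small dictionary" word once common leet substitutions are undone, the way "momof3g" + "8kids" was found. The two word lists are tiny constructed stand-ins for the real multi-million-entry lists, and the leet table is an assumption about typical cracker rules.

```python
"""Defensive check: would a password fall to a two-word combinator attack?

Added illustration, not code from the article or the crackers it quotes.
BIG_DICT / SMALL_DICT are constructed stand-ins for the 111-million-entry
and smaller dictionaries mentioned in the text."""
from itertools import product
import re

# Constructed stand-in dictionaries (the real ones hold millions of entries).
BIG_DICT = {"momof3g", "klara", "shia", "password", "windermere"}
SMALL_DICT = {"8kids", "johnson", "labeouf", "2313"}

# Leet-speak substitutions a cracker's rules undo (assumed typical set).
# Each symbol may also be literal, so the original character stays a candidate.
LEET = {"0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "7": "t",
        "@": "a", "$": "s", "!": "i"}
MAX_VARIANTS = 256  # bound the expansion so pathological input stays cheap


def plain_variants(password):
    """Yield candidate plain spellings: lowercase, separators removed, and
    every combination of leet characters either kept or de-leeted."""
    core = re.sub(r"[^a-z0-9@$!]", "", password.lower())
    choices = [[c] + [x for x in LEET.get(c, "") if x != c] for c in core]
    for n, combo in enumerate(product(*choices)):
        if n >= MAX_VARIANTS:
            return
        yield "".join(combo)


def combinator_split(password):
    """Return the (word1, word2) split a combinator attack over
    BIG_DICT x SMALL_DICT would hit, (word,) for a bare dictionary word,
    or None if the password survives this check."""
    for cand in plain_variants(password):
        if cand in BIG_DICT or cand in SMALL_DICT:
            return (cand,)
        for i in range(1, len(cand)):
            head, tail = cand[:i], cand[i:]
            if head in BIG_DICT and tail in SMALL_DICT:
                return (head, tail)
    return None


if __name__ == "__main__":
    for pw in ["momof3g8kids", "k1araj0hns0n", "Sh1a-labe0uf",
               "windermere2313", "qeadzcwrsfxv1331"]:
        print(f"{pw:20s} -> {combinator_split(pw)}")
```

A result of None only means the password is not a simple two-word combination over these lists; it says nothing about other rule sets or masks.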

So get yourself a secure password manager. As I write, 1Password is still on half-price sale! And here is the referenced Ars Technica article: “Anatomy of a hack: How crackers ransack passwords like ‘qeadzcwrsfxv1331’”, subtitled “For Ars, three crackers have at 16,000+ hashed passcodes—with 90 percent success”.

The only secure password is the one you can’t remember

You need only remember one secure password – the passphrase that unlocks your password vault. This Troy Hunt essay is very worthwhile – Troy explains in detail the bad things that can and will happen to you by using the same simple passwords across all those Internet accounts.

(…) And this brings me to a neat philosophical conclusion; security is all about risk mitigation – you never actually become “secure”, you merely decrease your risk. On balance, the risk of your account details sitting out there in even a very secure website is significantly higher than having them sit there in your 1Password file.

But beyond just security, the password manager route is a very handy solution. Having all your accounts handy on all your devices and being able to simply logon with the one strong password is a very convenient route indeed.

And finally, when the time comes that you realise one of your accounts has been breached (and trust me, it will come), it’s no good thinking about password security then – it’s too late. So put aside a few hours one afternoon, spend just a few dollars and get yourself organised. Either that or start developing a taste for acai berries!

Troy recommends the same solution we prefer, 1Password on Dropbox. For that solution you need two strong passwords, one each for Dropbox and your 1Password file. Then all your very-strong-passwords are available to you on all your devices (computers, smartphones, iPads, …).