AfterDawn: Tech news

How secure is your password?

Written by Andre Yoskowitz @ 07 Feb 2011 11:38 User comments (38)

How secure is your password? BusinessWeek has posted a concise report on how secure most passwords are, and how long it takes a hacker to guess them.
As it has been for years, the most popular password is "123456," followed by "password," "12345678," "qwerty," and "abc123."

The following is how long it takes for a hacker to randomly guess your password:

Length        Lowercase only   + Uppercase   + Numbers & symbols
6 characters  10 minutes       10 hours      18 days
7 characters  4 hours          23 days       4 years
8 characters  4 days           3 years       463 years
9 characters  4 months         178 years     44,530 years
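The table gives only outcomes. To judge figures like these, and to see why they say nothing about a login form that locks out or throttles attempts, it helps to redo the arithmetic. The Python below is an added example, not code from the article or BusinessWeek; the 26/52/95 alphabet sizes, the guess rate it infers from the table's own entries, and the illustrative 20-attempts-per-minute online rate are assumptions.

```python
# Keyspace arithmetic behind brute-force tables like the one above.
# Added example (not from the article or BusinessWeek). Assumptions: 26/52/95
# character alphabets, the guess rate inferred from the table's own entries,
# and an illustrative 20-attempts-per-minute online login rate.

DAY = 24 * 3600
YEAR = 365 * DAY

# Alphabet sizes for the three rows of each table entry.
CHARSETS = {
    "lowercase": 26,              # a-z
    "+uppercase": 52,             # a-z, A-Z
    "+numbers & symbols": 95,     # all printable ASCII (assumed)
}

# A few of the article's own entries, converted to seconds, used to infer the
# guess rate the table must have assumed (constructed from the table above).
TABLE_SECONDS = {
    (6, "lowercase"): 10 * 60,
    (6, "+uppercase"): 10 * 3600,
    (6, "+numbers & symbols"): 18 * DAY,
    (7, "lowercase"): 4 * 3600,
    (8, "lowercase"): 4 * DAY,
}

OFFLINE_RATE = 500_000   # guesses/s; roughly what the table implies (assumed)
ONLINE_RATE = 20 / 60    # guesses/s a throttled login form might accept (illustrative)


def keyspace(length, alphabet_size):
    """Number of candidate passwords of exactly `length` characters."""
    return alphabet_size ** length


def seconds_to_exhaust(length, alphabet_size, guesses_per_second):
    """Worst case: every candidate tried. Expected time is half of this."""
    return keyspace(length, alphabet_size) / guesses_per_second


def implied_rate(length, charset):
    """Guess rate (per second) the table entry must have assumed."""
    return keyspace(length, CHARSETS[charset]) / TABLE_SECONDS[(length, charset)]


def human(seconds):
    """Render a duration the way the table does (largest sensible unit)."""
    for unit, size in (("years", YEAR), ("days", DAY), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    for key in TABLE_SECONDS:
        print(f"{key}: implies about {implied_rate(*key):,.0f} guesses/s")
    for n in (6, 8, 9, 12):
        for name, size in CHARSETS.items():
            offline = human(seconds_to_exhaust(n, size, OFFLINE_RATE))
            online = human(seconds_to_exhaust(n, size, ONLINE_RATE))
            print(f"{n} chars {name:20s} offline: {offline:>18s}  online: {online}")
```

Every entry in the table works out to roughly half a million guesses per second, which is an offline figure; at the throttled online rate even the six-character lowercase case runs to decades.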


Furthermore, the report says it costs a company $10 to take a phone call that will eventually require a password reset.

30 percent of all help desk calls are password related, and 50 percent of all users make their password a "common word or simple key combination."


38 user comments

#1 (8.2.2011 00:03)

oookaaay

#2 (8.2.2011 01:45)

makes sense with all the website requiring one nowadays

#3 (8.2.2011 06:24)

Although many wouldn't agree, all password systems need to be equipped with a 5-try limit before locking the login.

#4 (8.2.2011 06:47)

I've been using the same passwords for almost 30 years and have never had one guessed/hacked.

I certainly don't buy the 10 minutes for even a simple six character password. Sounds like somebody has used poor test passwords for their research.

#5 (8.2.2011 07:44)

Originally posted by Clam_Up:
I've been using the same passwords for almost 30 years and have never had one guessed/hacked.

I certainly don't buy the 10 minutes for even a simple six character password. Sounds like somebody has used poor test passwords for their research.
It would depend who is trying to crack the password. A professional hacker will crack a 9-digit password in minutes. An average computer user might take longer than 10 mins for 6-digit passwords. I had a password on the school's computer network (years ago) that heaps of kids tried to crack; no one succeeded. My Hotmail's been hacked once, but I kinda suspect I left myself logged in on a public library computer.

#6 (8.2.2011 07:52)

Quote:
As it has been for years, the most popular password is "123456,"

My first password! Way back in 1997! Good ole days... eagerly waiting to read cheap Viagra spam e-mails!

#7 (8.2.2011 08:39)

My password has always been 13 characters mixed Cap/small letters, numbers and symbols for important stuff, and 8 mixed the same way for stuff that is trivial.

If a hacker gets my password the way I see it, they deserve it; but most hackers don't even care. I have no information anyone would want, and there are bigger fish to target if they are looking for $.

Should people use a bigger password? Not necessarily; but should they use a stronger password? Definitely. Unfortunately they usually can't remember complicated stuff, not even if they leave it on paper to attempt memorizing it, thus there will always be "password, 1234..., qwerty," and other simple passwords.

#8 (8.2.2011 14:46)

What should be mentioned is how many people will use a good password at their bank... then have a crappy password on their email account.
Your email account is arguably the most important one in need of a good password since most places will let you reset a password if you know the email account.

Also, I think many people use the easy password for one-time or unimportant logins and the hard password for important stuff, but will frequently use the same password at many places.

#9 (8.2.2011 16:00) lissenup2

And this is new news??????

Anyone not living under a rock with half a brain knows that most people are nincompoops when using passwords. Attention people... 8 digits, alphanumeric at the very LEAST.

When will humanity learn and wisen up?

#10 (8.2.2011 16:04) lissenup2

Originally posted by Mysttic:
My password has always been 13 characters mixed Cap/small letters, numbers and symbols for important stuff, and 8 mixed the same way for stuff that is trivial.

If a hacker gets my password the way I see it, they deserve it; but most hackers don't even care. I have no information anyone would want, and there are bigger fish to target if they are looking for $.

Should people use a bigger password, not necessarily, but should they use a stronger password; definitely. Unfortunately they usually can't remember complicated stuff, not even if they leave it on paper to attempt memorizing it, thus there will always be "password, 1234..., qwerty," and other simple passwords.
And hence why hackers don't target people like you. Hackers target people they deem worth profiling. Maybe the CEO of a specific corp or the pilot of certain planes to/from certain countries, philanthropists, etc.

So if you're so certain that no one cares about stealing your information, then why not just shorten your password and be done with it Hmmmmm?

#12 (8.2.2011 16:10)

And your password is the first line of defence?? May have a "top password", but if that keylogger/trojan has not been picked up on...

Layered approach to security.

#13 (8.2.2011 16:23)

Quote:
As it has been for years, the most popular password is "123456,"
Wow! That's the same password that's on my luggage...

/Spaceballs

#14 (8.2.2011 17:26)

Quote:
So if you're so certain that no one cares about stealing your information, then why not just shorten your password and be done with it Hmmmmm?
Because these are passwords I created almost 20 years ago, they've all been memorized and they grow on me. Chances are if someone found out one of my accounts they nailed 3 - 5 others. To make a long answer short, it is called familiarity. Most people who use short passwords can't think of something familiar to them that no one else would guess.

#15 (8.2.2011 19:20)

I tend to make my passwords with a mnemonic. It would look like nonsense to most people, but if you know the phrase it's easy to remember.
Ilt$0nitm
I love the smell of napalm in the morning
Movie quotes, song lyrics, or other easily remembered phrases work for me.

I have several sets of passwords - one set for online banking and financial stuff that I NEVER use anywhere else. Another for online forums and stuff that if it gets hacked, nothing of value will be lost. A different one for email, and so on.

#16 (8.2.2011 20:29)

I love that, man, that was sweet. I love the smell of napalm in the morning, hell yea. lol.

#17 (9.2.2011 07:14)

To create a secure password that is easy for you to remember, follow these simple steps: ... Mix different character types. You can make a password much more secure by mixing different types of characters. Use some uppercase letters along with lowercase letters, numbers and even special characters such as '&' or '%'. I am definitely sure that will help you.

#18 (9.2.2011 11:11)

Originally posted by baglobal:
To create a secure password that is easy for you to remember, follow these simple steps: ... Mix different character types. You can make a password much more secure by mixing different types of characters. Use some uppercase letters along with lowercase letters, numbers and even special characters such as '&' or '%'. I am definitely sure that will help you.

And what a PAIN IN A** would it be to keep typing that over and over!

#19 (10.2.2011 02:28)

You could just use KeePass:
http://keepass.info/

I use it and my primary password (the one on the account) is over ten characters with symbols, numbers and mixed upper-and-lower case letters.

Sure, if you crack it you have all my other passwords/logins, but since it generates unique passwords for each service you use it with, one compromised account means almost nothing.

#20 (11.2.2011 07:59)

For years, the most common password in the Corps of Royal Engineers was "house*magnet". I taught infosec, and most of the "students" were Officers (graduate level education then two years at Sandhurst). I would highlight the requirement for easily memorable but difficult-to-guess passwords, using two common words separated by a character, and use 'house*magnet' as an example - but cautioning them to use something else. Students would diligently take notes, writing down the example... and then using it in "real life". Later, when we engaged in "difficult data retrieval", you can guess the first pwd I would try, and more often than not succeed with. Officers... like lighthouses in the desert... bright, but f***ing useless ;-)

What really made me laugh was that I had snitched that example from a book I'd read *years* earlier, in the mid-80's!

A historical perspective. See if you can find Hugo Cornwall's "Hacker's Handbook", 4th Ed., and read the preface. He talks about not overtly worrying about putting passwords in the book, as "they were bound to be changed by publication". Nope. Nor by the 2nd edition, nor the 3rd... even by the 4th Edition most of the passwords were *still* unchanged. And this was back in 1985-1990, when "hacking" was a hot subject.


#21 (4.3.2011 06:36)



#22 (17.3.2011 07:20)

LOL, that was a good cartoon. Saw many today; this one stood out.

#23 (29.6.2011 02:51) Unidentified

Originally posted by Clam_Up:
I've been using the same passwords for almost 30 years and have never had one guessed/hacked.

I certainly don't buy the 10 minutes for even a simple six character password. Sounds like somebody has used poor test passwords for their research.
As a hacker myself, cracking a 6 digit pass will probably take a lot less than 10 minutes. Maybe 5 at max if it's simple. Using a known brute-force tool or one I made myself, I can easily crack a 6 digit pass.

Think of it like this... I can test about 103,000 password combinations per second. In a minute, that's approximately 6.1 million passes. Add in some symbols and it will take longer, but not more than a few days or so. It's also based on the experience of the hacker. I'll make short work of your 6 digit pass ;)

#24 (29.6.2011 06:41)

Originally posted by Unidentified:
Originally posted by Clam_Up:
I've been using the same passwords for almost 30 years and have never had one guessed/hacked.

I certainly don't buy the 10 minutes for even a simple six character password. Sounds like somebody has used poor test passwords for their research.
As a hacker myself, cracking a 6 digit pass will probably take a lot less than 10 minutes. Maybe 5 at max if it's simple. Using a known brute-force tool or one I made myself, I can easily crack a 6 digit pass.

Think of it like this... I can test about 103,000 password combinations per second. In a minute, that's approximately 6.1 million passes. Add in some symbols and it will take longer, but not more than a few days or so. It's also based on the experience of the hacker. I'll make short work of your 6 digit pass ;)


Go on then... you have three attempts to guess/crack my 6 digit password... then you get locked out, and require a password reset.

So, please... be my guest. What's my password?

#25 (29.6.2011 09:43)

Took a class when I was an engineer at Stanford.
It took seconds to generate 100,000 passwords. That was in the early 1990s.
So to the guy who has 30 years under his belt: maybe nobody has wanted your password in the first place. If somebody does and they have the skills, you are dead meat.
Jeff

#26 (29.6.2011 09:49)

Same challenge to you, jeffrey_P.

All of this is hypothetical unless you have a FILE to work on. If you are trying to log into a system, it's a different ball game.

#27 (29.6.2011 10:08)

I'm not a hacker guy. I don't want to know anybody's personal information.
Thanks for the invite.
Jeff

#28 (29.6.2011 10:20)

lol! It was a hypothetical challenge :)

If someone can grab the pwd file from a net server - or worse, ecommerce/commercial/corporate login system - then the strength of one's password is probably the least worry.

It's a bit like WEP hacking. Lots of noise, but not quite so easy in practice. The hard part is GETTING the data to crack, not cracking it.

#29 (29.6.2011 10:36)

Even @ home I only use a wireless connection, WPA2, with a laptop outdoors on occasion. Still, though, there is no guarantee. An RJ45 connection is more secure.

Even hiding the SSID, WPA2 is ..... Seems you already know, so I'm preaching to the choir;)
Carry-on guy
Jeff

#30 (29.6.2011 11:18)

:-)

#31 (30.6.2011 05:11)

I honestly wouldn't mind if my neighbours wanted to use my wireless connection as long as they are willing to pay a % of the internet costs.

I remember years ago Bill Gates claimed to have a new setup that was unhackable. Someone hacked it and sent $10000 worth of condoms to his house using his (Bill Gates') credit card. Doesn't matter how smart you are or how much experience you have, someone's gonna be better.

@alewis I'm assuming someone hacking your computer would be pointless anyway. If someone or some group has a good reason to, then maybe you'd get hacked.

#32 (30.6.2011 07:24)

You miss the point. "hacking" someone's PC is not the same as cracking a password.
Having a tool that can brute force passwords at any number per second is not the point; this tool is *useless* against a system that locks out after 3 attempts. It is ONLY useful against a static file. As such, read beyond the headlines...

#33 (30.6.2011 08:14)

Bill Gates has made a lot of off-the-wall comments like that.. "640k of RAM is all we will ever need."
Funny, I'm running 12 Gigs of DDR3.
Jeff

#34 (30.6.2011 13:28)

It's not off the wall. Think about it - how many login attempts does a remote system grant before account lockout? 3. So a brute-force crack is somewhat irrelevant there. Even without account lockout, the throughput a b/f cracker can operate at is massively lower than what it is capable of; it might be able to generate 130,000/sec, but will only be able to throw them at the prompt at 20 per minute, TOPS?

That's not off the wall, that's fact. Until that changes...

WEP cracking. More useful, BUT you still need to capture 5000+ packets. Very easy if there is traffic. Not quite so easy if there is not - I'm not saying it's impossible, but you do need some pre-conditions. Let's say the target network has an attached client, but the client is only transmitting keepalives; 2 per min, and the odd burst. Let's say it will take 3 hours to capture the traffic. Sure, if you have the time OR can leave the sniffer alone. But that ain't gonna work outside of your own house/place of work.

WPA cracking. Much the same. In both cases, PROVIDED the target network is conveniently juxtaposed to yourself, yep, it's game over. BUT 'provided' is NOT a given.

File cracking. "HUDSON: It's game over, man, f***** game over".

When I say read beyond the headlines, it's because it's journo spin. Shock! Horror! 'PASSWORD' and 'SECRET' are the most common passwords - we are all doomed! Change yours NOW! Even "knowing" that "fact", what exactly does it gain you? Or a hacker? Nothing, until you actually attempt to login to an account which DOES use an "easily guessable" password. So go on, find an account and login to it... finding one is a lot harder than the headlines suggest.


Incidentally, whether BG did state that 640K RAM was all we will ever need is disputed; I'm *sure* I remember reading an article that attributed that to him 20-odd years ago... but there was no source attribution in the article per se. And that said, this is the guy who massively criticised IBM over the choice of the 80286 processor for the AT, calling it "braindead" - and it is.

He did state that multitasking in less than 4MB was impossible - odd, given at the time those of us with Amigas were running a true pre-emptive multitasking OS in 512KB - and some in 256K.

#35 (30.6.2011 13:40)

I owned several Amigas: two 500s, three 2000s and two 3000s. Also an A4000, which was a hollow shell of previous Amigas. I installed a 3rd-party vid card into my 3000-040 but it ruined what the Amiga was all about.

When I was an engineer at SLAC, Amiga's were used to render fast time plots. No PC or Mac could fill the bill.

I am truly saddened that Jay Miner sold the Amiga to Commodore.
Jay was a friend I could call for info. He passed away in the early '90's. His wife would answer the phone giving updates of his health.

RIP Jay Miner, the father of the Amiga. :(
I see we are about the same age.

Jeff

#36 (30.6.2011 15:57)

:-)

Old, bold, and still young at heart! I had an A500, then a B200 (which ended up with a 14MHz 68000, ICD FFV, GVP G-Force 68030@40MHz, Picasso II, and various SCSI cards, the first of which was a Supra WordSync). Sold on eBay to a dude in Australia; he paid 75 UKP for the Mig, and 145 UKP shipping!

Swapped a UW SCSI drive for an A4000 in 96, added a Picasso IV and WarpEngine040 to that. Then in 2004 stuck it in a tower. Managed to get another 4000 and stuck Cyberstorm PPC/060 and a Cybervision card, and an A1200 tower with a Blizzard 060. Sold them all in 2007 to a guy in London.

Loved the Amiga. I used to write for Commodore User International and ICPUG 'back in the day'. Jay didn't sell Amiga to C=, Amiga Inc sold to C=, but it was better than going into Tramiel's hands at Atari, surely?

What pee'd me off was Tramiel *leaving* C= and then later Medhi Ali running it into the ground. We should have had AAA from 1990, and OS4 in 1992. Heck, if they had pushed it as a business machine in 1985, well, who knows eh.

But I still think the A1000 is the sexiest box around. Still have the Aug 1985 PCW with it on the front cover and the Guy Kewney (RIP) review. Fell in love with it then and there.

#37 (30.6.2011 16:23)

Yep, I had a Picasso IV. It was a 32-bit video card, so it was unusable in an A500 or A3000. I had a plug-in for one A500 (forgot the manufacturer) but it was huge! It had three or four 16-bit slots, no video slot.

The 1000 was cool but it needed to be booted from a floppy. The A or B2000 was my fave.

Cable companies used the Amiga to view channel listings. It was funny when it crashed on them. Guru meditation error XXXX.;) That's how I figured out they were using the Amiga at the time.

Sweet memories of a platform that could have killed the PC and Mac if the Amiga was in proper hands.
Have a good one
Jeff

#38 (1.7.2011 07:08)

If you can't go through it (in this case a password), go around it, or over it, or under it.
