Avon River Computer Service

More Than Just Computer Repairs



In today’s Internet world, passwords are becoming more and more pervasive.

It seems that you can’t do much without having to log in everywhere, and that means supplying a user name and password. Some people have developed systems so that they can remember the password for any given site. These usually rely on the site name, with perhaps some characters, random or not, added at one end or the other, or even both. For example, an eBay login (eBay was just a random choice on my part, and the password I put forward is not my own, so don’t try it) may run something like “111EbaySite”. While you may think that this is a good password, 11 characters long, with both upper and lower case letters and numbers, hackers think it is a good password too: they can expose Ebay and Site, and the only thing left for them is to crack the 111 part. How long do you think that will take?

Hackers don’t go through the normal login path that we, as users, go through. If they did, then a simple watch on the server log would tell administrators that someone had tried to log in without success, and where those attempts were coming from. They could then block that IP address and, problem solved. The other reason hackers don’t try this method is the amount of time it would take to physically type in a user name and password, click submit and wait for a result from the server. This could take 10 seconds or more per submission. Think about that: they could only test 6 username and password combinations per minute. As there are 105 possible characters on a standard keyboard, it could take a hacker 11,025 attempts to guess a 2 character password.

So no, hackers tend to take a more direct route and try to gain access to the server where the usernames and passwords are stored in an encrypted state. If they can get a copy of these encrypted records, they can then use software to attempt to decrypt them in the comfort of their own home, presumably wearing slippers and eating pizza. Some hackers have built custom computers that are capable of generating 4 billion guesses per second. They also have dictionaries programmed in, in all the languages of the world, just in case you were thinking of using a foreign language.

What this means to you and me is that if I think up a password of 5 characters, it could take a hacker up to 12,762,815,625 guesses, which is the maximum number needed to hit the right combination. This would take approximately 3 seconds. A 6 character password will take approximately 33 seconds to crack. A seven character password could take up to 58 minutes to crack, and every additional character you use will take exponentially longer. So if you are using a name, date of birth or something similar, think long and hard about it, then don’t do it…
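The arithmetic above, carried through as an added example (this is not code from the original post). It assumes only the post’s two figures, 105 distinct keyboard characters and a rig that makes 4 billion guesses per second, and reproduces the 11,025 and 12,762,815,625 combinations quoted for 2 and 5 characters. The `remaining_guesses` helper shows why “111EbaySite” is so weak: once the site-derived words are known, only three characters are left to guess.

```python
# Added example (not from the original post): the post's own arithmetic as code.
# Assumptions, both taken from the post: 105 distinct keyboard characters and a
# cracking rig capable of 4 billion guesses per second.
KEYBOARD_CHARS = 105                # alphabet size quoted in the post
GUESSES_PER_SECOND = 4_000_000_000  # rig speed quoted in the post


def keyspace(length, alphabet=KEYBOARD_CHARS):
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet ** length


def worst_case_seconds(length, alphabet=KEYBOARD_CHARS, rate=GUESSES_PER_SECOND):
    """Time to try every combination; on average an attacker needs half of this."""
    return keyspace(length, alphabet) / rate


def human(seconds):
    """Render a duration in the largest unit that gives a value of at least 1."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def remaining_guesses(password, known_parts):
    """Guesses left once the predictable parts of a password are already known.

    For "111EbaySite" the site-derived words Ebay and Site are treated as known,
    so only the three remaining characters have to be guessed."""
    unknown = len(password) - sum(len(p) for p in known_parts)
    return keyspace(unknown)


if __name__ == "__main__":
    print(f"{'length':>6} {'combinations':>22} {'worst case':>16}")
    for n in range(2, 11):
        print(f"{n:>6} {keyspace(n):>22,} {human(worst_case_seconds(n)):>16}")
    left = remaining_guesses("111EbaySite", ["Ebay", "Site"])
    print(f"\n'111EbaySite' with Ebay/Site known: {left:,} guesses, "
          f"{human(left / GUESSES_PER_SECOND)}")
```

Run it as a script to print the table for lengths 2 to 10; each extra character multiplies the work by 105, which is what “exponentially longer” means in practice.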

So the question is, how do we create secure passwords that hackers can’t crack? Well, we don’t, at least not at this stage. Any password that you can come up with, given time, someone will be able to decipher or crack. What we do need to do is come up with a password that will take a cracker a long time to crack, which will give you enough time to log back into the compromised site and change the password before it is exposed and hackers can log in and steal, delete or damage your data.

One of the best ways to do this is to use a password manager. This is a program that runs on your computer, and whenever you go to a site where you need to enter your username and password, the password manager fills in these details for you automatically, no matter how long or complex your password is. The beauty is that it will not generate real words or names or anything that a hacker could recognise as being a password. MyUltimatePa55w0rd is not as good as ns^*l!W5IblhK9oR67. Both passwords use 18 characters, but the first uses real words like My and Ultimate. These will be run through the dictionary, and the last part, Pa55w0rd, is one of the known variants; you may as well have put in password, because it would be exposed just as quickly. This password would be exposed in minutes, probably less, whereas the second one would probably take weeks or even months to crack. Hackers also look for patterns on the keyboard such as qwerty, qzwxecrv and even things like !@#$%. These are not secure and will be exposed in minutes. If you have a password that jumps around the keyboard with any kind of predictability, go and change it now, before you are compromised.

The password manager that I have been using for a while, and am very happy with, is called LastPass. You go to the LastPass website and download the software to your computer. You need to create a username and password (the Master Password) on the LastPass website, which will serve as your password vault. The master password needs to be as strong as you can remember: something around 10 to 15 characters long that uses upper and lower case letters, numbers and characters such as !@#$%^&*()_+-. You will need to remember it, so please don’t write it down. This should be the last password that you will ever need to remember, hence the name.

If the program is running, the next time you come to a site where you have to log in, LastPass will ask if you want to store the username and password in the LastPass vault. If you do, the next time you go to that login page, LastPass will fill in the username and password without you having to remember anything. Heaven. LastPass can generate passwords for you at whatever complexity and length you need. If you want to create a login for a site you have not been to before, you will notice a little curly symbol at the end of the input field. Click this and LastPass will generate a password for you, enter it again in the confirmation field, and once you are logged in, LastPass will offer to store the login details in your vault.

What if you are away from your computer, I hear you ask? Well, as long as you have Internet access, you can go to the LastPass site, log in to your vault and it will autofill just as if you were on your computer at home. Easy. If you don’t have Internet access, you will not be trying to log in anywhere, so it works. Give LastPass a go. If everyone had passwords that were virtually impossible to crack, it might just put the hackers out of business and make the Internet a much more pleasant place to visit and hang out in.
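An added example, covering both the weaknesses described two paragraphs up (dictionary words, leetspeak variants like Pa55w0rd, keyboard walks such as qwerty and qzwxecrv, site-name padding) and the kind of random password a manager generates. This is illustration code, not LastPass’s software and not from the original post: the tiny word list, the leetspeak table and the keyboard rows are constructed here, and a real checker would carry a full dictionary. The generator draws from `secrets` and retries until its own checks pass.

```python
# Added example (not LastPass code, not from the original post): a small
# password-hygiene checker plus a generator of the kind of random password a
# password manager produces. Word list, leetspeak table and keyboard rows are
# constructed for illustration only.
import secrets
import string

# Constructed mini-dictionary; real cracking dictionaries hold millions of words.
DICTIONARY = {"my", "ultimate", "password", "site", "ebay", "welcome", "summer"}

# Leetspeak substitutions crackers undo before the dictionary match
# ("known variants" in the post's words): Pa55w0rd -> password.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# Physical keyboard rows; a walk is a run of adjacent keys in either direction.
KEYBOARD_ROWS = ["`1234567890-=", "qwertyuiop[]", "asdfghjkl;'",
                 "zxcvbnm,./", "~!@#$%^&*()_+"]

# Alphabet for generated passwords: letters, digits and the symbols the post lists.
GENERATOR_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()_+-"


def _word_spans(pw, min_len=2):
    """(start, end) of every dictionary word inside pw after undoing leetspeak."""
    norm = pw.lower().translate(LEET)
    return [(i, j) for i in range(len(norm))
            for j in range(i + min_len, len(norm) + 1)
            if norm[i:j] in DICTIONARY]


def dictionary_words(pw):
    """Dictionary words found in pw, e.g. MyUltimatePa55w0rd -> my, ultimate, password."""
    norm = pw.lower().translate(LEET)
    return [norm[i:j] for i, j in _word_spans(pw)]


def _straight_run(frag):
    return any(frag in row or frag in row[::-1] for row in KEYBOARD_ROWS)


def has_keyboard_walk(pw, run=4):
    """True if pw contains a run of `run` adjacent keys along a row.

    The string is also checked with alternating characters split out, so an
    interleaved walk across two rows (qzwxecrv = qwer + zxcv) is caught too."""
    pw = pw.lower()
    for cand in (pw, pw[0::2], pw[1::2]):
        for i in range(len(cand) - run + 1):
            if _straight_run(cand[i:i + run]):
                return True
    return False


def assess(pw, min_length=12):
    """Report the weaknesses found and how many characters are not predictable."""
    spans = _word_spans(pw)
    covered = {k for i, j in spans for k in range(i, j)}
    problems = []
    if spans:
        words = ", ".join(dictionary_words(pw))
        problems.append(f"dictionary words (after undoing leetspeak): {words}")
    if has_keyboard_walk(pw):
        problems.append("keyboard walk")
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    return {"problems": problems,
            "free_chars": len(pw) - len(covered),  # characters an attacker must still guess
            "ok": not problems}


def generate(length=18):
    """Random password, regenerated until it passes assess() (a rare retry)."""
    while True:
        pw = "".join(secrets.choice(GENERATOR_ALPHABET) for _ in range(length))
        if assess(pw)["ok"]:
            return pw


if __name__ == "__main__":
    for candidate in ("111EbaySite", "MyUltimatePa55w0rd", "qzwxecrv",
                      "ns^*l!W5IblhK9oR67", generate()):
        report = assess(candidate)
        verdict = "ok" if report["ok"] else "; ".join(report["problems"])
        print(f"{candidate:<20} free={report['free_chars']:>2}  {verdict}")
```

For “111EbaySite” the report leaves only three free characters, which is the 111 the post says is all the attacker has left to crack; the random 18-character string passes every check.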
