How can you come up with a strong password?

How long does it take for a hacker to crack your password? Many online applications and services require a password of at least six characters. A "strong" password is one that combines letters, numbers, and special characters. Even so, three seconds is enough to crack such a six-character password, and if you use only letters, a second is enough to access your data.

Why Your Password Strength Decreases Every Year

20 years ago, six or eight character passwords seemed strong. On older computers, it would have taken years or even centuries to crack such a password by trying all possible combinations. Many people have been using the same password for decades and never change it. The length of the password stays the same, but its strength decreases every year.

Over the past decades, computer technology has made tremendous progress, and today any personal PC has more power than a multi-million dollar supercomputer of the old days. At the same time, new GPUs and multi-core processors offer processing power that most of us would have found hard to imagine 20 years ago, and every year brings new processors with more cores and more powerful GPUs.

Improving the technical means of cracking passwords

Thanks to this, more and more people today have the opportunity to crack passwords, and the technical means are becoming more advanced. A simple enumeration of all possible combinations, i.e. a brute-force attack carried out without much thought, is just the beginning. Tables of likely passwords, which are tried first, are quickly compiled. These tables contain the names of prominent figures and movie actors, dates of birth, pet names, and then all the words from a dictionary. The more often a password is used, the higher it sits in such a table and the faster it can be found.

In addition, there are "rainbow tables", which save time by pre-calculating intermediate results, and GPUs are used to perform the calculations faster.

How long should a strong password be?

A 2009 article by Dirk Fox on minimum lengths for passwords and cryptographic keys includes a table showing how long it takes to find Windows passwords by a brute-force attack using "rainbow tables" (Rainbow Crack).

At the same time, one should take into account the fact that the development of computer technology has made significant progress over the past 3 years, so today it may take much less time to crack passwords. Dirk Fox distinguishes between a password consisting only of letters and a password consisting of a combination of letters, numbers and special characters. Excerpt from the table:

Password length    Letters only    Letters, numbers and special characters
6 characters       0.2 seconds     3.4 seconds
8 characters       8.75 minutes    6.7 hours
10 characters      16.4 days       5.4 years
12 characters      22 years        38,147 years

Thus, a Windows password must be at least 10 characters long, provided that it consists not only of letters but of a combination of letters, numbers and special characters. In addition, both lowercase and uppercase letters must be used. A password of that length can no longer be easy to remember - and if it nevertheless is, it is guaranteed a place in the hacker's table!

PIN-codes of bank cards

Now you may be concerned about how reliably your funds in the bank are protected, since the PIN code consists of only 4 characters - and only digits at that. The PIN code in Internet banking also consists of just 5 characters.

However, such a PIN is somewhat secure, because after three incorrect attempts to enter the PIN, the card or online access to it is blocked. The same applies to the lock code of a car radio. It is practically impossible for a hacker to hit on the correct combination of symbols in the first three attempts if he does not know it in full or in part.

Also, a six-digit or eight-digit password can be strong if the number of incorrect entries is controlled, and after several incorrect attempts, the account is blocked. However, this does not always happen, and often the lock is released after a while. To be safe, you should still create a password that is at least 10 characters long. For greater security over the years, create a password of 12 characters or more.
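The difference between a lock that stays in place and one that is released after a while can be made concrete. The following Python sketch is an added example, not part of the original article; the `LoginThrottle` class, the 15-minute release time and the pace of one entry per second are assumptions chosen for illustration.

```python
class LoginThrottle:
    """Per-account failure counter. After max_failures wrong entries the account
    is locked; lock_seconds=None keeps it locked until a manual reset, a number
    releases the lock automatically after that many seconds."""

    def __init__(self, max_failures=3, lock_seconds=None):
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self._failures = {}    # account -> consecutive wrong entries
        self._locked_at = {}   # account -> time (seconds) the lock was set

    def is_locked(self, account, now):
        locked_at = self._locked_at.get(account)
        if locked_at is None:
            return False
        if self.lock_seconds is not None and now - locked_at >= self.lock_seconds:
            # Timed lock expired: release it and start counting again.
            del self._locked_at[account]
            self._failures[account] = 0
            return False
        return True

    def attempt(self, account, correct, now):
        """Return True only for a correct entry on an unlocked account."""
        if self.is_locked(account, now):
            return False           # even the right PIN is refused while locked
        if correct:
            self._failures[account] = 0
            return True
        self._failures[account] = self._failures.get(account, 0) + 1
        if self._failures[account] >= self.max_failures:
            self._locked_at[account] = now
        return False


def wrong_entries_accepted(throttle, duration_seconds, step=1):
    """Feed the throttle one wrong entry every `step` seconds and count how
    many were actually evaluated rather than refused by the lock."""
    evaluated = 0
    for now in range(0, duration_seconds, step):
        if not throttle.is_locked("card", now):
            throttle.attempt("card", False, now)
            evaluated += 1
    return evaluated


def guess_probability(keyspace, guesses):
    """Chance that `guesses` distinct tries hit a uniformly random secret."""
    return min(1.0, guesses / keyspace)


if __name__ == "__main__":
    day = 86_400
    permanent = wrong_entries_accepted(LoginThrottle(3, None), day)
    timed = wrong_entries_accepted(LoginThrottle(3, 900), day)   # assumed 15 min
    print("permanent lock:", permanent, "tries,",
          guess_probability(10**4, permanent), "chance against a 4-digit PIN")
    print("timed lock:", timed, "tries per day,",
          guess_probability(10**4, timed * 35), "chance after 35 days")
```

With the permanent lock only three entries are ever evaluated, while the assumed 15-minute release lets through enough entries to cover every 4-digit PIN in about five weeks.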

If the respective service provider does not allow the creation of passwords longer than eight characters, you should consider whether to trust your data to this provider. At the very least, you should change your password regularly to make it harder for hackers to crack it.

Even not very skilled attackers can easily crack the passwords of most visitors to various Internet sites. A logical question arises: is it possible to come up with a password that is, on the one hand, sufficiently resistant to hacking and, on the other, easy to remember?

First of all, it is worth remembering that absolutely any password can be hacked (picked up, guessed). The only question is resources - computing power and time. Therefore, it makes sense to assess the strength of a password from the point of view of whether the cost of cracking it is justified: if for some time it cannot be opened using available resources, then it can be considered safe.

Fundamentally different criteria apply for different categories of users. To crack the password of a simple schoolgirl's account on a social network, no one will use as many resources as to open the account of the head of a large company or (even more so) to access some especially protected state and defense networks. A password, which in the first case can be considered almost absolutely safe, in the other two can be absolutely vulnerable. At the same time, our abstract schoolgirl, of course, will never use an industrial-grade random password generator and change the password every time she enters it.

Let's talk about a certain "average" case - that is, about user passwords for Internet services that, while remaining strong enough for such applications, will not force a person to lead a clinically paranoid lifestyle.

Length is key

Unlike many other cases, for a password, length is everything. Passwords up to six characters long, inclusive, made up of 95 ASCII characters (26 letters of the Latin alphabet in each case, 10 digits and 33 service characters), are cracked by brute force on a normal personal computer, with the help of the “number cruncher” of a modern video card, in just a few minutes. But adding even one or two characters already seriously complicates the task, lengthening the search time to several days and even months.

However, length is the main, but far from the only, criterion for evaluating the strength of a password. Of fundamental importance is the absence of any predictable pattern in the character set itself and of any non-randomness in the sequence of password characters. The measure of the unpredictability of such symbols is called “information entropy”, and this value, calculated in bits of entropy, allows us to estimate password complexity with a significant degree of accuracy. So, the entropy per character for a password drawn from all ASCII characters will be about 6.56 bits; thus, the complexity of a 6-character password will be 39.36 bits of entropy, a 7-character password will be 45.95 bits, and an 8-character password will be 52.48 bits.

To crack a password of 52-bit complexity by brute force, you need a number of attempts equal to 2 to the 52nd power. A pair of modern video cards of the GeForce GTX 570 class, capable of guessing 1.5 billion passwords per second, will need about a couple of months of continuous work to sort through all possible combinations, which, in general, gives an idea of the strength of such a password.

However, this only applies to passwords that do not contain any predictable patterns, that is, machine-generated ones with theoretically maximum entropy. Human behavior is typically predictable, so when composing a password a person will subconsciously use familiar combinations of numbers, symbols and letters. Memorable dates, birthdays, names of dear people, names of familiar places and objects involuntarily come to mind.

In reality, this makes such passwords much more vulnerable, since the "brute force" method is always used in combination with other methods of hacking, in particular with dictionary selection. At the same time, the use of well-known masks and patterns greatly simplifies the task. In addition to the usual dictionaries and dictionaries of real user passwords “leaked” from hacked sites, there are widely known masks for substituting individual letters or adding numbers, popular number sequences - templates for dates, phone numbers, postcodes, social security numbers - as well as many other tricks that their authors wrongly believe to be extremely original.

According to the US National Institute of Standards and Technology (NIST), in human-made passwords of lowercase letters and numbers the entropy of the first character is 4 bits and that of each of the next seven is 2 bits, and the use of uppercase and service characters adds another 6 bits, which gives only 24 bits in total, that is, less than half the theoretical maximum for a given character set and length. That is, the time for guessing such a password, even using the “brute force” method, is halved, but in reality a “hybrid” attack will allow an attacker to succeed much faster.

And here we return to length again: the complexity of a 14-character password will theoretically be 91.84 bits, and that of a 20-character password will already be 131.2 bits, and cracking it will take several tens or even hundreds of years. Hybrid techniques, of course, significantly reduce the strength of such passwords, and the "human factor" makes them even more vulnerable. Nevertheless, length does its job: for an ordinary user password, even one with not too obvious patterns in it, the recommended number of characters today is at least 14. Such a password will be much safer than the once "super strong" passwords of 6-8 characters.
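The entropy figures in this section follow from a short calculation. The Python sketch below is an added example, not part of the original article: it computes the theoretical entropy for the 95-character set, the NIST estimate for human-chosen passwords, and the exhaustive-search time at the article's 1.5 billion guesses per second. The values for characters beyond the eighth (1.5 bits up to the 20th, 1 bit after that) come from the NIST table in SP 800-63 Appendix A rather than from this article, and the function names are illustrative.

```python
import math

ALPHABET = 95                 # article: 52 letters + 10 digits + 33 service characters
GUESSES_PER_SECOND = 1.5e9    # article: pair of GeForce GTX 570 cards


def random_entropy_bits(length, alphabet=ALPHABET):
    """Entropy of a machine-generated password: length * log2(alphabet)."""
    return length * math.log2(alphabet)


def nist_human_entropy_bits(length, composition_bonus=True):
    """Estimate for a user-chosen password per NIST SP 800-63 Appendix A.

    The first character counts 4 bits and characters 2-8 count 2 bits each
    (as in the article); characters 9-20 count 1.5 bits and later ones 1 bit
    (from the NIST table, not the article). Upper case plus non-alphabetic
    characters add a flat 6 bits.
    """
    bits = 0.0
    for position in range(1, length + 1):
        if position == 1:
            bits += 4.0
        elif position <= 8:
            bits += 2.0
        elif position <= 20:
            bits += 1.5
        else:
            bits += 1.0
    return bits + (6.0 if composition_bonus and length > 0 else 0.0)


def exhaustive_search_seconds(bits, rate=GUESSES_PER_SECOND):
    """Time to try all 2**bits candidates; the average hit comes at half of this."""
    return 2.0 ** bits / rate


def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", 31_557_600), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.3g} {unit}"
    return f"{seconds:.3g} seconds"


def report(lengths=(6, 8, 14, 20)):
    """One row per length: random bits, human bits, and both search times."""
    rows = []
    for n in lengths:
        rnd, hum = random_entropy_bits(n), nist_human_entropy_bits(n)
        rows.append((n, round(rnd, 2), hum,
                     humanize(exhaustive_search_seconds(rnd)),
                     humanize(exhaustive_search_seconds(hum))))
    return rows


if __name__ == "__main__":
    # The article rounds log2(95) down to 6.56, so its totals are slightly lower.
    for row in report():
        print("%2d chars  random %6.2f bits  human %4.1f bits  %s vs %s" % row)
```

Every additional bit doubles the number of candidates, so the gap between the "random" and "human" columns is a gap in exponents, not in simple multiples.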

Don't be predictable

After talking about predictability as a property of human nature, such advice may sound strange, but nonetheless. To compose a sufficiently secure password, it is not at all necessary to install generators and then try to remember gibberish. You can just try to become a little more unpredictable.

Among the most commonplace recommendations: do not use pseudo-passwords and combinations of pseudo-passwords like QWERTY, 123456 and the like. Even if only part of such a sequence is present in your password, this will drastically reduce its security. The repetition of individual characters and their combinations is unacceptable, whether digits and numbers or letters and words.

The stupidest thing you can think of is to enter Russian words in the Latin layout as passwords. If even the notorious Punto Switcher is able to switch the layout in real time, it would be strange to expect specialized software to lack that ability.

Don't use predictable numbers like dates, phone numbers and zip codes, Social Security and car numbers. Since professional crackers are still partly mathematicians, you should not use some well-known constants in passwords - for example, the number "pi". Numeric sequences (like Fibonacci numbers) are also unlikely to be a good idea.

Substitution of "similar" characters in dictionary words will not give any effect, since all crackers have long been aware that "@" can replace "a" and "5" - "s". A much more effective option is to distort known words in some way that is understandable to you alone. For example, turning "password" into "p&sUprtDt" - there is no typical pattern here, so dictionary selection will not work, and if the password is long enough, then the "brute force" method will be ineffective.

In general, be creative, and you will succeed. You can evaluate the results of your efforts, for example, on the GRC.com website, which, unlike the parody Intel "calculator", gives a real idea of password strength. Of course, after evaluating, you will have to come up with a new password - if you really care about safety.

Styopka, do you want a puppy?

Even if you have come up with excellent passwords (and they, for your own safety, must be individual for absolutely every Internet service), the problem arises of how to remember them all. Of course, you can use the password remembering function built into any browser, but if an attacker somehow gains access to your machine, he will be able to get into not only your social network page, but also, for example, your Internet banking.

Some people have a photographic memory for symbols, and it is not difficult for them to remember even the most ridiculous abracadabra. Others have to use a different method, which is described in the title of this part of the article. The author has not gone crazy at all, it’s just that this heading contains part of the mnemonic rule for memorizing voiceless consonants in Russian: - Fi! Mnemonics facilitates the memorization of any information with the help of associative links, replacing abstract data with vivid images.

Even the most complex password can be memorized using mnemonics, especially some topic close to you. For example, “AsTKp2eshe :)”: “Arkady ate a large plate of porridge, asked for two more, smiled,” etc. Phrases do not have to be meaningful: on the contrary, the more absurd they are, the easier they are remembered. There are a lot of memorization techniques, and if you master at least some of them, they will be useful to you not only for passwords. Again, this is a great way to remember a lot of complex passwords.

Passwords are just one of the means of protecting information, albeit one of the most common. But even with good passwords, you need to be able to handle them correctly. Among the main rules of “password hygiene” is not to use the same passwords on different resources and change them regularly. For Internet services, it is enough to carry out such a replacement once every two to three months, except for emergency situations with the loss of a computer, its hacking, or hacking of a web account.

Do not enter your passwords on other people's computers, especially those that have access to a large or unlimited circle of people. Even if insidious attackers have not installed keyloggers there that remember all keystrokes, the settings of the system, browser or software may by default provide for remembering all entered passwords, which is not obvious to the user. If you still had to use such a computer, hurry up to change the password from a secure machine.

Finally, never send your passwords to anyone either by e-mail or via instant messaging services: no Internet service will ever require you to send your own password. If you need to send the password to friends, dictate it by voice over the phone or send a photo from your mobile. And again - for security reasons - if possible, immediately change this password to a new one.

Only at first glance do impenetrable passwords lack a logical structure and look like gibberish. Complex passwords are complex only for those who do not know the recipe for their creation. You do not have to memorize letter case, numbers, special characters and their order. It is enough to choose a memorable base and follow simple tips for creating strong passwords.

Children's counting rhymes

We take any nursery rhyme or counting rhyme as the basis for the password. It is desirable that it be found only in your area and not be well known. Better still, write your own! Although any children's rhyme will do, the main thing is that the lines have been firmly planted in your head from a young age.

The password will consist of the first letters of each word. Moreover, the letter will be written in uppercase if it is the first in the sentence. We replace some letters with numbers similar in spelling (for example, “h” to “4”, “o” to “0”, “z” to “3”). If you don’t want to get too confused with replacing letters with numbers, look for a rhyme that already contains numbers. Do not forget about punctuation marks that separate words and sentences - they will come in handy.

Example:

Turtle tucked its tail

And she ran after the rabbit.

Got ahead

Who does not believe - come out!

We replace the letters "h", "z" and "o" with similar numbers. The second, third and fourth lines start with capital letters and are therefore written in upper case. We include four punctuation marks. Of course, we write in Russian letters, but on the English keyboard layout.

The 17-character password is ready! It may not be perfect, as it contains repeated characters, consecutive lowercase letters, and numbers. But you certainly could not call it simple.

Favorite sayings

The scheme is similar to children's counting rhymes. Only as a basis you take your favorite and very memorable phrases of thinkers, celebrities or movie characters. You can complicate your life a little by replacing the letter "h" not with "4", but with "5", for example. There are never too many confusing maneuvers!

Example:

I found out that I have

There is a huge family

River, field and forest,

In the field - every spikelet ...

We replace the letter "h" with "8", do not forget about the uppercase and punctuation marks.

Ze,8evTjc^H,g,bk,Dg-rr…

Jargon and terminology

It implies the use of professional jargon, understandable to an extremely narrow number of people. These words are much more distant from the common man than the criminal sayings widely covered on the TV screen and the streets of any city.

For example, you can use a hospital discharge or a fancy medical definition.

Example:

Cyclopentanperhydrophenanthrene is a 28-letter term. It turns out to be a bit long, therefore I propose to throw out the vowels and dilute the remaining consonants with upper case.

Memorable dates

Of course, your birthday or the day you started your family life is not the best basis for a password. The event should be of exceptional importance, and only you should know about it. For example, it could be the day you first ate gum, ran away from class, or broke your heel. Since the basis of the password will be numbers, it is not superfluous to mix them with letters.

Example:

10/22/1983 and 06/16/2011

Replace the dots separating the day, month, and year with any letter, such as the small English “l”, which is very similar to the fairly common “/” separator. Between the dates we put the underscore character "_". Zeros are replaced by the letters "o".

Visual key

Use the smartphone unlock technique on your keyboard as well. Think of any shape and “swipe” your finger along its contours.

Do not forget to pass through the numbers and to change the horizontal and vertical direction of movement. And, unlike me, use your imagination!

Conclusion

The suggested ways of creating a password that is memorable yet hard for an outsider to make sense of can be changed and combined at your discretion. It is enough to think over your super password once, and you can use it without fear in the presence of an outsider.

How do you choose your password?

Dear reader, you probably don't secure your house or apartment with just a latch or a hook. You choose a sturdier front door and a more reliable lock, so that no one can get inside without your knowledge. And that's right, that's how it should be! Otherwise, one day or night, you could lose everything you have worked so hard to acquire.

It is noteworthy that this worldly truth also holds for accounts in online services. They too need to be locked, and locked well, with a key - a password - against strangers. After all, there are more than enough people who covet profiles and accounts in payment systems, online games, social networks, or anywhere else (the Internet is big!). And you don't need to reassure yourself while registering on the next web resource with thoughts like “Who knows me here ...”, “Who needs my profile ...”, etc. The fragile hope for "maybe" can in this case turn into trouble. Big trouble, if, for example, we are talking about funds in an Internet banking account.

In this article, you will learn how to come up with a strong password, how to remember it and how to store it safely on a computer.

Complex password - privacy guarantee

Why do you need to invent a good password? Because it is the very first and most important level of protection for your personal data. Computer intruders "open" a lot of user profiles by guessing the password using special programs. Simple character keys are a godsend for them. Once - and it's done! No hard work is needed to crack them.

To further clarify this situation with statistical arguments, we will use a special web service https://howsecureismypassword.net/. It tells you how long it might take to crack a user-specified password. That is, it evaluates the degree of its resistance to hacking.

So, suppose we decide to come up with a password using the arrangement of letters on the keyboard - qwerty (well, a very trivial combination). We ask the service.

Now let's try to test a 6-character key consisting of small English letters and numbers - ty23ds.

The result is also disappointing: 54 milliseconds. Of course, for such a period of time, the sequence can be “unraveled” exclusively by an automated method. However, in most cases, crackers use this technology.

Let's complicate the combination: add capital letters to the set and increase the key length to 11 characters. Enter - eYtou349i93.

This is already much better: for 41 years the villain-burglar will have to pore over the selection of the key (of course, theoretically!).

But you can come up with a more complicated password: increase the length, for example, up to 18 characters, and use special characters along with letters and numbers. Something like - ew$yu*ow)RweQ23&tT.

The result is simply "cosmic" (by the way, to the delight of the user): the estimated time required for the selection is 7 quadrillion years. And in 1 quadrillion, as you know, there are 15 zeros. In general, no comments.

Vigilant readers will, of course, immediately ask the question: “Guessing is one thing, but what about Trojans? Do they steal passwords?” Yes, the tools of attackers are extensive: they include viruses, social engineering, and special software. And a complex password is certainly not a perfect panacea against account hacking. But it can safely be called a powerful protective barrier on the hackers' way to confidential data.

Password Rules

When creating a symbolic combination to enter the site, regardless of its functionality and purpose, be sure to consider the following points:

1. Avoid simple combinations. In particular:

  • logical sequences - abcde, 1234;
  • keyboard layout vertically, horizontally, diagonally, etc. - asdfg, qscwdv.

2. Do not use "pure" (without adding other characters, numbers) dictionary words. In particular, such as "parol", "password", "admin", "my_parol".

3. Do not use personal data that is openly accessible, for example, on a personal page on a social network or in a profile on a forum. Even with the addition of numbers! This includes phone number, date of birth, e-mail address, first name, surname, patronymic, and nicknames of pets.

5. Do not enter Russian words in the English layout (example: input - d)
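A service can enforce these rules when a password is set. The following Python sketch is an added example, not part of the original article: it checks a candidate against rules 1, 2, 3 and 5 above. The word lists are constructed samples, the thresholds and function names are assumptions, and the key map is the standard Russian (ЙЦУКЕН) layout.

```python
import re

# (row, column) of each key on a US keyboard, ignoring the physical stagger.
ROWS = ["1234567890", "qwertyuiop[]", "asdfghjkl;'", "zxcvbnm,./"]
KEY_POS = {ch: (r, c) for r, row in enumerate(ROWS) for c, ch in enumerate(row)}

# Latin key -> Cyrillic letter on the standard Russian (ЙЦУКЕН) layout.
TO_CYRILLIC = str.maketrans("qwertyuiop[]asdfghjkl;'zxcvbnm,.",
                            "йцукенгшщзхъфывапролджэячсмитьбю")

# Constructed sample lists; a real check loads full dictionaries.
LATIN_WORDS = {"password", "parol", "admin", "my"}
RUSSIAN_WORDS = {"пароль", "привет", "любовь"}


def has_char_sequence(pw, run=4):
    """Rule 1: ascending or descending runs such as abcde or 1234."""
    for step in (1, -1):
        streak = 1
        for a, b in zip(pw, pw[1:]):
            streak = streak + 1 if ord(b) - ord(a) == step else 1
            if streak >= run:
                return True
    return False


def has_keyboard_walk(pw):
    """Rule 1: straight lines on the key grid. Horizontal runs need 4 keys
    (asdf); vertical and diagonal runs need 3 (qsc, wdv)."""
    keys = [KEY_POS.get(ch) for ch in pw.lower()]
    streak, prev_step = 1, None
    for a, b in zip(keys, keys[1:]):
        step = None
        if a and b:
            d = (b[0] - a[0], b[1] - a[1])
            if d != (0, 0) and max(abs(d[0]), abs(d[1])) == 1:
                step = d            # neighbouring key in one of 8 directions
        streak = streak + 1 if step and step == prev_step else (2 if step else 1)
        prev_step = step
        if step and streak >= (4 if step[0] == 0 else 3):
            return True
    return False


def is_plain_dictionary_word(pw):
    """Rule 2: nothing but dictionary words, optionally joined by separators."""
    tokens = [t for t in re.split(r"[\W_]+", pw.lower()) if t]
    return bool(tokens) and all(t in LATIN_WORDS for t in tokens)


def contains_personal_data(pw, facts):
    """Rule 3: a publicly known fact (name, date, phone) inside the password."""
    low = pw.lower()
    return any(len(f) >= 3 and f.lower() in low for f in facts)


def typed_in_russian_layout(pw):
    """Rule 5: the keystrokes spell a Russian word on the Russian layout."""
    typed = pw.lower().translate(TO_CYRILLIC)
    return any(w in RUSSIAN_WORDS for w in re.findall(r"[а-яё]+", typed))


def violations(pw, facts=()):
    """Names of all rules the candidate password breaks (empty list = passes)."""
    checks = {
        "sequence": has_char_sequence(pw),
        "keyboard walk": has_keyboard_walk(pw),
        "dictionary word": is_plain_dictionary_word(pw),
        "personal data": contains_personal_data(pw, facts),
        "Russian word in English layout": typed_in_russian_layout(pw),
    }
    return [name for name, hit in checks.items() if hit]
```

Treating three keys on a diagonal as a walk catches qscwdv but also flags ordinary letter groups such as "thm" in "algorithm"; raise that threshold if such false positives matter.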
