If someone wants to open your lock, he has three ways:
- use lockpicking tools;
- steal your key;
- ask you for the key.
But, you may say, what does this have to do with computer science? I'm glad you asked. A password in the virtual world is exactly like a key in real life, and the analogy holds when someone wants to get into your bank account (or inbox, or Google account, or...).
The virtual equivalent of lockpicking tools is the classic approach of guessing the password. There are two main ways to do this: brute-force and dictionary-based.
The latter is quite simple. Hackers and crackers have big lists of common passwords and other words ready to use. If this attack is not successful, there is brute force.
The dumb version simply composes passwords by trying every combination of uppercase and lowercase letters, digits, and special characters (hyphen, underscore, percent, etc.). This method is guaranteed to succeed sooner or later. The problem for the attacker is the time needed to check all the combinations, which can be in the order of (billions of) years.
But there is a faster way. When people create a password, digits are usually grouped together and placed at the end of a word. For example, a password like "8such3fun" is uncommon, while "suchfun83" is much more common.
Another frequent pattern is to capitalize the first letter of common words (e.g. "SuchFun83") or to substitute some letters with digits (e.g. "5uchFun83"). Using a combined brute-force and dictionary-based attack, it is quite easy to guess this kind of password: the attacker only has to try dictionary words with a handful of mangling rules applied (capitalization, letter-to-digit substitution, a short numeric suffix), which is a tiny fraction of the full brute-force keyspace.
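To make the difference concrete, the following is an added example (written for this article, not the page's or any tool's original code) of a small rule-based guesser: it takes a constructed mini wordlist and expands each word with the patterns described above (capitalization, leetspeak substitutions, two words glued together, a two-digit suffix), then counts how many guesses it takes to reach "suchfun83", "SuchFun83" and "5uchFun83", and compares that with the size of the full brute-force keyspace for a 9-character password. The wordlist, the leet table and the 94-character alphabet are assumptions chosen for illustration; real wordlists and rule sets are far larger.

```python
import itertools
import string

# Constructed sample wordlist (real ones have millions of entries).
WORDLIST = ["such", "fun", "password", "dragon", "letmein"]

# Assumed letter-to-digit substitutions an attacker would try.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}

# Assumed brute-force alphabet: letters, digits and punctuation (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def leet_variants(word):
    """The plain word, each single substitution, and all substitutions at once."""
    out = {word}
    for src, dst in LEET.items():
        if src in word:
            out.add(word.replace(src, dst))
    everything = word
    for src, dst in LEET.items():
        everything = everything.replace(src, dst)
    out.add(everything)
    return out


def word_variants(word):
    """Leet variants combined with the three usual capitalizations."""
    out = set()
    for base in leet_variants(word.lower()):
        out.update({base, base.capitalize(), base.upper()})
    return sorted(out)  # sorted so the guess order is deterministic


def rule_based_candidates(wordlist, max_words=2):
    """Yield every candidate built from 1..max_words dictionary words,
    each mangled by word_variants, followed by an optional 2-digit suffix."""
    suffixes = [""] + [f"{n:02d}" for n in range(100)]
    seen = set()
    for n in range(1, max_words + 1):
        for combo in itertools.product(wordlist, repeat=n):
            per_word = [word_variants(w) for w in combo]
            for parts in itertools.product(*per_word):
                base = "".join(parts)
                for suffix in suffixes:
                    cand = base + suffix
                    if cand not in seen:
                        seen.add(cand)
                        yield cand


def guesses_needed(target, wordlist, max_words=2):
    """Number of guesses before the rule-based attack hits target, or None."""
    for i, cand in enumerate(rule_based_candidates(wordlist, max_words), start=1):
        if cand == target:
            return i
    return None


def candidate_space_size(wordlist, max_words=2):
    return sum(1 for _ in rule_based_candidates(wordlist, max_words))


def keyspace(length, alphabet_size):
    """Number of strings of exactly `length` symbols over the alphabet."""
    return alphabet_size ** length


def seconds_to_exhaust(n_candidates, guesses_per_second):
    return n_candidates / guesses_per_second


if __name__ == "__main__":
    rate = 1_000_000_000  # assumed 1 billion guesses/second
    for target in ("suchfun83", "SuchFun83", "5uchFun83", "8such3fun"):
        print(f"{target:10} found after {guesses_needed(target, WORDLIST)} guesses")
    rules = candidate_space_size(WORDLIST)
    brute = keyspace(9, len(ALPHABET))
    print(f"rule-based candidates: {rules:,} "
          f"({seconds_to_exhaust(rules, rate):.6f} s at {rate:,}/s)")
    print(f"brute-force keyspace for 9 chars: {brute:,} "
          f"({seconds_to_exhaust(brute, rate) / 3.15e7:.1f} years at {rate:,}/s)")
```

Note that "8such3fun" is never produced, because the rules only append digits at the end: the digit placement that feels slightly unnatural to a human is exactly what pushes a password out of the cheap, rule-based search and back into the expensive brute-force one.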
If now you are wondering how strong is your password, there are a couple of sites that can answer your question:
- How Secure Is My Password tells you how long it would take an attacker to crack your password, considering a combined brute-force and dictionary attack;
- The Password Meter is a little less accurate, since it only considers length and character variety, but it suggests some rules for creating really strong passwords.
While playing with the above sites (or any other password checker), do not enter your real passwords: they can be stolen by the website itself or in transit (if sent in plain text). Try passwords built with the same patterns as yours instead, and remember that any checker's estimate is only a model of one attacker's strategy, not a guarantee.
The second part of this series is here.
Lockpicking tools image by Chris Mitchell taken from Wikimedia Commons (public domain).