Internet standards expert John Pozadzides just posted a very interesting blog post on hacking passwords.
It’s an old cliche about passwords: that many of them are just the word “password” or “12345.” But as Mr. Pozadzides points out, hackers have the numbers on their side when they target weak passwords like that. In this post, he ponders how he would hack the passwords of his readers:
I can obtain most of this information much easier than you think, then I might just be able to get into your e-mail, computer, or online banking. After all, if I get into one I’ll probably get into all of them.
- Your partner, child, or pet’s name, possibly followed by a 0 or 1 (because they’re always making you use a number, aren’t they?)
- The last 4 digits of your social security number.
- 123 or 1234 or 123456.
- “password”
- Your city, or college, football team name.
- Date of birth yours, your partner’s or your child’s.
- “god”
- “letmein”
- “money”
- “love”
Statistically speaking that should probably cover about 20% of you. But don’t worry. If I didn’t get it yet it will probably only take a few more minutes before I do”¦
Overall, it’s a fascinating article that looks at the ins and outs of password cracking. For instance, he calls up some numbers on how much time it takes to hack a password depending on how many characters it has, and whether it’s all lower case:
Anyone with any involvement with IT security needs to hammer these messages home as often as possible, no matter how exhausting it gets (and no matter how futile it feels).