Five Steps to Avoid Getting Hacked

It took three hackers less than a day to decipher the majority of a list of 16,000 encrypted passwords, all because of the laughably easy-to-crack passwords most of us pick to protect our online lives. The most successful guy got 90 percent of the "plains," as hackers call deciphered passwords, in 20 hours; the least successful guy got just 62 percent of them in about an hour. Yes, it's really that easy. But rather than sit there, shocked at how little security passwords provide, we should use this Ars Technica article as a lesson in password security. And the first lesson learned therein is: Never, ever use a six-character password.

Rule 1: Six characters is always too short. The very easiest and the first thing all of Ars's hackers did was guess your super weak six-character passwords, via what's called a "brute force" attack. See, the most successful of the hackers, Jeremi Gosney, a password expert with Stricture Consulting Group, cracked 62 percent of the list in sixteen minutes because that's how easy it is to guess a code that's just six characters long:

Gosney's first stage cracked 10,233 hashes, or 62 percent of the leaked list, in just 16 minutes. It started with a brute-force crack for all passwords containing one to six characters, meaning his computer tried every possible combination starting with "a" and ending with "//////." Because guesses have a maximum length of six and are comprised of 95 characters—that's 26 lower-case letters, 26 upper-case letters, 10 digits, and 33 symbols—there are a manageable number of total guesses. This is calculated by adding the sum of 95^6 + 95^5 + 95^4 + 95^3 + 95^2 + 95. It took him just two minutes and 32 seconds to complete the round, and it yielded the first 1,316 plains of the exercise.

"Normally I start by brute-forcing all characters from length one to length six because even on a single GPU, this attack completes nearly instantly with fast hashes," Gosney told Ars. 

Rule 2: So are seven- and eight-character passwords, probably. After doing almost nothing to guess six-character passwords, it gets a tiny bit harder for hackers, but not much. Gosney, for example, then ran more of these guessing attacks with different permutations of longer possibilities, trying seven- or eight-character passwords made up only of lower-case letters. That technique takes mere seconds, and in this case revealed many additional "plains."
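To put numbers on both rules, here is an added example (not from the Ars article or from Gosney) that computes the 95^6 + ... + 95 keyspace from the quoted passage, the lowercase-only seven- and eight-character spaces, and a defender-side length check. The guess rate of 5e9 per second is an assumption, roughly what the article's own figures imply (about 7.4e11 guesses in 2 minutes 32 seconds); the sample passwords are constructed, and the estimate covers brute force only, not dictionary or hybrid attacks.

```python
import string

# Assumed guess rate: the article's 95^1..6 sweep (~7.4e11 candidates) finished in
# 2 min 32 s, which works out to roughly 5e9 guesses/second for a fast hash on one GPU.
ASSUMED_GUESSES_PER_SECOND = 5e9
SECONDS_PER_YEAR = 365 * 24 * 3600

# The four classes that make up the 95 printable ASCII characters the article counts
# (26 + 26 + 10 + 33; the 33 symbols include the space).
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation + " "),
}


def keyspace(alphabet_size: int, max_len: int, min_len: int = 1) -> int:
    """Count of strings of length min_len..max_len over the alphabet.
    keyspace(95, 6) is exactly the 95^6 + 95^5 + ... + 95 sum quoted above."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def exhaust_seconds(space: int, rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate in the space at the given rate."""
    return space / rate


def classes_used(password: str) -> set:
    """Character classes present in the password. A brute-force attacker targeting
    this length only needs the union of these classes, not all 95 characters."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def brute_force_seconds(password: str, rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Time to exhaust every password of this exact length drawn from the classes it uses."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    return exhaust_seconds(keyspace(alphabet, len(password), len(password)), rate)


def meets_policy(password: str, min_years: float = 100.0) -> bool:
    """Defender-side check: accept only passwords whose own length and character mix
    would take at least min_years to exhaust at the assumed rate."""
    return brute_force_seconds(password) >= min_years * SECONDS_PER_YEAR


if __name__ == "__main__":
    print(f"95^1..6: {keyspace(95, 6):,} guesses, {exhaust_seconds(keyspace(95, 6)):.0f} s")
    print(f"lowercase, 7 chars: {exhaust_seconds(keyspace(26, 7, 7)):.1f} s")
    print(f"lowercase, 8 chars: {exhaust_seconds(keyspace(26, 8, 8)):.1f} s")
    for pw in ["secret7", "abcdefghijklmnop"]:  # constructed samples
        years = brute_force_seconds(pw) / SECONDS_PER_YEAR
        print(f"{pw!r}: {years:.3g} years to exhaust, accepted={meets_policy(pw)}")
```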

(Image via JMiks/Shutterstock.com)
