What Can 32 Million Password Hacks Teach Us?
Posted By: Eternity Web Team
I was reading an interesting article about a study that was done of a list of 32 MILLION breached passwords.
http://www.imperva.com/docs/WP_Consumer_Password_Worst_Practices.pdf
The long and the short of it is that people are still sacrificing personal and professional security for the sake of brevity and ease of access. I realize that many sites now ask people to create user profiles with passwords, and you might not be concerned that the one-time things you sign up for might get hacked, but don't be lax enough to let this attitude drift into more important passwords.
If you look at the top 20 breached passwords in this report, you'll see some surprising breaches of security and common sense. The top three hacked passwords, accounting for over 377,000 compromised accounts, were 123456, 12345, and 123456789. 41% of the hacks were on passwords that contained only lower case letters. More surprising is that mixtures of letters and numbers accounted for 36% of the hacked passwords.
Most people make the mistake of thinking that most "hacking" is done by groups of two or three people in a basement, plotting email account hacks like robbers planning a bank heist. Nothing could be further from the truth. Many hacks are generated by scripts running "brute force" attacks: someone programs a script to try a few well known combinations, such as every combination of six lower case letters, just to see whether it can find some people who chose bad passwords. People use easy passwords because they think their accounts aren't worth the trouble of "bank heist" levels of planning. What they don't know is that most hacking attempts are more akin to walking around a suburban neighborhood and trying every front door just to see if the owner forgot to lock it. Not as profitable as a bank, but when you have a script that checks 120,000 front doors a day, you start to see their real angle of attack.
People think that hackers are going to try to guess a password based on information gathered about the target. They think that if they make it some personal nonsense word that no one could possibly know (a fraternity nickname, the name of a childhood imaginary friend) the hacker will be baffled and give up. What brute force hacking actually does is try every letter and number combination, so what seems nonsensical to your coworkers is attempt 374,765 out of 12,234,123 for a hacking script.
So why use longer passwords, special characters, and a mix of lower and upper case letters and numbers? Because it's a numbers game. While processing speeds are allowing hackers to run longer and longer scripts, it's still a time-to-results ratio. If I want to run a script to check every possibility for a 6-digit number-only password, that's 10 x 10 x 10 x 10 x 10 x 10, or 1,000,000 possibilities right there. Make it letters AND numbers and it jumps to 2,176,782,336. A hacker needs to decide what mix of search criteria is going to yield the best results in the smallest, most profitable amount of time. I'm sure they could brute force a password containing lots of special characters, but the return on time invested is far too little for them to consider it. Most thieves, online and in real life, aren't looking to work harder than they would at a real job. They won't go after tougher game when there are plenty of people using 123456 as their password.
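As an added example (not code from the original post), the Python below carries the post's arithmetic through for both of the points above: it computes the search space for a given character set and length (10^6 for six digits, 36^6 for six lower case letters and digits), converts that into days at the post's figure of 120,000 guesses a day, and applies a simple defender-side policy check that rejects the top breached passwords the post names. The denylist is constructed here from the passwords mentioned on the page; the count of 32 special characters, the 12-character minimum, and the three-class rule are assumptions chosen for illustration, not numbers from the report.

```python
"""Keyspace arithmetic and a denylist-based password policy check.

Added example; not part of the original post. Constants marked as assumed are
illustrative choices, not figures from the report the post discusses.
"""
from typing import List

# Character-class sizes. Digits and lower case match the post's arithmetic;
# the special-character count (32 printable ASCII punctuation marks) is assumed.
DIGITS = 10
LOWER = 26
UPPER = 26
SPECIAL = 32

# Constructed denylist built only from passwords named on the page
# (the top three from the report plus the post's "PASSWORD" server example).
# A real deployment would compare against a full breach corpus.
BREACHED_TOP = {"123456", "12345", "123456789", "password"}

# Guess rate taken from the post's "120,000 front doors a day" figure.
GUESSES_PER_DAY = 120_000

# Assumed policy thresholds for the illustration.
MIN_LENGTH = 12
MIN_CLASSES = 3


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols from a set of `charset_size`."""
    return charset_size ** length


def days_to_exhaust(charset_size: int, length: int,
                    guesses_per_day: int = GUESSES_PER_DAY) -> float:
    """Days needed to try every password in the keyspace at the given guess rate."""
    return keyspace(charset_size, length) / guesses_per_day


def character_classes(password: str) -> int:
    """Count which of the four character classes the password actually uses."""
    classes = 0
    if any(c.isdigit() for c in password):
        classes += 1
    if any(c.islower() for c in password):
        classes += 1
    if any(c.isupper() for c in password):
        classes += 1
    if any(not c.isalnum() for c in password):
        classes += 1
    return classes


def effective_charset_size(password: str) -> int:
    """Size of the smallest standard character set that could contain this password."""
    size = 0
    if any(c.isdigit() for c in password):
        size += DIGITS
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(not c.isalnum() for c in password):
        size += SPECIAL
    return size


def policy_violations(password: str) -> List[str]:
    """Return the reasons a candidate password fails the (assumed) policy; empty means accepted.

    The denylist check runs first and is case-insensitive, so "PASSWORD" is rejected
    for the same reason as "password" regardless of how long it is.
    """
    reasons = []
    if password.lower() in BREACHED_TOP:
        reasons.append("appears in the known-breached password list")
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(password) < MIN_CLASSES:
        reasons.append(f"uses fewer than {MIN_CLASSES} character classes")
    return reasons


if __name__ == "__main__":
    for charset, length, label in [(DIGITS, 6, "6 digits"),
                                   (DIGITS + LOWER, 6, "6 lower case + digits"),
                                   (DIGITS + LOWER + UPPER + SPECIAL, 12, "12 mixed")]:
        print(f"{label:>22}: {keyspace(charset, length):,} possibilities, "
              f"{days_to_exhaust(charset, length):,.1f} days at {GUESSES_PER_DAY:,}/day")
    for candidate in ["123456", "PASSWORD", "summer2010", "Tr0ub4dor&3xample!"]:
        print(f"{candidate!r}: {policy_violations(candidate) or 'accepted'}")
```

Running the script reproduces the post's two figures (1,000,000 and 2,176,782,336) and shows that at 120,000 guesses a day the six-digit space is exhausted in just over eight days while the six-character alphanumeric space takes roughly fifty years, which is the "return on time invested" argument in numbers. The denylist check matters independently of length: a password that appears in a breach list is tried in the first handful of guesses no matter how large its theoretical keyspace.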
Hackers know that once their script registers a hit, your password might also be the same for your email, Facebook, Twitter, and possibly online banking and credit card sites. Most hackers seem content to let their script send out a poorly written email trying to get your email contacts to buy computers or Viagra, and the most the victim suffers is some professional and personal embarrassment. However, should someone have more long term and malevolent intentions, especially if it's a work password that has been compromised, the damage can be long lasting and lead to a series of relationship-ending problems with your clients.
In short, changing your passwords should be something that's done frequently, and whenever any sort of security breach occurs. It may be annoying to your employees, but it's better than explaining to your clients why the password to your server was PASSWORD.