Today we’ll hear from a guest blogger who has studied password cracking and how password complexity affects cracking time. Katherine, thanks for sharing your research!
My name is Katherine, I am a student in fifth grade, and I am interested in computer security. I recently did an experiment to see if my computer can guess passwords, and I entered the project into my school’s STEM Expo.
It is important to know if your password can be guessed easily, because an insecure password may allow your data to be accessed without your knowledge. Computer crime costs $100 billion in the United States and $500 billion worldwide every year.
When you choose a computer password, the computer scrambles it and stores the resulting “hash” in memory. When you enter your password at a later time, the computer uses your entry to create another hash and compares it to the stored hash. If the hashes match, you have entered the correct password. Many people choose passwords based on common words or names, because they are easy to remember. I predicted that I would be able to use my computer to guess passwords that are based on common words or names.
I used an Apple laptop computer for this experiment, and I created 10 user accounts with different passwords: six using common words or names, two using common words with numbers substituted for letters, and two using a mixture of random characters. I found a list of 5000 commonly used passwords online, and I copied the hashed passwords from the test computer. I then wrote a Python program that creates hashes of the common passwords and compares them to the hashes from the test computer. When a hash from the list of common passwords matches a hash from the test computer, the password has been identified.
I was able to identify six of 10 passwords from the test computer in less than one minute; including “password”, “letmein”, “charlie”, “qwerty”, “trustno1”, and “123456”. I was not able to identify more complex passwords; including “d3bb13”, “Vxjw2!Z”, and “362?tu1Z”. I concluded that it is important to choose a strong password, including a mixture of upper case letters, lower case letters, numbers, and symbols. A computer keyboard has 10 digits (0-9), 26 lower case letters (a-z), 26 upper case letters (A-Z), and 33 symbols; so it is possible to include as many as 95 characters in your password.
It is important to realize that long passwords are more difficult to guess than short passwords. Very fast computers can guess 1 trillion times per second, so it is important to choose a password with many possible combinations in order to make a “brute force” attack, in which all combinations are guessed, more difficult:
4 Character Password:
Numbers Only: 10,000 combinations
Numbers + Lower Case Letters: 1,727,604
Numbers + Lower Case + Upper Case: 15,018,570
Numbers + Lower Case + Upper Case + Symbols: 82,317,120
7 Character Password:
Numbers Only: 10,000,000 combinations
Numbers + Lower Case Letters: 80,603,140,212
Numbers + Lower Case + Upper Case: 3,579,345,993,194
Numbers + Lower Case + Upper Case + Symbols: 70,576,641,626,495
10 Character Password:
Numbers Only: 10,000,000,000 combinations
Numbers + Lower Case Letters: 3,760,620,109,779,060
Numbers + Lower Case + Upper Case: 853,058,371,866,181,866
Numbers + Lower Case + Upper Case + Symbols: 60,510,648,114,517,017,120
In summary, even a very fast computer will take a long time to try all possible combinations of a 10 character password that uses a mixture of 95 possible symbols. Since not everyone chooses a long and complex password, it is possible that someone who is interested in guessing your password will instead try to crack an easier password.
Finally, here is a list of the passwords that were most commonly stolen in 2013:
While doing this project, I learned a lot about why it is so important to choose a strong password, and I wish you the best of luck with keeping your data safe!