Tech Tip: Your Password Can Probably Be Cracked Pretty Quickly

By Computerware, Inc.

Whether you’re talking about identity theft, data breaches, or any other form of cybercrime, one of the leading causes of successful cyberattacks is the use of insufficiently secure passwords. Just how easy is it for someone to bypass such a password? Let’s consider the facts.

How to Crack a Password

Cybercriminals come prepared, first of all. Not only do many of them have access to some pretty sophisticated tools and resources, they go about their selfish and deceitful activities with a strategy based on the average user’s online conduct.

For the cybercriminal, bypassing a password is really just a numbers game. Chances are good that, if they try some commonly-used passwords, they’ll eventually hit pay dirt. For instance, a cybercriminal’s first guesses could look like the following:

• 123456789
• guest
• qwerty
• password
• a1b2c3

Since these are some of the world’s most common passwords — with an estimated 10 to 20 percent of accounts using such passwords — trying different variations of them or adding one or two symbols still gives a cybercriminal a pretty good chance of getting in.

If we imagine ourselves to be cybercriminals, this knowledge helps to simplify our process immensely. With a handy cybercriminal’s password-cracking tool, algorithmically cycling through every dictionary word and randomized combination of characters and increasing in password length as it proceeds, chances are pretty high that we’ll be able to penetrate.

It’s just like trying to guess a bike lock’s combination number. While it’s going to take some time, you could try every possible combination — e.g., 1-1-1, 1-1-2, 1-1-3 — until you either get it, or the bike’s owner is back and not-so-politely asking you to step away from their property.

The more variables there are to try, the more possible options there are — increasing exponentially and making it impossible to manually try every single combination. A computer, on the other hand, could try… and whip through them all, much, much faster. That’s how a password-cracking tool operates.

How Long Before a Password is Cracked?

It all depends on the password. Many of the tools these cybercriminals use will try the usual suspects first, and will therefore crack the password almost immediately. The shorter, weaker passwords can take fractions of a second, with these tools testing millions of potential credentials in that time.

It also depends on the hardware the cybercriminal is using, as a more powerful system will allow the attacker to test potential passwords even that much faster. Let’s go over how speedily a reasonably powerful laptop could crack a password, based on how long the password is, and how complicated it is:

As pictured, weak — or short and simple passwords — would fold almost immediately, holding out for a few seconds or minutes at best. However, once a password is designed to be longer and more complex, the likelihood of a password being cracked within someone’s lifetime becomes far smaller…. and arguably impossible.

That is, however, assuming your password’s length and complexity aren’t wholly reliant on a combination of otherwise common (and therefore, insecure) words or phrases. Sure, “!password12345” may seem to meet some of the basic requirements for a strong password — and based on the password chart above, should take a million years to figure out — but, the use of common password phrases or trends makes it far easier to figure out.

This is precisely why we always advocate for more stringent password practices to ensure each and every one is sufficiently secure. These practices include the aforementioned length and complexity requirements, and avoiding things that could be guessed somewhat easily, including pet names, birthdays, and other common factors. Of course, passwords should never be used more than once, as in, you need a separate password for each account you’re securing.

It’s also important to keep in mind that the results generated above could be accomplished using resources that are out there and available, employing a basic tool on a common laptop. An invested cybercriminal very well could have additional resources at their disposal, things like botnets and significant cloud resources, along with the hardware needed to power through a brute force attempt much faster than our hypothetical mid-range laptop could.

The big takeaway: ALWAYS use strong and secure passwords.