What kinds of passwords are there? Using a simple password. Types of passwords.


What password should I set?

Everyone has encountered the problem of choosing a password.

It should not get lost in your memory, no one else should be able to guess it, and it should be tamper-resistant, in other words unbreakable. A lot can be written about ciphers and passwords. But besides a unique and "correctly" composed password, you also need to organize its storage and administration systematically and competently. On the other side lies paranoia, and what if you forget it...

Cracking a password is difficult, but it is possible. You can, however, make the crackers' job seriously harder.

One of the largest social networks reported that almost every day, out of more than a billion login attempts, more than 600 thousand are made by attackers trying to gain access to other people's messages, photos and other personal information.

The American Internet company SplashData has compiled a list of the stupidest and weakest passwords used by people around the world. Unfortunately, many users pick precisely these, because they are easy to remember.

The most idiotic and, at the same time, dangerous password was “password”.

In second place is the combination of numbers "123456", in third - "12345678". The words “football” and “superman” found their way into the rankings.

12345678
trustno1
baseball
I love you
sunshine
passw0rd
superman

Experts urge you to be more careful and not to use the same password for mail, online banking and other online services. Information security experts warn users not to use the same login-password pair on several different sites. A strong password must contain at least eight characters and include digits, uppercase and lowercase letters, and special symbols (such as underscore, dollar or percent).

Simple passwords are much easier to crack programmatically; complex passwords are very hard to recover by brute force.

A simple tip for choosing a relatively complex password.

Take any word, say the name of a loved one or of a pet. Switch the keyboard to the English layout.

Look at the Russian letters on the keys and type this unforgettable name.

Of course, with a capital letter!

For example, the dog's name Sharik is converted to Ifhbr.

Name Miranda -> Vbhfylf

It is easy to remember and quite difficult to guess or crack.

To make it harder, you can use the title of your favourite book (song, etc.). Better still, if the title contains a numeral, write that numeral as digits. Spaces can be dropped or replaced with an underscore _

For example:

3veirtnthf -> Three Musketeers

100ktnjlbyjxtcndf -> One Hundred Years of Solitude.
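The layout trick as code, together with the check a defender would pair with it: the ЙЦУКЕН-to-QWERTY shift is a fixed one-to-one key mapping, so a cracking dictionary can be shifted the same way, and a password filter can undo the shift and look the result up. This is an added example, not code from the article; the key mapping table and the small word list are constructed here.

```python
"""Russian (ЙЦУКЕН) word typed in the English (QWERTY) layout, and the reverse check.
Added example, not from the original article; the word list is constructed."""

# Same physical key, row by row: ЙЦУКЕН letter -> QWERTY character (ё sits on the ` key).
_RU = "йцукенгшщзхъфывапролджэячсмитьбюё"
_EN = "qwertyuiop[]asdfghjkl;'zxcvbnm,.`"
RU_TO_EN = dict(zip(_RU, _EN))
EN_TO_RU = {e: r for r, e in RU_TO_EN.items()}


def _remap(text: str, table: dict) -> str:
    """Remap letters through `table`, keeping case; digits, '_' and other symbols pass through."""
    out = []
    for ch in text:
        mapped = table.get(ch.lower())
        if mapped is None:
            out.append(ch)
        else:
            out.append(mapped.upper() if ch.isupper() else mapped)
    return "".join(out)


def shift_layout(word: str) -> str:
    """Type a Russian word with the keyboard switched to English ("Шарик" -> "Ifhbr")."""
    return _remap(word, RU_TO_EN)


def unshift_layout(text: str) -> str:
    """Reverse the shift to recover the Russian word ("Ifhbr" -> "Шарик")."""
    return _remap(text, EN_TO_RU)


# Constructed stand-in for a real Russian word list (a cracker would load a full dictionary).
WORDLIST = {"шарик", "миранда", "мушкетера", "одиночества", "блюдо", "пароль"}


def is_shifted_dictionary_word(password: str, wordlist=WORDLIST) -> bool:
    """Password-policy check: True if the password is a dictionary word typed in the wrong
    layout, possibly padded with digits or '_'/'-' at the ends (the "3veirtnthf" pattern)."""
    core = password.strip("0123456789_-")
    return unshift_layout(core).lower() in wordlist
```

The same table, applied to a full dictionary, is what the "dictionaries typed in the wrong keyboard layout" mentioned later on this page amount to, so the shift adds no secrecy of its own.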

Do not use as a password:
  1. 123456, 11111, etc.;
  2. qwerty, fyva, avs, "password" / "пароль", etc.;
  3. a name (yours, a loved one's, a pet's...);
  4. a date of birth (yours, a loved one's, a pet's...);
  5. a phone number.

And:
  6. the minimum acceptable password length is 8 characters;
  7. the password should be meaningless.

Why is this so important when choosing a password?

Let's look at each of these positions separately.

Briefly on the first two points. These passwords are simple, common and known to any hacker; rest assured, they are the first thing a person trying to break into your account will try.

To get an idea of the remaining points, let's dive into the depths of the problem and look at it from the inside.

Any password you enter during registration is hashed before it is stored. There are many such algorithms. Using the most common of them, the one-way MD5 function, as an example, we will trace the path of our password from registration to its cracking.

After hashing, our password takes the form of a hash (checksum), which in our case consists of 32 hexadecimal characters and looks like, for example, "202cb962ac59075b964b07152d234b70" for the password "123".

If an attacker manages to gain access to the storage and obtain the hashes of our passwords, he is then faced with the task of recovering the passwords from them. Special software, easily found on the Internet, will help him with this.

Any program for cracking passwords of this type uses guessing: exhaustive search (brute force), dictionary search, or search by mask. Depending on the complexity and quality of the password, this can take anywhere from a few seconds to several days, months or even years.

Using a standard PC (CPU: 3 GHz) and software (PasswordPro), House of Soviets tested a series of passwords of different lengths and composition for strength.

Passwords consisting only of digits fall first.

Password: "1234"; search time < 1 s.

Password: "1234894"; search time < 1 s.

Letter passwords will last a little longer.

Password: "adfp"; search time = 2 s.

Password: "adrpsdq"; search time = 22 min 1 s.

A combination of lowercase and capital letters will significantly increase the time, but it still remains insufficient, considering that several PCs can be working on decryption at once.

Password: "aBst"; search time = 5 s.

Password: "fdQnnHF"; search time = 1 day, 22 hours 13 minutes.

The best option is a combination of uppercase and lowercase letters, digits and special characters (usually "-" and "_"), with a length of at least 6 characters.

Password: "As_3"; search time = 7 s.

Password: "fN4u-3k"; search time = 11 days, 13 hours 27 minutes.

Password: "fN4u-3kS8"; search time > 1 year.
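The arithmetic behind the timings above, as an added example that is not part of the article: each measured row implies a guess rate (alphabet size to the power of the length, divided by the time), and the rows agree on a single rate of a few million guesses per second, which is what lets you extrapolate the last row. Assumptions are mine: a full exhaustive search over the smallest alphabet covering the password, and a 64-character alphabet (26 + 26 + 10 + the article's "-" and "_") when all four groups are present.

```python
"""Keyspace arithmetic behind the PasswordPro timings quoted above.
Added example, not from the article. Assumes a full exhaustive search over the smallest
alphabet that covers the password; the 2-character special set is the article's "-" and "_"."""
import string

GROUPS = {
    "digits": string.digits,
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "special": "-_",
}


def alphabet_size(password: str) -> int:
    """Size of the smallest union of character groups that contains every character."""
    return sum(len(chars) for chars in GROUPS.values() if any(c in chars for c in password))


def keyspace(password: str) -> int:
    """Number of candidates an exhaustive search of that alphabet and length must cover."""
    return alphabet_size(password) ** len(password)


def implied_guess_rate(password: str, seconds: float) -> float:
    """Guesses per second that a measured full-search time implies."""
    return keyspace(password) / seconds


def seconds_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Time to cover the whole keyspace at the given rate."""
    return keyspace(password) / guesses_per_second


# The article's measured rows, times converted to seconds.
MEASURED = {
    "adrpsdq": 22 * 60 + 1,
    "fdQnnHF": 1 * 86400 + 22 * 3600 + 13 * 60,
    "fN4u-3k": 11 * 86400 + 13 * 3600 + 27 * 60,
}


def consistent_rate(measured=MEASURED) -> float:
    """Average implied rate if all rows agree within a factor of two, else 0.0.
    Agreement shows the table is plain brute force at one CPU speed, not dictionary luck."""
    rates = [implied_guess_rate(p, t) for p, t in measured.items()]
    return sum(rates) / len(rates) if max(rates) <= 2 * min(rates) else 0.0


if __name__ == "__main__":
    rate = consistent_rate()
    print(f"implied rate: {rate:,.0f} guesses/s")
    for pw in ("1234", "aBst", "fN4u-3kS8"):
        print(pw, f"{seconds_to_exhaust(pw, rate) / 86400:,.1f} days")
    # A GPU cracking unsalted MD5 runs orders of magnitude faster; scale `rate` to size a policy.
```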

Guessing can be done not only by combining printable characters one after another, but also from a specific list of words: a password database that may include a dictionary (Dahl's, for example), user passwords stolen from other sites, and your personal data carefully collected from the Internet. It is therefore important that the password be meaningless and contain no such obvious data as the day, month or year of your birth, the names of you and your loved ones, and so on.

Is it safe to store a password on a computer?

No. There is a huge number of programs (Trojans, keyloggers) that can search your hard drive or a connected flash card for valuable files, or record the keys you press, and send the extracted information to their owner.

Cracking a password: possible, but now difficult.

Even if you are protected by a Firewall and an antivirus with the latest update, it is better to play it safe and store really important information in a paper notepad.

And there is also the letter ё!

What password to choose.

After reading a lot of related literature and looking through a ton of Habr topics (links to the interesting ones are given at the end of the article), I decided to summarize the information about the main methods of generating a strong and memorable password.

Let me start by saying that I myself use the wonderful KeePass program to generate and store my passwords. Its functionality is quite sufficient for all my modest webmaster needs. Its main disadvantage is that it too requires you to remember one master password. So all this fuss about coming up with a password also concerns me and all the happy owners of KeePass or its analogues, because you still have to come up with one password.

Let's talk about hacking methods

To understand the full depth of the problem, I will devote a couple of lines to cracking technique. So, how can an attacker find out or guess your password?
  1. Method of logical guessing. Works on systems with a large number of users. The attacker tries to understand your logic when creating a password (login + 2 characters, login in reverse, the most common passwords, etc.) and applies this logic to all users. If there are many users, very soon a collision will occur and the password will be guessed;
  2. Dictionary search. This type of attack is used when the database with hashed passwords is leaked from the server. It can be combined with the replacement of letters (typos) or with the substitution of numbers/words at the beginning or end of a word as a prefix or suffix. Dictionaries typed in the wrong keyboard layout are also used (Russian words in the English layout);
  3. Searching through a table of hashed passwords. An advanced method of cracking passwords, when the hashes have already been generated and all that remains is to find a match in the database for the hash and the password. It works very quickly even on weak machines and leaves no chance for owners of short passwords.
  4. Other methods: sociotechnics and social engineering, the use of keyloggers, sniffers, Trojans, etc.

Password strength

Summarizing the information obtained from various reliable sources, I will highlight the main features of a password that is resistant to hacking (by hacking I mean searching through hash databases, when the hashing algorithm is known in advance):
  1. Password length (the longer the better), for advanced cases it is recommended to use a 15-character password;
  2. Absence of dictionary words and parts of common passwords in the password;
  3. Lack of templates when creating a password (by template I mean a logical algorithm for generating a password, for example: “Med777vedev”, “12@ytsu@21” or even “q1w2e3r4t5”);
  4. Random sequences of characters from various groups (lowercase, uppercase, digits, punctuation marks and special characters).
However, we are all people with a rather limited ability to remember incoherent information, so passwords that fit the parameters described above, while very resistant to cracking, are also very difficult to remember. Let's therefore consider less paranoid options for creating and remembering passwords.

How do people remember their passwords?

Having analyzed how Habr users generate passwords, I came to the conclusion that the main method of remembering a password is based on building a logical or associative chain. All sorts of distortions of words are also used. It can be:
  1. Domain names interspersed with login (“gooUSERglcom”, “UmailruSer”);
  2. A certain standard phrase that is attached to the domain (“passgoogleru”, “passhabrahabrru”);
  3. Common word interspersed with significant figures and other signs (“321DR67ag0On”, where 32167 is a cheat that summoned 5 black dragons in Heroes of Might & Magic);
  4. Russian words in the English layout (",k.lj")
