Posts Tagged ‘passwords’

How I’d Hack Your Weak Passwords

Posted: December 16, 2010 in Hacking, How to...., Indepth, Tutorial
Tags: , , ,
0

This article was posted on onemansblog.com by John Pozadzides

If you invited me to try and crack your password, you know the one that you use over and over for like every web page you visit, how many guesses would it take before I got it?

Let’s see… here is my top 10 list. I can obtain most of this information much easier than you think, then I might just be able to get into your e-mail, computer, or online banking. After all, if I get into one I’ll probably get into all of them.

  1. Your partner, child, or pet’s name, possibly followed by a 0 or 1 (because they’re always making you use a number, aren’t they?)
  2. The last 4 digits of your social security number.
  3. 123 or 1234 or 123456.
  4. “password”
  5. Your city, or college, football team name.
  6. Date of birth – yours, your partner’s or your child’s.
  7. “god”
  8. “letmein”
  9. “money”
  10. “love”

Statistically speaking that should probably cover about 20% of you. But don’t worry. If I didn’t get it yet it will probably only take a few more minutes before I do…

Hackers, and I’m not talking about the ethical kind, have developed a whole range of tools to get at your personal data. And the main impediment standing between your information remaining safe, or leaking out, is the password you choose. (Ironically, the best protection people have is usually the one they take least seriously.)

One of the simplest ways to gain access to your information is through the use of a Brute Force Attack. This is accomplished when a hacker uses a specially written piece of software to attempt to log into a site using your credentials. Insecure.org has a list of the Top 10 FREE Password Crackers right here.

So, how would one use this process to actually breach your personal security? Simple. Follow my logic:

  • You probably use the same password for lots of stuff right?
  • Some sites you access such as your Bank or work VPN probably have pretty decent security, so I’m not going to attack them.
  • However, other sites like the Hallmark e-mail greeting cards site, an online forum you frequent, or an e-commerce site you’ve shopped at might not be as well prepared. So those are the ones I’d work on.
  • So, all we have to do now is unleash Brutus, wwwhack, or THC Hydra on their server with instructions to try say 10,000 (or 100,000 – whatever makes you happy) different usernames and passwords as fast as possible.
  • Once we’ve got several login+password pairings we can then go back and test them on targeted sites.
  • But wait… How do I know which bank you use and what your login ID is for the sites you frequent? All those cookies are simply stored, unencrypted and nicely named, in your Web browser’s cache. (Read this post to remedy that problem.)

And how fast could this be done? Well, that depends on three main things, the length and complexity of your password, the speed of the hacker’s computer, and the speed of the hacker’s Internet connection.

Assuming the hacker has a reasonably fast connection and PC here is an estimate of the amount of time it would take to generate every possible combination of passwords for a given number of characters. After generating the list it’s just a matter of time before the computer runs through all the possibilities – or gets shut down trying.

Pay particular attention to the difference between using only lowercase characters and using all possible characters (uppercase, lowercase, and special characters – like @#$%^&*). Adding just one capital letter and one asterisk would change the processing time for an 8 character password from 2.4 days to 2.1 centuries.

Password Length All Characters Only Lowercase
3 characters
4 characters
5 characters
6 characters
7 characters
8 characters
9 characters
10 characters
11 characters
12 characters
13 characters
14 characters		 0.86 seconds
1.36 minutes
2.15 hours
8.51 days
2.21 years
2.10 centuries
20 millennia
1,899 millennia
180,365 millennia
17,184,705 millennia
1,627,797,068 millennia
154,640,721,434 millennia		 0.02 seconds
.046 seconds
11.9 seconds
5.15 minutes
2.23 hours
2.42 days
2.07 months
4.48 years
1.16 centuries
3.03 millennia
78.7 millennia
2,046 millennia

Remember, these are just for an average computer, and these assume you aren’t using any word in the dictionary. If Google put their computer to work on it they’d finish about 1,000 times faster.

Now, I could go on for hours and hours more about all sorts of ways to compromise your security and generally make your life miserable – but 95% of those methods begin with compromising your weak password. So, why not just protect yourself from the start and sleep better at night?

Believe me, I understand the need to choose passwords that are memorable. But if you’re going to do that how about using something that no one is ever going to guess AND doesn’t contain any common word or phrase in it.

Here are some password tips:

  1. Randomly substitute numbers for letters that look similar. The letter ‘o’ becomes the number ’0′, or even better an ‘@’ or ‘*’. (i.e. – m0d3ltf0rd… like modelTford)
  2. Randomly throw in capital letters (i.e. – Mod3lTF0rd)
  3. Think of something you were attached to when you were younger, but DON’T CHOOSE A PERSON’S NAME! Every name plus every word in the dictionary will fail under a simple brute force attack.
  4. Maybe a place you loved, or a specific car, an attraction from a vacation, or a favorite restaurant?
  5. You really need to have different username / password combinations for everything. Remember, the technique is to break into anything you access just to figure out your standard password, then compromise everything else. This doesn’t work if you don’t use the same password everywhere.
  6. Since it can be difficult to remember a ton of passwords, I recommend using Roboform for Windows users. It will store all of your passwords in an encrypted format and allow you to use just one master password to access all of them. It will also automatically fill in forms on Web pages, and you can even get versions that allow you to take your password list with you on your PDA, phone or a USB key. If you’d like to download it without having to navigate their web site here is the direct download link.
  7. Mac users can use 1Password. It is essentially the same thing as Roboform, except for Mac, and they even have an iPhone application so you can take them with you too.
  8. Once you’ve thought of a password, try Microsoft’s password strength tester to find out how secure it is.

By request I also created a short RoboForm Tutorial. Hope it helps…

Another thing to keep in mind is that some of the passwords you think matter least actually matter most. For example, some people think that the password to their e-mail box isn’t important because “I don’t get anything sensitive there.” Well, that e-mail box is probably connected to your online banking account. If I can compromise it then I can log into the Bank’s Web site and tell it I’ve forgotten my password to have it e-mailed to me. Now, what were you saying about it not being important?

Often times people also reason that all of their passwords and logins are stored on their computer at home, which is save behind a router or firewall device. Of course, they’ve never bothered to change the default password on that device, so someone could drive up and park near the house, use a laptop to breach the wireless network and then try passwords from this list until they gain control of your network – after which time they will own you!

Now I realize that every day we encounter people who over-exaggerate points in order to move us to action, but trust me this is not one of those times. There are 50 other ways you can be compromised and punished for using weak passwords that I haven’t even mentioned.

I also realize that most people just don’t care about all this until it’s too late and they’ve learned a very hard lesson. But why don’t you do me, and yourself, a favor and take a little action to strengthen your passwords and let me know that all the time I spent on this article wasn’t completely in vain.

If you liked John’s post you can listen to an interview with him on Connecticut Public Radio > HERE

Hack the Sticky Keys Feature to Reset a Forgotten Windows 7 Password

Posted: August 16, 2010 in Hacking, How to...., Windows, Windows 7
Tags: , , ,
0

If you’ve ever forgotten your password or been asked to assist somebody else in resetting their password, there’s a lot of different ways to accomplish it. Here’s how to do it by hacking the Sticky Keys feature.

Over at the 4sysops blog, they’ve written up the process of resetting your Windows password by booting off a repair disk, opening a command prompt, and copying cmd.exe over top of sethc.exe. Once you’ve done that, you can boot back up into Windows until you get to the login prompt, press the Shift key 5 times, and you’ll see a command prompt where you can use the net user command to reset the password.

If the system already has the Sticky Keys feature disabled, or you don’t feel like copying files around, you can use an Ubuntu Live CD to reset your Windows password instead.

For more Windows 7 articles go to howtogeek.com

Can a Hacker Guess Your Passwords?

Posted: May 1, 2010 in comedy, Cyber Crime, Hacking
Tags: ,
0

Strong passwords are the first line of defense against identity theft

We use passwords so often that it’s easy to lose sight of just how critical a password really is: one of the best defenses we have against cybercrime is often the one we take the least seriously.

After a hacking incident in 2009, InformationWeek analyzed the login information of the site’s 20,000 users and found that most passwords were ones a hacker could guess in seconds. The most common passwords? 123456 and password.

Don’t make it this easy for the cyber criminals—create strong passwords that are easy for you to remember but hard for others to guess.

Why you need strong passwords

It can be tempting to use an easy-to-remember sequence like a birth date or cell phone number as a password. But don’t. Many systems have been broken into due to weak passwords, which are passwords that can be easily guessed or can be quickly decoded by a cracking program.

A password cracking program is a tool that runs through a list of possible passwords, one-by-one, until it hits on the right combination; it can process tens of thousands of different passwords in one second. The list of possible passwords the program uses can include commonly used passwords, dictionary words, and information specific to you, such as your birth date.

Once your password is known, a hacker can tap into your private information and do all sorts of damage, ranging from reading your personal emails and creating fake postings on your profile page to robbing your bank accounts and stealing your identity.

Tips for creating a strong password

4 Password Dos

  • Use long passwords. The longer your password is, the better. Use a password that has at least 8 characters, and for your high-security accounts, security experts recommend even longer passwords: at least 14 characters. (How can you remember 14 characters? See “Consider building passwords based on phrases” below for some ideas.)
  • Mix it up. Use a mix of uppercase letters, lowercase letters, numbers, and symbols—the more types of characters you use in your password, the harder it is to guess.

    To illustrate: For an 8-character password with all lowercase letters, a cracking tool would be able to run through every possible combination in 2.42 days. By mixing in uppercase letters, numbers, and symbols, the tool would take 210 years to run through every combination.

  • Use text that’s not in a dictionary. A password cracking program can check millions of dictionary words in seconds. Avoid “real” words that can be found in a dictionary.
  • Change passwords regularly. Change your passwords on a regular basis. Every 60-90 days is the recommendation of most security advisors; you may want to change them more or less often depending on the security of the information the password is protecting.

4 Password Don’ts

  • Don’t use ‘password’. The word password and variations such as password1, passwd, p@$$w0rd, and drowssap (password spelled backwards) are so common that many hackers start with these.
  • Don’t use easy-to-guess patterns. Don’t use a sequence of characters (like 123456 or abc123), repeated characters (ioioio), or patterns that use characters that are close together on the keyboard (qwerty).
  • Don’t use your name or other personal characteristics. Don’t use your first or last name, and don’t use terms associated with your personal life that others may know, like the name of your spouse or children, names of pets, license plate numbers, and phone numbers.
  • Don’t use the same passwords for every account. The risk in using the same password for multiple accounts is that if someone figures out one password, that person now has access to everything else. For the utmost in security, use a different password for every password-protected program, web site, and account that you use. It’s particularly critical that you not re-use your email account password on web sites because once it’s compromised, the door is opened to all your accounts that have your email address on file.

Consider building passwords based on phrases

The truth is that a long string of random characters can be hard to remember, especially when you have a lot of different passwords to keep track of.

One strategy is to use passwords that are built from easily remembered phrases. You take the first letters from each of the words in the phrase, and you also mix in some symbols and numbers in place of certain words, like using & to replace “and.”

Here are a few examples of strong passwords built on phrases:

  • M2010nyri2l15# (“My 2010 new year’s resolution is to lose 15 pounds”)
  • Lmu?i:Wayd4o? (“Life’s most urgent question is: What are you doing for others?”)
  • Iw2Tls&cw2gb! (“I went to Texas last summer and can’t wait to go back!”)

Make any security questions strong, too

Automated password resetting is a process that lets you reset your password if you ever forget your current one; it’s typically implemented by you setting up one or more security questions that you have to answer in order to gain access to your account. But if these questions are too simple, someone else may be able to easily guess the answers.

One example of this technique happened in 2008 when the email account of Sarah Palin, a nominee for Vice President of the United States, was broken into. The hacker was able to answer three security questions and illegally access Palin’s email simply by researching her zip code, her birthday, and where she met her husband.

For any account that offers password resetting, be sure to set up strong questions as well.

And remember–keep your passwords secret

The strongest of passwords won’t protect you if others can readily access it. Have you ever seen someone’s password written on a sticky note taped to their monitor? This is a bit like taping your car keys to the windshield—you can easily find your keys, but so can anyone else.

Here are a few tips on safeguarding your passwords:

  • Don’t respond to any email that asks for your password or asks you to verify your password by sending it in. Reputable companies don’t use email to ask their customers for this information.
  • When using public computers such as in airport lounges, internet cafes, and libraries, don’t access any sites that require a password. In these insecure locations, hackers can easily capture everything you type using keylogging devices.
  • The old advice was to never write down your passwords, but with today’s reality, you can end up with dozens of different passwords—and it’s better to use multiple passwords than to just use the one or two passwords that you can memorize. So it’s OK to write down your passwords: just be sure to keep the list in a secure place that others can’t access, such as a locked drawer or a safe deposit box.

How I’d Hack Your Weak Passwords

Posted: April 1, 2010 in Cyber Crime, How to....
Tags: ,
1

Internet standards expert, CEO of web company iFusion Labs, and blogger John Pozadzides knows a thing or two about password security—and he knows exactly how he’d hack the weak passwords you use all over the internet.

Note: This isn’t intended as a guide to hacking *other people’s* weak passwords. Instead, the aim is to help you better understand the security of your own passwords and how to bolster that security.

If you invited me to try and crack your password, you know the one that you use over and over for like every web page you visit, how many guesses would it take before I got it?

Let’s see… here is my top 10 list. I can obtain most of this information much easier than you think, then I might just be able to get into your e-mail, computer, or online banking. After all, if I get into one I’ll probably get into all of them.

  1. Your partner, child, or pet’s name, possibly followed by a 0 or 1 (because they’re always making you use a number, aren’t they?)
  2. The last 4 digits of your social security number.
  3. 123 or 1234 or 123456.
  4. “password”
  5. Your city, or college, football team name.
  6. Date of birth – yours, your partner’s or your child’s.
  7. “god”
  8. “letmein”
  9. “money”
  10. “love”

Statistically speaking that should probably cover about 20% of you. But don’t worry. If I didn’t get it yet it will probably only take a few more minutes before I do…

Hackers, and I’m not talking about the ethical kind, have developed a whole range of tools to get at your personal data. And the main impediment standing between your information remaining safe, or leaking out, is the password you choose. (Ironically, the best protection people have is usually the one they take least seriously.)

One of the simplest ways to gain access to your information is through the use of a Brute Force Attack. This is accomplished when a hacker uses a specially written piece of software to attempt to log into a site using your credentials. Insecure.org has a list of the Top 10 FREE Password Crackers right here.

So, how would one use this process to actually breach your personal security? Simple. Follow my logic:

  • You probably use the same password for lots of stuff right?
  • Some sites you access such as your Bank or work VPN probably have pretty decent security, so I’m not going to attack them.
  • However, other sites like the Hallmark e-mail greeting cards site, an online forum you frequent, or an e-commerce site you’ve shopped at might not be as well prepared. So those are the ones I’d work on.
  • So, all we have to do now is unleash Brutus, wwwhack, or THC Hydra on their server with instructions to try say 10,000 (or 100,000 – whatever makes you happy) different usernames and passwords as fast as possible.
  • Once we’ve got several login+password pairings we can then go back and test them on targeted sites.
  • But wait… How do I know which bank you use and what your login ID is for the sites you frequent? All those cookies are simply stored, unencrypted and nicely named, in your Web browser’s cache. (Read this post to remedy that problem.)

And how fast could this be done? Well, that depends on three main things, the length and complexity of your password, the speed of the hacker’s computer, and the speed of the hacker’s Internet connection.

Assuming the hacker has a reasonably fast connection and PC here is an estimate of the amount of time it would take to generate every possible combination of passwords for a given number of characters. After generating the list it’s just a matter of time before the computer runs through all the possibilities – or gets shut down trying.

Pay particular attention to the difference between using only lowercase characters and using all possible characters (uppercase, lowercase, and special characters – like @#$%^&*). Adding just one capital letter and one asterisk would change the processing time for an 8 character password from 2.4 days to 2.1 centuries.

How I’d Hack Your Weak Passwords

Remember, these are just for an average computer, and these assume you aren’t using any word in the dictionary. If Google put their computer to work on it they’d finish about 1,000 times faster.

Now, I could go on for hours and hours more about all sorts of ways to compromise your security and generally make your life miserable – but 95% of those methods begin with compromising your weak password. So, why not just protect yourself from the start and sleep better at night?

Believe me, I understand the need to choose passwords that are memorable. But if you’re going to do that how about using something that no one is ever going to guess AND doesn’t contain any common word or phrase in it.

Here are some password tips:

  1. Randomly substitute numbers for letters that look similar. The letter ‘o’ becomes the number ‘0′, or even better an ‘@’ or ‘*’. (i.e. – m0d3ltf0rd… like modelTford)
  2. Randomly throw in capital letters (i.e. – Mod3lTF0rd)
  3. Think of something you were attached to when you were younger, but DON’T CHOOSE A PERSON’S NAME! Every name plus every word in the dictionary will fail under a simple brute force attack.
  4. Maybe a place you loved, or a specific car, an attraction from a vacation, or a favorite restaurant?
  5. You really need to have different username / password combinations for everything. Remember, the technique is to break into anything you access just to figure out your standard password, then compromise everything else. This doesn’t work if you don’t use the same password everywhere.
  6. Since it can be difficult to remember a ton of passwords, I recommend using Roboform for Windows users. It will store all of your passwords in an encrypted format and allow you to use just one master password to access all of them. It will also automatically fill in forms on Web pages, and you can even get versions that allow you to take your password list with you on your PDA, phone or a USB key. If you’d like to download it without having to navigate their web site here is the direct download link. (Ed. note: Lifehacker readers love the free, open-source KeePass for this duty, while others swear by the cross-platform, browser-based LastPass.)
  7. Mac users can use 1Password. It is essentially the same thing as Roboform, except for Mac, and they even have an iPhone application so you can take them with you too.
  8. Once you’ve thought of a password, try Microsoft’s password strength tester to find out how secure it is.

By request I also created a short RoboForm Demonstration video. Hope it helps…

Another thing to keep in mind is that some of the passwords you think matter least actually matter most. For example, some people think that the password to their e-mail box isn’t important because “I don’t get anything sensitive there.” Well, that e-mail box is probably connected to your online banking account. If I can compromise it then I can log into the Bank’s Web site and tell it I’ve forgotten my password to have it e-mailed to me. Now, what were you saying about it not being important?

Often times people also reason that all of their passwords and logins are stored on their computer at home, which is safe behind a router or firewall device. Of course, they’ve never bothered to change the default password on that device, so someone could drive up and park near the house, use a laptop to breach the wireless network and then try passwords from this list until they gain control of your network — after which time they will own you!

Now I realize that every day we encounter people who over-exaggerate points in order to move us to action, but trust me this is not one of those times. There are 50 other ways you can be compromised and punished for using weak passwords that I haven’t even mentioned.

I also realize that most people just don’t care about all this until it’s too late and they’ve learned a very hard lesson. But why don’t you do me, and yourself, a favor and take a little action to strengthen your passwords and let me know that all the time I spent on this article wasn’t completely in vain.

Please, be safe. It’s a jungle out there.

EDIT: You might also want to listen to my interview on Connecticut Public Radio about password security.

Twitter’s List Of 100 Banned Passwords

Posted: December 29, 2009 in twitter
Tags: , ,
1

Twitter appears to have learned from its security scare earlier this year and seems to be taking password security more seriously than most Internet services.

TechCrunch and a few other people noticed this list of 370 passwords that Twitter bans its members from using when they sign up for new accounts. They range from the obvious — “password,” “twitter,” etc. — to the obscene and bizarre.

Why ban them? They’re very easy for humans and brute-force hacking scripts to figure out, making it easier for people to get access to your account. On Twitter, this can be embarrassing. On other sites, this can be very costly.

A good, strong password is long, has multiple numbers and letters, mixes upper and lower case, and includes special characters like ! or &. Different sites use different security techniques, and might not allow some characters. But in general, the harder to remember, the better! (Which doesn’t help when you forget your password, of course.)

Here’s the full list of banned Twitter passwords, via TechCrunch:

FOLLOW ME ON TWITTER

1. 111111
2. 11111111
3. 112233
4. 121212
5. 123123
6. 123456
7. 1234567
8. 12345678
9. 131313
10. 232323
11. 654321
12. 666666
13. 696969
14. 777777
15. 7777777
16. 8675309
17. 987654
18. aaaaaa
19. abc123
20. abc123
21. abcdef
22. abgrtyu
23. access
24. access14
25. action
26. albert
27. alexis
28. amanda
29. amateur
30. andrea
31. andrew
32. angela
33. angels
34. animal
35. anthony
36. apollo
37. apples
38. arsenal
39. arthur
40. asdfgh
41. asdfgh
42. ashley
43. august
44. austin
45. badboy
46. bailey
47. banana
48. barney
49. baseball
50. batman

 51. beaver
52. beavis
53. bigdaddy
54. bigdog
55. birdie
56. bitches
57. biteme
58. blazer
59. blonde
60. blondes
61. bond007
62. bonnie
63. booboo
64. booger
65. boomer
66. boston
67. brandon
68. brandy
69. braves
70. brazil
71. bronco
72. broncos
73. bulldog
74. buster
75. butter
76. butthead
77. calvin
78. camaro
79. cameron
80. canada
81. captain
82. carlos
83. carter
84. casper
85. charles
86. charlie
87. cheese
88. chelsea
89. chester
90. chicago
91. chicken
92. cocacola
93. coffee
94. college
95. compaq
96. computer
97. cookie
98. cooper
99. corvette
100. cowboy