Cracking passwords can be an easy process if good protocols are not put in place.
There are three main ways people will attempt to crack a password – guessing, dictionary attack and brute force attack.
Some passwords can easily be guessed by someone who knows the password holder well. Examples of passwords that may easily be guessed include:
- A password being written on a piece of paper and attached to the person’s monitor;
- A password not being used at all;
- Leaving the password as what was set by the system administration – regularly “password” or “admin”;
- A password being the name of a spouse, child or pet;
- A password being a person’s favourite type of car, favourite celebrity or band;
- A password being a combination of the month and year; or
- A password being the person’s name or using their actual login as their password as well.
Many people also use standards words. In this case a dictionary attack will not take long to determine what the password is.
The last option is a brute force attack which will try every combination of letters, numbers and symbols. The time taken to determine the password will depend on the number of characters and the combination of letters, numbers and symbols. By using a combination of letters, numbers and symbols, there are over 100 possible combinations for each character.
It has been estimated that the time taken to crack a password is as follows:
- 4 characters = 10 seconds
- 6 characters = 1,000 seconds
- 7 characters = 1 day
- 8 characters = 115 days
- 9 characters = 31 years
- 10 characters = 3,000 years
So what does this mean? For the best password security:
- the greater the number of characters in the password, the better (at least 8);
- use a combination of upper and lower case letters, numbers and symbols;
- do not use common words;
- do not give your password to anyone else;
- regularly force users to change their password;
- force users to use a minimum number of characters;
- force users to use a combination of letters, numbers and characters; and
- do not allow the password field to be left blank.