I've been cracking passwords lately for pen tests, and I'm surprised at how corporate guidelines don't really help people choose passwords. As in many places in security, a disconnect exists between how people secure systems and how hackers break systems. So the following is a brief description of what hackers do (or, at least, what I do when pen-testing systems).

The first problem is an "online" vs. "offline" attack. An online attack is where hackers try to log on pretending to be you and guess your password. Unless you've chosen something extremely easy to guess (such as "Wasila High"), this isn't a big danger. Online systems automatically lock your account after too many bad guesses.

The real danger is "offline" cracking. Hackers break into a system to steal the encrypted password file or eavesdrop on an encrypted exchange across the Internet. They are then free to decrypt the passwords without anybody stopping them.

Doing this, hackers can guess passwords at the rate of 1 billion guesses a second. That's fast, but not when you consider how big the problem is. Consider passwords composed of letters, numbers, and symbols. That's roughly 100 combinations per character. A five-character password will have 10 billion combinations. This means a hacker can guess a five-character password in only 10 seconds. But things quickly get worse for the hacker. This problem grows exponentially:

5 characters = 10 seconds
6 characters = 1,000 seconds
7 characters = 1 day
8 characters = 115 days
9 characters = 31 years
10 characters = 3,000 years

This is why you need long passwords. Hackers can usually crack anything with seven characters or fewer, but they would be unlikely to guess passwords using this technique that are nine characters or more.

This is also why you need complex passwords containing uppercase and lowercase, numbers, and symbols. That's 100 possible combinations for each character. Lowercase passwords have only 26 combinations per character. A hacker can guess an all-lowercase password of 10 characters in about two days.

However, hackers have another trick up their collective sleeve: the mutated dictionary attack. Because of the above problem, you might choose a large password, like "Aardvark-Zebra9." This is longer than what a hacker will be able to discover by brute force. So hackers solve this with a "dictionary" attack. Instead of trying all combinations of characters, they instead try to match passwords with words in a dictionary. They then "mutate" the words, reflecting common things people do to passwords.

When users are told to make their passwords complex, they usually do something simple to them. Instead of choosing "robert" as a password, they will make it "robert!". Putting an exclamation mark at the end of a password is one of the most common mutations people choose. Hackers know this, so their dictionary cracks will do the same thing.

Here is a list of common mutations a hacker will try to dictionary words:

• capitalizing the first letter of a word;
  
• checking all combinations of upper/lowercase for words;
  
• inserting a number randomly in the word;
  
• putting numbers on the ends of words;
  
• putting numbers on the beginning of words;
  
• putting the same pattern at both ends, like *foobar*;
  
• replacing letters like "o" and "l" with numbers like "0" and "1";
  
• punctuating the end of words;
  
• duplicating the first letter, or all letters in the word;
  
• combining two words together; and
  
• putting punctuation or space between the words.

Hackers are also smart about which words they choose. They don't just choose English words, but also include most popular languages (i.e., Spanish, French, German). They also choose words from pop culture, like xbox360 or Britney Spears.

If they know who you are, they will find words particular to you. Let's say your name is "John Smith," you drive a "BMW," you work for "Microsoft," and you like to watch "The Office." A hacker will Google these terms and create wordlists from the resulting Web pages. Thus, "Carell325i" seems like a fine 10-character password to defeat hackers, but will get cracked in only a few minutes by a hacker who knows you. (I like to use the Associative Word List Generator Web site to generate password lists for me.)

So how do you choose something that hackers can't guess? Well, remember that hackers aren't all-powerful. Increased complexity of things they have to check, the less likely they will guess your password. Yes, they will check for numbers on the ends of passwords, but as long as you've chosen something like your birthdate instead of 1234, it's something more likely to be missed.

Including just one international character, like a vowel with an umlaut, will defeat most password crackers. They can be typed by holding down the key and typing a -three-digit number on the numpad. Typing long phrases instead of words will also help. In theory, it should be easy to guess "Twas as a dark and stormy night" as a passphrase, but in practice, hackers won't catch it.

On the flip side, the more complex you make your password, the harder it will be for you to type it in. Try to create something as long as you can comfortably type, while still keeping in mind the techniques above.

Robert Graham is CEO of Errata Security. Special to Dark Reading