I've been cracking passwords lately for pen tests, and I'm surprised at how corporate guidelines don't really help people choose passwords. As in many places in security, a disconnect exists between how people secure systems and how hackers break systems. So the following is a brief description of what hackers do (or, at least, what I do when pen-testing systems).
I've been cracking passwords lately for pen tests, and I'm surprised at how corporate guidelines don't really help people choose passwords. As in many places in security, a disconnect exists between how people secure systems and how hackers break systems. So the following is a brief description of what hackers do (or, at least, what I do when pen-testing systems).The first problem is an "online" vs. "offline" attack. An online attack is where hackers try to log on pretending to be you and guess your password. Unless you've chosen something extremely easy to guess (such as "Wasila High"), this isn't a big danger. Online systems automatically lock your account after too many bad guesses.
The real danger is "offline" cracking. Hackers break into a system to steal the encrypted password file or eavesdrop on an encrypted exchange across the Internet. They are then free to decrypt the passwords without anybody stopping them.
Doing this, hackers can guess passwords at the rate of 1 billion guesses a second. That's fast, but not when you consider how big the problem is. Consider passwords composed of letters, numbers, and symbols. That's roughly 100 combinations per character. A five-character password will have 10 billion combinations. This means a hacker can guess a five-character password in only 10 seconds. But things quickly get worse for the hacker. This problem grows exponentially:
5 characters = 10 seconds
About the Author(s)
You May Also Like
The fuel in the new AI race: Data
April 23, 2024Securing Code in the Age of AI
April 24, 2024Beyond Spam Filters and Firewalls: Preventing Business Email Compromises in the Modern Enterprise
April 30, 2024Key Findings from the State of AppSec Report 2024
May 7, 2024Is AI Identifying Threats to Your Network?
May 14, 2024
Black Hat USA - August 3-8 - Learn More
August 3, 2024Cybersecurity's Hottest New Technologies: What You Need To Know
March 21, 2024