Your P@55w0rd Still 5ucks… and why


If you’ve read my explanation of how to make a more secure password, Your Password Sucks (A Public Service Announcement)((http://techneeded.com/2015/05/30/passwordsucks/, Daniel Northcutt, 2015)), you might be taking the time to think a bit more about the passwords you use, and making them a bit better.  The method I discussed makes simple changes to the password you already use, so that it is harder for a random person trying to get into your information to guess.

However… it WILL NOT protect you from a hacker.  Here’s why…

Caution: The following list contains strong language…
No.  Top 1–100  Top 101–200  Top 201–300  Top 301–400  Top 401–500
1 123456 porsche firebird prince rosebud
2 password guitar butter beach jaguar
3 12345678 chelsea united amateur great
4 1234 black turtle 7777777 cool
5 pussy diamond steelers muffin cooper
6 12345 nascar tiffany redsox 1313
7 dragon jackson zxcvbn star scorpio
8 qwerty cameron tomcat testing mountain
9 696969 654321 golf shannon madison
10 mustang computer bond007 murphy 987654
11 letmein amanda bear frank brazil
12 baseball wizard tiger hannah lauren
13 master xxxxxxxx doctor dave japan
14 michael money gateway eagle1 naked
15 football phoenix gators 11111 squirt
16 shadow mickey angel mother stars
17 monkey bailey junior nathan apple
18 abc123 knight thx1138 raiders alexis
19 pass iceman porno steve aaaa
20 fuckme tigers badboy forever bonnie
21 6969 purple debbie angela peaches
22 jordan andrea spider viper jasmine
23 harley horny melissa ou812 kevin
24 ranger dakota booger jake matt
25 iwantu aaaaaa 1212 lovers qwertyui
26 jennifer player flyers suckit danielle
27 hunter sunshine fish gregory beaver
28 fuck morgan porn buddy 4321
29 2000 starwars matrix whatever 4128
30 test boomer teens young runner
31 batman cowboys scooby nicholas swimming
32 trustno1 edward jason lucky dolphin
33 thomas charles walter helpme gordon
34 tigger girls cumshot jackie casper
35 robert booboo boston monica stupid
36 access coffee braves midnight shit
37 love xxxxxx yankee college saturn
38 buster bulldog lover baby gemini
39 1234567 ncc1701 barney cunt apples
40 soccer rabbit victor brian august
41 hockey peanut tucker mark 3333
42 killer john princess startrek canada
43 george johnny mercedes sierra blazer
44 sexy gandalf 5150 leather cumming
45 andrew spanky doggie 232323 hunting
46 charlie winter zzzzzz 4444 kitty
47 superman brandy gunner beavis rainbow
48 asshole compaq horney bigcock 112233
49 fuckyou carlos bubba happy arthur
50 dallas tennis 2112 sophie cream
51 jessica james fred ladies calvin
52 panties mike johnson naughty shaved
53 pepper brandon xxxxx giants surfer
54 1111 fender tits booty samson
55 austin anthony member blonde kelly
56 william blowme boobs fucked paul
57 daniel ferrari donald golden mine
58 golfer cookie bigdaddy 0 king
59 summer chicken bronco fire racing
60 heather maverick penis sandra 5555
61 hammer chicago voyager pookie eagle
62 yankees joseph rangers packers hentai
63 joshua diablo birdie einstein newyork
64 maggie sexsex trouble dolphins little
65 biteme hardcore white 0 redwings
66 enter 666666 topgun chevy smith
67 ashley willie bigtits winston sticky
68 thunder welcome bitches warrior cocacola
69 cowboy chris green sammy animal
70 silver panther super slut broncos
71 richard yamaha qazwsx 8675309 private
72 fucker justin magic zxcvbnm skippy
73 orange banana lakers nipples marvin
74 merlin driver rachel power blondes
75 michelle marine slayer victoria enjoy
76 corvette angels scott asdfgh girl
77 bigdog fishing 2222 vagina apollo
78 cheese david asdf toyota parker
79 matthew maddog video travis qwert
80 121212 hooters london hotdog time
81 patrick wilson 7777 paris sydney
82 martin butthead marlboro rock women
83 freedom dennis srinivas xxxx voodoo
84 ginger fucking internet extreme magnum
85 blowjob captain action redskins juice
86 nicole bigdick carter erotic abgrtyu
87 sparky chester jasper dirty 777777
88 yellow smokey monster ford dreams
89 camaro xavier teresa freddy maxwell
90 secret steven jeremy arsenal music
91 dick viking 11111111 access14 rush2112
92 falcon snoopy bill wolf russia
93 taylor blue crystal nipple scorpion
94 111111 eagles peter iloveyou rebecca
95 131313 winner pussies alex tester
96 123123 samantha cock florida mistress
97 bitch house beer eric phantom
98 hello miller rocket legend billy
99 scooter flower theman movie 6666
100 please jack oliver success albert


That is the list of the top 500 most common passwords.((Perfect Passwords, Mark Burnett, 2005, website unreachable))  Originally compiled in 2005, the list has stayed much the same since; later leaks only move the order about a bit from year to year.

Why is this important?

Some facts:((Compiled from various sources across the Internet. A simple search will find numerous links and data.))
  • 14% of users have a password from the top 10 above
  • 40% of users have a password from the top 100 above
  • 79% of users have a password from the top 500 above
  • 91% of users have a password from the top 1000((Not shown for security purposes.))
  • 98.8% of users have a password from the top 10,000((Not shown for security purposes.))

I’m sure you are wondering how this could possibly be, right?  After all, your password is completely unique, and NO ONE COULD GUESS IT…  Well, I’m afraid that they won’t have to guess.

This is how password cracking works…

Generally, a hacker will begin the attack by grabbing the password file stored on a server.  At one time, this was all that was needed, since some servers kept the list in plain text that anyone could read.  Nowadays, the passwords are usually stored as hashes: the password is run through a one-way function such as MD5 or SHA-1 and only the output is kept, so the file no longer contains the passwords themselves.  (This is hashing, not encryption; there is no key that turns the hash back into the password.)

For example:

Instead of password1, you would see its MD5 hash, 7c6a180b36896a0a8c02787eeafb0e5c.

Since a hash cannot be reversed, the attacker does not try to.  He guesses passwords, hashes every guess exactly the way the site did, and looks for matching values.  A single hash of a genuinely strong password may never fall.  But a dump of thousands of hashes made the same way, with no per-user salt (more on that below), means every guess is checked against every user at once, and the users with common passwords fall in seconds.

This is plain guessing by a program.  Using software that is freely available (hashcat and John the Ripper are the usual choices), nearly anyone can seem magically gifted.  The program starts with lists of common passwords like the one above and applies "mangling" rules that copy what people do to make a password look stronger: capitalize the first letter, swap an e for a 3 or an a for an @, tack a digit or a ! on the end.  Each candidate is hashed and compared against the whole dump at millions or billions of guesses per second on an ordinary gaming GPU.  Because two users who chose the same password get the same unsalted hash, the most frequent hashes in the dump are the first to fall, and every cracked password goes back into the list as a new base word for more rules.  The guessing is organized as one or a combination of the following methods:

Dictionary attack: try every word in a list like the one above, exactly as written.
Rule-based attack: take each word and apply mangling rules (capitals, leet substitutions, suffixes) to generate the "hardened" variants people actually use.
Brute force (mask) attack: try every string of a given length and character set, usually narrowed to the shape the site's password rules force.
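To make the mechanics concrete, here is an added example that is not part of the original post: a small Python script written for this page that builds a constructed hash dump for a hypothetical site (the usernames and plaintexts are invented), runs a dictionary plus mangling-rule attack against it the way a cracker does, and then repeats the attack against the same passwords stored with a per-user salt to show why salting multiplies the attacker's work.  The wordlist is a ten-entry stand-in for the top-500 list above; the mangling rules are the usual tweaks (capital first letter, leet substitutions, appended digit or symbol).

```python
import hashlib
import os

# Constructed demo data: the "site" is hypothetical and the plaintexts are
# chosen to illustrate the page's points (words from the list above, a leet
# "hardening" of one of them, a policy-shaped password, and one long
# passphrase that is not in the attacker's candidate set at all).
SITE_PASSWORDS = {
    "alice": "password1",
    "bob":   "123456",
    "carol": "dragon",
    "dave":  "password1",   # same password as alice
    "erin":  "P@55w0rd",    # "hardened" spelling of a top-10 word
    "frank": "Mustang1!",   # what an 8+/capital/digit/symbol policy produces
    "grace": "six red bicycles parked under rain",
}

# Ten-entry stand-in for the top-500 list; a real run uses the whole list.
WORDLIST = ["123456", "password", "12345678", "qwerty", "dragon",
            "mustang", "letmein", "monkey", "abc123", "trustno1"]

LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "5"})
SUFFIXES = ("1", "!", "1!", "123", "@", "$")


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def mangle(word):
    """Yield the word plus the 'hardening' tweaks people actually apply (16 variants)."""
    cap = word.capitalize()
    yield word
    yield cap
    yield word.translate(LEET)
    yield cap.translate(LEET)
    for base in (word, cap):
        for suffix in SUFFIXES:
            yield base + suffix


def candidates(wordlist):
    """The attacker's full guess sequence: every word, every rule."""
    for word in wordlist:
        yield from mangle(word)


def build_unsalted_dump(passwords):
    """What a site storing bare MD5 hands an attacker: user -> md5(password)."""
    return {user: md5_hex(pw) for user, pw in passwords.items()}


def build_salted_dump(passwords):
    """user -> (salt, md5(salt + password)); the salt is random and stored in clear."""
    out = {}
    for user, pw in passwords.items():
        salt = os.urandom(8).hex()
        out[user] = (salt, md5_hex(salt + pw))
    return out


def crack_unsalted(dump, wordlist):
    """Each candidate is hashed once and looked up against every user at once."""
    by_hash = {}
    for user, h in dump.items():
        by_hash.setdefault(h, []).append(user)
    found, work = {}, 0
    for cand in candidates(wordlist):
        work += 1
        users = by_hash.pop(md5_hex(cand), None)
        if users:
            for user in users:          # identical passwords fall together
                found[user] = cand
    return found, work


def crack_salted(dump, wordlist):
    """With a per-user salt the same candidate must be re-hashed for every user."""
    found, work = {}, 0
    for user, (salt, h) in dump.items():
        for cand in candidates(wordlist):
            work += 1
            if md5_hex(salt + cand) == h:
                found[user] = cand
                break
    return found, work


if __name__ == "__main__":
    found, work = crack_unsalted(build_unsalted_dump(SITE_PASSWORDS), WORDLIST)
    print(f"unsalted: {len(found)}/{len(SITE_PASSWORDS)} cracked with {work} hashes: {found}")
    found, work = crack_salted(build_salted_dump(SITE_PASSWORDS), WORDLIST)
    print(f"salted:   {len(found)}/{len(SITE_PASSWORDS)} cracked with {work} hashes")
```

Run it and note two things.  alice and dave share a hash and are cracked by one guess; the unsalted attack needs 160 hashes to finish the whole site, while the salted one needs 381 for the same result, and that gap grows with every extra user.  erin's P@55w0rd and frank's Mustang1! both fall to ordinary rules; grace's passphrase survives only because nothing in the candidate set produces it.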

After all, when you get right down to it…

  • 26 letters
    • Capital (A-Z)
    • Lower case (a-z)
  • 10 numbers (0-9)
  • 8-32 symbols (depending on the system and what is allowed)

So… between 70 and 94 possible characters for each position.  The website's own password requirements tell the attacker how to narrow the search.  If the site requires AT LEAST 8 characters, AT LEAST one capital letter, AT LEAST one number, and AT LEAST one symbol, most passwords will have EXACTLY 8 characters, one capital, one number, and one symbol.  The capital will usually be the first letter.  The number will probably be a 3 standing in for an e, or a 1 tacked on the end.  The symbol will probably be @ or $ inside the word, or ! at the end.  A cracker writes those habits down as a mask and searches that shape first, which cuts the work by orders of magnitude compared with trying every possible 8-character string.
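The narrowing just described can be quantified.  The following Python is an added example for this page, not the author's code: it parses a hashcat-style mask (?u uppercase, ?l lowercase, ?d digit, ?s symbol, ?a any printable, ?1 and ?2 user-defined sets, which is hashcat's real notation) and compares the keyspace of the policy-shaped guess against brute force over every 8-character string.  The guess rate of 10^10 MD5 hashes per second for one GPU is an assumed round figure, not a measurement.

```python
# Hashcat's built-in mask classes: ?l lowercase (26), ?u uppercase (26),
# ?d digit (10), ?s the 33 printable symbols including space, ?a all 95
# printable ASCII characters.  Extra keys (e.g. "1", "2") model hashcat's
# user-defined charsets.
MASK_CLASSES = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95}


def mask_keyspace(mask, classes=MASK_CLASSES):
    """Number of candidates a mask describes.  A literal character counts as 1."""
    total, i = 1, 0
    while i < len(mask):
        if mask[i] == "?":
            total *= classes[mask[i + 1]]
            i += 2
        else:
            i += 1                      # literal: exactly one possibility
    return total


def brute_force_keyspace(alphabet_size, length):
    """Every string of exactly `length` characters over the alphabet."""
    return alphabet_size ** length


def crack_seconds(keyspace, guesses_per_second):
    """Worst-case time to exhaust a keyspace at a given guess rate."""
    return keyspace / guesses_per_second


def human(seconds):
    """Round a duration to the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


# Assumed, not measured: one gaming GPU against unsalted MD5, order of 10^10/s.
ASSUMED_RATE = 10 ** 10

# Three ways to search for the same 8-character, policy-compliant password:
# everything, the shape the policy forces, and the shape plus the habits the
# page describes (symbol is @ or $, digit 1-9 at the end).
SEARCHES = {
    "all 94 printable chars, length 8":
        brute_force_keyspace(94, 8),
    "policy shape: Capital, 5 lowercase, digit, symbol":
        mask_keyspace("?u?l?l?l?l?l?d?s"),
    "policy shape with the usual habits (symbol @/$, digit 1-9 last)":
        mask_keyspace("?u?l?l?l?l?l?1?2", {**MASK_CLASSES, "1": 2, "2": 9}),
}


def report(rate=ASSUMED_RATE):
    """Return (label, keyspace, worst-case time) for each search strategy."""
    return [(label, space, human(crack_seconds(space, rate)))
            for label, space in SEARCHES.items()]


if __name__ == "__main__":
    for label, space, time in report():
        print(f"{label}: {space:,} candidates, at most {time}")
```

At the assumed rate the full 8-character search takes about a week, the policy-shaped mask about ten seconds, and the mask with habits folded in under a second: the "complexity" rules shrink the search by a factor of roughly 60,000 before the attacker has guessed a single character.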

After this, it is all mathematics.  A well-built site makes that mathematics far worse for the attacker: it adds a random salt (a per-user value stored next to the hash) to each password before hashing, so one guess has to be hashed once per user instead of once for everyone and precomputed hash tables are useless; and it uses a deliberately slow, iterated hash such as bcrypt, scrypt or PBKDF2 rather than a single fast MD5 or SHA round, so each guess costs the attacker thousands of times more.  Too many sites still do neither, since coders are often as lazy as the rest of us.

So, on a site that stores plain, unsalted hashes (still a large share of them), your carefully built password sits in the same dump as everyone else's, and the horribly simple passwords of others give the attacker a fast start: they confirm the hash format and seed the wordlist with that site's habits.  The same run that clears out the password1 crowd in seconds keeps chewing on yours; if it is a dictionary word with the usual tweaks, it falls with the rest.

Okay then…

Now you know that no matter how complex your password:

  • it CAN be compromised;
  • you are at the mercy of a site coder;
  • you are at the mercy of other users;
  • you are at the whim of a hacker; and
  • your information is insecure.

HOW ON EARTH CAN YOU PROTECT YOURSELF?!

Well, that is actually rather easy…

Do what you never do…

Change your password(s) often.

You see, cracking a password takes time, but how much depends entirely on the password and on how the site stored it.  A password from the top 10,000 falls against unsalted MD5 in well under a second; an 8-character password shaped by the usual policy falls in seconds to days on one GPU, depending on how well the attacker guesses its shape; a long phrase built as described in Your Password SUCKS can take years.  Most casual hackers (which is most of them) let a dictionary, rule-based and brute-force run go for days to weeks against a dump of hashes.  If your password is changed before the run reaches it, all that work is for naught, since the discovered password is no longer the one on the account.

How to keep the Password Hackers at bay:
  • DO use complex words or phrases as described in Your Password SUCKS; length matters more than cleverness, since every leet substitution above is a rule the cracker already has
  • DO change your password often (every week is best), and immediately when a site you use reports a breach; the new password must not be a predictable variation of the old one, since that is exactly what the mangling rules are built to catch
  • DO NOT use any of the words (or combinations of those words) in the top 500 list above
  • DO NOT use the same password for multiple sites or functions, so that one site's breach does not unlock the rest
