For you, after multiple Twitch accounts and profiles of renowned players have been hacked
There are different ways to crack people's passwords. One popular way is called "brute-forcing". The method is rather simple and straightforward:
Just try every single possible password there is (and hope that one will fit).
Of course not manually, no. Computers are way faster at carrying out that job for you, plus they don't get tired and don't want to get paid.
But how does this work?
Maybe you guessed it already: how apt a password is at resisting this hacking method depends mainly on two things.
- password length
- number of possible characters. (special characters like +/#/* are good, also CAPITALS and numb3rs.)
Examples
For example, let's say you only use lower-case letters in your password and the hacker assumes that you only use lower-case letters. With that, the second factor (the number of possible characters) will be 26.
If your password length is 1, your possible passwords to pick from will be 26: the number of letters. Your password will look like this, for instance: z
If your password length is 2, your possible passwords to pick from will be 26*26 = 676.
For length 3, you already have 17,576 possible passwords, and so on. It increases exponentially.
So then, you say: I should be safe if I used something like... let's say 8 letters, right? That's already 26^8 possible passwords, which is like a fuckton of them (26*26*26*26*26*26*26*26) = 200 billion, approximately.
Well, yes, it is a fuckload of passwords, but we underestimate how good computers are at this game. To sum it up, even the lowest of potatoes nowadays can crunch at least 100,000 passwords a second. Is your PC any good? Then it can probably do 10,000,000 a second. With that, an 8-letter password is successfully guessed after approximately 6 hours - basically overnight.
Moving on to scary things that technology can do:
Thought 10,000,000 sounded like a lot? Think again. This one checks in at a mind-blowing 350,000,000,000 passwords a second.
If you caught yourself counting zeros, then no, I didn't make a mistake. 350 billion it is.
350 billion? I don't understand what that means in practice
With that, it would take a stunning 9.94 seconds to get your precious 8-letter password.
9 letters isn't safe either: takes 9 minutes.
10 letters isn't safe; got that one done in just about 2 hours.
11 letters is finally safe: 121 days to get that one. Although if your name is Obama and you try to protect your Twitter account, I really wouldn't bet on that one either. Word is out there that some scary machines in foreign countries can do much better than 350 billion a second.
And that is if someone tries using no other rule than "try randomly", which in all honesty is a pretty low-level rule to go by.
Here is a nice chart for everyone who wants to know how long it takes to break a particular password.
Alternatively you can calculate (password length^number of possible characters)/(number of guesses per second*60*60*24) for the number of days it takes someone to crack your password. Consider everything above 5 to be reasonably safe. If you have a dedicated stalker, let's say 15. If you are a celebrity, better go with 150.
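A small Python script (added here as an example; it is not from the original post) that does the keyspace and time-to-exhaust arithmetic above for any character-set size, length and guess rate. It computes the keyspace as (number of possible characters)^(password length), which is what the post's own 26^8 worked example does, and uses the three guess rates the post quotes; the rate labels and the 5-day threshold in the demo are constructed for the example.

```python
"""Brute-force arithmetic: how many passwords exist and how long trying them all takes.

Added example, not code from the original post. Models a pure brute-force
attacker who tries every string of a given length from a given alphabet.
"""

# Guess rates quoted in the post (guesses per second); labels are constructed.
RATES = {
    "lowest potato": 100_000,
    "decent pc": 10_000_000,
    "gpu rig (350 billion/s)": 350_000_000_000,
}
SECONDS_PER_DAY = 60 * 60 * 24


def keyspace(charset_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` characters drawn from `charset_size` symbols."""
    return charset_size ** length


def cumulative_keyspace(charset_size: int, max_length: int) -> int:
    """Every password of length 1..max_length: what an attacker who starts short
    and works upward actually has to try (10 digits, length 10 -> 11,111,111,110)."""
    return sum(charset_size ** k for k in range(1, max_length + 1))


def seconds_to_exhaust(charset_size: int, length: int, guesses_per_second: int,
                       cumulative: bool = False) -> float:
    """Worst-case time to try the whole space at the given guess rate."""
    space = (cumulative_keyspace(charset_size, length) if cumulative
             else keyspace(charset_size, length))
    return space / guesses_per_second


def days_to_exhaust(charset_size: int, length: int, guesses_per_second: int) -> float:
    """Same figure in days, the unit the post's rule of thumb (5 / 15 / 150) uses."""
    return seconds_to_exhaust(charset_size, length, guesses_per_second) / SECONDS_PER_DAY


def minimum_length(charset_size: int, guesses_per_second: int, min_days: float) -> int:
    """Shortest length whose full keyspace takes at least min_days to exhaust."""
    length = 1
    while days_to_exhaust(charset_size, length, guesses_per_second) < min_days:
        length += 1
    return length


def human(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    for unit, size in (("years", 365 * SECONDS_PER_DAY), ("days", SECONDS_PER_DAY),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.2f} seconds"


if __name__ == "__main__":
    for name, rate in RATES.items():
        print(f"{name} at {rate:,} guesses/s")
        for length in (8, 9, 10, 11, 12, 13):
            print(f"  {length:2d} lowercase letters: {human(seconds_to_exhaust(26, length, rate))}")
    gpu = RATES["gpu rig (350 billion/s)"]
    for charset, label in ((26, "lowercase only"), (62, "letters + digits"), (94, "all printable ASCII")):
        print(f"{label}: need {minimum_length(charset, gpu, 5)} characters to last 5 days")
```

The cumulative variant counts every length up to the given one, which is where the post's 11,111,111,110 figure for a 10-digit password comes from (10 + 100 + ... + 10^10). Running the script prints exhaustion times for lowercase passwords of 8 to 13 characters at each of the three rates, and the length each alphabet needs to survive 5 days against the 350 billion/s figure.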
Lastly, if your password has words in it, be warned. Most computers don't just brute-force randomly, but instead come equipped with dictionaries. So if your password has a word in it, or two words combined with no alterations like random numbers or CAPS characters at random places, your password will be done for in a matter of seconds.
As I hinted at before, trying completely random combinations is actually lots of wasted effort. The machine I linked before hacked 90 percent of the 6.5 million registered LinkedIn profiles. Surprise: most people don't know how to pick their password. Now imagine what happens if someone lets a thing like that run wild on PayPal accounts. Good brute-forcers don't just try randomly. They consider the most advanced stuff, like popular word combinations, at what positions you are most likely to capitalize letters, what numbers you are most likely to add to your password and where (hint: don't use 1s at the beginning or end of your password. Especially not at the end.)
Examples for safe passwords
- pjAj3Oj4oaf
- tOTa!#llysafe8
- CraCkIng471
Examples for shit passwords
- CoffeecupRevolution (as said before, there are brute-forcing programs that use dictionaries. They also count on you to capitalize the first letter of a word. So this will count as (number of words in the dictionary)^(number of words used in the password) possible combinations (roughly). Weak. Doesn't last a minute.)
- kjfpaoqi (simply too short)
- 9199159312 (seems long enough, but given that there are only 10 different digits, there aren't enough possible combinations for this one to make it safe: 11,111,111,110 to be exact. Even my laptop could get through this one within a reasonable time.)
- cl3v3rp4ssword (think this one would do the job? Sadly, l33tspeak is well known and well considered by all sorts of algorithms. A brute-force program that runs a dictionary and makes slight modifications to words will get this one too. Might not even take an hour, given that it's only 2 words and 3 of the most obvious modifications. Changing A -> 4 and E -> 3 cannot be considered a safe modification. It is better than nothing, but still weak protection.)
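Here is the post's checklist turned into code: a Python checker (added as an example, not from the original post) that applies the rules above on the defender's side. It flags digits-only and too-short passwords, undoes the common l33t substitutions and checks whether what is left splits into dictionary words with capitals only at word starts, and otherwise estimates the search space from the character classes used. The wordlist, the assumed 20,000-word effective dictionary size, the l33t table and the 11-character minimum (taken from the post's "11 letters is finally safe") are all constructed for the example.

```python
"""Rule-based password weakness checker built from the post's own examples.

Added example, not code from the original post. Everything below is a
constructed approximation of how rule-based crackers shrink the search space.
"""
import string

# Constructed stand-in for a cracking wordlist; frequency-ordered real lists
# put common words near the top, so the effective size is far below "millions".
WORDLIST = {"coffee", "cup", "revolution", "clever", "password",
            "totally", "safe", "cracking", "love", "secret"}
DICTIONARY_SIZE = 20_000    # assumed effective size of the attacker's wordlist
MIN_LENGTH = 11             # the post's "11 letters is finally safe" threshold
GPU_RATE = 350_000_000_000  # guesses per second quoted in the post

# Common l33t substitutions a cracker's rule set undoes (assumed set).
LEET = str.maketrans({"4": "a", "3": "e", "1": "i", "0": "o",
                      "$": "s", "@": "a", "7": "t"})


def charset_size(pw: str) -> int:
    """Size of the smallest standard alphabet containing every character of pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def segment(text: str, wordlist=WORDLIST):
    """Split text entirely into dictionary words (dynamic programming), or return None."""
    best = [None] * (len(text) + 1)
    best[0] = []
    for end in range(1, len(text) + 1):
        for start in range(end):
            if best[start] is not None and text[start:end] in wordlist:
                best[end] = best[start] + [text[start:end]]
                break
    return best[len(text)]


def assess(pw: str) -> dict:
    """Apply the post's rules and estimate the search space a rule-based cracker faces."""
    if pw.isdigit():
        # Only 10 symbols: every length up to len(pw) combined is still tiny.
        space = sum(10 ** k for k in range(1, len(pw) + 1))
        return {"verdict": "weak", "reason": "digits only", "keyspace": space}
    if len(pw) < MIN_LENGTH:
        return {"verdict": "weak", "reason": "too short",
                "keyspace": charset_size(pw) ** len(pw)}
    core = pw.strip(string.digits)  # digit prefixes/suffixes are a standard rule
    words = segment(core.lower().translate(LEET))
    if words:
        # Capitals only at the start of words are a rule, not added entropy.
        starts = {sum(len(w) for w in words[:i]) for i in range(len(words))}
        caps = {i for i, c in enumerate(core) if c.isupper()}
        if caps <= starts:
            return {"verdict": "weak",
                    "reason": "dictionary words with predictable capitalisation",
                    "words": words, "keyspace": DICTIONARY_SIZE ** len(words)}
    return {"verdict": "ok", "reason": "no pattern found",
            "keyspace": charset_size(pw) ** len(pw)}


def seconds_to_exhaust(keyspace: int, rate: int = GPU_RATE) -> float:
    """Worst-case time to try the estimated search space at the given rate."""
    return keyspace / rate


if __name__ == "__main__":
    for pw in ["pjAj3Oj4oaf", "tOTa!#llysafe8", "CraCkIng471",
               "CoffeecupRevolution", "kjfpaoqi", "9199159312", "cl3v3rp4ssword"]:
        r = assess(pw)
        print(f"{pw:22} {r['verdict']:5} {r['reason']:48} "
              f"~{seconds_to_exhaust(r['keyspace']):.3g} s at 350 billion/s")
```

Run as-is it classifies the seven passwords from the two lists above: the three "safe" ones come out as "ok" because random capitals or symbols in the middle of a word break the dictionary match, while CoffeecupRevolution and cl3v3rp4ssword are caught as dictionary words once capitalisation and l33t are normalised, and the remaining two fail on length and alphabet size.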
Will choosing one of the safe passwords prevent you from getting hacked? No, there are other methods to get passwords, but the one I described is the most common one. You can't avoid getting hacked by doing this, but you can avoid getting brute-force-hacked. This is about as good as you can do if you stay away from suspicious porn sites and don't get keyloggers and all sorts of viruses on your PC. (*cough* shoutout to Linux *cough*)
Don't make avoidable mistakes. Getting brute-forced can be avoided. Be the 10% on LinkedIn.
Also don't be an idiot and give your password to others. A secret between 3 men is only safe when 2 men are dead. Benjamin Franklin knew that, and now you do too.
I appreciate passwords being changed to things that somehow honor my name.
Edit:
ColdTooth wrote:
Does this affect everything with a password, like bnet, osu! itself, and other websites like newgrounds?
The short answer is yes.
It might also be worth noting that if I get a hold of your email and password here, I will check the same email-password combination for Facebook, PayPal, Youtube, Amazon, Netflix, Skype, Origin, various email providers, Steam and all other sites that I could for some reason be interested in. I might get lucky! Never ever use the same password twice, especially if it is a weak one. That would be a deadly mistake.
A longer and more informational video on the topic
loe4boe wrote:
I'll leave this here if someone is interested.
Generally, if you have something to add to this topic, I will try to edit it in later. Thanks for the heads-up, loe4boe, pointing out that l33t is not a good way to protect yourself. I edited that in too, and made a couple minor changes on the side.
I guess that's it then. Spread the word and correct me if I got things terribly wrong somewhere! Have a good one.