Why is !!1014JFcfLM a bad password?

Submitted by dnieweg on Tue, 01/19/2016 - 01:44

It seems to meet every characteristic of a good password: it is 12 characters long, and it mixes lowercase and uppercase letters, digits and special characters. The answer to why it is nonetheless a bad password reveals that much of what we thought we knew about making a secure password might just be wrong.

We often hear that hackers use a technique called a dictionary attack to guess your password so they can break into your email, bank or other accounts.

The method is to try a long list of possible passwords from a "dictionary" until one of them opens your account. The process is slow and tedious and takes a lot of time, which the hackers' automated systems happen to have.

So when we create a password we think, "I will choose a password that is not in the dictionary, or at least a mash-up of some words and numbers, to decrease the likelihood significantly." Right?

Here's the main problem we all face. You have used that password before, haven't you? Admit it. You use the same password for your email and most likely for your bank account as well. In fact, you used that password way back on MySpace, and later on Facebook.

So why is that a problem? To get a better perspective, let's fill in the details on where hackers get their dictionary. If you have been picturing some version of Merriam-Webster, you have probably been thinking that a password such as qwertyuiop, q1w2e3r4 or even 147852369 is super safe because it is not in the dictionary and is not even made up of common words.

The real issue starts with the data breaches that happen on a continual basis. Over time the hacker community has gained access to, and compiled, long lists of every password ever leaked from some of the largest systems on the planet. Tens of millions of passwords used on social sites, email sites, dating sites and more are now part of this dictionary.

These dictionaries of known passwords are readily available not only on the dark web but in plain sight, so anyone with a browser can download them. Even you. If you are interested, take a look here: https://downloads.skullsecurity.org/passwords/ The files are plain text files compressed with bzip2 (the .bz2 extension; a compression format in the same spirit as zip, but not the same one). They can be decompressed with a utility such as 7-Zip, or with the bzip2 command itself on Linux and macOS.

Here is an excerpt from one of the lists showing the top 20 passwords, along with a count of the number of accounts that used each one. If you have used 123456 as a password, you are in good company: it was used by 290,729 accounts on this list alone.

This particular list has over 14 million previously used passwords. There is a good chance your password is on this list or one of the others.

[Image: popular passwords]

So what does this mean to you in the way of security for your accounts?

It means that your super-secret, well-thought-out password is quite possibly already in the dictionary. Even if you were the only one in the world ever to use that specific password, chances are you used it not only for your email and bank accounts but also on eBay, Snapchat, Uber, a dating site, a shopping site such as DSW, or any of the thousands of other sites that have been compromised. Once it's on the list, it is on the list.

The next question is how far up the dictionary your password sits. Put yourself in the hacker's shoes for a moment. It takes a certain amount of time to try each password, so which ones are you going to try first? You start with the most popular ones and work your way down. Even if you think your password is complex and you never used it on a site that was compromised, there is still a very high chance that someone else was just as clever as you and used the same password on a site that was hacked. Also remember that a hacker is not trying each of these passwords by typing them in, or even by copy and paste. They are using powerful computers that can crunch lists with millions of records in a short amount of time: against a stolen database of unsalted, fast hashes such as MD5 or SHA-1, a GPU cracker exhausts a 14-million-entry list in well under a second, and against a live login page, where rate limiting slows things down, the attacker simply tries the top of the list first across many accounts.
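To make the two points above concrete (the "count then password" layout of the downloadable lists, and the attacker working that list from the top), here is an added example. It is not code from the original post: it parses a withcount-style list such as those at the skullsecurity URL above, reports where a password ranks and how much of the list an attacker covers with the top few guesses, and replays top-down guessing against a leaked unsalted SHA-1 hash. The sample list embedded in it is constructed for the demo; only its first line (290,729 accounts using 123456) is a figure quoted in this post, and the function names are this example's own.

```python
"""Check where a password sits in a leaked "withcount" list and replay the
attacker's top-down guessing.  Added example for this post, not code from
it.  The list format matches the "withcount" files at
https://downloads.skullsecurity.org/passwords/ (count, whitespace,
password, most common first); the sample list below is constructed, and
only its first line (290,729 accounts using 123456) comes from the post."""
import bz2
import hashlib
from typing import Iterable, Optional

# Constructed sample in the "withcount" layout (right-aligned count, then
# the password).  Counts other than the first are invented for the demo.
SAMPLE_WITHCOUNT = """\
 290729 123456
  80000 12345
  60000 password
  50000 iloveyou
  20000 12345678
  17000 abc123
   5400 qwertyuiop
   3100 q1w2e3r4
    870 147852369
      1 !!1014JFcfLM
"""


def parse_withcount(lines: Iterable[str]) -> list[tuple[str, int]]:
    """Turn 'count password' lines into [(password, count), ...], most
    common first.  Split only on the first whitespace run, because the
    password itself may contain spaces.  Blank or malformed lines are skipped."""
    entries = []
    for raw in lines:
        parts = raw.rstrip("\r\n").split(None, 1)
        if len(parts) != 2 or not parts[0].isdigit():
            continue
        entries.append((parts[1], int(parts[0])))
    # The files are already sorted, but make rank well defined regardless.
    entries.sort(key=lambda e: e[1], reverse=True)
    return entries


def load_withcount_bz2(path: str) -> list[tuple[str, int]]:
    """Read a downloaded .bz2 list without unpacking it to disk.  Leaked
    lists are not clean UTF-8; surrogateescape keeps every raw byte so the
    password can be re-encoded exactly when it is hashed."""
    with bz2.open(path, "rt", encoding="utf-8", errors="surrogateescape") as fh:
        return parse_withcount(fh)


def build_rank_index(entries) -> dict[str, int]:
    """password -> 1-based rank; one dict lookup instead of a 14-million-line scan."""
    return {pw: rank for rank, (pw, _count) in enumerate(entries, start=1)}


def password_rank(password: str, index: dict[str, int]) -> Optional[int]:
    """Where the password sits in the list, or None if it is not on it."""
    return index.get(password)


def fraction_from_top(rank: int, total: int) -> float:
    """How far down the list a rank is (500,000 of 14,000,000 is 1/28)."""
    return rank / total


def coverage(entries, top_n: int) -> float:
    """Share of all leaked accounts an attacker opens by trying only the
    top_n most common passwords: the reason the list is worked top-down."""
    total = sum(count for _pw, count in entries)
    return sum(count for _pw, count in entries[:top_n]) / total


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of the password's raw bytes, as a careless site stores it."""
    return hashlib.sha1(password.encode("utf-8", "surrogateescape")).hexdigest()


def crack_sha1(target_hex: str, entries) -> tuple[Optional[str], int]:
    """Work the list from the top against a leaked unsalted SHA-1 hash, as a
    cracker would.  Returns (password, guesses needed) or (None, list size)."""
    guesses = 0
    for password, _count in entries:
        guesses += 1
        if sha1_hex(password) == target_hex:
            return password, guesses
    return None, guesses


if __name__ == "__main__":
    entries = parse_withcount(SAMPLE_WITHCOUNT.splitlines())
    index = build_rank_index(entries)
    for pw in ("!!1014JFcfLM", "correct horse battery staple"):
        rank = password_rank(pw, index)
        if rank is None:
            print(f"{pw!r}: not in this list")
        else:
            print(f"{pw!r}: rank {rank} of {len(entries)}, "
                  f"{fraction_from_top(rank, len(entries)):.0%} of the way down")
    print(f"top password alone opens {coverage(entries, 1):.1%} of accounts")
    print("cracked:", crack_sha1(sha1_hex("password"), entries))
```

To run it against a real download, replace the sample with `load_withcount_bz2("rockyou-withcount.txt.bz2")` or whichever file you fetched; the rank of a password that is on the list is what matters, and any rank at all means the password is burnt.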

Of course, the goal is never to have the passwords that protect your bank account, email and other important data show up in the crackers' dictionaries. The first way to do this is to use a password unique enough that no one else in the world is using it, or has used it in the past. The more people in the world using the same password as you, the better the chance that it will eventually be used on a site that is compromised.

Remember that clever does not always equate to unique, as many people are clever and look for the same memorable patterns.

The second goal is to use your unique password(s) only on your most important accounts, while using different "throwaway" passwords for all those random accounts you sign up for online. Just remember, while the bank website may be secure, that chat group, software download site or dating site is very likely to be less secure, and one of them is going to be compromised at some point. When that happens, your super-great password ends up in the dictionary for all time.

Hopefully this article gives you a little more insight into why the IT world is so concerned about the uniqueness of your passwords, and why the common advice is to use a different password for each site. The reality, however, is that we have failed to provide a way to remember all those different and super-random passwords, and even then we are not guaranteed absolute security.

The best advice I can offer at this time is as follows:

1) Do change your passwords to something a bit longer and a bit more unique.

2) Do not use the same password you use to access your bank account to create an account to buy shoes or get coupons. (or whatever)

3) Use a password manager. Tools such as lastpass.com are viable and secure ways of managing a different, random password for every site. *
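As an added illustration of item 1, not code from the original post: the only way to be sure a password has never been used by anyone is to pick it at random from a space far larger than the number of passwords people have ever chosen. This example generates such a password with Python's `secrets` module and puts numbers on "unique": the guess space in bits, how that compares with a password that is somewhere on the 14-million-entry list above, and the chance that anyone else has picked the same one. The population figure it uses for "all passwords ever chosen" is an assumption for the calculation, and the function names are this example's own.

```python
"""Generate a password nobody else has used, and put a number on "unique".
Added example for this post, not code from it; standard library only."""
import math
import secrets
import string

# 94 printable ASCII characters: letters, digits and punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def random_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Uniformly random password; `secrets`, not `random`, so it is not
    reproducible by anyone who knows the generator's state."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Size of the guess space, in bits, for a uniformly random password."""
    return length * math.log2(alphabet_size)


def list_bits(list_size: int) -> float:
    """Bits of guessing an attacker needs for a password that is on a leaked
    list of list_size entries (worst case; popular ones fall far sooner)."""
    return math.log2(list_size)


def chance_someone_else_chose_it(bits: float, population: int) -> float:
    """Upper bound on the probability that at least one of `population`
    other randomly chosen passwords equals yours (union bound: N / 2**bits)."""
    return min(1.0, population / 2 ** bits)


if __name__ == "__main__":
    pw = random_password()
    bits = entropy_bits(len(pw), len(ALPHABET))
    print(f"{pw}  ({bits:.1f} bits)")
    print(f"a password on the 14M list: at most {list_bits(14_000_000):.1f} bits")
    # Assumed population: 10**11 passwords ever chosen by anyone, anywhere.
    print("chance another person picked it:",
          f"{chance_someone_else_chose_it(bits, 10**11):.1e}")
```

Sixteen characters from a 94-symbol alphabet give about 105 bits, against roughly 24 bits for the worst-case entry on a 14-million-line list; that gap, not cleverness, is what keeps a password off every list.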

By the way, the password !!1014JFcfLM is in one of the main crackers' dictionaries at roughly number 500,000 of over 14 million records. That puts it only about 1/28 of the way down from the top.

* Note to those in the know: yes, even after the LastPass breach, it is still a great option. The data will be difficult to compromise, and users have plenty of time to change master passwords.