Anti-Hacking: Securing your passwords!

Password security is an important subject on the web today. Many passwords are cracked and hacked every day, especially on popular sites such as MySpace that have a constant account-stealing problem. Some people don't understand what makes a password secure and what doesn't. Some believe a long password is harder to remember, so they prefer short passwords.

It is important to have as many characters as possible in order to make sure your password hashes are not cracked. The password hash is the scrambled, one-way form of your password that the site stores instead of the password itself. Hackers have a large arsenal of tools, programs, and scripts that they use for exploiting websites or databases and cracking the password hashes that are created from your passwords.

How do passwords get cracked?

Many hackers gain access to databases using a number of exploits, or they may even work for the company they are stealing accounts from. So how do they turn those encrypted passwords (the hashes) back into the real ones? They use a number of methods and programs to accomplish this.

Common Brute Forcing Technique

A common technique is brute forcing your password. In this method, a program or script takes your password hash as input and loops through millions of possibilities for your password. Maybe it will get lucky and guess your password early. If your password is protected with, let's say, a standard one-way hash like MD5, the script attempts to guess the password by generating combinations of letters or numbers, MD5ing each one, and then comparing the two MD5s. If the two MD5s match perfectly, it has guessed the password.

Sometimes brute forcing programs do it directly against the website or program. If you have ever seen Terminator 2, where the kid tries to hack an ATM, well, it is very similar. The script or program will try and test all sorts of possibilities directly on the website. It will guess a password for the username of the person the hacker is targeting. This hacking method keeps guessing your password until it receives a success message from the website. This is time consuming, and it's possible that it may flood the website as well. So if your website suddenly gets too many page views (on the same page) yet not as many unique visitors, then perhaps you are being attacked by this method. Of course, this method is not as popular as just exploiting the website's password handling by finding some weak login script.
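One way to apply that page-views-versus-unique-visitors heuristic, as an added example that is not from the original article: the function below counts login-page POSTs per client address in an access log and flags addresses whose count is out of proportion. The log format (Apache combined), the path /login.php and the limit of 3 are assumptions, and the log lines are constructed.

```php
<?php
// Added example, not the article's code: flag an online password-guessing
// attack from web-server access logs using the article's own heuristic, many
// hits on one login page from few distinct visitors. The Combined Log Format,
// the path /login.php and the threshold are assumptions; the log lines are
// constructed sample data.

$sampleLog = <<<'LOG'
203.0.113.5 - - [10/Oct/2023:13:55:01 +0000] "POST /login.php HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2023:13:55:01 +0000] "POST /login.php HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2023:13:55:02 +0000] "POST /login.php HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2023:13:55:02 +0000] "POST /login.php HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2023:13:55:03 +0000] "POST /login.php HTTP/1.1" 200 512
198.51.100.7 - - [10/Oct/2023:13:55:03 +0000] "POST /login.php HTTP/1.1" 302 0
192.0.2.9 - - [10/Oct/2023:13:55:04 +0000] "GET /index.php HTTP/1.1" 200 2048
LOG;

// Count login-page POSTs per client address and report how concentrated they are.
function analyzeLoginTraffic(string $log, string $loginPath, int $perIpLimit): array
{
    $perIp = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // client address, then the request method and path from the quoted request line
        if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)/', $line, $m)) {
            continue;   // unparseable line: skip it rather than abort the whole run
        }
        if ($m[2] === 'POST' && $m[3] === $loginPath) {
            $perIp[$m[1]] = ($perIp[$m[1]] ?? 0) + 1;
        }
    }
    $flagged = array_filter($perIp, fn(int $n) => $n > $perIpLimit);
    return [
        'login_posts' => array_sum($perIp),
        'unique_ips'  => count($perIp),
        'flagged'     => $flagged,   // addresses to rate-limit or lock out temporarily
    ];
}

$report = analyzeLoginTraffic($sampleLog, '/login.php', 3);
printf("%d login POSTs from %d addresses\n", $report['login_posts'], $report['unique_ips']);
foreach ($report['flagged'] as $ip => $n) {
    printf("suspicious: %s made %d login attempts\n", $ip, $n);
}
```

On the constructed sample this reports 6 login POSTs from 2 addresses and flags 203.0.113.5; in production you would run it over a sliding time window rather than a whole file.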

Dictionary Attack

A dictionary attack is just like brute forcing except that it uses a huge English word list, much like a dictionary, to check your password. So if your password was "apple" or "telescope", it can be cracked almost instantly. It is very similar to brute forcing, except that it doesn't check every combination, so it fails if the password is not a word in the list.

How to fight these hacker and cracker techniques?

For the brute forcing technique, a good idea is to make your password a mix of letters and numbers, which increases the number of combinations the program needs to try; this can mean the difference between cracking a password in 30 minutes and cracking it in 2 days, wasting the cracker's time. It's also good to mix in some random characters like #@^&$!*, because usually those aren't tried in a password.

Another important measure is that you should always make your password longer than 8 characters. The reason is that a standard computer can crack a 7-letter password in maybe 10-40 minutes, while a 9-letter password can take maybe 3-30 days depending on the computer's speed. This is a big difference, which is why many recommend 8 characters or more for passwords. If you were to make your password over 10 characters, I'm sure few would ever attempt to crack it anyway.
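As an added check on the figures above (not from the original article): with an alphabet of c symbols and a password of length L, a brute forcer has at most c^L candidates to try, so the cost grows by a factor of c for every extra character.

$$N(c, L) = c^{L}, \qquad \frac{N(26, 9)}{N(26, 7)} = 26^{2} = 676$$

$$676 \times 10\ \text{min} \approx 4.7\ \text{days}, \qquad 676 \times 40\ \text{min} \approx 18.8\ \text{days}$$

$$\frac{N(62, 8)}{N(26, 8)} = \left(\tfrac{62}{26}\right)^{8} \approx 1046$$

So the 10-40 minutes quoted for 7 lowercase letters scales to roughly 5-19 days for 9, inside the article's 3-30 day range, and mixing upper case, lower case and digits (62 symbols) at length 8 costs the cracker about a thousand times more guesses than lowercase letters alone.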

Of course, some crackers use something called rainbow tables, which increase their chance of guessing your password by a lot. So don't think that 10 characters will protect you forever. If it involves a lot of money, I'd recommend using over 16 characters with a complete mix of letters, numbers and symbols. Rainbow tables make password cracking very easy and fast, so be careful. However, it is a very uncommon method and few ever use it because you need GBs of hard drive space for these tables.

Methods of security

For web developers out there using PHP, you should always use some kind of form filter to force your guests to choose secure passwords, such as:

// preg_match() replaces eregi(), which was removed in PHP 7; the ^ and $ anchors make the
// 6-to-30 length limits apply to the whole password rather than to any 6-character run
// inside it (note this class rejects the symbols recommended above; widen it to allow them)
if (!preg_match('/^[a-z0-9]{6,30}$/i', $password)) {
        die('Sorry but your password needs to be alphanumeric characters and at least 6 characters long and at most 30 characters long. This is for your own protection!');
}

In addition, you can also salt your passwords for extra security when saving them to the database:
// $some_sort_of_default_salt is a fixed secret string of your choosing; the login check must repeat exactly these steps
$password = md5(md5($password.$some_sort_of_default_salt));

MD5ing twice greatly reduces the chance of it ever getting cracked, because if someone somehow cracks the outer hash, they will find they need to crack it again, which is simply too time consuming to try. Of course, remember that your login check should apply the same steps when checking passwords.
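Putting the form filter and the storage step together, as an added example that is not the article's own code: the check below enforces the length and mixing advice given earlier, also refuses the dictionary words the Dictionary Attack section warns about, and stores the password with PHP's built-in password_hash(), which draws a random salt per user and uses a deliberately slow algorithm. The function names, MIN_LEN/MAX_LEN and the tiny word list are assumptions.

```php
<?php
// Added example, not the article's code: a stricter registration check that also
// rejects dictionary words, plus storage with password_hash(). The function names,
// MIN_LEN/MAX_LEN and the tiny word list are assumptions (constructed stand-ins).

const MIN_LEN = 8;    // the article recommends more than 8 characters
const MAX_LEN = 64;
const COMMON_WORDS = ['apple', 'telescope', 'password', 'letmein', 'qwerty'];

// Returns null when the password is acceptable, otherwise a message for the user.
function checkPasswordPolicy(string $password): ?string
{
    $len = strlen($password);
    if ($len < MIN_LEN || $len > MAX_LEN) {
        return 'Password must be between ' . MIN_LEN . ' and ' . MAX_LEN . ' characters long.';
    }
    // Require letters and digits; symbols such as #@^&$!* are allowed, not
    // rejected, because they enlarge the space a brute forcer has to cover.
    if (!preg_match('/[a-z]/i', $password) || !preg_match('/[0-9]/', $password)) {
        return 'Password must mix letters and numbers.';
    }
    // Dictionary attack defence: refuse a plain word, and a word padded only
    // with digits (e.g. "telescope1"), which wordlist rules also try.
    $core = rtrim(strtolower($password), '0123456789');
    if (in_array($core, COMMON_WORDS, true)) {
        return 'Password is a dictionary word; pick something less guessable.';
    }
    return null;
}

// password_hash() draws a random per-user salt and uses a deliberately slow
// algorithm (bcrypt for PASSWORD_DEFAULT), so two users with the same password
// get different hashes and every guess costs the cracker real CPU time.
function hashForStorage(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// Login check: password_verify() reads the salt and cost out of the stored hash.
function verifyLogin(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}
$candidate = 'Telescope2#apple';
if (($err = checkPasswordPolicy($candidate)) !== null) {
    die($err . "\n");
}
$stored = hashForStorage($candidate);    // this string goes into the users table
var_dump(verifyLogin($candidate, $stored), verifyLogin('telescope1', $stored));
```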

Other methods hackers use

Some hackers or crackers are actually your friends: they may just be script kiddies who figured out some facts and programs to use to get your passwords and gain access to MySpace, Yahoo, PayPal or whatever. What they will do is become your friend and then one day send you a file that you may be interested in, which contains a keylogger or a trojan. They will use these either to catch you while you type your password on the website with the keylogger, or to watch and record your actions using the trojan, or maybe even to search your computer for personal information or clues you may have left behind.

Also, please do try to use different passwords for your different sites; if one gets hacked, at least the other sites you have access to won't be if your passwords differ. In fact, a majority of adults over 30 use passwords that are easy to remember and short, probably even the same number they use for their credit card PIN, their birthdate, their son's name, or even some simple password that's 4 characters long. Even if your own passwords are secure, I guarantee at least one of your family members has a weak one.

We hope this article helps you keep your passwords secure and keep hackers/crackers out.
