How Pathetic Is Your Password?

Tue Apr 4, 2006 1:36PM EDT


Think putting a "1" on the end of "daisy" is going to stymie crackers intent on breaking your password? Turns out that with a reasonably up-to-date computer, a dedicated hacker should be able to break it, by brute force, in about an hour and a half.

Lockdown.co.uk has a handy document that shows how long an exhaustive brute-force search of your password would take, based on its length and the type of characters you use in it (all numbers, letters and numbers, uppercase/lowercase, special symbols, etc.).

Think about your most common passwords, then visit the site. You'll be most interested in the results for a "Class D" attack, which represents someone with a single, very fast PC. (Class E and Class F represent multiple-PC attacks and aren't as likely to be involved with someone trying to break into your eBay account.) One caveat the table leaves implicit: the classes are defined by how many guesses per second the attacker can test, and the times assume that full rate is actually available. That is the situation when an attacker holds a copy of the stored password hash, or when a login accepts unlimited failed attempts; a site that locks or slows the account after a few failures is a different problem, and the table's hours and days don't apply to it.

As an example, the site notes that a password like "darren" would take all of 30 seconds to break, "Land3rz" would take 4 days, and "B33r&Mug" would take 23 whopping years. Those are worst-case figures, the time to try every candidate of that length and character class; on average the right one turns up about halfway through.

The key to a strong password is the size of the search space: the number of characters in the class the attacker has to cover, raised to the password's length. Each extra character multiplies the work by the class size, while moving from lowercase letters to the full keyboard multiplies it by under four per character, so length is the stronger lever, but both help. A good password should be eight characters long (or more), and include at least one number, one uppercase letter, and one special character like an ampersand. To make it easy on yourself, try using the same key on the keyboard in both lower- and uppercase versions. For example: "JjKkIi*8" requires you only hit four different keys (plus Shift), and they're all clustered in a tight group. Bear in mind that the table only models blind brute force: a keyboard pattern like that scores the same as "B33r&Mug" by the arithmetic, but it belongs to a small, predictable family that dictionary-style crackers try early, so treat the trick as a memorability aid rather than extra strength.

Comments on How Pathetic Is Your Password?


  • 6 Posted by rrraluca on Thu Sep 3, 2009 8:53PM EDT

    Well, sounds dangerous enough; people without a technical background could hardly imagine it is actually so simple to break a password! Thanks for this precious information, I'll forward it to my friends! Best wishes from here :)))))) RrAaLlUuCcAa

  • 8 Posted by johnscott80918 on Thu Sep 3, 2009 4:39PM EDT

    I've had the same password for 3 years now and had zero trouble. To further prove my point, my password is

  • 9 Posted by mov2k6 on Thu Sep 3, 2009 7:27PM EDT

    Yes, these ideas are very good, but what if I use a phrase ... It doesn't need to be transformed or anything ... e.g.: "eBay rocks". How about this?

  • 10 Posted by deathwish01b on Thu Sep 3, 2009 3:39PM EDT

    It would be easier, I think, for web-based email providers to simply add a 3-strikes system like some of the old BBSes had (notably the ones I was a member of). Then it doesn't matter how many passwords you can enter per second, because if you guess wrong three times, your computer is locked out. Mua ha ha!

  • 11 Posted by sirdavid06 on Thu Sep 3, 2009 9:24PM EDT

    I had no idea it was so easy. I don't even really know how they do it, but I should try much harder to make my passwords much more complex.

  • 12 Posted by nightwolf113268 on Thu Sep 3, 2009 7:38PM EDT

    Well, there are several passwords I use. None of them are shorter than 15 characters and generally much longer than that. Some sites can't go up high enough in characters, though, so I run into login problems in some cases. I have tried to see if a program can crack my passwords; after 45 minutes the security test program finally gave up, as far as the brute-force attack level goes. So if B33r&Mug would take 23 years to crack, then I would imagine mine would be near impossible, or well over 100 years, to crack.

  • 13 Posted by eli_saulson on Thu Sep 3, 2009 3:53PM EDT

    What happens when hackers find the password file or list from a major business? All businesses (Yahoo, Amazon, any Fortune 500 company, etc) must have files or lists of passwords so that their systems people can do their jobs. For example, if I lose my password, most companies can email it back to me in seconds. Once a file or a list like that gets into the hands of hackers, it could be combined with other lists to become part of a "hacker database" used to break passwords. I'm reminded of the saying that "a lock keeps an honest man honest but doesn't keep a thief out."

  • 14 Posted by vmwareman on Thu Sep 3, 2009 10:37PM EDT

    I find the article a bit misleading. Most computers can be set to lock the password after a certain number of wrong tries. If you are using a Windows computer on a corporate domain, chances are this has already been done. So, for example, after 3 tries the password would lock up. Ultimately anyone with admin rights to your computer can access the computer and read the data, unless it is secured in some encrypted way independent of the OS. So even if you have a password that is 40 characters long, if I have physical access to your Windows system it would take me a couple of minutes to reset the password by booting from a CD and resetting the SAM database. Here is a free utility that does just that: http://www.petri.co.il/forgot_administrator_password.htm#1 vmwareman@yahoo.com

  • 15 Posted by lmtan888 on Thu Sep 3, 2009 6:55PM EDT

    try random passwords like: 4e3eepgwxsif rt9b8uw4j5gf h8ru74csm31k jid09sy28dnj

  • 16 Posted by riva140 on Thu Sep 3, 2009 8:42PM EDT

    Good to know someone cares. According to Yahoo I have a good password; let's hope so. For now I am sticking with the one I have. Riva140

  • 17 Posted by winningcolors2001 on Thu Sep 3, 2009 10:47PM EDT

    All the careful selection of password characters in the world will not surpass the effectiveness of changing your password every chance you get.

  • 18 Posted by frankie_rodolfo on Thu Sep 3, 2009 4:02PM EDT

    Thanks for the advice. I see that my e-mail accounts do not have a strong enough password; I'm changing them now.

  • 19 Posted by mikemorrison2002 on Thu Sep 3, 2009 7:20PM EDT

    I do understand how important a good password is, and this article goes to show it even more. If someone doesn't know how easy it can be, hacking someone's computer is pretty easy as long as you know a bit about it. I knew a few people even back in high school who were able to hack people's computers and even some companies, they claimed. It is a risky and stupid thing to do, but some people have nothing better to do, I guess.

  • 20 Posted by manugw on Thu Sep 3, 2009 7:05PM EDT

    "Daisy1" was a good example of how pathetic one can be. Adding the & is a good option; however, any time you have to type it, it makes it obnoxious.

  • 21 Posted by twayburn on Thu Sep 3, 2009 10:25PM EDT

    I think I would like it a lot better if we didn't need passwords.

  • 22 Posted by patmatem on Thu Sep 3, 2009 8:01PM EDT

    I am happy to learn these simple ways to keep hackers at bay. I will also be happy to learn how to keep spam down to manageable levels. I will change my password immediately. Thanks. Pat

  • 23 Posted by ownyi on Thu Sep 3, 2009 7:47PM EDT

    Hey, thanks a lot, this article is so useful; for the first time I could make an extremely strong password :) Thanks

  • 25 Posted by tchtic on Thu Sep 3, 2009 9:57PM EDT

    Agree with vmwareman, the article is misleading. Wrong, in fact. In addition to the "lock after 3 wrong tries", some modern systems will slow down their response. After a few wrong attempts, they'll insert a 3 second delay, then a 5 second delay, then 20, then a minute, 5 minutes, an hour, a day, a month, and so on. The reason for 5 minutes, an hour, and a day is that it gives you a chance to remember the password; an hour is probably faster than you can call the help desk. If it takes 50 tries to crack a password, you're looking at days. 1,000 guesses? You won't live that long. Then there are the systems that notify the user or admin that there are attempts on the account. Think of that as "Intrusion Detection".

    Modern systems (this is about 1990) store passwords in encrypted files for which there is no decryption key. The way they validate the password is to encrypt the user's entry and compare the two encrypted strings. This way, there is no password "file" to steal. You're likely on a modern system when the administrators tell you that they cannot "retrieve" your forgotten password but they can set it to something: "hotdog", "peanut", "doofus". If you're on such a modern system, then almost any password is secure.

    Much of the mythology of "secure" passwords is left over from early Unix systems where academics spent their time. These problems were solved in the commercial world 15 or 20 years ago, but the myths persist. Perhaps some engineers have re-invented security and re-introduced bugs from 15, 20 years ago. Unfortunate articles like this perpetuate the myths.
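The two server-side defenses the comment above sketches, as an added example that is not code from the commenter, the article, or any named system: the stored record holds only a random salt and a slow one-way hash, verification recomputes the hash and compares it, and each consecutive failure buys the caller a longer wait. The PBKDF2 iteration count and the delay schedule are assumptions chosen for illustration, and the clock is passed in so the logic can be exercised without sleeping.

```python
"""Server-side login check: salted slow hash plus escalating delays.

Added example; this is not code from the commenter, the article, or any
named system.  The PBKDF2 iteration count and the delay schedule are
assumptions chosen to illustrate the scheme, not tuned production values.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed PBKDF2 work factor for the demo

# Seconds a caller must wait after the Nth consecutive failure.  The first
# three failures cost nothing, then the wait climbs roughly as the comment
# outlines; the last entry repeats for every further failure.  Constructed
# for this example.
DELAY_SCHEDULE = [0, 0, 0, 3, 5, 20, 60, 300, 3600, 86_400]


def make_record(password: str) -> dict:
    """Keep only a random salt and a slow one-way hash; the password is never stored."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest, "failures": 0, "locked_until": 0.0}


def check_password(record: dict, candidate: str) -> bool:
    """Recompute the hash for the candidate and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])


def delay_after(failures: int) -> int:
    """Wait imposed once the account has seen this many consecutive failures."""
    if failures <= 0:
        return 0
    return DELAY_SCHEDULE[min(failures, len(DELAY_SCHEDULE)) - 1]


def attempt_login(record: dict, candidate: str, now: float) -> str:
    """Return 'ok', 'wrong' or 'throttled'.

    `now` is passed in rather than read from the clock so the logic can be
    exercised without sleeping.  A throttled call is rejected before the
    hash is checked, so it neither reveals whether the guess was right nor
    counts as another failure.
    """
    if now < record["locked_until"]:
        return "throttled"
    if check_password(record, candidate):
        record["failures"] = 0
        return "ok"
    record["failures"] += 1
    record["locked_until"] = now + delay_after(record["failures"])
    return "wrong"


def seconds_to_make_guesses(n: int) -> int:
    """Wall-clock seconds an online guesser must spend to submit n wrong guesses."""
    return sum(delay_after(k) for k in range(1, n + 1))


if __name__ == "__main__":
    rec = make_record("B33r&Mug")
    clock = 0.0
    for guess in ["darren", "Daisy1", "Land3rz", "password", "B33r&Mug"]:
        print(f"t={clock:>6.0f}s  {guess:10} -> {attempt_login(rec, guess, clock)}")
        clock = rec["locked_until"]  # wait exactly as long as the throttle demands
    for n in (3, 50, 1000):
        print(f"{n:5} online guesses need at least {seconds_to_make_guesses(n) / 86_400:.1f} days")
```

With this schedule 50 wrong guesses cost about 41 days of waiting and 1,000 cost years, which is the commenter's point about online guessing. Two caveats a deployment needs: a per-account schedule that climbs to a month is also a denial-of-service lever against the account's owner, so real systems cap the delay, key it on source as well as account, and alert instead; and none of the throttling helps once the stored records leak, which is why the hash must be slow and salted, so that the offline rate the Lockdown table assumes is reduced to however many PBKDF2 runs per second the attacker's hardware manages.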
