How to Crack Passwords!

Or why you should stop using them…

locks 350x200


I admit – I lied.

I’m not going to tell you how to crack passwords – I do have scruples!

But you should stop using them – read on of you want to know why.

How it used to be

To skip the history, pitfalls and examples – go straight to creating better pass phrases that are easy to remember click here.

In the old days working as a system administrator, the current thinking, went along the lines that you should use characters from a lot of different symbol sets – A-Z, 0-9, :@~{}* etc. and should have a minimum of 8 characters.

This would make the password very hard to guess.

It also made it very hard to remember.

Admins had a novel way to deal with this issue – they would either write them down – or more often, use the same password for everything!

You could say this wasn’t ‘ideal’…

But then, no one had determined what the threat actually was…

In those days, businesses rarely thought about the most likely form of attack – they thought one solution would be good enough for every situation. Regularly, they would enforce monthly or quarterly password changes – for all staff – just in case one or two had been compromised.

This had appalling consequences.

Staff would just add a 1,2,3,4 etc. to the end of their short,’strong’, passwords, every time they were forced to change. Then the sys admins caught up with this practice and set further rules – to stop people using passwords too similar to ones used previously.

Does this sound like your companies policy?

Why this is wrong

People make all sorts of assumptions about what is or isn’t a strong password, with no real understanding of how passwords are cracked.

The first thing to really understand is this:

The criminal does not know anything about your password.

As long as this statement is true – i.e. you haven’t told anyone, or written your password on a Post-It note stuck to your monitor, then the criminal does not know whether your password is your dogs name, the number of your house, has 4 letters or is in French.

What this means to the criminal, is that they have to cover all bases: for example, certain password cracking ‘tools’, don’t work on passwords over 8 characters. But if you don’t know the length of the password, you might use one of these tools – wasting possibly days of work to discover that you need to try something else.

If your password was “rover”, it would be trivial to crack this – even just being friendly enough to find out your dog is called rover would do.

However, if your password was “rover jumps logs” it would now be 16 characters long and even though it’s all lower case – the criminal does not know this.

Once you force the criminal to start password cracking without any snippet of information about the password, it is another order of magnitude to crack.

Real World Example

On the internet, there are many questions like “How long would it take to crack a 10 digit password?” and “Should I use upper and lower case letters as well as numbers?”

There is no point to questions like these – the whole point about strong passwords is denying the criminal any knowledge about them.

If a criminal discovered that your password was 10 characters long, he would be at a huge advantage – because he can now concentrate his efforts, tweaking software tools for 10 characters or less. This knowledge significantly reduces the time it would take to crack the password.

If he knows nothing, he has to start from scratch and try everything.


Business (well actually, everyone), should understand what the threat actually is. Everyone knows what it is they are trying to protect, but few understand what from.

There really are only a couple types of attack on your computer – whether at a business or at home:

  1. Casual ‘drive by’ attacks.
  2. Prolonged, well organised attacks by determined individuals or government agencies.

The only thing that is going to protect you from the second type of attack, is sophisticated encryption and a solid understanding of how to implement it. Even then, once physical access has been gained, all bets are off.

The primary type of attack , therefore, comes from theft (for money – by selling your computer), or from your colleagues at work and even your friends and family (not necessarily malicious – e.g. the kids just accidentally deleted your year end report).

So, to defeat a colleague from gaining access to your computer, almost any ‘good’ password will do – because they will not get access to your machine, for long enough to crack it.

How to create strong passphrases

Stop using passwords!

Without going into technical detail, don’t use passwords!

Use passphrases instead – they are the easiest, strongest ‘passwords’ to remember especially – if used with a ‘padding’.

Here are some typical passwords – do you want to try and remember them?:

  • Hiudyfg^%^}
  • qwL*”ideR
  • #:co*/!*12

However, a passphrase is just a sequence of words and is much easier to remember:

  • passphrasesaregreatforthememory
  • quickorangebacongarden
  • greatbeaglebookcase

The simple idea is that passphrases are much easier to remember, longer and therefore relatively secure.

The Padding Trick

When used with a ‘padding’ – a symbol ‘block’ you attach to your passphrases – e.g. the characters “@6/” – which always stays the same – the passphase becomes dramatically stronger.

So, if you combine easy to remember passphrases with a padding, using our last example you would get:

“greatbeaglebookcase@6/” or “quickorangebacongarden@6/”

This allows you to create ‘passwords’ that are complex and long, whilst being reasonably memorable. Even better, you can always write the passphrases down and keep them in your wallet. If you lose the wallet, no one is going to know the padding, so can’t use the passphrase.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.