
While working in information security for the largest company in Canada, I realized that no one internally was actively attacking the password database to see what passwords could be cracked. After raising this concern, I became the lead for resolving this.

There are a lot of password crackers out there that anyone can download for free. The priorities for password cracking are the processor power you have, how optimized your cracking algorithm is, and your keyword database. I built a monster database, using many languages as well as popular keystroke patterns like qwerty or bhunji. When I was finally ready to start cracking passwords, I was able to crack (recover) thousands in the first hour, and if I recall correctly over 9,000 in the first day alone. This means that if someone steals the encrypted password database from any website you frequent, they can run the same tools on that database to find your password.
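As an added illustration (not the author's tooling) of the wordlist-plus-patterns approach described above, the following script runs that kind of audit over a constructed, unsalted SHA-1 "password database"; the usernames, their passwords, the wordlist and the mangling rules are all made up here for the example:

```python
import hashlib

# Constructed sample: an unsalted SHA-1 password database of the kind a
# stolen dump might contain. Users and passwords are invented for this example;
# the hashes are computed right here, not taken from any real breach.
SAMPLE_DB = {
    "alice": hashlib.sha1(b"qwerty123").hexdigest(),
    "bob": hashlib.sha1(b"Bhunji!").hexdigest(),
    "carol": hashlib.sha1(b"secretpasswordcaf%^&").hexdigest(),
    "dave": hashlib.sha1(b"Winter2014").hexdigest(),
}

# A tiny "keyword database": dictionary words plus keyboard-walk patterns.
WORDLIST = ["password", "welcome", "winter", "qwerty", "bhunji", "secret"]


def mangle(word):
    """Yield the cheap variations a cracker tries for every wordlist entry."""
    yield word
    yield word.capitalize()
    for suffix in ("1", "123", "!", "2014"):
        yield word + suffix
        yield word.capitalize() + suffix


def audit(db, wordlist, algorithm="sha1"):
    """Return {user: plaintext} for every hash the wordlist recovers.

    Because the hashes are unsalted, each candidate is hashed once and then
    matched against every user at dictionary-lookup cost, which is exactly
    why a small wordlist with rules recovers so many passwords so quickly.
    """
    lookup = {}
    for word in wordlist:
        for candidate in mangle(word):
            digest = hashlib.new(algorithm, candidate.encode()).hexdigest()
            lookup[digest] = candidate
    return {user: lookup[h] for user, h in db.items() if h in lookup}


if __name__ == "__main__":
    cracked = audit(SAMPLE_DB, WORDLIST)
    print(f"{len(cracked)}/{len(SAMPLE_DB)} passwords recovered: {cracked}")
```

Only the long base-plus-site password survives this run; the three built from a common word plus a suffix or keyboard walk fall immediately.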

The two questions I hope you’ve asked yourself while reading this are “How hard is my password to crack?” and “If someone cracked my password, what other sites could they use it on?”

In order to determine how hard your password is to crack, there are a lot of tools out there, but I’ll recommend you try howsecureismypassword.net. But before you do, note that I have no affiliation with this website! This means you should not trust it; it could be a phishing attempt (they could be logging the passwords you enter and trying them on Gmail or Facebook, for example). Don’t use any of your real passwords, but enter a few dozen different passwords to get a general idea of how hard a password is to crack. I wouldn’t recommend using anything that would take less than 100 years to crack, as this site shows how long it takes with a single desktop PC. Advanced attackers have a lot more resources than a single computer.

Sometimes when an organization has its encrypted password database stolen, it is published online for others to crack. If someone cracks your password for one website, where else can they use it? I hope nowhere. One idea is to have a dynamic password on every website you go to. For example, say my base password was secretpassword%^&. I could then add something in the middle for each site I go to. Let’s say I choose the first 3 letters of each site I go to, after the http://www. part, and put those 3 letters in the middle of the password. I would have secretpasswordfac%^& for Facebook and secretpasswordgma%^& for Gmail. A clever attacker might recognize the fac or gma, so maybe you reverse those letters. Hopefully you get the point: find a base password that would take a long time to crack, and then add something unique to it on an individual site basis that is not visually obvious.

If you want to try password cracking your own encrypted passwords on your personal computer, check out this list of password crackers that are free for anyone to download.