How-To Geek

Your Passwords Are Weak and Crackers Are Increasingly Well Equipped

The number of sites we’re all using is increasing and, for most of us, the number of passwords we’re using is decreasing. Read on to see how you’re at risk and what you can do.

Over at Ars Technica they’ve shared an extensive writeup that could accurately be re-titled “The Sad State of Password Security Today”. In the introduction they write:

The average Web user maintains 25 separate accounts but uses just 6.5 passwords to protect them, according to a landmark study (PDF) from 2007. As the Gawker breach demonstrated, such password reuse, combined with the frequent use of e-mail addresses as user names, means that once hackers have plucked login credentials from one site, they often have the means to compromise dozens of other accounts, too.

Newer hardware and modern techniques have also helped to contribute to the rise in password cracking. Now used increasingly for computing, graphics processors allow password-cracking programs to work thousands of times faster than they did just a decade ago on similarly priced PCs that used traditional CPUs alone. A PC running a single AMD Radeon HD7970 GPU, for instance, can try on average an astounding 8.2 billion password combinations each second, depending on the algorithm used to scramble them. Only a decade ago, such speeds were possible only when using pricey supercomputers.
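The two Ars paragraphs above make claims that are easier to appreciate in code: how fast a stolen password list falls depends on how the site scrambled it, and once one site’s passwords are cracked, reuse hands the attacker other accounts for free. The Python script below is an added illustration for this page, not code from the How-To Geek post or the Ars article; the two “sites”, the e-mail addresses, the passwords, the wordlist and the PBKDF2 iteration count in it are all made up for the demo.

```python
"""Added example, not code from the How-To Geek post or the Ars article.

It constructs a tiny breach dump of unsalted MD5 hashes, runs a
"try-first" wordlist attack against it offline (no login lockouts apply
to a stolen hash file), runs the same wordlist against a second site that
stores salted PBKDF2 hashes, and finally shows how a password cracked at
the first site is reused to get into the second with no wordlist run at
all. All e-mails, passwords, salts and the wordlist are made up.
"""
import hashlib
import os

# Constructed wordlist: passwords already cracked from earlier leaks.
WORDLIST = ["password", "123456", "letmein", "Summer2012!",
            "correct horse", "qwerty"]

# PBKDF2 cost for the demo; real deployments should use more than this.
ITERATIONS = 100_000


def md5_hex(password: str) -> str:
    """Unsalted MD5, as found in many historical breach dumps."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_hex(password: str, salt: bytes, iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash: every guess costs `iterations` HMAC calls."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def salted_record(password: str):
    """Per-user random salt plus the PBKDF2 hash, as a site should store it."""
    salt = os.urandom(16)
    return salt, pbkdf2_hex(password, salt)


# Constructed dump from "site A": unsalted MD5, one hash per user.
SITE_A_DUMP = {
    "alice@example.com": md5_hex("Summer2012!"),
    "bob@example.com": md5_hex("letmein"),
    "carol@example.com": md5_hex("xK9#vQ2pL!m8wR4z"),  # long random; not in WORDLIST
}

# Constructed dump from "site B": salted PBKDF2. Bob reused his site A password.
SITE_B_DUMP = {
    "alice@example.com": salted_record("Tr0ub4dor&3"),  # unique password here
    "bob@example.com": salted_record("letmein"),        # same password as on site A
}


def crack_unsalted(dump, wordlist):
    """Hash each candidate once, then match it against every user.
    Returns (cracked, hashes_computed): without salts the work is
    proportional to the wordlist, not to the number of users."""
    table = {md5_hex(w): w for w in wordlist}
    cracked = {user: table[h] for user, h in dump.items() if h in table}
    return cracked, len(wordlist)


def crack_salted(dump, wordlist):
    """Same wordlist against salted PBKDF2. Each (user, candidate) pair
    needs its own derivation, and each derivation is ITERATIONS times the
    cost of one MD5. Returns (cracked, derivations_computed)."""
    cracked, derivations = {}, 0
    for user, (salt, target) in dump.items():
        for candidate in wordlist:
            derivations += 1
            if pbkdf2_hex(candidate, salt) == target:
                cracked[user] = candidate
                break
    return cracked, derivations


def credential_stuffing(cracked_elsewhere, dump):
    """Reuse attack: try the password cracked for each e-mail on one site
    against the same e-mail on another. One derivation per user, so the
    slow hash no longer protects anyone who reused a password."""
    hits = {}
    for user, password in cracked_elsewhere.items():
        if user in dump:
            salt, target = dump[user]
            if pbkdf2_hex(password, salt) == target:
                hits[user] = password
    return hits


if __name__ == "__main__":
    cracked_a, md5_work = crack_unsalted(SITE_A_DUMP, WORDLIST)
    print("site A cracked:", cracked_a, "using", md5_work, "MD5 hashes")
    cracked_b, kdf_work = crack_salted(SITE_B_DUMP, WORDLIST)
    print("site B cracked:", cracked_b, "using", kdf_work, "PBKDF2 derivations",
          "(about %d HMAC calls)" % (kdf_work * ITERATIONS))
    print("reuse hits on site B:", credential_stuffing(cracked_a, SITE_B_DUMP))
```

Run it with `python3`: the MD5 dump gives up two of three users after just six hash computations, the salted PBKDF2 dump needs a separate expensive derivation for every user-and-guess pair, and the reuse step finds Bob on site B with a single check. It also answers the lockout question several commenters raise below: lockouts throttle live login attempts, but nothing throttles an attacker who is holding a copy of the hash file.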

If you’re one of those people who maintains a laundry list of frequently visited sites but a very short list of frequently used passwords, it’s definitely time to beef things up. Start by reading our emergency guide How To Recover After Your Email Password Is Compromised. Even if your email hasn’t been compromised, it’s a great starting point for analyzing and improving your password practices. Follow that up with The How-To Geek Guide to Getting Started with LastPass and you’ll dramatically increase both the variety and the quality of your passwords, since a manager lets you give every site its own long, random one.

For a more in-depth look at the problem of duplicate passwords, security compromises, and the ease with which crackers are acquiring more and more password lists, hit up the link below for the full and fascinating article at Ars Technica.

Why passwords have never been weaker—and crackers have never been stronger [Ars Technica]

Jason Fitzpatrick is a warranty-voiding DIYer who spends his days cracking open cases and wrestling with code so you don't have to. If it can be modded, optimized, repurposed, or torn apart for fun he's interested (and probably already at the workbench taking it apart). You can follow him on if you'd like.

  • Published 08/21/12

Comments (14)

  1. Dave

    I use 15-20 character gobbledygook passwords generated by KeePass on sensitive sites such as email, shopping, banking, investment, and the like. I might reuse a generic password to comment on a website forum. Am I safe?

    One thing I find annoying is when a website won’t allow me to drag my ridiculously long password from KeePass into its password field, and sometimes they make it difficult to copy and paste. If you want us to use long strong passwords, make it easy to use them!

  2. Zona

    I use KeePass also. I too dislike having to manually type long passwords because a web site makes it impossible to copy and paste.

  3. Danny

    “A PC running a single AMD Radeon HD7970 GPU, for instance, can try on average an astounding 8.2 billion password combinations each second”

    About that. I understand that the technology can work that fast, but don’t websites have limits to how many you can try before you get locked out?? Meaning all the power is useless?

  4. TheFu

    Dave, I’m with you, by using 30-70 character gobbledygook passwords generated by KeePassX for all logins. Never reuse a password on the internet. NEVER. The only time to use a lesser complex or shorter password is when the login doesn’t allow it.

    Since switching to KeePassX (KeePass-v1.x on Windows), I’ve only needed to type in 3 passphrases.
    * PC login
    * KeePassX passphrase
    * google (android won’t install KeePassDroid without a google account connected)

    All the others are auto-typed by KeePassX so it doesn’t matter if they are 30 or 70 or 500 characters to me. The Google password is really long too, just not complete gobbledygook. I’m trying to create passwords that are secure today AND for the next 30 yrs against brute force attacks.

    There is no substitute for length.

    Further, lie on those password reset questions – don’t even use words for most answers.

    If you talk with professional password crackers, people who compete in contests, there is much insight available. Some of it is surprising, like starting with a capital, or ending with punctuation or any number. Never use numbers that look like dates, especially at the end (YY) or (MM). L33t doesn’t work either.

    If the password you are using is less than 13 characters, that is a joke. Using 4 GPUs with 200+ cores each in a single machine, every possible combination of characters can be attempted in less than 24 hrs. This is only a $1500 machine, so the cost to become a password cracker is not high. Oh and if the password was ever used previously on any online website, the crackers have a copy and have spent months cracking it to add all of those to their “try-first” database before they bother with brute force at all.

  5. Danny

    “A PC running a single AMD Radeon HD7970 GPU, for instance, can try on average an astounding 8.2 billion password combinations each second”

    Ok, so they have the power to do that many, but don’t most places have a limit to how many you can enter before getting locked out?
    Wouldn’t that render all that power useless?

  6. r

    I try not to get overly paranoid about these things. Life is full of uncertainties & situations out of our control. Just use your brain when dishing out any personal info in any public forum or medium.

    All in all, I’ve never had any password problems all these years… as Joe Walsh says,
    “life’s been good to me so far”

  7. jhon gil

    More sites should enable two step verification!! Yes Twitter, I’m looking at you……..

  8. StevenTorrey

    This is related though apparently tangent. Signing a real name to a post invites hackers. The give and take of posting comments can quickly degenerate into nastiness and that nastiness can invite the vengeance of psychos into hacking a person’s computer simply to wreak havoc. Tracking a person down is as simple as a few key-strokes. And I always assume for the cognoscenti that hacking a computer is as easy as pie… It’s why passwords ought to start with numbers and not letters and certainly not contain recognizable words… That’s also why a good paid-for anti-virus program should be able to protect people from this sort of attack by some anonymous hacker out for vengeance. Or so it is to be hoped for…

  9. Kim

    I see that some people are using copy/paste to input passwords, there is a chance even though it’s small that a clipboard logger could steal the passwords as well as other info. Personally, I wouldn’t take the chance.

  10. Bink Farmer

    Interesting that I don’t hear mention of RoboForm which is much easier to use than what I am reading here. I’ve been using RoboForm for years and it keeps getting better.

  11. gldvorak

    After user information is stolen the perpetrator is free to test the scrambled passwords as many times as they can, there is no restriction on the number of times.

    So first your information has to be stolen, which is relatively rare!

  12. r

    I prefer my information medium-rare

  13. Snap

    Re: “A PC running a single AMD Radeon HD7970 GPU, for instance, can try on average an astounding 8.2 billion password combinations each second”

    If a hacker has gotten a copy of the encrypted password lists (as is often the case when we see large and small sites get hacked), that is when they can try so many so fast (e.g. not when trying to log in to an account on the net).

  14. CJ

    There is an easier approach. Start with the assumption that password security is a joke, it doesn’t work; it never has and it never will. Passwords are exactly like locks. They only keep out honest people.

    WWW also stands for Wild Wild West. “There ain’t no law west of the Pecos”. Keep it firmly in mind that on the internet, there is no cop on the corner to protect you, no one enforcing any laws, because there are NO laws that apply to every country on the planet.

    So on the web, you can actually make it easy, use one simple password everywhere, on every (non financial) site, and never bother to change it. Really! How, you ask?

    Live your “Web Life” knowing that there is no security, no privacy. NEVER post anything financial, sensitive, secret, or that could someday somehow come back and bite you in the ass! Assume if it is on the web anywhere, it WILL be seen, it will be known. If you don’t want Grandma to ever see that picture, DON’T POST IT!!! If you don’t want every potential employer to know it… You get the idea.

    Honestly, it is simple. With money, deal only with trustworthy financial institutions that protect you. Make sure your bank/credit/debit cards have good anti-fraud/theft measures that hold you harmless, because sooner or later some thief WILL hit them.

    And on the web, if you don’t want it known, don’t put it out there in the first place. Don’t misunderstand me, I actually use LastPass myself. But that doesn’t mean I am relying on the “security” of my passwords. There ain’t no such thing.
