How long does it take to hack your password? (Security guide)


How long does it take to hack a typical password? Using brute force attacks, anywhere between instantly and 438 trillion years, depending on how long it is and what characters it mixes.

Many thanks to Graeme Reardon, Managing Director of D-Link ANZ, who answered Jeffrey Kemp’s question, “Why do D-Link routers not accept simple passwords”.

Graeme answered on Boxing Day – that is service: “We disabled ‘simple password’ support a few years ago. The rise in IoT devices that still only support these types of passwords is a key reason why people continue to get hacked.”

He also attached research from Hive Systems, which is both gobsmacking and disturbing.

How long does it take to hack your password?

You see, not only are there brute force attacks (trying every possible combination of characters) and dictionary attacks (throwing a wordlist at it), but machine learning and consumer graphics cards have slashed the time they take. Over the past two years, Hive’s estimate for the most complex 18-character passwords has dropped from 7 quadrillion years to a scant 438 trillion years. You can imagine what that means for the simple passwords most people use. One caveat: these figures model offline cracking of a stolen password hash, where the attacker tests guesses at full hardware speed. A website login form that locks you out after a few wrong attempts is a different, much slower problem for the attacker, although a reused password is just as exposed there once it leaks from somewhere else.

What AI means to faster cracking

Let’s say you use a name (any name), fred. That is an instant crack.

  • OK, make that freddie – another instant crack.
  • Why not add a number and capitalise at least one letter (best not to capitalise the first letter – cracking tools try that mangling rule first) – fredD1e, and we are up to 1 minute.
  • Why not add a symbol? We suggest you avoid the symbols above the number keys on your keyboard, as cracking tools try those substitutions first – fredD1; and you have a six-minute crack.

That is too easy for a hacker and AI.
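To make the arithmetic behind those figures concrete, here is an added example (not code from the page or from Hive Systems). It estimates worst-case brute-force time for the passwords above at three assumed guess rates (the rates, the 32-symbol alphabet and the toy wordlist are assumptions, not Hive’s numbers), and then shows why a word-based password such as fredD1e never enjoys its nominal 62^7 keyspace: a dictionary plus a few hashcat-style mangling rules reaches it in a couple of hundred guesses.

```python
import itertools
import math

# Alphabet sizes for the character classes a Hive-style chart distinguishes.
# The symbol count (32 printable ASCII punctuation characters) is an assumption;
# the page does not say which symbol set Hive used.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 32

# Guess rates in guesses per second. These are assumptions for illustration,
# not figures from the page or from Hive Systems.
RATES = {
    "online login form, throttled": 10.0,
    "offline, slow hash (bcrypt)": 1e5,
    "offline, fast hash on one GPU": 1e11,
}


def charset_size(password: str) -> int:
    """Alphabet size implied by the character classes present in the password."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGITS
    if any(not c.isalnum() for c in password):
        size += SYMBOLS
    return size


def brute_force_guesses(password: str) -> int:
    """Worst case: every string of this length over this alphabet is tried.
    The figure depends only on length and character mix, not on the content."""
    return charset_size(password) ** len(password)


def human(seconds: float) -> str:
    """Round a duration into the units the chart uses."""
    if seconds < 1:
        return "instantly"
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.0f} {unit}"
    return f"{seconds:,.0f} seconds"


def crack_times(password: str) -> dict:
    """Worst-case brute-force time for each assumed guess rate."""
    guesses = brute_force_guesses(password)
    return {label: human(guesses / rate) for label, rate in RATES.items()}


# --- Dictionary plus mangling rules: why "fredD1e" is not a 62**7 problem ---

# Constructed toy wordlist; real attacks use millions of leaked passwords and names.
WORDLIST = ["fred", "freddie", "password", "fox", "flounder"]
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"}
SUFFIXES = ["", "1", "!", ";", "123", "2023"]


def mangle(word: str):
    """Yield candidates from one word using three hashcat-style rule families:
    capitalise one position (or none), apply any subset of leet substitutions,
    then append a common suffix."""
    leet_letters = [c for c in sorted(set(word)) if c in LEET]
    for cap in [None] + list(range(len(word))):
        capped = word if cap is None else word[:cap] + word[cap].upper() + word[cap + 1:]
        for r in range(len(leet_letters) + 1):
            for subset in itertools.combinations(leet_letters, r):
                leeted = "".join(LEET[c] if c in subset else c for c in capped)
                for suffix in SUFFIXES:
                    yield leeted + suffix


def dictionary_attack(target: str, wordlist=WORDLIST):
    """Return (found, guesses_tried): how many candidates were tested before a hit."""
    tried = 0
    for word in wordlist:
        for candidate in mangle(word):
            tried += 1
            if candidate == target:
                return True, tried
    return False, tried


if __name__ == "__main__":
    for pw in ["fred", "freddie", "fredD1e", "fredD1;", "fredD1;theFox"]:
        bits = math.log2(brute_force_guesses(pw))
        print(f"{pw!r:18} alphabet={charset_size(pw):3} keyspace=2^{bits:.1f}")
        for label, t in crack_times(pw).items():
            print(f"    {label:32} {t}")
    found, tried = dictionary_attack("fredD1e")
    print(f"\ndictionary+rules found 'fredD1e': {found} after {tried:,} guesses "
          f"(vs {brute_force_guesses('fredD1e'):,} for exhaustive brute force)")
```

The lesson is the one the Hive chart cannot show: the chart scores a password by its length and character mix, while a real cracker starts from names and words and applies the capitalise, leet and append tricks first, so fredD1e falls in under two hundred guesses at any rate, even through a throttled login form.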

Hive has a few recommendations (paraphrased) to slow down the cracking of your password:

  • Use at least 12 characters mixing upper- and lower-case letters, numbers, and symbols. All of a sudden, it takes 3,000 years to crack. Sixteen characters are now recommended.
  • Think of a relevant phrase to extend the password (not a well-worn one, a book title, a website you frequently visit, or a hit TV series name), like fredD1;theFox, and you are at 202,000 years to crack.
  • Never reuse a password or part of one. It is not safe to use fredD1; as the root of the password for multiple sites, e.g., fredD1;theFish, fredD1;theFounder… Once one site leaks, the root goes straight into the attacker’s wordlist for the others.
  • Never use your children’s or pets’ names as the root. They are easy to harvest from social media and land in the attacker’s wordlist. Totally unrelated words and phrases are best.
  • Please do not use your address (unless it is from several houses ago before 1992), date of birth, or phone number.
  • Do not store your passwords in email (like Outlook or Gmail), sticky notes, or text files on your computer.
  • Do not rely on the built-in password storage in Samsung, Google, or Microsoft Edge browsers and phones when they offer to save logins and passwords.
  • Use a password manager such as LastPass, which is free for a PC or Mac. Get a family subscription if you want to use it on smartphones, PCs, tablets etc. You set up a Master Password like fredD1;theFlounder, and LastPass can store your existing passwords and generate new tough-to-crack ones. The master password is the one password you still have to remember, so make it long and, per the advice above, do not share its root with any password you use elsewhere. The paid version also has a secure folder where you can store details like Medicare, passport, driver’s licence, bank account numbers etc. We can’t live without this, especially as it allows biometrics (fingerprint) access to the password vault.

Finally, you can test the strength of a password pattern at https://www.security.org/how-secure-is-my-password/ – but never type a real password into someone else’s website. Test a lookalike with the same length and character mix instead; these checkers only score length and character classes, so the result is the same. My master password takes seven quadrillion years to crack, and I change it every 90 days.
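The recommendations above and the online checker both score a password by length and character mix. The added example below (not code from the page or from any password manager) shows the other half of the picture: generating passwords and passphrases with Python’s `secrets` module, the way a manager does, and computing how much entropy each construction actually has. The 32-word sample list, the 100,000-word and 1,000-rule figures for a human-made password, and the guess rate are constructed assumptions for the arithmetic.

```python
import math
import secrets
import string

# 94 printable ASCII characters (letters, digits, punctuation), no spaces.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed 32-word sample list so the arithmetic is easy to follow (5 bits per word).
# A real passphrase list such as EFF's long wordlist has 7,776 words (about 12.9 bits per word).
WORDS = [
    "anchor", "basil", "cobalt", "dune", "ember", "falcon", "glacier", "harbor",
    "ivory", "juniper", "kestrel", "lantern", "marble", "nebula", "orchid", "pepper",
    "quartz", "raven", "saffron", "timber", "umber", "velvet", "walnut", "xenon",
    "yarrow", "zephyr", "bramble", "cinder", "drift", "fennel", "granite", "heron",
]


def random_password(length: int = 16) -> str:
    """Uniformly random password; secrets (not random) so the choice is unpredictable."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def random_passphrase(n_words: int = 5, wordlist=WORDS, sep: str = "-") -> str:
    """Diceware-style passphrase: each word drawn uniformly from the list."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def entropy_random(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy when every character is chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def entropy_passphrase(n_words: int, wordlist_size: int) -> float:
    """Bits of entropy when every word is chosen uniformly at random from the list."""
    return n_words * math.log2(wordlist_size)


def entropy_word_based(n_words: int, wordlist_size: int, n_rules: int) -> float:
    """Rough upper bound for a human-made password built from dictionary words plus
    a handful of mangling tricks (capitalise a letter, swap i for 1, add a symbol).
    The attacker's search space is words**n * rules, regardless of string length."""
    return n_words * math.log2(wordlist_size) + math.log2(n_rules)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case years to try every possibility at a given guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 86400)


if __name__ == "__main__":
    rate = 1e11  # assumed offline GPU rate, as in the cracking-time example above
    print("random 16-char :", random_password(16),
          f"{entropy_random(16):.1f} bits, {years_to_exhaust(entropy_random(16), rate):,.0f} years")
    print("5-word phrase  :", random_passphrase(5),
          f"{entropy_passphrase(5, len(WORDS)):.1f} bits (32-word list)")
    print("5 words, EFF   :", f"{entropy_passphrase(5, 7776):.1f} bits")
    # 'fredD1;theFlounder' is 18 characters; a checker that scores by length and
    # classes reports the entropy of a random 18-char string. Its real structure is
    # three words plus a couple of tricks, which an attacker searches far faster.
    looks_like = entropy_random(18)
    really = entropy_word_based(3, 100_000, 1000)
    print(f"'fredD1;theFlounder': checker says {looks_like:.0f} bits, "
          f"word-based bound {really:.0f} bits "
          f"({years_to_exhaust(really, rate):.2f} years at {rate:.0e} guesses/s)")
```

The point for the master password advice: a checker cannot tell a random 18-character string from three dictionary words glued together, so let the manager generate the site passwords, and make the one password you must remember either genuinely random or a passphrase of several randomly chosen words from a large list.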

What do hackers do with cracked passwords?

The most obvious is to log in to the account and try to defraud it. Cracked credentials are also combined with your leaked personal data from the dark web and tried, with variations on the same root, against your other accounts (credential stuffing).

There is a massive market for cracked Facebook, Twitter, TikTok, Instagram and other social media accounts, which are sold to online marketers who use your account to promote their wares. There is also a market for video and audio streaming accounts.

If that account is your:

  • Bank account, they can empty it.
  • Telephone or internet provider, they can transfer the service for use in online marketing.
  • Government department like Centrelink, they can divert pensions, NDIS payments and more.
  • And if they assemble 100 points of ID, they can apply for loans and more in your name. Fast-money and BNPL services are a massive target as they don’t conform to APRA regulations.

CyberShack’s view – How long does it take to hack your password? Nowhere near long enough

If I get one message out to you, it is to spend a little time with a password manager (LastPass) and fix this once and for all. Once you have, you do not need to change passwords unless the site holding one is breached.

I am sure we all know at least one friend that has been hacked. From January to September 2022, Aussie consumers lost nearly $500 million to hackers, and 96% of us have had scam emails, SMS or calls to carry out remote access scams.

Brought to you by CyberShack.com.au

Comments

3 comments

  • Graham McIntosh

    Mate, took your advice a while back concerning LastPass.
    Installed family version on desktop and iPhone. Started good, then little issues on the iPhone, spoke to LastPass staff, couldn’t resolve issue, frustrated, removed LastPass from all and now 6 months later getting things back together. What an issue losing all your passwords! Should have talked to you first.

  • Jeffrey Kemp

    It was indeed gratifying to unexpectedly get a response from the MD at D-Link to my question.

    This was after a long and ultimately unfruitful back-and-forth chat with Goodwe support, wherein the support person struggled to even understand the problem, ultimately referring me to my ISP for help – recommending I get them to “change my password to only have letters and numbers”. This was after explaining in detail to them that this was simply not an option provided by my router (at least, with WPA security anyway).

    In the end, all security measures must be analysed in view of the particular set of risks they are mitigating against (including a consideration of the value of the assets being protected), set against any impediments imposed by the equipment that must function within the constraints imposed by those security measures.

    According to the chart provided, a password consisting of only 18 lowercase letters would require the hacker to sit, unnoticed and unchallenged, in close proximity, for 2 million years, patiently trying to bruteforce the WiFi password.

    I’m well aware of the need for security in depth, and exceeding minimum security requirements is generally a good idea.

    However, enforcing complex password requirements that make it impossible for the customer to use their own equipment only forces the customer to use far less secure means. And handballing it to the customer to try to get a Chinese manufacturer of solar inverters to fix the issue from their end is the ideal solution in a perfect world, but ultimately completely unrealistic.

    In this case, I was forced to choose one of the following options:

    a) forego this router and use another (presumably less secure) router, or
    b) downgrade the security to WEP or “None” which don’t have this password complexity requirement

    The company’s line that “we must enforce complex password requirements because some customers don’t secure their equipment properly” is particularly ironic in light of the fact that the same router still supports WEP and “None” as options on its WiFi.

    • Ray Shaw

      Thanks, Jeffrey. Your points are all valid, and I hear exactly what you are saying. I understand that D-Link (in fact, all mainstream router makers) were required to close the CVE vulnerability https://www.cve.org/ on Wi-Fi 6 and later routers. I have experienced it too, and some router makers are allowing WEP/None on a dedicated 2.4GHz channel. As for the hacker having unfettered access, the figures are based on a hacker using a high-end i7 PC and Nvidia GeForce card (that really cuts the time down), so it is more relevant to hacked databases than brute force attacks on a website that usually stops further attempts after three missed tries. I hope you had a great Xmas and a COVID-free 2023. I am happy to be of service.
