Some people reading this will have good instagram passwords, some people will have thought about this before, some people should have thought about this and haven't, and hopefully will after we talked about this a little bit more.
How to hack a password using pretty basic techniques
There are people who know more about this than me who run other custom dictionaries and rule-sets and things. It's not really important for getting the message across of just how quick this is. Picking a good password was actually a lot easier than people make it.
XKCD alluded to this and we'll talk about that in a minute. It didn't necessarily answer every question but it did get a good message across and then as other aspects should you reuse passwords and, and so on.
So let's address these. Password hackers and and people who research password security talk about something called password entropy, which is the amount of information held in a password, the idea being that if you're not holding much information in a password, it's going to be cracked very quickly because it's not a much search space to go through. In some ways I think that's a bit of an over complication I think practically you need to look at two things. You say, first of all, can it be brute-forced, right?
In which case if the answer is is your password shorter or equal to 8 characters, the answer is yes. If your password's nine characters and you're using symbols, you're probably ok. Fairly straightforward, ok?
As GPUs get faster, these barriers go down, and then you've got to ask, "Is your password dictionary crackable?", right? Those people in the last conference didn't think so, and then there I was hacking their instagram passwords and they had quite good ones, some of them.
You've got to do two things: you've got to make sure your password is long enough and uses interesting characters so it can't be brute forced, but beyond that you've got to make sure that you can't be dictionary attacked.
Let's get this out the way first; if your password is "password", you probably want to close out your browser right now and change it and, you know, hang your head a little bit. If there's any variation on the word "password" or has any of the numbers "1 2 3 4" in order in it, you need to delete those passwords, maybe delete your account out of shame. Because, oh dear.
I'm not addressing those, I'm addressing, I guess, what a better password will be. Password systems in general are not a very useful way to authenticate. A lot of people think this, ok? Because they're hard to remember, unless you pick an easy one to remember, in which case it's easy and not secure, alright? So, in some sense we've tried to find a way of authenticating ourselves which is hard for a human to remember, easy for a computer to guess, and people do it badly. There's lots of reasons why passwords are terrible. Google thinks passwords are going the way of the Dodo, because they're bringing in this new authentication system where, you know, it tracks your movement in your pocket and things like this.
Fine, maybe that will work, but in the back you're always going to have some kind of password, because you don't want to be pulling your phone out of your pocket and Google saying, "you moved your phone weirdly, so can you type in your PIN code". You're gonna have to have something backing it up at all times.
For now, we're going to have instagram passwords hacked for a while longer
And so we have to think about what they should be. So, obvious rules: 8 characters, 7 characters, not long enough. If you have an 8 character password and you assume, just for a minute, that the website you're hosting it on is storing them in MD5, then I'm going to be trying passwords at forty billion hashes per second. How long's it gonna take me to get through eight? Not that long. If I'm smart about my character sets, less than a day, a few hours probably.
Let's talk about the better approach or the nearly perfect approach of XKCD and how can we improve even on that. So XKCD suggested the situation where you had a decent password, because it was hard to remember, because it was some word that you've got. Is it "troubadour"? And you change a few letters around for numbers, and you capitalize things and you stick in a symbol somewhere and things, and his argument is that this isn't a good password because there's not much entropy, because you're doing standard things that people do in hackable instagram passwords. That's absolutely true in the sense that if you replace an 'e' for a '3', everyone does that, that's number... rule one on the list, ok? Don't think that's clever because it's not. lf you replace a 'z' for a '3', actually that's still not very good. Let's pick a better one. If you... an 'o', if you replace an 'o' for a '3', that's slightly better, but someone's still probably going to have written that rule, because why wouldn't they when it's so fast to try them out? Ok, so you've got one option which is up which is a kind of hard word to remember with a bunch of weird to remember symbol exchanges, and then you've got another one, which is just four words appended together: correct horse battery staple.
I think that's the order. Now everyone knows that password which kind of means that password is not very good, but the point remains: if you pick, his argument is that if you pick four words and just stick them together, you have... It's inherently un-brute-force able, if that's a verb, right? Because it's too long, even with all lowercase even without symbols and things, and it's not really going to come up in a dictionary much because those are weird combinations of words that aren't very often used, and it's four of them.
How breakable are these two passwords? Well, first of all, troubadour with all those exchanges probably slightly harder than he suggests, because its entropy is not bad. I think it's 11 characters and you know there's some exchanges there. Not all of them are immediately obvious.
It's not absolutely terrible and perhaps slightly better than many things but he's absolutely right but it's quite hard to remember and a bit of a pain, certainly a pain to type in. "correct horse battery staple", much easier to remember, no funny characters to press, you get to type that quite quickly but the issue is that we don't brute force hack instagram passwords of that length, we dictionary attack them.
The question really comes down to, "is 'correct horse battery staple' going to come up in a dictionary attack?", and the answer is, "probably not", but once we start thinking people are just appending four words together, maybe yes, ok? So instead of our password cracking being a brute force of the number of characters to the power of the length of our password, it becomes the number of words we might use to the power of the number of words we are using, okay?
In this case, let's say the top ten thousand words to the power of 4, okay? Which happens to be a very big number, so we're kind of safe. But what if you only pick obvious words? "Staple", I've checked. I've checked a list of about the top 20,000 english words; "staple" is somewhere around 12,000. Which means that we don't tend to use it very often, that makes sense. "Horse" is much further up the list so were "correct" and "batteries" further up the list as well.
I mean, we all have phones, we talk about battery all the time. So, if you hypothetically picked four words that were in the top five hundred, then suddenly the search base is 500 to the power 4 which is much smaller and your bad instagram password is crackable. My advice to anyone attempting a password system like this is to assume that the person attacking you knows you're doing a password system like this and pick hard words. A brand name or a word that isn't going to come up in a list of obvious words that people use, "staple" is not a bad word, the other three are not great.
You know, change it for something else, ok?
Off the top of my head, uh... "lemming" is probably not a very common word we use, ok? Don't use it now, because I said it. I've got a Rubik's Cube, here "rubik" is probably not, or "Rubik's" is probably not in the top ten thousand english words.
We're changing the problem around to be a question of can they guess the word you'll used not the structure of your password, so a really good password will be three english words, i would say. With one word that's a bit out there Ok a bit odd; maybe it's a made-up word or something. Because then you can't be brute forced because of the length, you can't be brute force because of a combination of easy dictionary words. And you don't need to put symbols in, because it's just too hard anyway.
That would be really strong. If you want to be even stronger than that then just stick an underscore right in the middle of one of the words, just to really annoy everyone. Because if you stick it between words it's going to fit into a standard rule set of the sort of things people do with passwords, but if you put like an ampersand in the middle of a word that shouldn't have an ampersand in it, like "horse", "ho&rse" in the middle of "correct ho&rse battery staple", it's just that much harder to hack. And then, for you to be able crack that instagram password, a lot of things have to go right for the attacker.
They have to know the four words you're going to use, in the right order, and they have to have tried that with the exact right rule set that put an ampersand in at that exact position. And pick a word that other people don't use very often, like your favorite band name or something like that, ok? Because that way... maybe not your favorite band name if you blog about them because then they can social engineer the password, that's a different question.
What you should really be doing now is using a password manager
In some sense a password manager swaps you remembering a bunch of passwords for you hopefully remembering one really good password, ok? So this is the kind of password policy that you go even further with and make that your master password.
What a password manager does if it's well programmed is encrypt a database of your passwords for all your different websites and accounts and then you secure that with a master password of some description. And your master password has to be good and I don't mean, you know, "password password password" because no one's going to guess it's three times long.
It needs to be of the level we were just talking about. And you also need to look into what encryption the password manager uses, where's the decription done, it's not done on the server, we need to make absolutely sure it's all local and things like this. So look into it and see how they do their security.
I've looked into a lot of password managers.
They're all pretty good, you know, of the major players. They all use broadly similar schemes, they use very difficult to break hashes with lots of iterations, which means that even if your instagram passwords are released on the internet they're in encrypted form and they can't be obtained.
All my passwords are 16 characters of totally random and I don't know what they are. So if my... if my database gets deleted i'm somewhat in a problem right? But, my master password is similar, I won't give away too many too much information on what exactly it is it.
But my master password is in a similar vein to what we were discussing just now and I believe is essentially uncrackable at, you know, currently. But i can type it in quite fast, because I've done it a lot.
It's long enough and i can remember it, which is good, and i only have to remember one which makes it that much easier.
When you log on to a website and it says, "register for this website" again, and I'm only going to use it for five minutes, what am I going to do? I'll just make it my standard password that I use every time. Instead of doing that, you then go to your password manager and generate random 16 characters and it's a win-win because then, if you never use the website again, it doesn't matter anyway, because you've got... you've got a random password. And if someone, if that website is a bit dubious and they release your password later in a hack, it doesn't matter because it's random.
And that brings us on to last point:
Never ever reuse passwords, ever.
I fallen to this before, someone tried to log into my Facebook once with a password that got leaked, someone tried to log into my Skype with a password that got leaked, and that was my fault in a sense, because I used to use the same password a number of times before I knew what I was doing. This is a few years ago. Now, I know you have to have different passwords.
That way, if a password gets leaked down to the internet and hopefully it's random anyway, from your password manager then we're in business. You change that password, and you're secure again. If your master password for your... for your database is weak, then they are going to hack it, and then if they get in they get all your passwords. Obviously that has to be really strong.