It was a fascinating read about passwords, with many intriguing links.
First, it shouldn’t surprise anyone, but people wanting to crack passwords study passwords. They buy up databases of stolen passwords, and when possible, link them to their owners, and then use the information they’ve gained to look up the owner on the Internet and social media to learn what they can. They’re not targeting these people to hack them; they’re targeting them to understand demographic patterns.
Second, people continue to use words or personal information as passwords. Cracking programs ship with word lists and automatically try dictionary words first. Match and done, cracked. Naturally, they also try names.
from Mark Burnett, xato.net, via https://wpengine.com/unmasked/
Third, scarier but not surprising, is that password crackers also include the “Leet” (or 1337) substitutions so many people rely on. It isn’t surprising, because the convention is common knowledge and has been around for a long time, so of course anyone trying to crack passwords will build it into their processing.
Fourth, how websites and applications weigh password strength and password entropy varies. Zxcvbn (recognize the pattern?) in a remarkable post compared multiple sites and reported the scores each gave the same passwords. Intriguing.
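The second, third and fourth points together explain why two meters can disagree about the same password: a naive meter counts characters and character classes, while a pattern-aware one first undoes the leet substitutions, then looks for dictionary words and names, and charges only for what is left. The following is an added illustration, not code from this post or from zxcvbn; the word lists, the leet table and the sample passwords are constructed for the example, and the per-character costs are simplified.

```python
"""Naive "charset ^ length" strength estimate beside a pattern-aware one.
Constructed word lists and leet table; illustrative, not any real meter."""
import math
import re

# Constructed, tiny ranked lists. Rank 1 is "most common". A real estimator
# uses tens of thousands of ranked leaked passwords, dictionary words and names.
COMMON_WORDS = ["password", "welcome", "dragon", "monkey",
                "letmein", "football", "shadow", "master"]
NAMES = ["michael", "jennifer", "jessica", "ashley", "daniel", "mark", "burnett"]
RANKED = {w: i + 1 for i, w in enumerate(COMMON_WORDS + NAMES)}

# Reverse leet table: the substitutions a pattern-aware meter undoes first.
LEET = {"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
        "0": "o", "$": "s", "5": "s", "7": "t", "+": "t"}


def charset_size(pw):
    """Size of the alphabet a brute-force search would have to cover."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33
    return size


def naive_entropy_bits(pw):
    """What a simplistic meter reports: log2(charset) per character."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def unleet(pw):
    """Lowercase and reverse common leet substitutions, character for character."""
    return "".join(LEET.get(ch, ch.lower()) for ch in pw)


def pattern_entropy_bits(pw):
    """Pattern-aware estimate: a dictionary hit costs log2(rank), plus one bit
    for every capitalised or leet-substituted character inside it. Characters
    that match nothing fall back to brute force over the password's charset.
    Returns (bits, list_of_dictionary_hits)."""
    forms = (pw.lower(), unleet(pw))  # try the raw and the de-leeted spelling
    per_char = math.log2(charset_size(pw)) if pw else 0.0
    bits, hits, i, n = 0.0, [], 0, len(pw)
    while i < n:
        hit = None
        for j in range(n, i, -1):  # longest candidate first
            for form in forms:
                if form[i:j] in RANKED:
                    hit = form[i:j]
                    break
            if hit:
                break
        if hit is None:
            bits += per_char  # unmatched character: brute-force cost
            i += 1
            continue
        seg = pw[i:i + len(hit)]
        bits += math.log2(RANKED[hit])
        bits += sum(1 for c in seg if c.isupper())  # capitalisation variants
        bits += sum(1 for c in seg if c in LEET)    # leet variants
        hits.append(hit)
        i += len(hit)
    return bits, hits


def compare(pw):
    """Both estimates side by side, rounded to one decimal."""
    pattern, hits = pattern_entropy_bits(pw)
    return {"password": pw,
            "naive_bits": round(naive_entropy_bits(pw), 1),
            "pattern_bits": round(pattern, 1),
            "dictionary_hits": hits}


if __name__ == "__main__":
    # Constructed samples that look "strong" to a naive meter but not to this one.
    for sample in ["password", "P@ssw0rd", "Mark1987", "M1ch43l!", "xq7#Lp2v"]:
        print(compare(sample))
```

Run it and the gap is the whole story of the post: `P@ssw0rd` scores around 52 bits on the naive meter and about 3 bits once the leet table and the word list are applied, while a random string like `xq7#Lp2v` scores the same under both, because there is no pattern to undo.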
Returning to the Unmasked article, they also ran seventy-eight thousand passwords through FullContact’s Person API to find rich and famous people. From that, they selected forty passwords that had been matched to owners to see if they could be cracked, and how long it took.
Most were too easily unmasked. That’s one thing to remember: if you’re targeted, your password can probably be cracked, but it’ll take time. Thieves typically aren’t targeting most of us because we’re not notable or wealthy. So taking the time to create challenging passwords can help remove you from the list of low-hanging fruit. That’s the same reason for frequently changing passwords. Yes, it is all a pain. It’s also why you shouldn’t use the same password — or easy variations — on multiple accounts.
A GitHub developer, whose password had an entropy of ninety-six, was the hardest to crack.