You have probably never heard of "the beast", but it lives in the computer science department at the University of Nottingham in the U.K. and can crack 40 million passwords in just seconds. The short story is this: almost everyone's passwords are terrible, and we should all be changing them right now.
Long and Hard Is Better
In a recent episode of the video program Computerphile (a sister project to Brady Haran's Numberphile), the team ran several cracking sessions to see just how easily a hashed password can be recovered. It turns out to be easy for the machine affectionately known as "the beast" to test billions of candidate passwords per second without breaking a sweat. It is a Linux box about two or three times the size of a normal desktop, fitted with four Nvidia Titan X graphics cards that were bought for deep learning research. (The "Nvidia-SMI" sometimes cited as the machine's name is actually nvidia-smi, Nvidia's command-line utility for monitoring those cards.)
The Computerphile team did their cracking with Hashcat, a widely used password-cracking tool, and showed it running at roughly 10 billion hashes per second. That figure depends on the hash algorithm: it holds for fast general-purpose hashes such as MD5 or SHA-1, while deliberately slow password hashes such as bcrypt cut it by orders of magnitude. The real damage comes from reuse: once a password for Target or Amazon has been cracked, an attacker's first move is to try the same password against the victim's bank, email and health-insurance accounts, and all too often it works. Most consumers are either lazy or ignorant, or both.
For example, many people use a stock password such as "Password1234". A longer password that mixes lower- and uppercase letters, numbers and symbols takes cracking software far longer to reach, or is never reached at all, because every extra character multiplies the search space by the size of the character set. Treat 9-10 characters as a minimum rather than a target; longer is better. And don't use your birthday or your pet's name.
Professional Password Crackers
While the Computerphile team are not professional hash crackers, they used Hashcat on the machine to take the roughly 14 million entries of the RockYou wordlist, expand them with a set of mangling rules, and test the resulting candidates against a list of password hashes at about 8-10 billion attempts per second. Mind-blowing speed and volume. Only 18% of the way through the run, they had already recovered 3.5 million passwords using the RockYou dictionary.
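To make concrete how a wordlist-plus-rules attack like the one described above works, and why the length and character set discussed under "Long and Hard Is Better" matter so much, here is a small Python example added for this article; it is not code from Computerphile or from Hashcat. The "leaked" hashes, the six-word wordlist and the five mangling rules are all constructed for illustration, and the 10 billion hashes per second figure is simply the rate the article cites.

```python
import hashlib

# Constructed sample standing in for a leaked list of unsalted MD5 hashes.
# The plaintexts are chosen for the demo; nothing here comes from a real breach.
LEAKED_HASHES = {
    hashlib.md5(b"password").hexdigest(),
    hashlib.md5(b"Password1234").hexdigest(),
    hashlib.md5(b"football!").hexdigest(),
    hashlib.md5(b"Tr0ub4dor&3").hexdigest(),   # not reachable from the wordlist below
}

# A six-word stand-in for the ~14 million entry RockYou wordlist.
WORDLIST = ["password", "football", "monkey", "qwerty", "dragon", "letmein"]

# Mangling rules in the spirit of Hashcat's rule files: each maps one
# dictionary word to a list of candidate guesses.
def rule_identity(word):
    return [word]

def rule_capitalize(word):
    return [word.capitalize()]

def rule_append_digits(word):
    return [word + digits for digits in ("1", "123", "1234", "2017")]

def rule_append_symbol(word):
    return [word + symbol for symbol in "!@#$"]

def rule_leet(word):
    return [word.replace("a", "@").replace("o", "0").replace("e", "3")]

RULES = [rule_identity, rule_capitalize, rule_append_digits,
         rule_append_symbol, rule_leet]

def candidates(wordlist, rules):
    """Yield every guess produced by applying one rule, then every guess from
    stacking a second, different rule on top (e.g. capitalize + append digits)."""
    for word in wordlist:
        for first in rules:
            for guess in first(word):
                yield guess
                if first is rule_identity:
                    continue
                for second in rules:
                    if second is not rule_identity and second is not first:
                        yield from second(guess)

def md5_hex(plaintext):
    return hashlib.md5(plaintext.encode()).hexdigest()

def crack(hashes, wordlist, rules, hash_fn=md5_hex):
    """Dictionary-plus-rules attack. Returns ({hash: plaintext}, guesses_made).
    Swap hash_fn for a slow KDF (bcrypt, scrypt, Argon2) and it is the guess
    rate, not the logic, that changes."""
    remaining = set(hashes)
    found = {}
    guesses = 0
    for guess in candidates(wordlist, rules):
        guesses += 1
        digest = hash_fn(guess)
        if digest in remaining:
            found[digest] = guess
            remaining.discard(digest)
            if not remaining:
                break
    return found, guesses

RATE_PER_SECOND = 10_000_000_000   # the ~10 billion hashes/second the article cites

def brute_force_seconds(length, charset_size, rate=RATE_PER_SECOND):
    """Worst-case seconds to exhaust every string of `length` characters drawn
    from an alphabet of `charset_size` symbols at `rate` hashes per second."""
    return charset_size ** length / rate

if __name__ == "__main__":
    found, guesses = crack(LEAKED_HASHES, WORDLIST, RULES)
    print(f"{len(found)} of {len(LEAKED_HASHES)} hashes cracked in {guesses} guesses:")
    for digest, plaintext in found.items():
        print(f"  {digest}  {plaintext}")
    # 8 lowercase letters versus 12 characters from the full printable set
    print(f"26^8  at 10 GH/s: {brute_force_seconds(8, 26):.1f} s")
    print(f"95^12 at 10 GH/s: {brute_force_seconds(12, 95) / 3.15e7:.0f} years")
```

Three of the four hashes fall to the tiny wordlist because "Password1234" is just "password" with two cheap rules stacked on it; the fourth survives only because nothing in the wordlist leads to it. The keyspace arithmetic makes the length point: eight lowercase letters are exhausted in about 21 seconds at the article's 10 billion guesses per second, while twelve characters from the full printable set would take on the order of a million years.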
There are, however, money-making enterprises that will hack an Instagram, Facebook or Twitter account for you. One such outfit is called Insidehackers. (Disclaimer: The Threat Report has no affiliation or connection with this company.) You hand over the target's Facebook ID or profile URL and, the company claims, it returns the account's original password and email address with a 96.77% success rate. Prices range from $500 to $900, and cash is not accepted: only bitcoin, paid through Paybis or, for U.S. customers, Coinbase.
Some of the tools on offer, such as phishing pages that mimic a login screen, are tailored to specific companies and brands, so an attacker can choose whom to target, starting with a cheap brand and working up to a premium one such as Apple. Google, Dropbox, Coinbase, Twitter, Facebook, PayPal, Apple and Netflix are all covered. The tools attackers use are becoming more accessible all the time.
Too Common for Comfort
As mentioned earlier, people often build passwords from the most familiar references in their lives. Attackers know this and seed their wordlists with common terms from pop culture and sports, because they know many people pick those easy-to-remember words.
Every year the password-management vendor SplashData publishes a list compiled from more than five million leaked passwords that were made public over the previous 12 months. The majority came from users in North America and Western Europe.
Many entries on the 2017 list were the usual suspects ("123123", "Password", "admin" and so on), but there were a couple of unexpected ones, including "monkey" and "whatever". Others were a little more topical: a very cynical (and entirely appropriate) "trustno1" snuck in at number 25, and "football" and "dragons" (a likely reference to Game of Thrones) also made the list.
Here are the leading entries from the 2017 top 10:
- 123456 (unchanged… for the fourth year in a row)
- Password (unchanged)
- 12345678 (up 1 from 2016)
- qwerty (up 2 from 2016)
- 12345 (down 2 from 2016)
- 1234567 (unchanged)
- football (down 4 from 2016)
See any of your passwords there? We can only imagine what the top passwords of 2018 will look like; we will report back when we find out. And, while we are on the subject: change your passwords. Use a password manager. And whatever you do, don't write them down on a sticky note.