Thursday, October 8, 2009

How easy is it to hack a password?

Hacked Hotmail passwords: As simple as 123456
05:55 AM Oct 08, 2009
SAN FRANCISCO - Some surprisingly simple passwords were found in Hotmail's stolen account data, which were published online last week. Two of the most popular were 1234567 and 123456789.

Mr Bogdan Calin, a security researcher who obtained a copy of the 10,000 stolen Windows Live Hotmail usernames and passwords that were posted to the website PasteBin, said: "A big majority of Internet users still use very poor passwords".

Mr Calin discovered that 82 out of 9,843 valid passwords used these two easily cracked number passwords. Another very popular password is 111111, reported IDG News Service.

The longest password Mr Calin found: lafaroleratropezoooooooooooooo.

Gmail, Yahoo Mail and AOL have been hit by cyber-crooks using "phishing" tactics to trick users of free Web-based email services into revealing account and access information.

Phishing tactics include sending people tainted email attachments that promise enticing content such as sexy photos of celebrities and luring people to bogus log-in pages that are convincing replicas of legitimate websites.

Microsoft, Google, and Yahoo stressed that hackers did not breach their databases, but rather email users were conned into revealing information.

Other popular passwords are alejandra, alberto, and alejandro. Mr Calin speculates that the crooks were targeting Latinos, just by looking at the password names.

Security experts say that secure passwords should use a combination of letters, numbers and other characters, and not include things like names, dates or dictionary words. AGENCIES

Honestly, I wasn't too surprised by the recent news that thousands of accounts had been hacked using phishing tactics (which basically involves lying/cheating to get the owner to reveal their passwords), and not direct attacks on the web servers. I'm also not surprised that many people still choose simple passwords such as 123456. Let me explain why.

Back in my ex-company, we had a few requirements for passwords. For example,

  • The password must be at least 7 characters long, with a combination of numbers and letters. Which is good, as that is what makes up a strong password. Bad is, it's difficult to remember.
  • You need to change the password once a month, and the password cannot be the same as any of the last 10 passwords that you had used before. Which is good, in keeping things fresh. Bad is, how many random 7-character alphanumeric passwords can you remember and come up with on a monthly basis?
  • Lastly, it will automatically log you out of the system after 3 failed attempts, after which you will have to reset and, in some cases, reapply for a new password. Which is also good, as it makes it difficult for someone to guess your password and try to access the system with it. Bad is, it risks being disruptive to your work, especially at times when you return to the office to meet your deadlines, only to be logged out of the system with no IT support due to it being after office hours, or having to put in an application for a new password that takes up to a week to generate.

So what is really happening on the ground is that people are using simple passwords so that they will not forget them and be logged out of the system. Some of the common passwords that half my department are using include:

  1. a123456 (changing the letter to b123456, c123456 etc. in subsequent months),
  2. a111111 (changing the numbers to a222222, c222222 etc. in subsequent months),
  3. the month and year combination (e.g. sep2009, oct2009 etc.)

Either that, or they will write down their more complicated passwords and keep them somewhere near their desk, some even on Post-it notes stuck to the keyboard. I could honestly have hacked the accounts of half the people in my department had I wished to.
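The policy described above (7+ characters, letters and digits, no reuse of the last 10) is exactly what a checker enforces, yet it accepts every pattern listed. The following is an added example, not code from the original post or from the company it describes: a password-change checker that keeps the post's rules and additionally rejects the predictable patterns the post names (repeated or sequential digit runs, month+year combinations, and "rotation" of a previous password by changing one character or swapping the digit run). The minimum run length of 5 digits and the exact rejection messages are my own assumptions.

```python
import re

# Month abbreviations and full names, matched case-insensitively
# against passwords of the shape <word><2- or 4-digit year>, e.g. sep2009.
MONTHS = ("jan", "feb", "mar", "apr", "may", "jun",
          "jul", "aug", "sep", "oct", "nov", "dec",
          "january", "february", "march", "april", "june", "july",
          "august", "september", "october", "november", "december")


def meets_base_policy(pw):
    """Rule from the post: at least 7 characters, containing letters and digits."""
    return (len(pw) >= 7
            and re.search(r"[A-Za-z]", pw) is not None
            and re.search(r"\d", pw) is not None)


def trivial_digit_run(digits, min_len=5):
    """A run of digits is trivial if every digit is the same (111111)
    or the digits are consecutive ascending/descending (123456, 987654).
    min_len is an assumed threshold; short runs like a 4-digit year are
    handled by the month+year check instead."""
    if len(digits) < min_len:
        return False
    if len(set(digits)) == 1:
        return True
    steps = {int(b) - int(a) for a, b in zip(digits, digits[1:])}
    return steps in ({1}, {-1})


def has_trivial_digit_run(pw):
    return any(trivial_digit_run(run) for run in re.findall(r"\d+", pw))


def is_month_year(pw):
    m = re.fullmatch(r"([a-z]+)(\d{2}|\d{4})", pw.lower())
    return m is not None and m.group(1) in MONTHS


def skeleton(s):
    """Collapse letters to 'a' and digits to '9' so a222222 and a111111
    compare equal in shape."""
    return re.sub(r"\d", "9", re.sub(r"[A-Za-z]", "a", s))


def is_trivial_rotation(new, old):
    """The rotation pattern from the post: same length and differing in
    one position only (a123456 -> b123456), or identical letter/digit
    shape where the digit run was merely replaced by another trivial
    run (a111111 -> a222222)."""
    if len(new) != len(old):
        return False
    diffs = sum(1 for a, b in zip(new, old) if a != b)
    if diffs <= 1:
        return True
    return skeleton(new) == skeleton(old) and has_trivial_digit_run(new)


def check_password(new, history=()):
    """Return the list of reasons a candidate password is rejected;
    an empty list means it is accepted. history holds previously used
    passwords, most recent first; only the last 10 are consulted."""
    reasons = []
    if not meets_base_policy(new):
        reasons.append("shorter than 7 chars or missing letters/digits")
    if has_trivial_digit_run(new):
        reasons.append("contains a repeated or sequential digit run")
    if is_month_year(new):
        reasons.append("looks like a month+year")
    for old in list(history)[:10]:
        if new == old:
            reasons.append("matches one of the last 10 passwords")
            break
        if is_trivial_rotation(new, old):
            reasons.append("trivial rotation of a previous password")
            break
    return reasons


if __name__ == "__main__":
    # Constructed sample: last month's password was a123456.
    previous = ["a123456"]
    for candidate in ("b123456", "a222222", "sep2009",
                      "lafaroleratropezoooooooooooooo", "Tr0ub4dor&3xample"):
        print(candidate, "->", check_password(candidate, previous) or "accepted")
```

One practical caveat: a system that stores only password hashes cannot run the rotation check against the last 10 passwords, since it has no plaintext to compare against. It can still run it against the current password, which the user types in at change time, which is where the a123456-to-b123456 pattern shows up anyway. The broader point the post makes stands regardless: forced monthly rotation plus a strict lockout pushes people toward exactly these patterns, so a checker like this is a patch on the policy rather than a substitute for relaxing it.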