Updated: Aug 14, 2021
Passwords. They've become a part of our daily life whether we like it or not. The problem is, we want to use passwords that are easy to remember (for obvious reasons), but if a password is easy to remember, it's probably easy to "hack". The word "hack" or "hacked" is used a lot in 2021, but most people don't actually know what it means or what it actually looks like. Images of dark, cloaked figures hunched over a dimly lit screen with lines of code streaming by, furiously tapping away, come to mind, but in reality that's not an accurate portrayal. It wasn't until I personally attempted "hacking" a password that I truly understood why all those tips and rules existed, and how seriously they need to be taken.
There's a reason you've been told: "Don't use a password that might appear in a dictionary". This is a basic rule when choosing a password because of something called "wordlists". What's a wordlist? It's exactly what it sounds like. A list of words. Every word in every dictionary is combined into a single file that a computer uses to find your password. Every time a database is breached those passwords are added too. As you can imagine, these lists are pretty big. Some of the larger wordlists have tens of billions of entries.
"Hackers" use these wordlists to perform what's called a "brute force" attack. It's called "brute force" because there's not much intelligence to it; it basically just throws password attempts at the wall until one sticks. You might think it would take a long time to throw a few billion passwords at that proverbial wall, and a few years ago that was true. When attempting to crack a WPA2 WiFi network password, a fast computer from 2015 could process around 2 thousand passwords every second. That means it would take almost 1 full month to get through a wordlist with 5 billion entries in an attempt to discover just one password to a single network, and that's assuming the password exists in the list. Like most things in life, hackers are typically looking for the "low hanging fruit", and unless they know there's a huge pot of gold at the end of the rainbow, they're not going to devote a full month of processing power to possibly discover 1 password.
Phone numbers as passwords.
385, 435, and 801. These are the area codes currently used throughout all of Utah. If we include all prefixes, there are 30 million possible 10 digit phone numbers that begin with those area codes. Assuming a modern computer is able to process around 5 thousand phone numbers every second, it would take about 1.6 hours to try all of them. That's not long, but it's not that short either, and there's no guarantee the network the hacker is going after is even using a phone number, let alone a phone number with a Utah area code. Again, think low hanging fruit.
GPU powered brute forcing.
The same thing that makes a GPU or video card so valuable to cryptocurrency miners makes them just as valuable to hackers. They're really good at solving the same mathematical problem, over and over again. The developers of a free program called "Hashcat" realized that and created one of the most powerful password brute forcing applications to come out in the last decade. How powerful is it? Remember how that fast modern computer could process about 5 thousand passwords every second? Put a midrange video card in that same computer, use Hashcat, and it's now able to process 500 thousand attempts every second, with high-end video cards pushing that to 1.2 million attempts. At the high-end rate you can run through that 5 billion entry wordlist in just over 1 hour instead of 1 month, and those 30 million phone numbers in just 25 seconds. That just shook the tree and turned low hanging fruit into fruit lying on the ground waiting to be picked up, and the high hanging fruit just fell down to the lowest branches. The latest developments to Hashcat allow you to inexpensively rent GPU processing power to help crack a password, and for a few bucks you can have access to a system with the ability to process tens of millions of attempts every second. A system like that, able to process 12 MH/s (12 million attempts per second), takes the time down to 7 minutes for the 5 billion entry wordlist and 2 seconds for the phone numbers.
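The time estimates in the last few paragraphs all come from one calculation: the number of candidates a guess space contains divided by the attempt rate. The following is an added example (not code from the article) that carries out that calculation with the article's own rates and keyspaces, and goes one step further by adding a 16-character random password of the kind a password manager generates, so the difference between a guessable secret and a random one is visible in the same units. The alphabet, password length, and rate labels are constructed assumptions.

```python
import secrets
import string

# Guess rates quoted in the article, in attempts per second.
RATES = {
    "2015 CPU (WPA2)": 2_000,
    "modern CPU": 5_000,
    "midrange GPU + Hashcat": 500_000,
    "high-end GPU + Hashcat": 1_200_000,
    "rented GPU system (12 Mh/s)": 12_000_000,
}

UTAH_AREA_CODES = ("385", "435", "801")
# Constructed alphabet (94 symbols) for a password-manager style random password.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

def phone_keyspace(area_codes=UTAH_AREA_CODES, local_digits=7):
    """10-digit numbers starting with the given area codes: 3 * 10^7 for Utah."""
    return len(area_codes) * 10 ** local_digits

def random_password_keyspace(length=16, alphabet=ALPHABET):
    """Every string of this length is equally likely, so the whole space is the 'wordlist'."""
    return len(alphabet) ** length

def seconds_to_exhaust(keyspace, rate):
    """Worst case: every candidate is tried and the last one is the right one."""
    return keyspace / rate

def human_time(seconds):
    """Report the duration in the largest unit that fits, as the article does."""
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"

def generate_manager_password(length=16, alphabet=ALPHABET):
    """What a password manager does: draw each character from the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    keyspaces = {"5 billion entry wordlist": 5_000_000_000,
                 "Utah phone number": phone_keyspace(),
                 "16-char random password": random_password_keyspace()}
    for label, ks in keyspaces.items():
        for rlabel, rate in RATES.items():
            print(f"{label:24} vs {rlabel:27}: {human_time(seconds_to_exhaust(ks, rate))}")
    print("example manager password:", generate_manager_password())
```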
Barriers to entry.
"This all sounds pretty complicated" you might be thinking. First of all, it's not. Anyone with a computer and access to YouTube can follow some easy directions and be set up with one of these systems. Beyond that, thanks to websites like gpuhash.me that crack any file you send them for a small fee, a bad actor doesn't even need basic technical capabilities to steal your information.
Are you scared yet? Good.
What's the answer to these powerful brute forcing techniques? That's easy. Don't use passwords that might appear in a wordlist! "But that's going to be impossible to remember!" I hear you saying. Well, you're right. But thankfully there are several great solutions for this called "password managers". They're programs that you can install on every device from your laptop to your phone, and they not only store your passwords, but help generate secure passwords and autofill them in websites and apps so you don't even have to copy and paste them over. The good ones even check the website asking for the password to make sure you're not being "phished". If set up correctly, they're actually easier than quickly typing in a weak password.