Your Facebook, Snap! Websites and other passwords...

By Alexis Wilke

Password Strength

I'm sure that, if you've been around for some time, you've heard of someone's account being hijacked. Half the time, that's because the password was too simple. Although all companies could force you to enter a safe password, only banks really do it (and a few geek websites that you have probably never even heard of!). At least Snap! Websites have a counter that lets you know the strength of your password as you type it.

There are many tools that will help you check whether your password is considered safe. For instance, password1 is not safe. Neither is any word found in a dictionary (especially English, but the same goes for any language.)

[Image: Boletus in Finnish forest, by Petritap. Caption: Is a mushroom your safe heaven?]

comparitech offers a page where you can test your password strength:

Password Checker: Using Strong Password

There are many hacker tools on Linux that will also check your password against dictionaries[1] and let you know how long it took to crack your password. We're planning to offer such a tool on all our websites soon. We already offer the password strength feature, though, and don't take it lightly!

To be safe, a password should be as random as possible and include letters, digits and punctuation. Yes! Some companies still have password fields that only accept letters and digits[2]. Weird. Especially because it means that once in a while you'll be limited in your password strength.

Now, for those interested, there is a little bit of math. Say you use just ASCII letters. There are 26 of them. Write a password of 8 letters. You have 26^8 possibilities (a little under 209 billion, including dictionary words.) Add the 10 digits to that, and you now have 26 + 10 = 36 characters. With an 8-character password you get 36^8. Just those 10 extra characters increase the possibilities to over 2.8 trillion. Finally, add the punctuation, which is about 32 characters, and you get 68^8 possibilities, or about 457 trillion.
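As an added illustration of the arithmetic above (this is example code written for this page, not code from the Snap! Websites project), here is a small strength estimator in Python. It computes alphabet^length with the three alphabets the post counts (26 letters, 10 digits, 32 punctuation characters) and, following the dictionary argument, scores a password that is merely a dictionary word with digits appended or written backwards against the size of the 600,000-word dictionary instead of the full alphabet space. The word list, the "weak/fair/strong" thresholds and the function names are constructed assumptions.

```python
import math
import string

# The three alphabets the post counts. Letters are treated case-insensitively,
# matching the post's 26-letter count; string.punctuation has 32 characters.
LETTERS = set(string.ascii_lowercase)
DIGITS = set(string.digits)
PUNCTUATION = set(string.punctuation)

ENGLISH_WORDS = 600_000  # dictionary size quoted in the post

# Constructed stand-in for a word list; a real checker loads a full dictionary file.
DICTIONARY = {"password", "secret", "welcome", "alexis", "mushroom", "letmein"}


def alphabet_size(password: str) -> int:
    """Size of the combined alphabet the password draws from (0 for empty input)."""
    chars = set(password.lower())
    size = 0
    if chars & LETTERS:
        size += len(LETTERS)
    if chars & DIGITS:
        size += len(DIGITS)
    if chars & PUNCTUATION:
        size += len(PUNCTUATION)
    return size


def search_space(password: str) -> int:
    """alphabet^length: how many candidates an exhaustive guesser must cover."""
    return alphabet_size(password) ** len(password)


def dictionary_based(password: str) -> bool:
    """True when the password is a dictionary word, possibly with digits appended
    (password1) or written backwards (sixela), the two patterns the post names."""
    core = password.lower().rstrip(string.digits)
    return core in DICTIONARY or core[::-1] in DICTIONARY


def strength_bits(password: str) -> float:
    """Guessing work in bits. A dictionary-derived password is scored against the
    600,000-word list (x10 for a digit suffix, x2 for reversal), not alphabet^length."""
    if not password:
        return 0.0
    if dictionary_based(password):
        return math.log2(ENGLISH_WORDS * 10 * 2)
    return math.log2(search_space(password))


def strength_label(password: str) -> str:
    """The kind of meter the post describes; the bit thresholds are assumed values."""
    bits = strength_bits(password)
    if bits < 30:
        return "weak"
    if bits < 45:
        return "fair"
    return "strong"


if __name__ == "__main__":
    for candidate in ("password1", "sixela", "abcdefgh", "abcdefg1", "xq7!rT2m"):
        print(f"{candidate:12} {strength_bits(candidate):5.1f} bits  {strength_label(candidate)}")
```

Eight lowercase letters come out at about 37.6 bits (26^8), eight letters plus digits at 41.4 bits (36^8) and the full 68-character alphabet at 48.7 bits (68^8), while password1 scores about 23.5 bits despite being nine characters long, which is the post's point in one number.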

With so many possibilities (and only 7 billion people on the planet, most of whom don't have Internet access) we should all be able to have a different password. However, the fact is that many people will use one or two words, their birth date, maybe a reversed name as in "sixela"... Nothing that fancy. Why is that? Because the English dictionary is limited to about 600,000 words. That is far from even the 26^8 possibilities mentioned in the previous paragraph. Plus, the 600,000 includes archaic and Latin words you have probably never heard of (did I mention Plagiarism in my previous post?), and I know the spelling of words like et cætera, which is why seeing ect instead of etc makes me go bananas. In most languages, people use only about 20,000 words of their language. In Japan, they say that you can get by with about 2,000. In France, François Mitterrand, a former president, used words that more than 50% of the population could not understand.

Trojan Horses

Alright. So by now you've been very scared and you've got strong passwords everywhere, right? Good! Maybe you even started a schedule to change your passwords once a month or so... Even better.

There are two other problems with passwords:

1) Many people tend to use the same password for everything. Please, at least use different passwords for each of your bank accounts (including PayPal and the like), insurance accounts, etc.

2) Many companies have rather unsafe computer systems and on top of that they save your password unencrypted!

What point (1) means is: if I hack your account on Facebook, I can now enter all your accounts on all platforms: Twitter, YouTube, Google Mail, Yahoo!, Hotmail, etc. You get the picture. You may think you'll have time to fix all the passwords... shall I remind you that hackers use computers to hack accounts? These are robots that work "in real time" and are much faster than you at logging in (and at changing your password so you're locked OUT of your account.)

Point (2) is subtle... and most people are not aware of it. When your password is saved unencrypted in a database, anyone who has access to that database can see it. If you are using the same password everywhere, then (1) hits you with full force, since some people now know your password (i.e. the server administrators have access to it! Not all administrators are nice people. Some could sell the list to hackers and make money out of it...)

The other problem with point (2) is that a hacker who can penetrate that company's system now has a complete list of all the user names and passwords... When passwords are encrypted, they cannot reuse them without first breaking them, which can take a long time (assuming you did not use password1 and that the encryption is strong enough). It still gives them the advantage of bypassing any software that would prevent brute force password hacking, such as we have on Snap! Websites.
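To make points (1) and (2) concrete, here is an added example in Python of how a site should keep the password table so that a leaked copy exposes no passwords. This is example code written for this page, not Snap! Websites code. What the post calls "encrypting" the stored password is shown here as the usual practice: a random per-user salt plus a deliberately slow hash (PBKDF2-HMAC-SHA256 from Python's standard library), so that a stolen table still has to be cracked one password at a time. A failed-login counter with a temporary lockout stands in for the brute-force protection the post mentions; the iteration count, the five-attempt limit and the fifteen-minute lockout are assumed policy values.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

ITERATIONS = 100_000      # PBKDF2 work factor; raise it as hardware gets faster (assumed value)
MAX_FAILURES = 5          # failed logins before a temporary lock (assumed policy)
LOCKOUT_SECONDS = 900     # how long the lock lasts (assumed policy)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per user means two users with
    the same password get different records, and one precomputed list cannot
    be used against the whole table."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


class UserStore:
    """In-memory stand-in for a user table: it keeps only salt + digest, never the
    password itself, and counts failed logins to slow down online guessing."""

    def __init__(self, clock=time.monotonic):
        self._users = {}
        self._clock = clock  # injectable so the lockout can be tested without waiting

    def register(self, username: str, password: str) -> None:
        salt, digest = hash_password(password)
        self._users[username] = {"salt": salt, "digest": digest,
                                 "failures": 0, "locked_until": 0.0}

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'locked' or 'denied'."""
        rec = self._users.get(username)
        if rec is None:
            # Burn a hash anyway so response time does not reveal which usernames exist
            hash_password(password, b"\x00" * 16)
            return "denied"
        now = self._clock()
        if now < rec["locked_until"]:
            return "locked"
        if verify_password(password, rec["salt"], rec["digest"]):
            rec["failures"] = 0
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILURES:
            rec["locked_until"] = now + LOCKOUT_SECONDS
            rec["failures"] = 0
        return "denied"

    def leaked_record(self, username: str) -> dict:
        """What a database dump would expose for this user: salt and digest only."""
        rec = self._users[username]
        return {"salt": rec["salt"].hex(), "digest": rec["digest"].hex()}


if __name__ == "__main__":
    store = UserStore()
    store.register("alexis", "xq7!rT2m")          # constructed sample account
    print(store.login("alexis", "xq7!rT2m"))      # ok
    print(store.login("alexis", "password1"))     # denied
    print(store.leaked_record("alexis"))          # no password in sight
```

Two things are worth noticing: the same password registered twice produces two different records because the salt differs, and once the lock is in place even the correct password is refused until the clock runs out, which is the behaviour that turns a leaked hash table from an instant win into a long offline job.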

Okay... Now let's assume that problems (1) and (2) are resolved: you use a different password on each and every platform, all companies use encryption to save your password, and they have tools to prevent brute force password farming...

What other means could a hacker have to find your password?

Trojan horses. You have probably already heard of Trojan horses, and some include a keyboard sniffer[3].

This is generally called a virus. These viruses don't do anything noticeably wrong to your computer, though. Instead, they quietly install themselves, sniff what you're doing and send the info to the hackers. This is similar to being wiretapped by the government.

These tools are extremely annoying because they are hard to detect and most of the time they are hard to remove from your computer.

As you can imagine, whatever the strength of your password, if the hacker can detect what you are typing in the user name and password boxes for a given website URL, they have all the information. For your bank, Facebook, insurance company, YouTube, anything.

One of the latest scam emails I received, "Your facebook password has been changed", most certainly included such a virus. (I don't take the time to test those viruses... sorry!) I infer this because 3 of my Facebook friends' accounts were intruded upon within the last 2 days.

Anything else?

Yes. For banks and other accounts, many black hats will send you a link to follow. For instance, they will tell you that PayPal just shut down your account and that you can reactivate it by logging in immediately. Follow the link and you'll notice that the website is generally not a 1-to-1 copy of the regular PayPal login screen, the URL will be wrong (obviously?), and finally it is quite unlikely to be a secure page (although I started seeing hackers make use of 30-day free secure certificates, so watch out on that last one!)

To avoid problems with those, it is better to use your own bookmark and check that the browser tells you the connection is secure. That indicator now appears in your location bar at the top and in the status bar at the bottom.
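The bookmark advice can be turned into a mechanical check. The following is an added Python example written for this page (not code from the post's author or from any browser): it takes a link as it appears in an email and the host of the bookmark you would normally use, and lists the reasons the link should not be followed, namely a scheme other than https, user information placed before the host in the URL, and a host that is not exactly the bookmarked one (a lookalike that merely contains the brand name fails this test). The bookmark table and the sample links are constructed.

```python
from urllib.parse import urlsplit

# Constructed bookmark table: the login host you actually use for each service.
BOOKMARKS = {
    "paypal": "www.paypal.com",
    "bank": "online.examplebank.test",
}


def check_link(url: str, bookmark_host: str) -> list:
    """Return the reasons an emailed link does not match the bookmarked login page.
    An empty list means the link points at the same host, over https, with no tricks
    in the authority part of the URL."""
    reasons = []
    parts = urlsplit(url)

    # The post's first test: a secure page is the minimum, not proof of legitimacy.
    if parts.scheme.lower() != "https":
        reasons.append("not https")

    # Anything before '@' in the authority is user information, not the host;
    # a legitimate login link never needs it.
    if parts.username is not None or "@" in parts.netloc:
        reasons.append("URL carries user information before the host")

    # The post's second test: the host must be the bookmark, character for character.
    host = (parts.hostname or "").lower()
    expected = bookmark_host.lower()
    if host != expected:
        reasons.append(f"host {host!r} is not the bookmarked host {expected!r}")

    return reasons


def safe_to_follow(url: str, bookmark_host: str) -> bool:
    """Convenience wrapper: True only when check_link finds nothing to object to."""
    return not check_link(url, bookmark_host)


if __name__ == "__main__":
    samples = [  # constructed examples of links one might receive
        "https://www.paypal.com/signin",
        "http://www.paypal.com/signin",
        "https://www.paypal.com.account-verify.test/login",
        "https://www.paypal.com@evil.test/",
    ]
    for link in samples:
        print(link, "->", check_link(link, BOOKMARKS["paypal"]) or "matches bookmark")
```

The exact-host comparison is deliberate: checking whether the brand name merely appears somewhere in the URL is exactly the test a lookalike domain is built to pass, whereas comparing against the bookmark you already trust gives the attacker nothing to work with.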

If you have any suspicion, just don't follow the link and don't open attachments (especially if the email was sent by someone you don't know!)

Ah! And I have a scoop for you: a white hat getting ATM machines to spit out $20 bills. Sorry! This news was removed from the newspaper I was linking to. The story was that a hacker bought 3 ATM machines and managed to easily hack 2 of them...

  • 1. The main dictionaries used are language dictionaries (i.e. English, German, French, Arabic, etc.) and password dictionaries. The latter are built by hackers each time they crack a password.
  • 2. Actually, there are much worse cases. Several times I entered a 14- or 15-letter password that got truncated to 8 letters by the company! Needless to say, when I tried to log in later, it failed... At another company, entering a [, {, } or ] would generate on-screen errors because the password string was mishandled. Finally, another one would let you enter everything on registration, including punctuation, but not when logging in.
  • 3. Keyboard sniffers are well known in the security area. You can also get a browser plug-in that runs right before your password gets sent to the company website and can thus save the password unencrypted on your hard drive, or send it to another website, without you knowing that it happens.