CYBERSECURITY: YOUR PASSWORDS ARE EASY TO CRACK

Your passwords are not good and you should change them. We need to get that out of the way before we continue.

If you are anything like me, then you log in to your MHCC portal using your six-digit username, which is your student ID number, and your six-digit birthdate as the password. Nothing to be ashamed of; it is our default username and password, it is easy to remember and pretty user friendly, with the small exception of having to memorize the ID number.

Eli Rankin | The Advocate

Sadly, there is one major issue with six-digit numbers making up our username and password: They are ridiculously easy to crack.

Say you are a hacker, and you want to crack every single possible username and password of everyone in a given company, network or other institution. Once you know the pattern behind the login, you can crack every single one in a couple of seconds with just two tools.

There is a piece of software called “Crunch” that comes with the Linux operating system. All a hacker would need to do on their command line (or terminal, on a Mac) is run Crunch and tell it to generate a wordlist according to what are called rules. For example, I tell Crunch to make a wordlist consisting of every possible six-digit number: I tell it that I want each entry to be exactly six characters long, that each character is a digit, 0-9, and hit enter.

In under a second you have generated every possible username. And it would be just about as easy to do for the passwords.

Now you can execute what is called a brute force attack: feed every combination of username and password into the login screen. Ridiculously easy.

There are other defenses, but also tools to attack those. For instance – fun fact – if the contents of a phone are seized for evidence, law enforcement has a tool exclusively sold to them that can disable the lockout function of an iPhone and guess every possible combination of numbers for that phone.

ENCRYPTION IS KEY

It gets worse, trust me.

Databases normally store passwords in what’s called a hash, or encryption – in simple terms, creative ways of turning what you say into gibberish. If they aren’t stored as a hash, they are stored in plaintext. And if the raw password is stored in plaintext, all bets are off and you are just waiting patiently for your password to be hacked.

In fact, plaintext data breaches happen constantly, the biggest of which was the RockYou breach. That breach released millions of passwords, which hackers use almost as a bible for password cracking, and was a massive game-changer for hackers. You can download it for free from GitHub.

Say, then, that you found where your target stores its passwords, but oh no, they’re hashed. Hashes come in many types, the most common of which is MD5. While MD5 cannot be reversed conventionally, it runs fast, which means you can feed it lots of password guesses very quickly. But there are thousands of other types of hashes – NTLM, Argon2, PBKDF2, to name just a few. The best of these is Argon2, which takes a long time to compute, which means it takes hackers much longer to crack those.

And yes, you heard me right: the only line of defense for password encryption is how much time it takes to crack.
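To put numbers on the two points above (a six-digit keyspace is tiny, and a slow hash is the only thing that makes each guess expensive), here is an added Python example that is not part of the original article. It counts the candidates in a keyspace, times one MD5 guess against one PBKDF2 guess on this machine, and converts that into a worst-case time to exhaust the six-digit birthdate space; the 600,000-iteration PBKDF2 count, the sample password and the timing loop are the example's own assumptions, and single-threaded Python rates are far below what a GPU cracker achieves, so only the ratio between the two schemes is meaningful.

```python
import hashlib
import os
import time

# Constructed sample password in the six-digit birthdate pattern (assumption, not real data).
SAMPLE_PASSWORD = b"031504"
PBKDF2_ITERATIONS = 600_000  # assumed work factor for the slow hash


def keyspace_size(alphabet_size: int, length: int) -> int:
    """Number of candidate strings of exactly `length` symbols from an alphabet of `alphabet_size`."""
    return alphabet_size ** length


def seconds_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case wall-clock time to try every candidate at a given guessing rate."""
    return keyspace / guesses_per_second


def md5_hash(password: bytes) -> bytes:
    # Fast, unsalted: one guess costs roughly one hash evaluation.
    return hashlib.md5(password).digest()


def pbkdf2_hash(password: bytes, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    # Deliberately slow: every guess must repeat the inner HMAC `iterations` times.
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def cost_per_guess(hash_fn, password: bytes, samples: int) -> float:
    """Average seconds spent hashing one candidate, measured over `samples` calls."""
    start = time.perf_counter()
    for _ in range(samples):
        hash_fn(password)
    return (time.perf_counter() - start) / samples


def compare_schemes(md5_samples: int = 20_000, pbkdf2_samples: int = 2) -> dict:
    """Measure both schemes and report how long the six-digit keyspace takes to exhaust under each."""
    salt = os.urandom(16)
    md5_cost = cost_per_guess(md5_hash, SAMPLE_PASSWORD, md5_samples)
    pbkdf2_cost = cost_per_guess(lambda p: pbkdf2_hash(p, salt), SAMPLE_PASSWORD, pbkdf2_samples)
    six_digits = keyspace_size(10, 6)  # 1,000,000 candidates, as in the article
    return {
        "md5_seconds_per_guess": md5_cost,
        "pbkdf2_seconds_per_guess": pbkdf2_cost,
        "slowdown_factor": pbkdf2_cost / md5_cost,
        "six_digit_exhaust_md5_s": seconds_to_exhaust(six_digits, 1 / md5_cost),
        "six_digit_exhaust_pbkdf2_s": seconds_to_exhaust(six_digits, 1 / pbkdf2_cost),
        "printable_16_char_keyspace": keyspace_size(95, 16),  # a long random password, for contrast
    }
```

Running `compare_schemes()` shows the six-digit space falling in about a second under MD5 even in pure Python, while the same million guesses under PBKDF2 take days on one core; the 95^16 figure is why a long random password resists both.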

AMAZING SPEED

Enter your second tool, which can come in several forms, including hashcat, which is open source and free to download; John the Ripper; and many, many others. These programs operate at breakneck speeds that are simply incredible to watch. All you have to tell them is a few simple things, such as which mode you want them to work in – like the attack mode. Then you feed them a wordlist of passwords. You can make your own with Crunch, or use the RockYou database, which contains 32 million passwords. You also give them the list of hashed passwords you want cracked, or tell them to try any combination of lowercase letters, numbers, symbols or whatever you want.

In seconds, your tool will hash every password in the list, compare each result to the hashes you supplied, and spit back the matches it found: the cracked passwords. On my computer I ran hashcat over and over because I was simply stunned at how fast it ran. The longest it took to crack the hashes I put in was five seconds. It normally takes under two seconds, which, bear in mind, means it encrypts 32 million passwords, compares them to the hashes I ask it to crack, and moves on.

All in all, this would take just about anybody with a novice understanding of cybersecurity almost no time to do. To make a list of every default username and password, and then run them through hashcat, would take about a minute.

PROTECT YOURSELF

So what can you do to keep your passwords safe?

First, understand that a lot of the services you use are going to be careless and encrypt your passwords using MD5. So, use a different password on every site. That way, if you get hacked on one site, you don’t need to worry about all of your other accounts being hacked. And don’t use variants of the same password. For example, if your password is password1234 for YouTube but password123456 for Amazon, you will be hacked: it is not hard to guess those.

(For Mt. Hood students: Please, change your password from your birthdate, if you haven’t already. Seriously. Like, right now.)

Second, make your passwords long and random. Use uppercase and lowercase letters, symbols and numbers. You can easily look up a random password generator and copy/paste one into whatever account you make.

Third, use a password manager. Most of them are free, and they automatically encrypt your passwords for you and fill them in on whatever website you’re on, so you never have to remember a password again and you are safer as a result. Google just released a password manager, and Apple has one built into iPhones that uses fingerprint or face ID as your one password to access all of your other passwords.

If a password manager isn’t for you, use pass-phrases. Essentially, type an easy-to-remember sentence, for example, [email protected]. Pass-phrases are easy to remember and, since they are long and have numbers, symbols and upper and lowercase letters, they are super secure and unique to you, and almost impossible to crack. Try telling Crunch to generate a wordlist with that gem.

At the end of the day, remember that good password security is essential to keep your information safe.

More likely than not, one of your accounts will have a data leak at some point and if you remember to use good password hygiene, you will be able to rest easier knowing the rest of your accounts are safe.

Overall, for peace of mind, convenience and to make hackers’ lives just that much harder, make sure you secure your data with good passwords.

You should not ask yourself if your password will be hacked; you should ask when it will happen. We live in an extremely high-tech and constantly evolving world. It is the Wild West for hacking, and it is shockingly easy for anyone with a computer to steal your passwords with just a few keystrokes and an internet connection.

Password leaks happen on a daily basis and within seconds a hacker can crack them with little to no effort. It is imperative that we each stay safe and use good password techniques. Do not become a victim of an attack; instead, be the one person who never got hacked.
