What was considered a strong password 10 years ago is very easy to crack today. A 5-character password composed of just lowercase letters was considered safe by many websites; universities, businesses and even government agencies were using short lowercase passwords. In the last few years, however, artificial intelligence and computing power have improved exponentially, and the security standards for passwords have become more demanding.
Brute-force attacks use powerful computers that can test millions or even billions of passwords per second. Many users choose short passwords, often consisting only of lowercase letters or numbers, which makes cracking them trivial for a supercomputer.
Creating a strong password
When creating a password, the characters available are the following:
Numbers (10 different: 0-9)
Letters (52 different: A-Z and a-z)
Special characters (32 different).
In total we have 94 different symbols. The number of possible combinations of characters, i.e. the number of possible passwords for a given length and a given pool of characters, is calculated with the following formula:
Possible combinations = (possible number of characters)^(Password length)
The number of possible combinations therefore determines the strength of the password: the more potential passwords there are for a given length, the harder it is for a computer to find the right one. For a 5-letter password consisting of just lowercase letters, the number of different combinations is:
Possible combinations = 24^5 = 7,962,624
This might seem like a large number, but don't forget the power of modern supercomputers, which can test more than 2 × 10^9 passwords per second. If the password protected, say, a hard drive that had fallen into the hands of hackers, a supercomputer could be used to gain access to the data within:
7,962,624 / (2 × 10^9) = 0.004 seconds (faster than the blink of an eye!)
Next, let's consider using symbols from all four main categories (capital letters, lowercase letters, numbers and special characters), chosen at random, to create a password 12 characters long. The time required for hackers to crack the password would be:
94^12 / (2 × 10^9) = 237,960,157,407,127 seconds, or about 7.5 million years!
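The calculation above, as an added example in Python that is not part of the original article: the pool size is inferred from which of the four character categories a password actually uses, and the guess rate defaults to the two billion passwords per second that the article's figures imply (an assumption made explicit here; the sample passwords are constructed).

```python
import string

# The article's four character categories: 10 + 26 + 26 + 32 = 94 symbols.
CATEGORIES = {
    "digits": set(string.digits),              # 0-9
    "lowercase": set(string.ascii_lowercase),  # a-z
    "uppercase": set(string.ascii_uppercase),  # A-Z
    "special": set(string.punctuation),        # 32 printable ASCII symbols
}
MODELLED = set().union(*CATEGORIES.values())

# Guess rate in passwords/second; 2e9 is an assumption derived from the article's figures.
DEFAULT_RATE = 2e9

def pool_size(password: str) -> int:
    """Pool an attacker must search: the combined size of every category the
    password draws from (the article's 'possible number of characters')."""
    unknown = set(password) - MODELLED
    if unknown:
        raise ValueError(f"characters outside the 94-symbol model: {sorted(unknown)}")
    return sum(len(chars) for chars in CATEGORIES.values()
               if any(c in chars for c in password))

def combinations(pool: int, length: int) -> int:
    """Possible combinations = (possible number of characters)^(password length)."""
    return pool ** length

def crack_seconds(pool: int, length: int, rate: float = DEFAULT_RATE) -> float:
    """Worst-case time to exhaust the whole keyspace at `rate` guesses per second."""
    return combinations(pool, length) / rate

def human_time(seconds: float) -> str:
    """Render seconds in the largest unit that fits, e.g. '12.3 days'."""
    for name, size in (("years", 365.25 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"

def estimate(password: str, rate: float = DEFAULT_RATE) -> dict:
    """Strength estimate for one password under the article's model."""
    pool = pool_size(password)
    seconds = crack_seconds(pool, len(password), rate)
    return {"pool": pool, "combinations": combinations(pool, len(password)),
            "seconds": seconds, "time": human_time(seconds)}

if __name__ == "__main__":
    for pw in ("hello", "Tr0ub4dor&3", "kY7#pL2$qW9!"):  # constructed samples
        print(pw, estimate(pw))
```

Note that a password using all four categories is only as strong as its length: a 5-character password drawn from all 94 symbols still falls in well under a minute at this rate.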
1) We decided to use the Kaspersky password checker to test our theory. We used a very simple and frequently used word as the password, namely:
The password checker therefore justifiably suggested that we change our password to something less obvious.
2) A much more serious incident was the following email, which was sent to millions of people by hackers who had genuinely obtained their passwords (through brute force, leaked data or other methods such as phishing).
Security researchers at Cisco's Talos group reported that scammers have made at least $146,000.
"That isn't too bad considering the attackers have only been distributing this particular scam for roughly 60 days, and do not actually possess any compromising material concerning the victim," the researchers said. "Doing web searches for key phrases in suspect emails may help to verify that a scam is taking place or at least increase awareness of the attack," Barracuda Networks said. "Always pay close attention to the details and do not assume that a breached password or spoofed email means that you are currently compromised. Ask your ISP or tech support for help if you have questions."
The emails are believed to have been sent by automated systems; the question remains whether the hackers were eventually caught by the police, or whether they managed to keep their anonymity entirely behind firewalls and proxy servers.
3) You might also be interested in reading about a massive data-leak scandal.