Machines don’t guess.

It’s hard for many people to understand how account hacking works. “How can someone guess my password when it’s made up of my kids’ names? It would have to be someone who knows me, and I add a number at the end to make it even harder.” Using your kids’ names is sure to create a weak password, but if I were to sit down and try to guess it I wouldn’t have much luck, so the weakness is hard to demonstrate [4]. The basic problem at work here is the “faulty analogy” fallacy: things that look alike must be alike.

We’ve all seen humans attempt to guess various things, so we know guessing is error-prone and inefficient. We then assign those same difficulties to machine guessing and arrive at the incorrect conclusion that guessing is universally hard, so we don’t need strong passwords and we certainly don’t need to bother with different passwords on different sites.

The specific fallacy here is assuming that machines guess the way we do. Machines don’t guess.

Machines don’t need us

The implementation of a user interface (UI) is one of the last things done before a device ships to market. The UI is the thing that we humans interact with to use the machine. It is the layer that gives the machine a way to send and receive data from us two-eyed, two-eared, 10-fingered life forms. It’s almost a pity layer. We’re so slow and limited that the eager machine has a slow and limited set of buttons bolted on so we can interact with it. Slow and limited we may be, but we’re also the only ones with money to buy things, so the machine grudgingly gets over it. Grudgingly, because it doesn’t give up its fast and smart machine layer when the human UI is bolted on. It lurks beneath, working non-stop, which means that you can also choose to bypass the UI and communicate with the machine at its own level if you have the skills and the desire.

In some sense, that is what hacking is: subverting the intended interaction method (the UI) to get at the machine below. In the case of account hacking the goal is to copy account usernames and passwords off the machine. Most websites have protections at the UI level against attacks such as repeated attempts to guess passwords. If you went to your bank’s website and entered an incorrect set of credentials repeatedly, your account would eventually be locked and your IP address temporarily blocked. If machines had to use that same human UI with all its safeguards in place, they’d have the same problem. It’s much easier for me to steal a copy of the user database and download it to my own machine. Then I have the user database without any of those UI constraints and can hack away at it at my leisure, trying to derive every username and password combination within.

User database breaches are legendary these days. The Have I Been Pwned website verifies and catalogues breaches of this kind and has almost 2 billion accounts listed so far. Considering that only about 3.5 billion people even have access to the Internet, that’s a lot of data breaches [1]. And most of these breaches are for sale. Multiple times.

That brings us back to your password.

Only you can do damage control

Now that I’ve managed to get my hands on a user database that you’re part of, I have unlimited time to figure out what your password is. I want to spend that time for two potential reasons:

  1. If I’ve stolen this password from a lucrative site, I want to get into your account on that site.
  2. Regardless of where your password is from, I want to use that same username and password on other, possibly more lucrative, sites.

These are the two degrees of damage. Degree number one refers to the amount of damage the website can do to you. Degree number two refers to the amount of damage you can do to yourself.

The first is out of your control – you have no idea how securely your password is being stored or protected, so you should always assume it has been stolen the moment you create it. You’ve essentially screamed your password into the wilderness and have no idea how many people have heard it.

The second degree of damage refers to the amount of damage I can create in your life when I steal your password. That degree of damage is 100% on you. If you’ve reused your password somewhere and I now know what it is, you’re in for a rough ride.

In your head I suspect you’re still thinking “yeah, but…still, how are you going to guess my password to begin with?”.

Given that 30% of the top 100 passwords used on the planet are names, it’s not terribly hard.

All hashes are not created equal

With regard to the first degree of damage, you don’t know how securely that website has stored your password. An alarming number of sites store your password in plain text, which means it’s just sitting there staring me in the face. Since you have no clue how badly your password is being stored, the only sane position is to assume it was compromised the moment you entered it.

Of those websites that do make some effort to protect your password, most use hashing. Hashing takes your password, runs it through a one-way mathematical function [2], and stores the resulting hash instead of your password. When you log in and enter your password, the site runs what you typed through the same hash function and compares the result to the hash it has stored for you in the user database. If the hashes match, you entered the correct password and it lets you in. This sounds good, and it can be, but as with all things there are many different ways to create hashes. AKA: “don’t get too close to the ballet.”

If the website owner is not keeping the site updated then they may be using older hashing techniques, and a fast, unsalted hash like MD5 leaks more than it should. Because the same input always produces the same MD5 output, it’s easy to see who is using the same password without cracking anything. If I see a bunch of people with the same hashed password I can be pretty sure I’ll find it on one of the many well-known password lists kicking around the Internet. If the website uses MD5 (which you won’t know) and your password is in the list of the top 10,000 passwords, then I don’t really have to do anything [3]. The MD5 hashes are already provided for me, so I just have to look for those hashes in my stolen data. Thank you for making that easy.

Even if I did not have a nice list of hashes like that, I can combine many known password and dictionary lists into one huge list, calculate the hash of each entry, and compare the results to the hashes I stole. How fast can I do that? It depends on my computing power, but serious hackers can do 100 billion guesses A SECOND. Seriously. Even I am crying a little over that, and I kinda knew it going into this.

So, now compare your mental view of me awkwardly punching in what I think may be your Amazon password 3 or 4 times until I am locked out with the reality of a machine making 100 billion guesses per second. Now you’re getting close to reality. Also, fun fact, that 100 billion per second figure was measured against a much more advanced hash than the old MD5, not against MD5 itself. Hashes designed specifically for passwords (bcrypt, scrypt, Argon2) are salted and deliberately slow, which cuts that rate by many orders of magnitude; whether the site uses one is, again, something you won’t know.
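The following Python script is an added example, not code from the original post. It puts the three points above side by side: guessing through the UI stops at the lockout; a stolen store of unsalted MD5 hashes shows who shares a password and falls to a single precomputed lookup; and a store using a per-user salt plus a slow key-derivation function (PBKDF2-HMAC-SHA256, chosen here as a stand-in for any proper password hash) forces every guess to be recomputed per user at a fraction of the rate. The user records, passwords and the short "top passwords" list are constructed for the demo, and the lockout threshold and iteration count are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict

# Constructed sample data: a tiny stand-in for the public "top passwords"
# lists, and four users with passwords of the kind discussed above. A real
# breach only shows you the hashes; plaintexts are here to build the stores.
TOP_PASSWORDS = ["123456", "password", "qwerty", "jessica2", "michael1", "letmein"]
USERS = [
    ("alice", "jessica2"),
    ("bob", "password"),
    ("carol", "jessica2"),           # same weak password as alice
    ("dave", "N7v!q#pL2zRw9$kd"),    # random, not on any list
]

def md5_store(users):
    """How an out-of-date site stores passwords: one fast, unsalted MD5 per user."""
    return {u: hashlib.md5(p.encode()).hexdigest() for u, p in users}

def pbkdf2_store(users, iterations=100_000):
    """A sane store: per-user random salt plus a deliberately slow KDF (assumed params)."""
    store = {}
    for u, p in users:
        salt = secrets.token_bytes(16)
        dk = hashlib.pbkdf2_hmac("sha256", p.encode(), salt, iterations)
        store[u] = (salt, iterations, dk)
    return store

class OnlineLogin:
    """Toy login endpoint with the UI-level lockout the text describes (threshold assumed)."""
    MAX_FAILURES = 5

    def __init__(self, md5_db):
        self.db = md5_db
        self.failures = defaultdict(int)

    def attempt(self, user, password):
        if self.failures[user] >= self.MAX_FAILURES:
            return "locked"
        guess = hashlib.md5(password.encode()).hexdigest()
        if hmac.compare_digest(self.db.get(user, ""), guess):
            return "ok"
        self.failures[user] += 1
        return "wrong"

def online_guessing(endpoint, user, wordlist):
    """Guessing through the UI: the lockout ends the attack after a few tries."""
    return [endpoint.attempt(user, w) for w in wordlist]

def shared_passwords(md5_db):
    """Offline, unsalted: identical hashes mean identical passwords, no cracking needed."""
    by_hash = defaultdict(list)
    for user, h in md5_db.items():
        by_hash[h].append(user)
    return {h: users for h, users in by_hash.items() if len(users) > 1}

def lookup_attack(md5_db, wordlist):
    """Offline, unsalted: hash the wordlist once, then look every stolen hash up."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {u: table[h] for u, h in md5_db.items() if h in table}

def dictionary_attack_pbkdf2(kdf_db, wordlist):
    """Offline, salted and slow: no shared table; every guess is re-derived per user."""
    cracked, work = {}, 0
    for user, (salt, iters, dk) in kdf_db.items():
        for w in wordlist:
            work += 1
            if hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", w.encode(), salt, iters), dk):
                cracked[user] = w
                break
    return cracked, work

def guesses_per_second(fn, seconds=0.5):
    """Rough single-core rate of one guess function (real crackers use GPU farms)."""
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        fn(b"guess%d" % n)
        n += 1
    return n / (time.perf_counter() - start)

if __name__ == "__main__":
    md5_db, kdf_db = md5_store(USERS), pbkdf2_store(USERS)
    print("online, dave:", online_guessing(OnlineLogin(md5_db), "dave", TOP_PASSWORDS))
    print("shared MD5 hashes:", shared_passwords(md5_db))
    print("MD5 lookup cracked:", lookup_attack(md5_db, TOP_PASSWORDS))
    print("PBKDF2 cracked, guesses spent:", dictionary_attack_pbkdf2(kdf_db, TOP_PASSWORDS))
    salt = kdf_db["alice"][0]
    print("MD5 guesses/s:    %.0f" % guesses_per_second(lambda g: hashlib.md5(g).digest()))
    print("PBKDF2 guesses/s: %.0f" % guesses_per_second(
        lambda g: hashlib.pbkdf2_hmac("sha256", g, salt, 100_000)))
```

Run it and note that dave is never cracked by either offline attack (his password is not on the list), that alice and carol are visibly linked in the MD5 store but produce unrelated digests in the salted store, and that the per-guess rate drops from millions per second for MD5 to a few dozen for PBKDF2 on the same core. The 100 billion figure in the text comes from GPU clusters, not a single Python process, but the ratio between the two rates is the point.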

There will be no alarm bells when your password is stolen

Keep in mind that you have no idea I’ve done this. You have no clue that I’ve cracked your username and password. Many people I talk to speak in ways that tell me they expect some alarm bell to go off once their password is stolen so they’ll have time to react. This is simply not true. Even the FBI took over a year to notice a hacker group in their network. How screwed up is your life going to become after I’ve wreaked havoc with it for a year? How do you think your local hockey pool or school report card site is defending itself against attackers trying to download their user database? You won’t know anything has happened until your other accounts start missing money, or your credit rating tanks because someone has become you and is running amok with your identity.

How can you prevent something you don’t know is happening from happening?

Make it hard. Ensure that when your password is stolen, it only works on that one site it was stolen from. That is 100% on you to make that happen.

I know. It seems impossible, but it’s actually not so hard. Use a password manager to generate and store your password for each different site. I won’t recommend any, but Google for ‘password manager’ and you’ll find there are 3 or 4 strong contenders out there used by many people.

1. As of today, the world population is about 7.4 billion and about 3.5 billion (47%) of us have Internet access.
2. One-way mathematical functions are created in such a way that given X you can easily compute Y, but given Y you cannot feasibly recover X. Functions of this kind may, in fact, not exist. But we think they do at this time. So, sleep well with that.
3. I seriously just picked that list at random. There are so many known password lists on the Internet that it’s just ridiculous.
4. I use the pronoun “I” throughout as a teaching aid. Not because I am actually trying to hack your shit.