How to create strong, secure passwords by learning how to crack them
PCWorld | April 2021
It gets harder to crack a password if it’s 10 characters or longer—but complexity matters too, of course.
MARK HACHMAN

Create stronger, more secure passwords: We are nagged to do it all the time, but few of us actually make the effort to do so. Meanwhile, passwords continue to get stolen, leaked, and cracked on a regular basis. So this time we’re hoping to get your attention by looking at it from the attacker’s side of the equation. We’ll show you how passwords are cracked and even how to do it yourself, so you can see exactly why a strong password matters.

As our brief foray with a cracking tool will show you, your only protection against a determined password cracker is—you guessed it—a long, complex string of 10 or more characters. Anything shorter, let alone simpler, is too easy to crack. Know that, and suddenly using a password manager (go.pcworld.com/bpmn) looks a lot easier than trying to create passwords all by yourself.

Read on to learn more about how passwords are hidden from crackers, and how crackers try to tease them out.

Note: We tried cracking tools on our own passwords for this story. Using cracking tools to break into a website, service, or file that’s not yours is at best unethical—and at worst illegal. Take our advice and don’t even think about it.

HOW HASHING PROTECTS YOUR PASSWORD

To deter crackers, a responsible website won’t store a password in its original form, in what’s known as plain text. Instead, it will use a hashing algorithm—common ones include MD5, SHA-2, and SHA-3, but there are many more—to turn your password into a hash, a string of seemingly random numbers and letters.

The site won’t advertise which hashing algorithm it uses, as that would only make life easier for crackers. It might even take that first hash and hash it again, or add what’s known as salt—a series of additional characters that makes your password even harder to tease out.

Creating an example hash is easy. For an MD5 hash, all you need to do is visit a site like MD5hashgenerator.com (go.pcworld.com/md5h) and hash an example word. (We would recommend not hashing a password you actually plan to use, for security’s sake.) MD5 is an older algorithm that’s considered unsafe for a number of reasons, but it’s still useful for demonstrating how password hashing and cracking work.

Thus, the password maverick becomes 55f9c405bd87ba23896f34011ffce8da.

As a further safeguard, the hashing algorithms work in only one direction. By design, you can’t unhash a hashed password. Furthermore, with a one-way hash, the website or service doesn’t even need to know your password. The site just needs to hash your password and compare it to the hash stored on file. If the two match, you’re in. That’s also how we begin to crack passwords.

HOW HASHED PASSWORDS CAN STILL BE CRACKED

Hashing is an important and fundamental step in protecting your password, but it doesn’t make your password impervious. All a password cracker has to do is replicate the process: Guess a password, hash it, and then compare it to the leaked password hash. If a cracker guesses right, they’ve unfortunately learned your password. If they’re wrong, they try again…over and over and over.
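Here is the hash-and-compare flow from the two sections above, written out as a Python example added for this article (it is not code from PCWorld or from the MD5 generator site). It assumes a stored-record format of `rounds$salt$digest` and PBKDF2-HMAC-SHA256 as the "salt it and hash it again" step; the word list is constructed for the illustration. The point it makes is the defender's one: an unsalted MD5 of a common word is nothing more than a table lookup, while a salted, iterated hash of the same word matches nothing in that table and only verifies by recomputing with its own salt.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed list of common words standing in for the kind of wordlist the
# article describes a cracker guessing from (illustration only).
COMMON_WORDS = ["password", "123456", "qwerty", "letmein", "maverick"]


def md5_hex(password: str) -> str:
    """Unsalted MD5 hex digest, the same operation an online MD5 generator performs.

    MD5 appears here only because the article uses it to illustrate hashing;
    it is not suitable for protecting real passwords.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None, rounds: int = 100_000) -> str:
    """Return a record 'rounds$salt_hex$digest_hex' (the record format is an assumption).

    A random 16-byte salt is drawn per password and the hash is iterated `rounds`
    times with PBKDF2-HMAC-SHA256: the "add salt" and "hash it again" steps
    the article mentions, which make every guess cost the attacker more work.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return f"{rounds}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-hash the supplied password with the stored salt and rounds, then compare.

    The site never needs the original password, only this record. compare_digest
    takes constant time so the comparison does not leak how many bytes matched.
    """
    rounds_str, salt_hex, digest_hex = stored.split("$")
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(rounds_str)
    )
    return hmac.compare_digest(recomputed.hex(), digest_hex)


def build_lookup_table(words) -> Dict[str, str]:
    """Precomputed unsalted-MD5 -> word table: the guess-then-hash step done in advance."""
    return {md5_hex(w): w for w in words}


def recover_from_table(digest_hex: str, table: Dict[str, str]) -> Optional[str]:
    """Return the word whose unsalted MD5 equals digest_hex, or None if it is not in the table."""
    return table.get(digest_hex)


if __name__ == "__main__":
    table = build_lookup_table(COMMON_WORDS)
    unsalted = md5_hex("maverick")
    print("unsalted MD5:", unsalted, "->", recover_from_table(unsalted, table))

    record_a = hash_password("maverick")
    record_b = hash_password("maverick")
    print("same password, two salted records differ:", record_a != record_b)
    print("verify correct password:", verify_password("maverick", record_a))
    print("verify wrong password:  ", verify_password("maverik", record_a))
    salted_digest = record_a.split("$")[2]
    print("salted digest found in table?", recover_from_table(salted_digest, table))
```

Run it and compare the printed unsalted MD5 of "maverick" with the value the article shows. The two salted records for the same password differ because each carries its own salt, so a table built from unsalted hashes cannot recover either one; the only way to check a candidate is to redo the full PBKDF2 computation per record, which is exactly the cost the iteration count is there to impose.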

However, you simply can’t try to log in to Amazon, pretend you’re Bill Gates, and guess and guess and guess passwords until you get lucky. Ditto for a bank. A smartly designed website will have some form of control built in. Guess wrong too many times, and the site will probably flag the account or your IP address as a potential hacker, and either limit or block your login attempts entirely.
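The "guess wrong too many times and get blocked" control described above, as an added Python example (not code from the article or from any site it names). It assumes a simple policy of its own choosing: after `max_failures` wrong attempts within `window_seconds`, the account or client address is locked for `lockout_seconds`. The clock is injectable so the behaviour can be exercised without waiting; the password check itself is reduced to a boolean so the block stands alone.

```python
import time
from collections import defaultdict
from typing import Callable, Dict, List


class LoginThrottle:
    """Per-key (account name or client IP) failed-attempt counter with a temporary lockout.

    Defaults are assumed values for this example, not a recommendation from the article.
    """

    def __init__(self, max_failures: int = 5, window_seconds: float = 300.0,
                 lockout_seconds: float = 900.0,
                 clock: Callable[[], float] = time.monotonic):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._failures: Dict[str, List[float]] = defaultdict(list)  # recent failure timestamps
        self._locked_until: Dict[str, float] = {}

    def is_allowed(self, key: str) -> bool:
        """True if a login attempt for `key` may proceed; an expired lockout is cleared here."""
        until = self._locked_until.get(key)
        if until is not None:
            if self.clock() < until:
                return False
            del self._locked_until[key]
            self._failures[key].clear()
        return True

    def record_failure(self, key: str) -> None:
        """Count a wrong guess; failures older than the window are forgotten."""
        now = self.clock()
        recent = [t for t in self._failures[key] if now - t <= self.window_seconds]
        recent.append(now)
        self._failures[key] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[key] = now + self.lockout_seconds

    def record_success(self, key: str) -> None:
        """A correct login resets the counter for that key."""
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)


def attempt_login(throttle: LoginThrottle, key: str, password_correct: bool) -> str:
    """Outcome of one attempt: 'locked', 'ok' or 'denied'.

    Note the order: the lockout is checked before the password, so a locked
    account answers 'locked' even to the right password, and the attacker
    cannot tell a correct guess from a wrong one while the lock is in force.
    """
    if not throttle.is_allowed(key):
        return "locked"
    if password_correct:
        throttle.record_success(key)
        return "ok"
    throttle.record_failure(key)
    return "denied"


if __name__ == "__main__":
    fake_now = [0.0]
    throttle = LoginThrottle(max_failures=3, window_seconds=60, lockout_seconds=120,
                             clock=lambda: fake_now[0])
    for _ in range(3):
        print(attempt_login(throttle, "alice", False))   # denied, denied, denied
    print(attempt_login(throttle, "alice", True))        # locked (even with the right password)
    fake_now[0] = 121.0
    print(attempt_login(throttle, "alice", True))        # ok, lockout has expired
```

This is the control the article says a live site enforces and that disappears once a leaked hash file is on the attacker's own machine: offline, nothing counts the guesses, which is why the cost per guess built into the hash (salt plus iterations) and the length of the password are what remain.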

After a password breach, however, all bets are off. Take this example: In 2019, a massive trove of 2.19 billion email addresses or usernames and passwords leaked to the web (go.pcworld.com/lkwb), part of the Collections breach. Once those hashed passwords were published, there wasn’t any way of stopping those with access to them from downloading them to their own PC, then trying to crack them without any of the rate controls enforced by a live website.
