Create stronger, more secure passwords
We are nagged to do it all the time, but few of us actually make the effort to do so. Meanwhile, passwords continue to get stolen, leaked, and cracked on a regular basis. So this time we’re hoping to get your attention by looking at it from the attacker’s side of the equation. We’ll show you how passwords are cracked and even how to do it yourself, so you can see exactly why a strong password matters.
As our brief foray with a cracking tool will show you, your only protection against a determined password cracker is—you guessed it—a long, complex string of 10 or more characters. Anything shorter, let alone simpler, is too easy to crack. Know that, and suddenly using a password manager (go.pcworld.com/bpmn) looks a lot easier than trying to create passwords all by yourself.
Read on to learn more about how passwords are hidden from crackers, and how crackers try to tease them out.
Note: We tried cracking tools on our own passwords for this story. Using cracking tools to break into a website, service, or file that’s not yours is at best unethical—and at worst illegal. Take our advice and don’t even think about it.
HOW HASHING PROTECTS YOUR PASSWORD
To deter crackers, a responsible website won’t store a password in its original form, in what’s known as plain text. Instead, it will use a hashing algorithm—common ones include MD5, SHA-2, and SHA-3, but there are many more—to turn your password into a hash, a string of seemingly random numbers and letters.
The site won’t advertise which hashing algorithm it uses, as that would only make life easier for crackers. It might even take that first hash and hash it again, or add what’s known as salt—a series of additional characters that makes your password even harder to tease out.
Creating an example hash is easy. For an MD5 hash, all you need to do is visit a site like MD5hashgenerator.com (go.pcworld.com/md5h) and hash an example word. (We would recommend not hashing a password you actually plan to use, for security’s sake.) MD5 is an older algorithm that’s considered unsafe for a number of reasons, but it’s still useful for demonstrating how password hashing and cracking work.
Thus, the password maverick becomes 55f9c405bd87ba23896f34011ffce8da.
As a further safeguard, the hashing algorithms work in only one direction. By design, you can’t unhash a hashed password. Furthermore, with a one-way hash, the website or service doesn’t even need to know your password. The site just needs to hash your password and compare it to the hash stored on file. If the two match, you’re in. That’s also how we begin to crack passwords.
HOW HASHED PASSWORDS CAN STILL BE CRACKED
Hashing is an important and fundamental step in protecting your password, but it doesn’t make your password impervious. All a password cracker has to do is replicate the process: Guess a password, hash it, and then compare it to the leaked password hash. If a cracker guesses right, they’ve unfortunately learned your password. If they’re wrong, they try again…over and over and over.
However, you simply can’t try to log in to Amazon, pretend you’re Bill Gates, and guess and guess and guess passwords until you get lucky. Ditto for a bank. A smartly designed website will have some form of control built in. Guess wrong too many times, and the site will probably flag the account or your IP address as a potential hacker, and either limit or block your login attempts entirely.
After a password breach, however, all bets are off. Take this example: In 2019, a massive trove of 2.19 billion email addresses or usernames and passwords leaked to the web (go.pcworld.com/lkwb), part of the Collections breach. Once those hashed passwords were published, there wasn’t any way of stopping those with access to them from downloading them to their own PC, then trying to crack them without any of the rate controls enforced by a live website.
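Both the site’s hash-and-compare login check and the cracker’s guess-hash-compare loop described above, as an added Python example that is not part of the original article. The wordlist and passwords are constructed for the demo, and the salted, iterated PBKDF2 storage stands in for the “hash it again” and salt safeguards the article mentions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed five-word list standing in for the huge wordlists crackers use.
DEMO_WORDLIST = ["password", "letmein", "maverick", "qwerty", "dragon"]


def md5_hex(text: str) -> str:
    """Unsalted MD5, the way the article's example hash was produced."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def offline_guess(leaked_hash: str, wordlist) -> Optional[str]:
    """The loop the article describes: guess, hash, compare to the leaked hash.
    Nothing is sent to a live site, so no lockout or rate limit slows it down."""
    for guess in wordlist:
        if md5_hex(guess) == leaked_hash:
            return guess
    return None


def store_password(password: str, iterations: int = 200_000) -> dict:
    """What a responsible site stores instead of plain text: a random per-user
    salt plus a deliberately slow, repeated hash of salt and password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_password(record: dict, attempt: str) -> bool:
    """Login check: re-hash the attempt with the stored salt and compare.
    The site never needs the original password, only the stored record."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def same_password_same_hash(a: str, b: str, salted: bool) -> bool:
    """With plain MD5, two users who share a password share a hash, so one
    successful guess exposes both. With per-user salt the stored values differ."""
    if not salted:
        return md5_hex(a) == md5_hex(b)
    return store_password(a)["hash"] == store_password(b)["hash"]
```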