Creating strong passwords is one of today’s important needs. After all, the digital world makes up a large part of our lives. Most of us create and use complex passwords that we cannot remember later. But are these passwords really reliable enough? And is it possible to increase usability and create passwords that are easier to remember? Let’s examine all the possibilities together. Let’s also take a look at the methods people use when trying to decipher passwords.
What are Decryptors and How Do They Work?

There are certain methods used to decrypt a password. I will talk about the most frequently used ones in this article. First, a small reminder. If any of you have watched Mr. Robot, you may remember a scene in which Elliot wants to access the social media account of his psychiatrist’s boyfriend. To achieve this, he resorted to social engineering. He managed to enter the victim’s social media account by obtaining, through social engineering, several parameters that could be used when creating a password, such as his pet’s name and year of birth, and then trying all possible combinations of them. In effect, Elliot carried out a brute force attack by testing the possible combinations. We will touch on each of these attacks in turn.
Most Popular Password Decryption Methods
Asking or Guessing
If you want to carry out this type of attack, you must have a close history with the person you designate as the victim. If you have gained enough trust from a person you are in a relationship with, you can learn their password by asking them directly. Or, if you apply a brute force attack in which you try all possible combinations of a few parameters, such as the surname of the person you are close to, the name of his mother or father, the name of the pet, the name of his girlfriend/boyfriend, his date of birth, the year his favorite team was founded, the license plate of the city he was born in, or the name of his favorite flower, you can access the victim’s password at a high rate. In fact, you can generally use a period or a comma as a parameter to get better results (you can use both). Remember, if there is someone near you who wants to get your password, they will try all these possibilities. If you only create passwords from the parameters I mentioned above, I suggest you think again.
Brute Force Attacks
In short, you can think of a brute force attack as a method that tries every possible combination. We can then simply say that a long and complex password is harder to find with a brute force attack. Here you may ask how brute force attacks can be carried out, and a result achieved, across such a wide range of possibilities. In an average brute force attack, 100 or 1000 guesses can be made per second. If the correct password will eventually be found in the system we want to infiltrate, even if it takes days, can we call this system reliable? And what precautions can we take in this regard? As you may remember, in past years iCloud systems were infiltrated and photos of many celebrities were leaked. Did you know that a brute force attack was applied here?
Let’s think about it this way: say you are exposed to a brute force attack that can produce 1000 guesses per second. Let’s assume that there is a 5-second waiting period after each password attempt. A system that can produce 1000 guesses per second must then wait another five seconds before making its second guess. There is a high probability that a real user will not notice this 5-second waiting time. And if, after every 10 incorrect attempts, the person entering the password were given a 1-hour penalty before being allowed to continue, could iCloud systems have been infiltrated so easily?
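The waiting period and penalty described above can be written as a small per-account throttle. This is an added example, not code from the original article; the class and function names are illustrative, and the 5-second, 10-attempt and 1-hour values are the ones given in the text.

```python
DELAY_S = 5        # wait enforced after each failed attempt (value from the text)
LOCK_AFTER = 10    # failed attempts that trigger a penalty (value from the text)
LOCK_S = 3600      # 1-hour penalty (value from the text)

class LoginThrottle:
    """Illustrative per-account throttle; time is passed in so it can be tested."""
    def __init__(self):
        self.state = {}  # account -> [failure count, earliest next attempt]

    def attempt(self, account, ok, now):
        """Return 'blocked', 'ok' or 'failed' for an attempt at time `now` (seconds)."""
        failures, next_allowed = self.state.get(account, [0, 0.0])
        if now < next_allowed:
            return "blocked"            # rejected without checking the password
        if ok:
            self.state[account] = [0, 0.0]
            return "ok"
        failures += 1
        wait = LOCK_S if failures % LOCK_AFTER == 0 else DELAY_S
        self.state[account] = [failures, now + wait]
        return "failed"

def seconds_to_try(guesses):
    """Closed form: minimum time needed to submit `guesses` wrong passwords."""
    lockouts = (guesses - 1) // LOCK_AFTER      # penalties served before the last guess
    short_waits = (guesses - 1) - lockouts
    return short_waits * DELAY_S + lockouts * LOCK_S

def simulate_guessing(guesses, account="alice"):
    """Submit wrong guesses as fast as the throttle allows; return elapsed seconds."""
    throttle, t = LoginThrottle(), 0.0
    for i in range(guesses):
        throttle.attempt(account, ok=False, now=t)
        if i < guesses - 1:
            t = throttle.state[account][1]      # earliest time the next guess is accepted
    return t

if __name__ == "__main__":
    # 1000 guesses take 1 second unthrottled at the rate quoted in the text.
    print(seconds_to_try(1000) / 86400, "days for 1000 guesses under the policy")
    user = LoginThrottle()
    print(user.attempt("bob", ok=False, now=0))   # typo
    print(user.attempt("bob", ok=True, now=5))    # correct retry after the wait
```

Blocked attempts are rejected even when the password is correct, so a penalty like this can also keep the real account owner out for the hour.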
Common Word Attacks
We can say that this attack method is a simple brute force attack, but it differs from classical brute force attacks because it makes its guesses within a more limited space. Guesses are made using the most commonly used words.
Dictionary Words
It uses the same method as the attack we mentioned before. However, it uses not only the most frequently used words but also all the words in the dictionary for its guesses.
Rainbow Table Attacks
Nowadays, databases do not keep their users’ passwords directly. This means that even if the database is compromised in a possible attack, user passwords cannot be read directly. For example, let’s assume that passwords are stored in a database using the MD5 algorithm. In this type of attack, the attackers have the hashes of possible passwords computed with the MD5 algorithm and compare them with the ones in our database. In case of a match, the attacker will be able to access our password. In this part of our article, we have seen which attack methods attackers can use to access our passwords. So, what kind of passwords should we choose to protect ourselves from these attacks?
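The comparison described in the Rainbow Table Attacks section, seen from the side of the person designing the password store, as an added example that is not part of the original article. The candidate list is constructed sample data, and the salted PBKDF2 storage and its iteration count are assumptions added here as the usual countermeasure; the article itself does not cover them.

```python
import hashlib
import hmac
import os

# Constructed sample data standing in for a large precomputed hash table.
CANDIDATES = ["hello", "123456", "password", "life is too short"]
PRECOMPUTED_MD5 = {hashlib.md5(p.encode()).hexdigest(): p for p in CANDIDATES}

def store_md5(password):
    """Weak storage: unsalted MD5, so equal passwords always give equal hashes."""
    return hashlib.md5(password.encode()).hexdigest()

def table_lookup(stored_hex):
    """What a precomputed table does: one dictionary lookup per stolen hash."""
    return PRECOMPUTED_MD5.get(stored_hex)

def store_salted(password, iterations=200_000):
    """Hardened storage: random per-user salt plus a deliberately slow hash.
    The iteration count is an illustrative value, not a recommendation."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest

def verify_salted(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)

if __name__ == "__main__":
    print(table_lookup(store_md5("hello")))        # found by a single lookup
    a, b = store_salted("hello"), store_salted("hello")
    print(a[2] != b[2])                            # same password, different records
    print(table_lookup(a[2].hex()))                # no precomputed entry applies
    print(verify_salted("hello", a))               # the real user still logs in
```

Because each record has its own salt, a table computed in advance does not match any of them, and every guess has to be recomputed per user at the slow hash's cost.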
How to Choose a Strong Password?
Are we really fully protected by choosing a complex password? First, let’s compare two simple cases: say one password is 4srt3> and the other password is hello. Considering that we are exposed to an attack that can make 1000 guesses per second, it will take 22 years to find the password 4srt3> using a brute force attack, and only a few minutes to find the word hello using a common word attack. In the latter case, the brute force attack is performed using the words in the list of the most used words. Looking at this example, we can say that a complicated password is more reliable.

There is another issue I want to touch upon here: if a person started with a direct brute force attack instead of a “Common word attack”, how long would it take to find the word hello? Since there are 29 letters in our alphabet, every combination of letters at the length of the word would have to be tried. This means 29 to the 7th power, that is, 17249876309 possible combinations. If we assume that 100 guesses are made per second, it will be a process that takes approximately 5.5 years. For this reason, the first method to be tried is generally a “Common words attack”.
Now let’s compare another two examples. This time, let’s compare the password 4srt3> with the password “life is too short”. In order to find the password “life is too short”, a brute force attack will need to be made using commonly used words. It is obvious that 3 different words are used in the password “life is too short”. Considering this, it will take approximately 250 years for all its combinations to be tried. As a result, we can say that the password “life is too short” is approximately 10 times stronger than the password “4srt3>”. When we consider which password will be easier to remember, it is clear that the password “life is too short” comes first. It is necessary to understand this dilemma well. Just because a password is very complicated does not mean it is very reliable. As we saw in this article, a password that is easier to remember (usability) will also be more secure.