Your Passwords Can Be Cracked in Approximately 100 Guesses

How it's done — and how you can prevent it

November 10, 2016 9:00 am

You’re tech-savvy. Your passwords are light-years beyond “123456.” Or, you know, “password.”

So how many guesses do you think it would take to crack one of them?

Less than 100.

The attacker? TarGuess, an algorithm created by five Peking University researchers and outlined in a new study. Fed publicly available data about its targets, TarGuess landed on the right password in fewer than 100 guesses with up to a 73% success rate.

The point, in less scholarly terms, is to demonstrate that our passwords suck. Mostly that's because we underestimate two kinds of data an attacker already has on us: sister passwords and personally identifiable information (PII).

PII is everything you freely post on every website, from Facebook to LinkedIn: usernames, birthdays, hometowns, hobbies. If all of your social media accounts list the Green Bay Packers as your favorite team, “packers” will be one of the first words used to guess your password.

As for sister passwords (the ones you use on other accounts), Forbes points out that previous breaches have made many of them accessible to cybercriminals. Half a billion users from Yahoo, 21 million government employees and contractors, probably another big one that happened between the time we wrote this and the time you read it. So if any of your passwords are the same as, or a small variation on, a leaked one, that leaked password is also being used against you.

To help you out, we’ve got a few tips for you and your passwords. 

Chances are you’re not as safe as you thought.

Telepathwords: An online tool created by researchers at Microsoft that predicts each character of your password before you type it. If it gets all or most of your characters right, you’re at risk.

O vs. 0: If you know about common character substitutions like the number 0 for the letter O or the $ symbol for S, so do the people trying to get your password; those swaps, along with tacking a year or a “!” onto the end, are standard rules in every password-cracking tool. Get more creative.

Reuse and lose: Facebook, Twitter, Instagram, Snapchat, LinkedIn, Google — we understand the desire to reuse passwords with so many accounts. Don’t do it. Even if you rework a password slightly for each website, the breach of one account leaves the others exposed, because a small variation on a leaked password is exactly what a targeted guesser tries first. Afraid you won’t be able to keep track of them all? Use a password manager such as Passpack.

We know. You don’t want to spend energy creating and remembering crazier passwords.

But it’s better than getting the call from your bank asking about a suspicious charge in Tijuana.

(Just kidding. We know that one was you.)
