With just a few dollars, a little time, and a smart brute-force guessing algorithm, most passwords can be cracked much faster than you might think. A new analysis from Kaspersky experts reveals that 59% of 193 million real passwords were cracked in under 60 minutes, and 45% were cracked in less than 60 seconds.
A pure brute-force attack iterates over every possible combination until it matches the password in question. Smart guessing works differently: as Antonov explained, “smart guessing algorithms are trained on a password data set to calculate the frequency of various character combinations and make selections first from the most common combinations and down to the rarest ones.”
Brute Force and Smart-Guessing Combine to Quickly Crack Passwords
Brute-force attacks are popular because of their point-and-fire simplicity, but on their own they are a suboptimal cracking strategy. Since most passwords in daily use are built from dates, names, dictionary words, and keyboard sequences, feeding those patterns into the guessing order speeds things up significantly.
The Kaspersky study compared the share of passwords cracked within a given timeframe by each method. Brute force alone broke 10% of the password list in under a minute; adding smart-guessing to the algorithm raised that to 45%. For the window between a minute and an hour, the figures were 20% for brute force alone compared to 59% with smart-guessing.
The Smart-Guessing Algorithm Advantage Explained
Humans are creatures of habit, making us poor password creators. The truth is that the passwords we choose are rarely, if ever, truly random. We rely on exactly the things that smart-guessing algorithms are designed to detect: common names and phrases, important personal and historical dates, and patterns. To illustrate how predictable we are, a YouTube channel sampled more than 200,000 people and asked them to choose a ‘random’ number between 1 and 100. Most people gravitated towards the same small set: 7, 37, 42, 69, 73, and 77. Even when trying to be random with character strings, we fail: according to Kaspersky, most people favor the center of the keyboard for their selection.
“Smart algorithms make short work of most passwords that contain dictionary sequences,” Antonov said, “and they even catch character substitutions.” This means that using p@ssw0rd instead of password won’t slow the algorithm down much at all.
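To make the mechanics concrete from the defender's side, here is an added password-audit helper (example code written for this page, not Kaspersky's tooling). It does the three things the article describes: it trains a character-bigram frequency model on a constructed toy "leak" and scores how typical a password looks under it, it undoes common character substitutions so that p@ssw0rd is recognised as password, and it flags keyboard walks and dates. The SAMPLE_LEAK, DICTIONARY and LEET_MAP contents are constructed assumptions, not data from the study.

```python
"""Hypothetical password-audit helper (added example, not from the article)."""
import math
import re
from collections import Counter

# Constructed toy "leaked password" sample standing in for a real training set.
SAMPLE_LEAK = [
    "password", "password1", "123456", "qwerty", "iloveyou", "letmein",
    "monkey", "dragon", "football", "sunshine", "princess", "welcome1",
    "admin123", "summer2019", "baseball", "shadow", "master", "abc123",
]

# Constructed dictionary fragment; a real audit would use a large wordlist.
DICTIONARY = {"password", "welcome", "admin", "summer", "love", "monkey",
              "dragon", "football", "sunshine", "princess", "baseball",
              "master", "shadow", "letmein", "iloveyou"}

# Common "leet" substitutions reversed (assumed mapping; "1" is read as "i").
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t", "|": "l"})

KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
BIGRAM_SPACE = 96 * 96  # nominal size of the printable-ASCII bigram alphabet


def train_bigram_model(passwords):
    """Count character bigrams (with start/end markers) over a password set."""
    counts = Counter()
    for pw in passwords:
        padded = "^" + pw.lower() + "$"
        counts.update(zip(padded, padded[1:]))
    return counts, sum(counts.values())


def typicality(password, model):
    """Average log-probability per transition; higher means 'looks more common'."""
    counts, total = model
    padded = "^" + password.lower() + "$"
    logp = 0.0
    for bigram in zip(padded, padded[1:]):
        # Add-one smoothing so bigrams never seen in training are penalised, not -inf.
        logp += math.log((counts[bigram] + 1) / (total + BIGRAM_SPACE))
    return logp / (len(padded) - 1)


def normalize_leet(password):
    """Lowercase and undo substitutions: 'p@ssw0rd' -> 'password'."""
    return password.lower().translate(LEET_MAP)


def find_dictionary_words(normalized):
    return {w for w in DICTIONARY if w in normalized}


def has_keyboard_walk(password, min_len=4):
    """True if any run of min_len adjacent keys (either direction) appears."""
    s = password.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            if any(seq[i:i + min_len] in s for i in range(len(seq) - min_len + 1)):
                return True
    return False


def has_date(password):
    """Flag a four-digit year 1900-2099 (checked on the raw string, before de-leeting)."""
    return re.search(r"(19|20)\d{2}", password) is not None


def audit(password, model=None):
    """Return the predictable traits a smart guesser would exploit."""
    model = model or train_bigram_model(SAMPLE_LEAK)
    normalized = normalize_leet(password)
    findings = []
    words = find_dictionary_words(normalized)
    if words:
        findings.append("dictionary:" + ",".join(sorted(words)))
    if has_keyboard_walk(password):
        findings.append("keyboard-walk")
    if has_date(password):  # run on the original: de-leeting mangles digits
        findings.append("date")
    return {"normalized": normalized, "findings": findings,
            "typicality": typicality(password, model)}


if __name__ == "__main__":
    for candidate in ("p@ssw0rd", "qwerty123", "Summer2019!", "Xq7#vL2$pW"):
        print(candidate, audit(candidate))
```

The typicality score is the point of the quote above: a password assembled from frequent character transitions scores close to the training data even if it is not in any wordlist, which is why length and character classes alone are a poor proxy for strength. The date check runs on the raw string because the substitution reversal turns digits into letters.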
How to Strengthen Your Accounts Against Smart-Guessing Algorithm Attacks
Kaspersky recommends the following password usage strategies:
- Generate Strong and Truly Random Passwords Using a Password Manager
Using a password manager to generate strong and truly random passwords is crucial. These tools create complex passwords that are difficult for both brute-force and smart-guessing algorithms to crack.
- Don’t Reuse Passwords Across Sites and Services
Reusing passwords across multiple sites and services is dangerous. If one account is hacked, the same password can be used to access many others. It’s essential to have unique passwords for each account to prevent a domino effect in the event of a breach.
- Use Mnemonic Passphrases Rather than Dictionary Words and Numeric Combinations
If you prefer not to use a password manager, mnemonic passphrases are a good alternative. These are easier to remember and harder for algorithms to crack compared to simple dictionary words or numeric combinations.
- Don’t Save Passwords in Web Browsers
Saving passwords in web browsers can be risky, as this information can be accessed if your browser is compromised. Instead, use a secure password manager.
- Use a Password Manager Protected by a Strong Master Password
Even when using a password manager, it’s vital to protect it with a strong master password. This adds an extra layer of security, ensuring that all stored passwords remain safe.
- Use Two-Factor Authentication for All Accounts That Support It
Two-factor authentication (2FA) provides an additional security layer by requiring a second form of verification beyond just the password. This could be a text message code, an email, or an authentication app. Enabling 2FA for all accounts that support it is a highly effective way to prevent unauthorized access.
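The first and third recommendations above rest on one idea: a secret drawn uniformly by a cryptographic random source has no dictionary, date or keyboard structure for a smart guesser to exploit, so its only defence is its size. The following added example (not Kaspersky's code) shows how a password manager style generator does this with Python's `secrets` module and how to compute the resulting guessing space in bits; the short WORDLIST is a constructed stand-in for a real passphrase wordlist, and `entropy_bits` is a helper name assumed here.

```python
"""Added example: CSPRNG-based password and passphrase generation with entropy."""
import math
import secrets
import string

# Full printable ASCII minus whitespace: 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed stand-in; real passphrase generators use lists of thousands of words.
WORDLIST = ["anchor", "basil", "copper", "dune", "ember", "fjord", "glacier",
            "harbor", "ivory", "juniper", "kettle", "lantern", "marble", "nectar",
            "orchid", "pebble"]


def entropy_bits(pool_size, length):
    """Bits of entropy for `length` independent uniform picks from `pool_size` symbols."""
    return length * math.log2(pool_size)


def generate_password(length=16, alphabet=ALPHABET):
    """Uniform random password; secrets.choice uses the OS CSPRNG, not random.choice."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(word_count=6, wordlist=WORDLIST, sep="-"):
    """Diceware-style passphrase: words chosen uniformly, with replacement."""
    return sep.join(secrets.choice(wordlist) for _ in range(word_count))


def compare_strength():
    """Entropy of each generation strategy, for reasoning about guess budgets."""
    return {
        "password_16_chars": entropy_bits(len(ALPHABET), 16),
        "passphrase_6_words_toy_list": entropy_bits(len(WORDLIST), 6),
        "passphrase_6_words_7776_list": entropy_bits(7776, 6),  # typical diceware size
    }


if __name__ == "__main__":
    print(generate_password())
    print(generate_passphrase())
    for name, bits in compare_strength().items():
        print(f"{name}: {bits:.1f} bits")
```

A 16-character password from a 94-symbol alphabet gives about 104.9 bits; six words from the toy 16-word list give only 24 bits, which is why passphrase strength depends on the wordlist size and not only on the word count. Note that these figures only hold when the picks come from a CSPRNG and the result is never edited by hand afterwards.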
The combination of brute-force and smart-guessing algorithms can crack a significant number of passwords in a remarkably short time. To safeguard against these threats, adopting robust password practices and leveraging tools like password managers and two-factor authentication are essential steps. As Antonov emphasized, “smart algorithms make short work of most passwords that contain dictionary sequences,” highlighting the importance of choosing unpredictable, complex passwords and securing them properly.