I’m writing this because a friend of mine became a computer hacking victim this past week. She, like millions of others, does her banking and bill paying online. Among her accounts at the same bank, two are checking accounts.
Hackers accessed the smaller of the two accounts. Fortunately for her, the account had a small balance ($2,300) at the time, and she caught it almost immediately. While the matter was a nightmare in the making, it had a happy ending.
Her first impulse was blaming the bank. However, while banks are greedy as hell, they’re typically not real stupid when it comes to their customer base’s online account security.
They use secure URLs (https:// instead of http://). And, their account access structure is 128-bit encryption at a minimum. So, unless someone, inside or outside the bank, provides hackers with “waltz-through” access, they’re not going to make it into a customer’s checking account.
In this case, the bank had ZERO blame. Hackers had busted the password she used to access her online provider and email, Comcast. And, in no way was Comcast at fault, either.
If I could somehow produce a list of fools in America, in descending order from the worst to least, both I and my friend would be on it. However, we’d be closer to the bottom than to the top. And, without a doubt, her name would appear well below mine.
Neither of us uses a one-size-fits-all password. We use different passwords for access to different online venues. But, for whatever reason, she used the same password to access her PRIVATE email account AND this particular bank account.
Making matters worse, the password she used consisted of 3 digits followed by 4 lowercase letters. Psychologists have assigned a big fancy term to describe this sort of behavior. However, computer scientists use a much simpler and more direct term: STUPID! Here’s why.
All passwords require a specific order of entry: the characters must be entered in the same order in which they were set. So, even IF hackers manage to guess the characters used, they must also figure out the order of entry.
Equally important is the fact that repetitions are allowed when setting them. In other words, we can use the same character more than once in the same password.
There are 26 letters in the alphabet, 10 numeric digits (0 through 9), and 32 special characters (%, $, *, etc.) available for password settings. However, password systems treat upper- and lowercase letters as different characters. This doubles the alphabet to 52 letters.
So, TECHNICALLY, the total number of characters available for passwords is 94 (52 alphabetic, 10 numeric, and 32 special characters). But not all sites accept special characters. Even so, this is not a huge problem as long as you include some combination of everything else.
You can take my word for this, or you can verify it for yourselves by taking an introductory statistics course and looking at the difference between combinations and permutations. Because order of entry matters and repetitions are allowed, passwords fall under the permutation category (permutations with repetition).
Let’s look at my friend’s password scheme (3 digits and 4 letters, seven characters in all). If she had used the entire pool of 94 characters to pick her 7 characters, there would have been almost 65 TRILLION (64,847,759,420,000 to be precise) seven-character permutations available.
For the curious, the arithmetic is simple: raise 94 (the number of available characters) to the 7th power (the number of characters in her password). In formula form it looks like 94^7.
However, she didn’t use the entire available pool. She used ONLY lowercase letters plus numbers. This reduced HER pool of available characters to only 36 (26 lowercase letters plus 10 digits). Using the same formula, 36^7, she had about 78 BILLION seven-character permutations available.
Assuming that a user chooses the characters at random, 65 trillion or 78 billion possible seven-character passwords is a huge number for hackers to analyze and crack.
It’s a virtual impossibility if they’re sitting at a keyboard manually entering random combinations. But they’re NOT doing it this way; they’re using sophisticated software capable of testing upwards of 1,000 permutations per SECOND.
Going through 65 TRILLION permutations at this rate would take about 2,000 years to crack a 7-character password, but a mere 2.5 years to crack one drawn from a pool of only 78 BILLION.
But this isn’t the way humans set their passwords, nor is it the way hackers work. People use easy-to-remember passwords, and thousands of adept hackers, using multiple computers and running ever-more sophisticated cracking software, significantly reduce the hack-time for passwords that reek of sheer STUPIDITY.
We tend to set our passwords using characters that are easy to remember rather than using random choices. God forbid that we’d have to memorize something. Hackers love this fact.
We can’t control ALL of the factors that affect our financial and personal security while we’re on the Internet. If the sites we log onto with passwords use inadequate means to protect our passwords, all we can do is stop using those sites.
If we give our passwords to others, even our most “trusted” friends, we reduce ourselves to security disasters in search of times and places to happen.
But there is NEVER an excuse for hackers cracking our passwords directly as long as we take care in setting them. Even 7- and 8-character passwords using ONLY letters and numbers can be crack-proof if we use both upper- and lowercase letters along with the numbers.
My friend had set her email password only 39 months ago. She was lucky to catch the security breach immediately, before hackers could use her email address to send out volumes of spam email in addition to stealing her money.
Setting a password equal to the last 4 digits of your cellphone number plus your first, middle, and last initials may be easy for you to remember; it’s also immensely easy for hackers to break, something for which they remain eternally grateful.
Joe Walther is a freelance writer and publisher of The True Facts.