Hackers can ‘crack’ our password in half a minute

Cybercriminals are capable of revealing any password of fewer than 8 characters in just half a minute. How can we avoid it?

We live surrounded by passwords. We use them to access our work computer, our email, our bank, music and video streaming platforms… Absolutely everything has a password. How can we remember them all?

Users tend to respond to this problem in two ways: by using the same password for everything or by setting passwords that are very easy to remember. In other words, two very bad solutions.

In the first case, the risk is especially serious: if we use a single password and it is cracked, the attackers gain access to our entire digital life. And if the password is too easy to crack, that access will be almost instantaneous.

According to a study by Hive Systems, cybercriminals are capable of immediately ‘cracking’ any password consisting of 11 numbers, 8 lowercase letters or 6 characters combining uppercase, lowercase, numbers and special symbols. If we add one more character to this combination, they would only have to spend 31 seconds to figure it out. And if we go up to 8 characters, the situation doesn’t get much better: it would only take 39 minutes.

The situation starts to improve if we go up to 11 alphanumeric characters and symbols, since this option would require the attackers to spend 34 years. And with one more, with 12 characters, we could be quite relaxed, because it would take 3,000 years to discover it. At least that’s how it is with today’s computing capabilities.

“If there are numbers, letters and special symbols, such as +, -, (, $, @, €, etc., from 10 characters onwards, it is considered that, with today’s computers, the time needed to find the password, if it is not a known word, is enough to not waste time trying,” says Jordi Serra, professor at the UOC’s Faculty of Computer Science, Multimedia and Telecommunications.

In addition to the length, he insists on the importance of the construction of the password. “If it is based on words that are in the dictionary, the length is not very relevant. There are tools that test combinations of known words by adding dates. For the rest, what you do is create combinations of letters and numbers and test them. The more letters you have, the more possible combinations you have to test until you find the right one,” he explains.
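An added illustration of the arithmetic behind these figures (not code from the article or from Hive Systems): the search space is the character-set size raised to the password length, divided by an assumed guess rate, and a dictionary word with a date or symbol appended is rated weak whatever its length. The guess rate, the symbol count and the word list are assumptions of this example, so its times differ from the study’s exact numbers while keeping the same orders of magnitude.

```python
import re

# Character-class sizes and attacker guess rate are assumptions of this example,
# not the figures used by Hive Systems: 1e12 guesses/s is a plausible multi-GPU
# rate against a fast, unsalted hash such as MD5 or NTLM.
DIGITS, LOWER, UPPER, SYMBOLS = 10, 26, 26, 32
GUESSES_PER_SECOND = 1e12
DAY = 86_400
YEAR = 365 * DAY

# Constructed stand-in for the word lists that cracking tools combine with dates.
DICTIONARY = {"password", "welcome", "summer", "barcelona", "dragon", "letmein"}
# Common letter substitutions that such tools also try (@->a, $->s, 0->o, ...).
LEET = str.maketrans("@$0135", "asoies")


def charset_size(pw):
    """Size of the union of character classes that appear in pw."""
    classes = [(str.isdigit, DIGITS), (str.islower, LOWER),
               (str.isupper, UPPER), (lambda c: not c.isalnum(), SYMBOLS)]
    return sum(n for test, n in classes if any(test(c) for c in pw))


def brute_force_seconds(pw):
    """Worst-case time to exhaust charset_size(pw) ** len(pw) guesses."""
    return charset_size(pw) ** len(pw) / GUESSES_PER_SECOND


def is_word_plus_date(pw):
    """True if pw is a dictionary word with optional leetspeak, a trailing
    number (e.g. a year) and trailing punctuation: weak regardless of length."""
    core = pw.rstrip("!@#$%^&*.?_-")
    core = re.sub(r"\d{1,4}$", "", core)
    return core.translate(LEET).lower() in DICTIONARY


def assess(pw):
    """Return (verdict, estimated brute-force seconds) for a candidate password."""
    seconds = brute_force_seconds(pw)
    if is_word_plus_date(pw):
        return "weak: dictionary word plus date or symbol", seconds
    if seconds < DAY:
        return "weak: brute-forced in under a day", seconds
    if seconds < 100 * YEAR:
        return "marginal: brute-forced within a century", seconds
    return "strong", seconds


if __name__ == "__main__":
    for pw in ["dragon", "P@ssw0rd1", "Xq7#rL2", "Xq7#rL2!mZ9v"]:
        verdict, secs = assess(pw)
        print(f"{pw:16} {verdict:45} ~{secs / YEAR:.2g} years")
```

Note that "P@ssw0rd1" uses all four character classes and would look respectable to a pure length check, yet it is rated weak because it is a dictionary word with substitutions and a digit appended.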

In any case, the traditional authentication system is being overtaken by the huge number of passwords we have to use on a daily basis, so it seems clear that there is a need to move towards other systems or, at least, to complement it with other methods.

Serra says that there are currently three identification factors, which can be summarized as follows: “One is what we know (passwords), another is what we are (biometrics, fingerprint…), and the third is what we have (a unique device to which we send a code).”

With respect to biometrics, although it has many advantages, he points out that the problem is obtaining the data associated with the reading. For example, in the event that they obtain our fingerprint, “we would not be able to change that characteristic of our finger to change access, and we only have ten fingers”. As for the use of devices, he stresses that their security depends on them not being stolen or duplicated, and he acknowledges that the biggest drawback of this system is usability, since the device must always be at hand.

Thus, he believes that it is best to opt for two-factor or multifactor authentication (2FA or MFA), which combines two or more of these identification factors, a solution that is already being implemented in many services.