Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331”

Status
You're currently viewing only Eldorito's posts. Click here to go back to viewing the entire thread.
Not open for further replies.

Eldorito

Ars Tribunus Angusticlavius
8,016
ror said (http://meincmagazine.com/civis/viewtopic.php?p=24570439#p24570439):
"That means we have 13,000 humans who did not choose a good password."

How is Qbesancon321 not a "good" password? It could be strengthened by using a symbol, but sooner or later, Qbe$@ncon321 won't be a good password either. (For all I know, that's already the case).

Seems like not reusing the same password is more important than strength. Even if I have a password that I believe to be "strong", it's still in my best interests to change my password once its hash has been released.

The important thing is making it actually random. Besancon is a city, so it'll fall into a dictionary list. Testing the dictionary list matched with other common things (such as adding a letter on the front and a bunch of numbers on the end) isn't that hard to do. As mentioned, when you can test billions of passwords, the key thing to do is just look at what people commonly do.

The article also goes through the same symbol replacement you used there; that's not really adding much complexity to your dictionary (they'll just run through the dictionary again and replace the characters with those commonly used 'tricks', 3 for e, 5 or $ for s). What you should do is add a symbol in there randomly to get the best out of it.
 
Upvote
13 (13 / 0)
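
An added example, not part of the original post: a sketch of a password-policy check that undoes the habits described above (a letter added on the front, digits on the end, look-alike symbol swaps) and reports the dictionary word that remains. The wordlist, the substitution table and the name `find_base_word` are assumptions made for illustration.

```python
import re

# Constructed sample wordlist; a real check would load a large dictionary
# plus lists of previously leaked passwords.
WORDLIST = {"besancon", "password", "dragon", "monkey"}

# Common look-alike substitutions, mapped back to the letter they replace.
DELEET = str.maketrans({"$": "s", "5": "s", "@": "a", "4": "a",
                        "3": "e", "0": "o", "1": "l", "!": "i"})


def find_base_word(password, wordlist=WORDLIST):
    """Return the dictionary word a password reduces to, or None.

    Undoes three habits: digits appended to the end, a single character
    added on the front, and look-alike symbol swaps.
    """
    core = re.sub(r"\d+$", "", password)      # drop appended digits
    for candidate in (core, core[1:]):        # as-is, then minus one prefix char
        normalized = candidate.lower().translate(DELEET)
        if normalized in wordlist:
            return normalized
    return None


if __name__ == "__main__":
    # Constructed sample passwords, including the two from the thread.
    for pw in ("Qbesancon321", "Qbe$@ncon321", "Pa$$w0rd99",
               "Qbesan%con321", "t7#Kq9vLw2xP"):
        base = find_base_word(pw)
        verdict = f"reduces to '{base}'" if base else "no match under these rules"
        print(f"{pw:15} {verdict}")
```

A result of `None` only means these three rules did not reduce the password to a listed word; it is not a measure of strength.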