
Password Security: How Easily Can Your Password Be Hacked?

Difficulty
Time Required Average (6-10 days)
Prerequisites To complete the programming portion of this science project, students should have access to a machine capable of running Python™ 3 (Microsoft Windows™, Apple Mac, Raspberry Pi®, or some other Linux computer), permission to install software, and a basic grasp of programming (or ready access to a willing helper who knows a little Python).
Material Availability Readily available. See the Materials and Equipment list for details.
Cost Very Low (under $20)
Safety Hacking into other people's password-protected accounts is a federally prosecutable offense. The program example given in this science project will only work in the context of this science project.

Abstract

We use passwords every day for our email and other computer accounts. How secure is the password that you use? How hard would it be for someone to guess your password? How hard is it to write a computer program to guess a password? You can see for yourself by writing a simple password guesser in the computer language Python. We will get you started with some ideas, a little sample code, and a few passwords for your computer program to try and guess.

Objective

Evaluate how difficult different types of passwords are to crack and then write a simple password-guessing program to try to guess sample passwords.

Credits

Howard Eglowstein, Science Buddies

  • Python™ is a registered trademark of Python Software Foundation.
  • Microsoft® is a registered trademark of Microsoft Corporation.
  • Apple® and Mac® are registered trademarks of Apple Inc.
  • Raspberry Pi® is a trademark of the Raspberry Pi Foundation.
  • Linux® is a registered trademark of Linus Torvalds.

Cite This Page

MLA Style

Science Buddies Staff. "Password Security: How Easily Can Your Password Be Hacked?" Science Buddies. Science Buddies, 5 Aug. 2014. Web. 31 Oct. 2014 <http://www.sciencebuddies.org/science-fair-projects/project_ideas/CompSci_p046.shtml>

APA Style

Science Buddies Staff. (2014, August 5). Password Security: How Easily Can Your Password Be Hacked?. Retrieved October 31, 2014 from http://www.sciencebuddies.org/science-fair-projects/project_ideas/CompSci_p046.shtml



Last edit date: 2014-08-05

Introduction

Keeping yourself and your data safe is often referred to as cybersecurity. Providers of computer services (like banking, email, or social media) have the responsibility of keeping hackers out of people's systems. As a computer user, you can do your part by being careful about who you talk with over the Internet, what information you share, and by picking and using strong passwords. Computer passwords are one of the most important tools used to protect information on computer systems. Just as you do not want anyone stealing your password and gaining control of your Instagram account, banks have to take precautions to keep criminals from stealing money. Because passwords are so important, it is a crime to steal passwords and to intentionally access other people's computers.

You use computer passwords every day, whether to access your email account, social networking sites, or even to do online banking. One of the challenges you may have when picking a password is making it easy for you to remember, but hard for other people to guess. It may not be a good idea, for example, to use your dog's name, your street address, or any information that's somehow connected to your username. For instance, if Sue Jones uses the login "SJones" to access her email and lives at 314 Apple Pie Road, the password "pie314" might not be a good choice. Do you see why? Though it might be easy for her to remember, it is very short and contains her street address. A stronger password might be "9J8LZcWAMzjJQUnD"...if she could remember it. That is certainly much longer, it's not a word, and it does not have any identifiable information. But who can remember that? And if you write it down and misplace the piece of paper, that isn't really more secure.

A strong password is one that you can remember easily, but that is pretty long, is made up of a couple of words, numbers and punctuation, but doesn't have anything in it that someone would guess if they looked you up on the Internet. There are a lot of strategies for creating strong passwords.

  • The example is from an online totally random password generator. It simply picked 16 characters at random.
  • Another strategy is to start by thinking of a passphrase, which is a phrase you like or a quote from a movie. Then use the first letter of each of the words and put in a number or punctuation in there somewhere. If your password is "T4IdtwiKa", can you remember it more easily if you're a fan of the Wizard of Oz? "Toto, I don't think we're in Kansas anymore." The number 4 takes the place of the comma and is the number of legs Toto has.
  • Another common approach is to use two completely unrelated words and separate them by numbers or characters; is "deaf+anteater" easy to remember? Is it still easy to remember if you sprinkle in some numbers, like perhaps the phone number where you used to live? "deaf555+4715anteater" might be harder for someone to guess.
  • Or consider a nonsense word that doesn't mean anything, but you can still pronounce it, like "USiFiPiZOG" is an example of a pronounceable random password. Compare that to the one starting with "9J8" in the paragraph. Is it easier or harder to remember? Memory tricks that help us remember things are called mnemonic devices. Try saying the two random passwords out loud and see which one you remember.

You can see that there are as many possible passwords as stars in the sky.

Password Type                               | Example Password
Easy to guess based on personal knowledge   | pie314
Pronounceable random                        | USiFiPiZOG
Completely random (hard to guess)           | 9J8LZcWAMzjJQUnD
Passphrase                                  | T4IdtwiKa (Toto, 4I don't think we're in Kansas anymore)
Two unrelated words                         | deaf+anteater
Two unrelated words + personal info         | deaf555+4715anteater

Table 1. Different types of passwords and some examples.

With so many possible passwords, how is it possible for anyone to guess yours and steal your email account? The fact is that people are not good at picking random things and are terrible at remembering things that do not make sense in some way. In the 'deaf anteater' examples, you may have trouble remembering that second one if your phone number was never 555-4715. People like to pick things that connect to something else in their experience and make some sense. We do not remember nonsense very well at all. We also do not like to remember things that are long and detailed; yet, a long, difficult password is exactly the kind we should have if we do not want anyone guessing it. This is the challenge then; how do we balance between "easy to remember" and "really hard to guess"?

The first part of this science project is to do some research on the Internet about password security. When you do your research, you will find literally thousands of sites that offer up password suggestions or offer to evaluate your passwords and tell you how strong they are. Some have explanations about the math that shows why making a weak password a little bit longer will make it a strong password. You will want to read about why some passwords are better than others and why people pick the passwords they use. Police detectives have to think like a thief if they want to catch one, so while people trying to steal passwords use this information to help them, you can use it in this science project to make it easier to guess our samples and therefore, to improve your own passwords after the science project is completed. Once you have found some strategies for both hiding and guessing passwords, you will write a computer program to guess passwords using the strategies you have read about. Think about passwords like a typical user; how do you think a typical user picks a password? You will be writing a computer program to try out these techniques to guess some samples we offer, and to guess your own as well.

Remember that it was stated earlier that it is a crime to break into computers without permission? In this science project, you will be "breaking into" your own computer by simply guessing passwords. Once you guess the ones we provide, you have our permission to try them out on a special website we have set up.

The procedure contains some sample code to help you get started. Once you are at the programming stage, you can take this science project in one of several different directions:

  • Modify the provided programming examples to try guessing the passwords Science Buddies has encrypted. How long does each password take to guess? What does this tell you about what types of passwords are strongest?
  • Have friends or family make up weak versus strong passwords based on what you learn about password cracking. Test those passwords against your password-guessing program. How long do you think it will take your program to crack your own email password?

Terms and Concepts

  • Cybersecurity
  • Strong password
  • Totally random password
  • Passphrase
  • Pronounceable random password
  • Mnemonic device
  • Weak password
  • Power curve
  • Flowchart
  • Leading zeros
  • Hashing

Questions

  • What makes a password weak or strong?
  • If you want to make a password that no one will guess, how would you pick one?
  • If you want to guess someone's password, what information would you want to know and how would you guess they used it in their password?

Bibliography

The Internet is full of information about passwords and password security. A search engine will find many sites if you search for "password security," "secure passwords," or "password cracking." Here are a few to get you started.

When using the Internet, passwords are just one of the safety issues you should be aware of. This resource has more details:

Materials and Equipment

  • Computer with any type of web browser
  • Lab notebook
  • Pencil or pen
  • Calculator
  • Optional: Python software running on a computer. We recommend Python 3, and the example code we provide is written for Python 3.
  • Optional, but recommended: Python 3 reference book
Files to download (on many browsers, right-click on the link and 'Save As'):


Experimental Procedure

Calculating the Strength of a Password

Do an online search and find a table that discusses the number of possible passwords for a given length and a given style. For example, consider the standard suitcase or cash box lock.

Cash boxes and suitcases often use a combination lock with three dials
Figure 1. A standard cash box or suitcase lock has three dials; each can be set from 0 to 9 for a total of 1,000 combinations.
  1. Since each of the dials can be set from 0 to 9, how many possible combinations are there? You may immediately know it is 1,000, but why? Each dial has 10 positions. If you think of the dials as C, B, and A, where A is the one farthest to the right, then for every possible setting of C and B, A can be set to 10 positions. For each possible setting of C, B can be set to 10 positions, and for each of those, A can be set to 10 positions. If we ignore C & B and only consider A, there are 10. If we ignore C and only consider B & A, there are 10 x 10, or 100. When we consider C as well, there are 10 positions for C and for each of those we have 100 positions for B & A. So that's 10 x 10 x 10, or 1,000. For a lock (or password) that is composed only of numbers from 0 to 9, then, the number of possibilities is 10^3, or 10 x 10 x 10 = 1,000. If the lock has 4 dials, it will have 10^4, or 10 x 10 x 10 x 10 = 10,000. If you can try one combination per second (s), how long would it take to guess the combination of a cash box with one dial (in the worst-case scenario, where you have to try all the numbers)? With two dials? Three? Four? Make a table in your lab notebook showing your time estimates for different numbers of "dials."
Number of Dials (0–9 on each dial) | Time to Guess (one guess per second)
1 | 10 s
2 | 100 s (1 minute [min], 40 s)
3 | 1,000 s (16 min, 40 s)
4 | ?
5 | ?
6 | ?
7 | ?
8 | ?
Table 2. Complete this table showing that the time required to guess a number increases exponentially when you increase the number of dials.
  2. Graph the information from Table 2 on a chart, with number of dials on the x-axis and time to crack the password on the y-axis. The resulting curve is called a power curve and shows that as you add just one more dial, the difficulty of cracking that combination goes up exponentially.
  3. In a different table, consider now that each of the dials on your lock contains the letters from A–Z, 26 of them to be exact. If you have one dial, how many possible combinations are there? 26^1 = 26. How about two dials? 26^2 = 26 x 26, or 676. Fill in your table with the possible combinations for 1–8 dials. Every time you add a dial, you've multiplied the possible combinations by 26. It gets big very fast, doesn't it?
Number of Dials (A–Z on each dial) | Time to Guess (one guess per second)
1 | 26 s (1 min, 2 s)
2 | 676 s (11 min, 16 s)
3 | ?
4 | ?
5 | ?
6 | ?
7 | ?
8 | ?
Table 3. Complete this table showing that the time required to guess a password increases exponentially when you increase the number of dials.
  4. This science project will not deal with dial locks, though; you will be investigating computer passwords, which are even harder to guess. Make a third table that is more appropriate. How many possible characters can you use in a password? A–Z for sure, then lowercase a–z, the numbers 0–9, and some of the characters along the top of the keyboard. There are at least 62, and that is if you only use letters and numbers. So imagine a set of really big dials that have at least 62 positions, and make a table showing the number of possibilities. Most computer systems require six or more characters in a password and allow quite a few, perhaps 20 or more. When you start calculating how many possibilities there are for a 62-position dial, you get 62^1, 62^2, 62^3, etc. With just eight of these dials that is 62^8, or 218,340,105,584,896 (218 trillion, also written in scientific notation as 2.18e14) possible combinations. What if your password was 12 characters instead of 8? What about 16 or 20 characters?
  5. To demonstrate how effective it can be to simply add extra characters to a password, create a table or graph illustrating this data for your science project. Use different colors to show the size of the dials on your virtual dial lock.
  6. Using data and suggestions you have located in your research, think about images and graphics to explain what not to do when picking passwords, as well as how to go about picking a strong one. If a person were to try typing in all the passwords needed to steal your email, how long would that take for passwords of different lengths? A display comparing that amount of time to something longer—perhaps the age of Earth—can help show the advantages of a strong password.
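The dial arithmetic from the steps above, worked in code. This is an added example, not the Science Buddies crack2.py: it fills in Tables 2 and 3 and the 62-position table for any guessing rate, and then counts the far smaller candidate sets that the word-list methods later in the procedure actually have to try (the 400-word list size and the 10 punctuation characters are assumptions).

```python
"""Added example (not the Science Buddies crack2.py): how the number of
possible passwords, and the worst-case time to try them all, grows with
the number of "dials" (password length) and the positions per dial
(alphabet size). Also counts candidates for a word-list approach; the
400-word list and 10 punctuation characters are assumed sizes."""
import string

DIGIT_DIAL = len(string.digits)                         # 10 positions, Table 2
LETTER_DIAL = len(string.ascii_uppercase)               # 26 positions, Table 3
ALNUM_DIAL = len(string.ascii_letters + string.digits)  # 62 positions, step 4


def keyspace(positions, dials):
    """Combinations for `dials` dials with `positions` settings each."""
    return positions ** dials


def worst_case_seconds(positions, dials, guesses_per_second=1):
    """Seconds needed to try every combination at a fixed guessing rate."""
    return keyspace(positions, dials) // guesses_per_second


def human_time(seconds):
    """Write seconds the way the tables do, e.g. 1000 -> '16 min, 40 s'."""
    seconds = int(seconds)
    parts = []
    for name, size in (("year", 31_536_000), ("day", 86_400),
                       ("hour", 3_600), ("min", 60)):
        count, seconds = divmod(seconds, size)
        if count:
            plural = "s" if count != 1 and name != "min" else ""
            parts.append(f"{count:,} {name}{plural}")
    if seconds or not parts:
        parts.append(f"{seconds} s")
    return ", ".join(parts)


def dial_table(positions, max_dials=8, guesses_per_second=1):
    """Rows (dials, combinations, seconds, readable time) for 1..max_dials."""
    rows = []
    for dials in range(1, max_dials + 1):
        secs = worst_case_seconds(positions, dials, guesses_per_second)
        rows.append((dials, keyspace(positions, dials), secs, human_time(secs)))
    return rows


def wordlist_candidates(words=400, punctuation=10):
    """Candidate counts for a list-based guesser: every word plus a
    capitalised copy, and two such words joined by one punctuation
    character (the "deaf+anteater" pattern). Sizes are assumptions."""
    single = words * 2                      # "password" and "Password"
    pairs = single * single * punctuation   # word, separator, word
    return {"single_words": single, "word_pairs": pairs}


if __name__ == "__main__":
    for label, positions in (("Table 2 (0-9)", DIGIT_DIAL),
                             ("Table 3 (A-Z)", LETTER_DIAL),
                             ("62-position dial", ALNUM_DIAL)):
        print(label)
        for dials, combos, secs, readable in dial_table(positions):
            print(f"  {dials} dials: {combos:>24,} combinations, {readable}")
    # The human factor: a two-word password feels long, but if both words
    # come from a common list the candidate set is tiny next to 62**8.
    counts = wordlist_candidates()
    print(f"word list: {counts['single_words']:,} guesses; word pairs: "
          f"{counts['word_pairs']:,} guesses; 8 random characters: "
          f"{keyspace(ALNUM_DIAL, 8):,} guesses")
```

Pass a larger `guesses_per_second` to `dial_table` to see how the same tables look for a program rather than a person typing.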

Cracking a Password

Now that you have seen how many possible passwords there can be with just 8 or so characters, consider the human factor. People are unlikely to choose long passwords of completely nonsensical characters. In this part of your science project, you will consider different ways of guessing what someone might pick and write a computer program to try 'cracking' a password.

  1. If you have access to a computer, install a programming language you're comfortable with or would like to learn. The examples in this science project are in Python, a popular language for automating computer processes in web servers and industry. Other choices could be C, C++, BASIC or Pascal if you have those. It's up to you; any language will be usable for this science project. We used Python—specifically Python version 3—because it runs on almost every computer available. Make sure the language tools are installed and try a few short test programs to make sure. If your computer does not already have Python 3 installed, get permission if you need to, then visit http://www.python.org/download to download the correct version for your computer. You want version 3.x, not 2.7. Python 2 is the old version and programmers recommend switching to Python 3.
  2. Now, think like a hacker for a minute. If you wanted to guess your friend's password, how would you do that? You might try every possible combination of letters and numbers. Or perhaps you know your friend always uses just numbers. Or maybe you would try his or her favorite words and combinations of those words. To explain how a guessing algorithm like this works, computer programmers can use flowcharts, like the one in Figure 2, below, which show the conceptual flow from one part of the algorithm to the next. The diamonds indicate a decision and the rectangles indicate something to do. If it helps, sketch out your ideas on how to guess passwords using flowcharts. You may also find them useful for your science project display board.
Figure 2. A simple flowchart of the "cashbox" password algorithm to try all possible three-digit numbers as a password.
  3. Your computer program will implement one or more of these algorithms you have found on the Internet or that you think up yourself. The basic idea is to generate every possible password that fits into the algorithm and compare it to one you already know. If it matches, then you have "cracked" that password. Imagine your program was really talking to a website whose password you lost. People who run websites do not like it when you try millions of logins, so trying out your password cracker on your own computer is not only faster, but it is also easier and more considerate.
  4. To help you along with the process of writing algorithms, Science Buddies has an example Python program (download and save crack2.py and passwords.txt to your computer) that implements a few of the ways a password-cracking program could be written. The methods are detailed below.

    A Note About Plagiarism: The programming examples below are available for you to download and run on your own computer and even to use, if your teacher agrees, for your science project. When things are open-source like this, it can be confusing as to what is plagiarism and what is not, so Science Buddies has created this clear set of definitions to guide you. If you:

    • Use the programs as they are and give Science Buddies credit: this is not plagiarism.
    • Modify the programs and say that they were adapted from Science Buddies: this is not plagiarism.
    • Write your own programs from scratch: this is not plagiarism.
    • Use the programs as they are (or modify them) without mentioning Science Buddies: this is plagiarism.

    Methods

    • Method #1: Simulate the cash box. If you think someone uses only numbers for a password (such as for a PIN [personal identification number] at an ATM or on their smart phone), one method is simply to count from 0 to 999 and try each of these as a password. Since all the dials on the lock are always used, you fill the number with leading zeros to give "000", "001", etc. all the way up to "999".

      Python code simulating a combination lock with 0-9 dials
      Figure 3. Python code to simulate the three 0–9 dials on a cash box or suitcase lock.
    • Method #2: Simulate the 62-character dial. If you simulate the 62-character dial mentioned earlier, the code starts with one dial and tries all 62 possibilities. It then adds a second, and tries all 62^2 possibilities, then a third and tries 62^3, etc.

      Python code simulating a combination lock with 62-position dials
      Figure 4. Python code to simulate a number of larger dials, such as a dial that has 62 positions.

    • Method #3: Simulate a list of real-life passwords. A third method takes advantage of a list of passwords that people often use in real life. Mark Burnett, the author of the book Perfect Passwords, compiled a list of the 500 most common passwords used in 2005. We started with that list to make a text file that has 400+ words. This third method tries all of these passwords. Since people may or may not use capital letters, it also tries each word with the first letter capitalized.

      Python program using a list of words to guess passwords
      Figure 5. A Python program that tries to guess a password by reading a list of known passwords and trying each one. The list is based on 500 common passwords and can be expanded by making the list file larger.
    • Method #4: Simulate the combination of words and other characters. The fourth method builds on the third and takes advantage of the fact that people very often use passwords that combine two words with a number or punctuation in between. A fan of wizarding stories might use the password "Harry+Ginny" for example, where the password is much stronger than either "Harry" or "Ginny" alone (unless someone knows you like those characters). It also changes the punctuation in the middle and utilizes capital letters at the beginning of words as well.

      Flowchart of an algorithm to try word pairs as passwords
      Figure 6. Using two words instead of one is a very common way people try to outsmart hackers. This algorithm uses words from the list, but combines them, two at a time, with a different single punctuation character in between.
      Python code generating passwords out of two words & punctuation
      Figure 7. Python code for the flowchart from Figure 6. Using two words instead of one is a very common way people try to outsmart hackers. This algorithm uses words from the list, but combines them, two at a time, with a different single punctuation character in between. It also utilizes the words with uppercase characters, just in case.

  5. To see if it guessed correctly, the program has to compare the guess to the right answer. It could just say "if guess=='Harry+Ginny'", but then it would be too easy to write your algorithm since you would already know the right answer. To make it a challenge, our example program has six passwords that you can guess, but they are encrypted using a method called hashing. Basically, you take a word (or any piece of data) and perform a series of precise calculations using it. The result is a series of numbers that just looks like garbage. It is not, though; it is the result of carefully chopping up the original data in a way that is easy to repeat, but practically impossible to undo. The comparison code in the example takes advantage of Python's built-in support for hashing. It takes your guess, runs it through the same hashing as the password, and compares the results. You pick which of our passwords you want to guess and try your program against it. To test your algorithms out, one password is left unhashed and you can set that one to anything you like.
Python code to compare a guessed password with a known one
Figure 8. The 'correct' answers in our example are encrypted using a hashing function to keep you from reading them and making an algorithm that just guesses it the first time.
  6. To test out your algorithms, put a test case in as password 0 and compare against that. Start with one that you know it will guess right away, then change the program and the password in different ways to make sure it is working right. Then launch your creation to guess our example passwords; can you get them all? They are a combination of numbers, random letters, and words, and the first five should be easy to guess using the example code provided. You can improve that code and make it more efficient. See if your code can find them faster than our code can. Do you see the weaknesses in the example code? Can these algorithms find any password? Think of one you would like to use for your email. Can our example program guess it? The tools for guessing our sixth password are there as well, but you will have to think outside the box a bit.
  7. Once you have one of the six passwords cracked, you can go to the Science Buddies password test site. It is a simple website that confirms that you have guessed one of our passwords correctly. What is the fun of guessing passwords if you do not try them on a real website?
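The hash-compare check from step 5, applied to the three-dial cash box of Method #1. This is an added example, not the Science Buddies crack2.py or its passwords.txt: the stored answer is a constructed sample PIN kept only as a SHA-256 digest (the page does not say which hash function crack2.py uses, so SHA-256 is an assumption), and the guesser only ever sees that digest.

```python
"""Added example (not the Science Buddies crack2.py): compare guesses to a
hashed answer, as step 5 describes, while enumerating the three 0-9 dials
of Method #1 with leading zeros. SHA-256 is an assumed hash choice."""
import hashlib
import hmac


def digest(text):
    """Hash a guess the same way the stored answer was hashed."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Constructed sample: the answer for "password 0" is the PIN "042", stored
# only as its hash so the guessing code cannot simply read it.
STORED_HASH = digest("042")


def check_guess(guess, stored_hash):
    """True if the guess hashes to stored_hash. compare_digest takes the
    same time whether the first or last character differs, which is how a
    careful login check avoids leaking hints through timing."""
    return hmac.compare_digest(digest(guess), stored_hash)


def cashbox_guesses(dials=3):
    """Method #1: yield '000', '001', ... '999'. str.zfill supplies the
    leading zeros, because every dial on the lock is always in use."""
    for n in range(10 ** dials):
        yield str(n).zfill(dials)


def crack_cashbox(stored_hash, dials=3):
    """Try every dial setting in order and return (password, guesses_tried),
    or (None, guesses_tried) if no setting matches the stored hash."""
    tried = 0
    for guess in cashbox_guesses(dials):
        tried += 1
        if check_guess(guess, stored_hash):
            return guess, tried
    return None, tried


if __name__ == "__main__":
    found, tried = crack_cashbox(STORED_HASH)
    print(f"found {found!r} after {tried} of {10 ** 3} possible settings")
    # A PIN from outside the three-dial keyspace is never found, and the
    # guesser still cannot learn it from the hash alone.
    print(crack_cashbox(digest("1234")))
```

Change `STORED_HASH` to the digest of your own test value for password 0 and watch how the guess count tracks the PIN's position in the 000-999 sequence.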



Variations

  • If you have your own web server or feel comfortable adding one to your computer, try writing a website you can "attack" with your program. Using the same computer for both the website and the attack is a lot faster than going over the Internet, and it is never a problem if you break into your own computer.
  • Find other word lists or come up with your own that may do a better job of guessing passwords faster than our list.
  • Try using a password that you think is awesome and impossible to guess, or ask a friend to give you one. See how long it takes your program to guess it.
  • Starting with a short password, guess that one and add one character at a time. Does the increase in time match what you would predict based on the math you did earlier?

