Password Security: How Easily Can Your Password Be Hacked?
Abstract
We use passwords every day for our email and other computer accounts. How secure is the password that you use? How hard would it be for someone to guess your password? How hard is it to write a computer program to guess a password? You can see for yourself by writing a simple password guesser in the computer language Python. We will get you started with some ideas, a little sample code, and a few passwords for your computer program to try and guess.
Howard Eglowstein, Science Buddies
Edited by Ben Finio, PhD, Science Buddies
Evaluate how difficult different types of passwords are to crack and then write a simple password-guessing program to try to guess sample passwords.
Keeping yourself and your data safe is often referred to as cybersecurity. Providers of computer services (like banking, email, or social media) have the responsibility of keeping hackers out of people's systems. As a computer user, you can do your part by being careful about who you talk with over the Internet, what information you share, and by picking and using strong passwords. Computer passwords are one of the most important tools used to protect information on computer systems. Just as you do not want anyone stealing your password and gaining control of your Instagram account, banks have to take precautions to keep criminals from stealing money. Because passwords are so important, it is a crime to steal passwords and to intentionally access other people's computers.
You use computer passwords every day, whether to access your email account, social networking sites, or even to do online banking. One of the challenges you may have when picking a password is making it easy for you to remember, but hard for other people to guess. It may not be a good idea, for example, to use your dog's name, your street address, or any information that's somehow connected to your username. For instance, if Sue Jones uses the login "SJones" to access her email and lives at 314 Apple Pie Road, the password "pie314" might not be a good choice. Do you see why? Though it might be easy for her to remember, it is very short and contains her street address. A stronger password might be "9J8LZcWAMzjJQUnD"...if she could remember it. That is certainly much longer, it's not a word, and it does not have any identifiable information. But who can remember that? And if you write it down and misplace the piece of paper, that isn't really more secure.
A strong password is one that you can remember easily, but that is pretty long, is made up of a couple of words, numbers and punctuation, but doesn't have anything in it that someone would guess if they looked you up on the Internet. There are a lot of strategies for creating strong passwords.
- The "9J8LZcWAMzjJQUnD" example above came from an online totally random password generator. It simply picked 16 characters at random.
- Another strategy is to start by thinking of a passphrase, which is a phrase you like or a quote from a movie. Then use the first letter of each of the words and put in a number or punctuation in there somewhere. If your password is "T4IdtwiKa", can you remember it more easily if you're a fan of the Wizard of Oz? "Toto, I don't think we're in Kansas anymore." The number 4 takes the place of the comma and is the number of legs Toto has.
- Another common approach is to use two completely unrelated words and separate them by numbers or characters; is "deaf+anteater" easy to remember? Is it still easy to remember if you sprinkle in some numbers, like perhaps the phone number where you used to live? "deaf555+4715anteater" might be harder for someone to guess.
- Or consider a nonsense word that doesn't mean anything but that you can still pronounce; "USiFiPiZOG" is an example of a pronounceable random password. Compare it to the one starting with "9J8" in the paragraph above. Is it easier or harder to remember? Memory tricks that help us remember things are called mnemonic devices. Try saying the two random passwords out loud and see which one you remember.
You can see that there are as many possible passwords as stars in the sky.
| Password Type | Example Password |
|---|---|
| Easy to guess based on personal knowledge | pie314 |
| Completely random (hard to guess) | 9J8LZcWAMzjJQUnD |
| Passphrase | T4IdtwiKa (Toto, 4I don't think we're in Kansas anymore) |
| Two unrelated words | deaf+anteater |
| Two unrelated words + personal info | deaf555+4715anteater |

Table 1. Different types of passwords and some examples.
With so many possible passwords, how is it possible for anyone to guess yours and steal your email account? The fact is that people are not good at picking random things and are terrible at remembering things that do not make sense in some way. In the 'deaf anteater' examples, you may have trouble remembering that second one if your phone number was never 555-4715. People like to pick things that connect to something else in their experience and make some sense. We do not remember nonsense very well at all. We also do not like to remember things that are long and detailed; yet, a long, difficult password is exactly the kind we should have if we do not want anyone guessing it. This is the challenge then; how do we balance between "easy to remember" and "really hard to guess"?
The first part of this science project is to do some research on the Internet about password security. When you do your research, you will find literally thousands of sites that offer up password suggestions or offer to evaluate your passwords and tell you how strong they are. Some have explanations about the math that shows why making a weak password a little bit longer will make it a strong password. You will want to read about why some passwords are better than others and why people pick the passwords they use. Police detectives have to think like a thief if they want to catch one, so while people trying to steal passwords use this information to help them, you can use it in this science project to make it easier to guess our samples and therefore, to improve your own passwords after the science project is completed. Once you have found some strategies for both hiding and guessing passwords, you will write a computer program to guess passwords using the strategies you have read about. Think about passwords like a typical user; how do you think a typical user picks a password? You will be writing a computer program to try out these techniques to guess some samples we offer, and to guess your own as well.
Remember that it was stated earlier that it is a crime to break into computers without permission? In this science project, you will be "breaking into" your own computer by simply guessing passwords. Once you guess the ones we provide, you have our permission to try them out on a special website we have set up.
The procedure contains some sample code to help you get started. Once you are at the programming stage, you can take this science project in one of several different directions:
- Modify the provided programming examples to try guessing the passwords Science Buddies has encrypted. How long does each password take to guess? What does this tell you about what types of passwords are strongest?
- Have friends or family make up weak versus strong passwords based on what you learn about password cracking. Test those passwords against your password-guessing program. How long do you think it will take your program to crack your own email password?
Terms and Concepts
- Strong password
- Totally random password
- Pronounceable random password
- Mnemonic device
- Weak password
- Exponential curve
- Brute-force attack
- Dictionary attack
- Integrated Development and Learning Environment (IDLE)
- Leading zeros
- What makes a password weak or strong?
- If you want to make a password that no one will guess, how would you pick one?
- If you want to guess someone's password, what information would you want to know and how would you guess they used it in their password?
The Internet is full of information about passwords and password security. A search engine will find many sites if you search for "password security," "secure passwords," or "password cracking." Here are a few to get you started.
- Imperva Application Defense Center. (2010). Consumer Password Worst Practices. Retrieved January 9, 2014.
- Burnett, M. (2012, September 5). 6 New Password Rules. Xato. Retrieved January 9, 2014.
- Burnett, M. (2011, June 13). How I Collect Passwords. Xato. Retrieved January 9, 2014.
- Lucas, I. (2009, July 10). Password Recovery Speeds. Lockdown.co.uk - The Home Computer Security Centre. Retrieved January 9, 2014.
- Shaffer, G. (2012). Good and Bad Passwords How-To. GeodSoft. Retrieved January 9, 2014.
These resources can introduce you to Python or serve as references:
Materials and Equipment
- Computer with internet access and Python 3 installed. You can download Python 3 from https://www.python.org/downloads/. Make sure you download the correct version for your operating system.
- Download these files and save them to the same folder on your computer: crack_password.py and passwords.txt (both described in the Procedure).
- Lab notebook
- Pencil or pen
- Optional, but recommended: Python 3 reference book or online tutorial (see bibliography in the background section).
Cybersecurity projects can be fun, but they can also get you in trouble if you are not careful. Make sure you follow these rules when doing a cybersecurity project:
- Do not attack any individual, computer, system, or network without consent from the individual (or person who owns the computer). For example, do not try to guess someone's email password and log into their account unless you get their permission first, or try to hack into a website without permission from the owner of the website.
- Even if you have consent to perform an attack, the attack should be for learning purposes only, and you should help the individual or organization fix any problems you find (this is known as "white hat" hacking). For example, if you are able to guess someone's password, you should tell them they need to pick a stronger password (and help them learn how). Do not read their emails, change any of their account settings, look at private information or files like pictures, or tell anyone else their password.
- If your project involves human subjects, even if you have their consent, you may still need approval from your science fair or an Institutional Review Board (similar to the rules for psychology or medical experiments). See this page for more information.
- Do not pretend to be a different person, company, or other organization online. This includes pretending to be someone else on a social media site, setting up fake websites designed to look like real websites from reputable companies, or sending "phishing" or other emails designed to look like they were sent by someone else. (A controlled experiment where only study participants have access to examples of such websites or emails would be OK.)
- Do not use data that was illegally obtained (for example, contact information stolen from a company's employee database), even if it was stolen by someone else and already posted online.
- Do not publicly post sensitive personal information, even if it was obtained with consent. For example, if your project involves accessing people's contact information (legally), do not post someone's name and address in the "Results" section of your science fair display board. You should destroy any such information (by shredding paper or deleting files) when you are done with your project.
- Do not install or run any malicious software (viruses, malware, spyware, trojans, etc.) on a computer that is connected to the internet. The software could easily spread to other computers and get out of your control.
If you have any doubts or questions about your project, check with your teacher or science fair administrator before you start.
Calculating the Strength of a Password
Do an online search and find a table that discusses the number of possible passwords for a given length and a given style. For example, consider the standard suitcase or cash box lock (Figure 1).
Figure 1. A standard cash box or suitcase lock has three dials; each can be set from 0 to 9 for a total of 1,000 combinations.
- Since each of the dials can be set from 0 to 9, how many possible combinations are there? You may immediately know it is 1,000, but why? Each dial has 10 positions. Think of the dials as C, B, and A, where A is the one farthest to the right. If we ignore C and B and only consider A, there are 10 possibilities. If we ignore C and consider B and A together, there are 10×10, or 100, because for each of B's 10 positions A can be set to 10 positions. When we consider C as well, there are 10 positions for C and, for each of those, 100 settings of B and A, so that's 10×10×10, or 1,000. For a lock (or password) composed only of the digits 0 to 9, then, the number of possibilities is 10^3, or 10×10×10 = 1,000. If the lock has 4 dials, it has 10^4, or 10×10×10×10 = 10,000. If you can try one combination per second (s), how long would it take to guess the combination of a cash box with one dial, in the worst case where you have to try all the numbers? With two dials? Three? Four? Make a table in your lab notebook showing your time estimates for different numbers of "dials."

| Number of Dials (0–9 on each dial) | Time to Guess (one guess per second) |
|---|---|
| 2 | 100 s (1 minute [min], 40 s) |
| 3 | 1,000 s (16 min, 40 s) |
- Graph the information from Table 2 on a chart, with number of dials on the x-axis and time to crack the password on the y-axis. The resulting curve is called an exponential curve and shows that as you add just one more dial, the difficulty in cracking that combination goes up exponentially.
- In a different table, consider now that each of the dials on your lock contains the letters A–Z, 26 of them to be exact. If you have one dial, how many possible combinations are there? 26^1 = 26. How about two dials? 26^2 = 26×26, or 676. Fill in your table with the possible combinations for 1–8 dials. Every time you add a dial, you multiply the possible combinations by 26. It gets big very fast, doesn't it?

| Number of Dials (A–Z on each dial) | Time to Guess (one guess per second) |
|---|---|
| 1 | 26 s (1 min, 2 s) |
| 2 | 676 s (11 min, 16 s) |
- This science project will not deal with dial locks though; you will be investigating computer passwords, which are even harder to guess. Make a third table that is more appropriate. How many possible characters can you use in a password? A–Z for sure, then lowercase a–z, the numbers 0–9, and some of the characters along the top of the keyboard. There are at least 62, and that is if you only use letters and numbers. So imagine a set of really big dials that have at least 62 positions, and make a table showing the number of possibilities. Most computer systems require six or more characters in a password and allow quite a few, perhaps 20 or more. When you start calculating how many possibilities there are for a 62-position dial, you get 62^1, 62^2, 62^3, etc. With just eight of these dials that is 62^8, or 218,340,105,584,896 (218 trillion, also written in scientific notation as 2.18×10^14) possible combinations. What if your password was 12 characters instead of 8? What about 16 or 20 characters?
- To demonstrate how effective it can be to simply add extra characters to a password, create a table or graph illustrating this data for your science project. Use different colors to show the size of the dials on your virtual dial lock.
- Using data and suggestions you have located in your research, think about images and graphics to explain what not to do when picking passwords, as well as how to go about picking a strong one. If a person were to try typing in all the passwords needed to steal your email, how long would that take for passwords of different lengths? A display comparing that amount of time to something longer—perhaps the age of Earth—can help show the advantages of a strong password.
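As an added example (not code from the Science Buddies project), the following Python computes the numbers behind the tables in this section: the number of combinations for a given number of dials and positions per dial, and the worst-case time to try every combination at a chosen guess rate, written out as years, days, hours, minutes and seconds the way the tables show it. The function names and the one-million-guesses-per-second rate are my choices; the 10-, 26- and 62-position dials come from the text.

```python
# Added example: keyspace and worst-case guessing time for a "dial lock".
# Not code from the Science Buddies project; the function names are assumptions.


def keyspace(positions, dials):
    """Number of distinct combinations when each of `dials` dials has `positions` settings."""
    return positions ** dials


def worst_case_seconds(positions, dials, guesses_per_second=1):
    """Seconds needed to try every combination at the given guess rate."""
    return keyspace(positions, dials) / guesses_per_second


def format_duration(seconds):
    """Write a number of seconds as years, days, h, min and s, e.g. 1000 -> '16 min, 40 s'."""
    remaining = int(seconds)
    parts = []
    for name, size in (("year", 365 * 24 * 3600), ("day", 24 * 3600), ("h", 3600), ("min", 60)):
        if remaining >= size:
            count, remaining = divmod(remaining, size)
            plural = "s" if name in ("year", "day") and count != 1 else ""
            parts.append(f"{count} {name}{plural}")
    parts.append(f"{remaining} s")
    return ", ".join(parts)


def strength_table(positions, max_dials, guesses_per_second=1):
    """Rows of (dials, combinations, formatted worst-case time), one row per dial count."""
    return [
        (d, keyspace(positions, d),
         format_duration(worst_case_seconds(positions, d, guesses_per_second)))
        for d in range(1, max_dials + 1)
    ]


if __name__ == "__main__":
    for label, positions in (("0-9", 10), ("A-Z", 26), ("0-9, a-z, A-Z", 62)):
        print(f"Dials with {label} ({positions} positions), one guess per second:")
        for dials, combos, time in strength_table(positions, 8):
            print(f"  {dials} dials: {combos:>20,} combinations, {time}")
    # The question from Method #2 in the Procedure: an 8-character, 62-symbol
    # password when a computer makes a million guesses per second.
    print("62^8 at 1,000,000 guesses/s:", format_duration(worst_case_seconds(62, 8, 1_000_000)))
```

Running it reproduces the 100 s and 1,000 s rows for two and three digit dials, 26 s and 676 s for the letter dials, and 218,340,105,584,896 combinations for eight 62-position dials; even at a million guesses per second that last case takes more than six years, which is the point of the extra characters.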
Cracking a Password
A Note About Plagiarism: This project involves example code written by Science Buddies. When things are open-source like this, it can be confusing as to what is plagiarism and what is not, so Science Buddies has created this clear set of definitions to guide you. If you:
- Use the programs as they are and give Science Buddies credit— this is not plagiarism.
- Modify the programs and say that they were adapted from Science Buddies— this is not plagiarism.
- Write your own programs from scratch— this is not plagiarism.
- If you use the programs as they are (or modify them) without mentioning Science Buddies— this is plagiarism.
Now that you have seen how many possible passwords there can be with just 8 or so characters, consider the human factor. People are unlikely to choose long passwords of completely nonsensical characters. In this part of your science project, you will consider different ways of guessing what someone might pick and write a computer program to try 'cracking' a password. There are many different algorithms you can use to guess a password. For example, you could try a brute-force attack where you check every possible combination of letters, numbers, and symbols. This would be like trying every possible combination on the lock in Figure 1. You could also try a dictionary attack where you guess common passwords or other words. You can even try combinations of these methods (for example, combining two words). Computer scientists use flowcharts to represent their algorithms, like the ones in Figures 2 and 3.
Remember: this is not a beginner-level programming project. If this is your first time using Python (or doing any computer programming at all), this project may be too difficult at first. You will need to devote some time to practicing Python, do some online tutorials, and possibly try some simpler projects before you try to tackle this one.
Note: some users have reported errors when trying to run the code supplied for this project. This error appears to only affect certain computers, and is related to how the code is indented. Nested code on Python should be indented in multiples of four spaces (4, 8, 12, 16...). If you get an "unexpected indent" error, check to make sure that the indentation of the line is correct (for example, if the line is indented 5 spaces, delete a space and change it to 4 spaces). You can also comment out any "print" statements that cause an error message.
- Go to http://www.python.org/download and download the correct version of Python 3 (not 2) for your operating system. The download will install the Integrated Development and Learning Environment (IDLE), which can be used to edit and run Python programs. Python is a popular language for automating computer processes in web servers and industry, and the example code for this project is written in Python 3. However, if you are familiar with another programming language (C, C++, BASIC, Pascal, etc.), you can use that instead.
- Download and save the files crack_password.py and passwords.txt to the same folder on your computer. crack_password.py is an example program written by Science Buddies that includes four different password-cracking algorithms:
- Method #1: brute-force attack with numbers 0–9 only. This is like trying to guess the combination on a bicycle or suitcase lock, like the one in Figure 1. If you think someone uses only numbers for a password (such as for a PIN [personal identification number] at an ATM or on their smart phone), one method is simply to count from 0 to 999 and try each of these as a password. Since all the dials on the lock are always used, you fill the number with leading zeros to give "000", "001", etc. all the way up to "999".
- Method #2: brute-force attack with numbers and upper/lowercase letters. Imagine a lock that also has letters a–z and A–Z on each wheel. This gives 62 characters per wheel instead of 10. This method will start out with a single "wheel" and test all 62 possibilities. It then adds a second, and tries all 62^2 possibilities, then a third and tries 62^3, etc., up to 8 characters. This method can take a very long time to run for longer passwords, so we actually save it for last in the program (look at what you filled in for Table 3—how long would it take to guess an 8-character password, even if a computer can make a million guesses per second?).
- Method #3: dictionary attack using a list of common passwords. A third method takes advantage of a list of passwords that people often use in real life. Mark Burnett, the author of the book Perfect Passwords compiled a list of the 500 most common passwords used in 2005. We started with that list to make a list of 400+ words, saved in passwords.txt. This third method tries all of these passwords. Since people may use capital letters or not, it also tries each word with the first letter as a capital.
- Method #4: advanced dictionary attack that combines words. The fourth method builds on the third and takes advantage of the fact that people very often use passwords that combine two words with a number or punctuation in between. A fan of wizarding stories might use the password "Harry+Ginny" for example, where the password is much stronger than either "Harry" or "Ginny" alone (unless someone knows you like those characters). It also changes the punctuation in the middle and utilizes capital letters at the beginning of words as well.
- crack_password.py contains seven passwords for you to try and guess (variables password0 through password6 in the program). The first one (password0) is displayed as plaintext. This means that you can see the real value of the password, so you can easily confirm if your program can guess it properly. The other passwords are encrypted using something called hashing. Hashing takes a word (or any piece of data) and uses precise mathematical operations to convert it into a (seemingly) gibberish series of numbers and letters. This operation is repeatable—it will always give you the exact same answer—but it is nearly impossible to do it in reverse. It is also unique, meaning the hash values of any two different passwords should never equal each other. This means that, in order to test if two passwords match, you can compare their hash values instead of their plaintext. Sound confusing? Don't worry. Read the code and comments in crack_password.py and you will understand the process better. Do a web search for "MD5 hashing" if you want to learn more about the topic (MD5 is the specific hashing algorithm used in this project).
- Open crack_password.py in IDLE. If you properly installed Python, there should be a desktop or start menu icon for IDLE on your computer. You can also right-click the file (on Windows) and select "Edit with IDLE." Do not just double-click crack_password.py or it might not run properly.
- Read through the code and read the comments. It is a big program, so it might seem overwhelming at first. Do not worry if you do not understand every single line of code right away.
- Scroll down to the "main" function at the bottom of the program. This is where you can set the value for password0. Leave it as the default value for now.
- Run the program. In IDLE, select Run→Run Module, or press F5.
- A new window (the Python "shell") should open. Follow the on-screen prompts to run the program. Tell the program to guess password 0 and watch the output. Does its guess match the value set for password0 in the "main" function?
- Which of the four methods did the program use to successfully guess the password? Look at the code for that method in crack_password.py. Can you understand how that algorithm was able to find the password?
- Try changing password0 to something else (as explained in the comments, remember to do this in the "main" function at the bottom of the program, not when the variable is initialized at the top of the program), like a word from passwords.txt. Save crack_password.py, run the program again, and select password 0. How does your output change? Which method finds the password this time?
- Try running the program for passwords 1–5. The example code should be able to guess these passwords without any modifications. Each time, examine the code's output. Which algorithm found the password? Do you understand how?
- The example code will not guess password 6 without some changes. You will need to modify the existing algorithms or write your own. Here are just a few ideas you can try:
- Modify method 2 to include punctuation in addition to numbers and letters.
- Modify method 3 to try with the entire word capitalized, with alternating uppercase/lowercase letters, or with the word spelled backwards.
- Modify method 4 to try combining three words instead of two.
- Try combining different methods. For example, combine methods 1 and 2 to try a word followed by a number.
- The example code measures how many attempts, and how long, it takes to find the password using each method. Can you change the code to be more efficient and find the passwords faster?
- If your program gives an error or you do not understand something, you will need to try debugging. Here are some tips to help you debug your program:
- Read error messages carefully. They probably refer to a line number, so you can look for the problem in a specific place in your program. You can also try copying and pasting the text of the error message into a search engine. You may find some help documentation or a forum thread about that error message.
- Add "print" statements to the program to display output or the values of variables at specific points. The example program already contains many print statements that are commented out by default. You can uncomment them to print each password guess. This will slow the program down quite a bit, but may help you understand how each search method works.
- Use the line 'input("Press enter to continue.")' to pause the program until you press enter. This can help you slow the program down, in case the output in the shell window happens too fast for you to understand what is going on.
- When debugging, only change one line of code at a time, and then run your program again. If you change multiple lines at once, you might not know what caused (or got rid of) an error message.
- Once you have one of the six passwords cracked, you can go to the Science Buddies password test site. It is a simple website that confirms that you have guessed one of our passwords correctly. What is the fun of guessing passwords if you do not try them on a real website?
- Try thinking of a password that you think would be hard to crack, or ask a friend to think of one. Enter that password for password 0 in the program. Can your algorithm crack the password? How long does it take?
For a 3-digit lock, start at 000, convert the value to a hash, and compare it to the stored password hash. If the hashes match, you have found the password. Otherwise, move to the next number and repeat the process until you find a matching hash or you have tested every value up to 999.
Figure 2. A simple flowchart of the "cashbox" password algorithm to try all possible three-digit numbers as a password.
This algorithm takes three lists and combines their items into different combinations to try to guess a password. The first list contains preset words, the second punctuation characters, and the third another set of words. A counter starts at the top of each list, and the first item in each list is joined to form a guess. If that fails, the counter for the third list moves to the next word and a new guess is tried with that word. When the third list runs out of words, its counter resets to the top, the counter for the second list moves to the next punctuation character, and the whole process repeats. If no password is found after the second list runs out of punctuation characters, its counter resets to the top, the counter for the first list moves to the next word, and the whole process repeats again. If the first list is exhausted, you have not guessed the password.
Figure 3. Using two words instead of one is a very common way people try to outsmart hackers. This algorithm uses words from the list, but combines them, two at a time, with a different single punctuation character in between.
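The following Python program is an added example, not the Science Buddies crack_password.py, that reimplements the four guessing strategies from the Procedure (Methods #1 through #4) and the two flowcharts above: counting 000 to 999 with leading zeros (Figure 2), the dictionary run with and without a capital first letter, the three-counter two-word combination (Figure 3), and the 62-character brute force kept for last because it grows 62 times larger with every extra character. It compares MD5 hashes the way the project does and counts attempts per method. The mini word list, the punctuation list, the sample passwords and all function names are constructed for this example. MD5 appears here only because the project uses it; real systems store passwords with a slow, salted password hash, which is exactly what turns "a million guesses per second" back into years.

```python
import hashlib
import itertools
import string

# Added example, not the Science Buddies crack_password.py. Everything below
# (word list, punctuation, sample passwords, function names) is constructed.

WORDS = ["password", "dragon", "monkey", "letmein", "harry", "ginny", "sunshine"]
PUNCTUATION = ["+", "-", "_", ".", "!", "#"]
ALNUM = string.digits + string.ascii_lowercase + string.ascii_uppercase  # 62 "wheel" positions


def md5_hex(text):
    """Hash a guess the way the project stores its sample passwords."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digits_guesses(width=3):
    """Method #1 / Figure 2: 000, 001, ... 999, keeping the leading zeros."""
    for n in range(10 ** width):
        yield str(n).zfill(width)


def dictionary_guesses(words=WORDS):
    """Method #3: every word as written and with a capital first letter."""
    for word in words:
        yield word
        yield word.capitalize()


def two_word_guesses(words=WORDS, punctuation=PUNCTUATION):
    """Method #4 / Figure 3: word1 + punctuation + word2, innermost counter first."""
    for first in words:
        for sep in punctuation:
            for second in words:
                for a in (first, first.capitalize()):
                    for b in (second, second.capitalize()):
                        yield a + sep + b


def alnum_guesses(max_length=3, alphabet=ALNUM):
    """Method #2: brute force with 1, 2, ... max_length wheels of 62 characters."""
    for length in range(1, max_length + 1):
        for combo in itertools.product(alphabet, repeat=length):
            yield "".join(combo)


def try_guesses(target_hash, guesses):
    """Hash each guess and compare with the target. Returns (plaintext or None, attempts)."""
    attempts = 0
    for guess in guesses:
        attempts += 1
        if md5_hex(guess) == target_hash:
            return guess, attempts
    return None, attempts


def crack(target_hash, max_brute_length=3):
    """Cheap methods first, the 62-character brute force last.
    Returns (method name, plaintext, total attempts); method and plaintext are None on failure."""
    methods = [
        ("1: digits 000-999", digits_guesses()),
        ("3: dictionary", dictionary_guesses()),
        ("4: two words", two_word_guesses()),
        ("2: alphanumeric brute force", alnum_guesses(max_brute_length)),
    ]
    total = 0
    for name, guesses in methods:
        found, attempts = try_guesses(target_hash, guesses)
        total += attempts
        if found is not None:
            return name, found, total
    return None, None, total


if __name__ == "__main__":
    # Constructed sample passwords; the last one is out of reach of these methods.
    for secret in ("314", "Dragon", "Harry+Ginny", "aB9", "9J8LZcWAMzjJQUnD"):
        print(f"{secret!r} -> {crack(md5_hex(secret))}")
```

The attempt counts make the lesson of the strength tables concrete: "314" falls in 315 hashes, "Dragon" in about a thousand, "Harry+Ginny" in under two thousand, while a 16-character random string is not found after every method has run, and raising max_brute_length by one multiplies the last method's work by 62.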
Ask an Expert
- If you have your own web server or feel comfortable adding one to your computer, try writing a website you can "attack" with your program. Using the same computer for both the website and the attack is a lot faster than going over the Internet, and it is never a problem if you break into your own computer.
- Find other word lists or come up with your own that may do a better job of guessing passwords faster than our list.
- Try using a password that you think is awesome and impossible to guess, or ask a friend to give you one. See how long it takes your program to guess it.
- Starting with a short password, guess that one and add one character at a time. Does the increase in time match what you would predict based on the math you did earlier?