By Davey Winder

With just a few dollars, a little time, and a smart brute-force guessing algorithm, most passwords can be cracked in much less time than you might imagine. According to a new analysis from the experts at Kaspersky, 59% of 193 million actual passwords were cracked in less than 60 minutes, and 45% were cracked in less than 60 seconds.

The basis of a brute-force attack is where the perpetrator iterates all possible combinations in order to find a match for the password in question. However, Antonov explained, “smart guessing algorithms are trained on a passwords data-set to calculate the frequency of various character combinations and make selections first from the most common combinations and down to the rarest ones.”

Brute Force And Smart-Guessing Combine To Quickly Crack Passwords

Although very popular due to the point-and-fire simplicity of a brute-force attack, it remains suboptimal as far as password-cracking algorithms are concerned. When you consider that the vast majority of passwords in daily use contain similar characteristics involving the combination of dates, names, dictionary words and keyboard sequences, adding these to the guessing-game mix speeds things up considerably.

The Kaspersky study revealed that when it comes to the percentage of passwords crackable in any timeframe using each method, while 10% of the password list analyzed was broken in under a minute by brute force, that increased to 45% when smart-guessing was added to the algorithm. Allowing for between a minute and an hour, the difference was 20% compared to 59%

The Smart-Guessing Algorithm Advantage Explained

Because humans are creatures of habit, we make for very poor password creators. The truth is that the passwords we choose for ourselves are rarely, if ever, truly random. We rely upon all the things that smart-guessing algorithms are designed to detect: common names and phrases, important dates both personal and historical, and patterns, lots of patterns. To give you an idea of how predictable we are, one YouTube channel took a sample of more than 200,000 people and asked them to choose a ‘random’ number between 1 and 100. Most people gravitated towards the same relatively small set: 7, 37, 42, 69, 73, and 77. Even when trying to be random with character strings, we fail as most people will favor the center of the keyboard for their selection, according to Kaspersky.

“Smart algorithms make short work of most passwords that contain dictionary sequences,” Antonov said, “and they even catch character substitutions.” In other words, using p@ssw0rd instead of password won’t slow the algorithm down that much at all.

How To Strengthen Your Accounts Against Smart-Guessing Algorithm Attack

Kaspersky recommends the following password usage strategy:

Generate strong and truly random passwords using a password manager.

Don’t reuse passwords across sites and services or hacking one basket will enable access to many more eggs.

If you don’t, or won’t, use a password manager, then use mnemonic passphrases rather than dictionary words and numeric combinations.

Don’t save passwords in web browsers.

Use a password manager protected by a strong master password.

Use two-factor authentication for all accounts that support it.

Follow me on Twitter or LinkedIn. Check out my website or some of my other work here.