Passwords Are Still Too Easy to Hack – Here’s Why

Hollywood promised a future filled with flying cars, hoverboards, and robot overlords. One thing it never promised was unhackable passwords. Who guessed security would be a problem in the world of tomorrow? Brain implants that connect with worldwide computer networks seemed certain, didn’t it? The future had no need for passwords.

Yet in 2021—undoubtedly the future by classic sci-fi standards—we not only still use external devices, but we struggle to keep passwords safe. What’s worse is that it’s an unnecessary struggle because the passwordless future is already here. Before we go into that, however, let’s look at why passwords are still so easy to hack.

Understanding the Math Behind Hacking Passwords

Password hacking, like almost anything dealing with tech built on binary, boils down to math. Let’s say your bank asks you to create a 4-digit pin, which despite the appearance of a strong password is a very simple one. There are only 10 possibilities for each digit (0-9), and 4 selected digits, so that’s 10 x 10 x 10 x 10, or 10^4, which gives us 10,000 possible combinations.

For the billions of 4-digit PIN codes in the world, there are only 10,000 possible combinations. Simple computer algorithms crack them in seconds. Worse, most people don’t pick random 4-digit PIN codes. They use birthdays, old addresses, and patterns—things found on online databases and social media accounts.

Instead of sifting through numbers like 9240, 2917, and 1635, thieves first try numbers like 1234, 5555, and 6969 (trying a short list of the most common passwords against many accounts is known as password spraying). Understanding human behavior and password patterns means thieves don’t need sophisticated software to crack your code; they keep guessing until they find it. These techniques are brute force attacks, and they’re much more common and successful than you’d expect.

Using Math to Strengthen Passwords

How do we make passwords stronger? Simple, add more possible combinations. To do that, we need to add more digits, more possibilities, or both.

Adding more digits means an 8- or 15-digit code instead of a 4-digit PIN. More possibilities means expanding beyond digits. In addition to choosing from 10 numbers, there are 26 letters, or 52 letters including both upper and lower case. Adding more numbers and symbols to those sets creates an even larger pool of possibilities.

For example, using only the 26 lowercase letters of the alphabet for an 8-character password (26^8) nets more than 208 billion possible combinations. That’s an enormous leap from the 10,000 possibilities derived from 10 numbers and 4 digits, which makes it harder to crack using simple methods. The more possibilities and digits/characters added to the equation, the higher the number of possible combinations, and the harder the password is to crack.
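The keyspace arithmetic above, carried through as a small calculator. This is an added example, not ZenKey’s code: it generalises the 10^4 and 26^8 figures to any character-set size and length, and models the post’s point that an attacker who tries predictable PINs first needs far fewer guesses than the full keyspace. The guess rate and the common-PIN list are assumptions constructed for the example.

```python
"""Keyspace arithmetic from the post as a small calculator.

Added example (not ZenKey's code). It generalises the 10^4 and 26^8 figures to
any character-set size and length, and shows why a pattern-first attacker
beats exhaustive search on human-chosen PINs.
"""
from math import log2

# Character-set sizes the post mentions, plus a mixed set for comparison.
CHARSETS = {"digits": 10, "lowercase": 26, "letters": 52,
            "letters+digits+symbols": 52 + 10 + 32}  # 32 printable ASCII symbols


def keyspace(charset_size: int, length: int) -> int:
    """Distinct strings of `length` drawn from `charset_size` symbols (10**4 == 10_000)."""
    if charset_size < 1 or length < 1:
        raise ValueError("charset size and length must be positive")
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """The same keyspace expressed in bits: log2(charset_size ** length)."""
    return length * log2(charset_size)


def worst_case_seconds(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Seconds to try every combination at an assumed guess rate (the post gives none)."""
    return keyspace(charset_size, length) / guesses_per_second


# Constructed sample: predictable PINs in the order an attacker might try them
# (an illustrative list made up for this example, not a real wordlist).
COMMON_PINS = ["1234", "1111", "0000", "1212", "7777", "1004", "2000", "4444",
               "2222", "6969", "9999", "3333", "5555", "6666", "1122", "1313"]


def guesses_until_found(pin: str, ordered_guesses=COMMON_PINS):
    """Attempts a pattern-first attacker needs; None if the PIN is not in its list.

    1234 or 5555 falls within the first few guesses, while a PIN outside the
    list costs the attacker up to the full keyspace(10, 4) == 10_000 tries.
    """
    return ordered_guesses.index(pin) + 1 if pin in ordered_guesses else None


if __name__ == "__main__":
    for name, size in CHARSETS.items():
        print(f"{name:24s} 8 chars: {keyspace(size, 8):>22,} ({entropy_bits(size, 8):.1f} bits)")
    print(keyspace(10, 4), guesses_until_found("5555"), guesses_until_found("9240"))  # 10000 13 None
    print(worst_case_seconds(26, 8, 1e9))  # about 208.8 s at an assumed 1e9 guesses/s
```

The worst-case figure is an upper bound on the attacker’s effort; the common-PIN lookup shows how little of it is actually needed when the PIN follows a pattern.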

Why Math Can’t Protect Your Passwords

Make passwords look like jFn4$#o4gjR3Nrw,os&$(204L and you’re safe. Case closed, right? In a word, no. Even passwords like the one above aren’t strong enough. This is because passwords as a security measure are no longer strong enough.

Thieves evolved and became more skilled over time while passwords did not. Their tools and methods became more sophisticated and effective while passwords as security stayed static. Think of it as a very old lock and a very modern locksmith. These newer methods include:

  • Credential Stuffing. Data breaches affect millions of consumers all the time. Credentials scooped up by thieves and scammers find their way onto the dark web for sale. Because many people use the same email, usernames, and passwords for multiple sites, it only takes one of the less secure sites to get hacked and your information is compromised. Criminals buy that information from a data dump and use computer programs that enter it into hundreds of secure sites, like credit card companies and banks. People who reused the same login credentials across multiple sites may find every account that shares those credentials hacked.
  • Keylogging. Keylogging is one of the more difficult methods of hacking. However, if someone gets access to one of your devices, it becomes very easy. Keylogging requires a program that records all your keystrokes, including those of your login credentials and other sensitive data. Thieves then use the logs to duplicate everything you used to access your accounts and clean them out. A less technical version of keylogging is called ‘local discovery’. This happens when a hacker or thief swipes your credentials from a notepad or card you left in plain sight. This version is more common in an office setting.
  • Phishing. Phishing uses an email that appears like a genuine communication. It fools people into thinking it’s from a friend, relative, coworker, or some other familiar institution or trusted email account. Some phishing scams are well-researched and very personal. Somewhere in the email is a link that entices you to enter your credentials on a fake landing page which allows the fraudsters to steal them. Now they can go ahead and use your credentials to access your accounts, lock you out of them, or whatever they wish to do.
  • SIM Swap Fraud. SIM swap fraud occurs when a fraudster calls up a wireless carrier and convinces a customer service agent that they are the legitimate owner of the device. They make up stories about losing access to their phone—their victim’s phone—and answer some basic questions to verify the owner’s identity. This is often information anyone can find online. The customer service agent then switches the legitimate account over to the scammer’s SIM card while locking the phone and SIM card of the legitimate owner. The fraudster has only to reset passwords which they can do by receiving SMS text codes to verify it’s you changing them. Then, they can log in and do whatever they want.

Password Hacking Is Mostly Avoidable

The common denominator in every hack mentioned here is the password. No matter how much professional training or sophistication goes into crafting passwords, they’re still hard to remember, easy to forget, and even easier to steal.

ZenKey has a faster, easier way to register for new accounts, access existing accounts, and conduct secure transactions, all without ever creating another password. Learn more about how ZenKey works and enter the future of online security.
