Several independent studies published between 2012 and 2016 suggest that between 59 and 61 per cent of consumers reuse a single password across multiple accounts, simply because most people cannot remember a different password for every account.
An online survey in 2016 found that, among 2,000 English-speaking people, the average person regularly logs in to at least 27 separate accounts.
Trying to Find Hidden Passwords in Someone’s PC 😉
Now, let us assume that you want to hack into an account; the process below is fairly easy for anybody with basic programming skills.
For that you’ll need a full version of Elcomsoft Internet Password Recovery 3.0 (or newer). Launch the product and push the “Export Passwords” button on the toolbar (highlighted). Once you push the button, you’ll be prompted for a file name under which to save your password list. Enter the name and wait a few seconds. Elcomsoft Internet Password Breaker will automatically scan your computer for available passwords, including the password stores of Chrome, Internet Explorer, Edge, Outlook, Windows Mail and about a dozen other browsers and email clients. Once the list is saved, open it with any viewer or editor that supports Unicode.
Using a Brute-Force Attack
According to Elcomsoft, “If you are given a task of unlocking a bunch of password-protected documents, you’re assigned a tough job. Even if you use one of the best password recovery tools running on top hardware, you’re still looking at about 7,000 passwords per second when breaking an Office 2013 document on a PC with a single NVIDIA GTX 1080 board. With this kind of a speed, brute-force is no longer an optimal strategy.”
A quality custom dictionary is absolutely necessary when attacking files protected with strong encryption. Can you imagine a higher-quality dictionary than one containing the user’s other passwords?
1. Assuming that your passwords were saved into a file named “password-list.txt”, here is how you configure the pipeline. Use “password-list.txt” as a custom dictionary; no mutations.
2. Using the same dictionary, enable a single mutation that appends 0 to 4 digits to the end of the password.
3. Using the same dictionary, configure the following mutations (Case/Digit/Year) as shown in the screenshot:
The first attack alone takes only a moment and can solve up to 60 per cent of cases. The second attack is slower, but it still takes just a couple of minutes (assuming that the custom dictionary contains 100 or fewer unique passwords). The final attack may take a lot longer; you can customize it so that it tries a reasonable number of combinations. However, considering the tiny size of the custom dictionary we’re using, there is still a good chance that this attack finishes in reasonable time. Statistically, the two attacks can solve up to 70 per cent of cases, although the last one can take longer than just a few minutes.
A typical 8-character alphanumeric password has 2.8 trillion possible combinations.
There are two ways to speed up such an attack: increasing the guessing speed, or reducing the number of passwords that must be tried.
According to Mark Burnett, a huge number of people still pick from a very small list of common passwords. Here are some interesting facts gleaned from his most recent data:
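To put the figures above in perspective, here is a short added estimate (my own code, not the page’s or Elcomsoft’s) of the work each attack stage costs at the page’s 7,000 guesses per second. It assumes the 100-entry custom dictionary the text mentions, and it assumes that the “2.8 trillion” keyspace corresponds to 36^8, i.e. lower-case letters plus digits; both are assumptions, not figures from the page.

```python
# Added example: work-factor estimates for the attack stages described above,
# using the page's own figures. It only counts candidates and time; it does
# not guess passwords. Assumed values are marked as such.

RATE_PER_SEC = 7_000            # page: Office 2013 document, one GTX 1080
SECONDS_PER_YEAR = 365.25 * 86_400


def digit_suffix_candidates(dict_size: int, max_digits: int = 4) -> int:
    """Candidates for stage 2: every dictionary word with 0..max_digits
    decimal digits appended (10**n suffixes of length n, plus the bare word)."""
    return dict_size * sum(10 ** n for n in range(max_digits + 1))


def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates for an exhaustive search over all passwords of one length."""
    return alphabet_size ** length


def seconds_to_exhaust(candidates: int, rate: int = RATE_PER_SEC) -> float:
    """Worst-case time to try every candidate at the given guesses/second."""
    return candidates / rate


def years_to_exhaust(candidates: int, rate: int = RATE_PER_SEC) -> float:
    """Same as seconds_to_exhaust, expressed in (Julian) years."""
    return seconds_to_exhaust(candidates, rate) / SECONDS_PER_YEAR


def work_reduction(alphabet_size: int, length: int, dict_size: int) -> float:
    """How many times smaller the stage-2 dictionary attack is than an
    exhaustive search over passwords of the same length."""
    return keyspace(alphabet_size, length) / digit_suffix_candidates(dict_size)


if __name__ == "__main__":
    # Assumption: "2.8 trillion" is 36**8 (case-insensitive letters and digits);
    # a 100-entry dictionary is the page's own assumption for stage 2.
    stage2 = digit_suffix_candidates(100)
    full = keyspace(36, 8)
    print(f"stage 2 candidates: {stage2:,} -> "
          f"{seconds_to_exhaust(stage2) / 60:.1f} min at {RATE_PER_SEC:,}/s")
    print(f"8-char [a-z0-9] keyspace: {full:,} -> "
          f"{years_to_exhaust(full):.1f} years at {RATE_PER_SEC:,}/s")
    print(f"dictionary attack is {work_reduction(36, 8, 100):,.0f}x less work")
```

The stage-2 figure (about 2.6 minutes) matches the “couple of minutes” claimed above, while exhausting the 8-character keyspace at the same rate would take over a decade; reused passwords, not weak encryption, are what makes the attack cheap.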
- 0.5% of users have the password “password”;
- 0.4% have the password “password” or “123456”;
- 0.9% have the password “password”, “123456” or “12345678”;
- 1.6% have a password from the top 10 passwords;
- 4.4% have a password from the top 100 passwords;
- 9.7% have a password from the top 500 passwords;
- 13.2% have a password from the top 1,000 passwords;
- 30% have a password from the top 10,000 passwords.