According to theage.com.au, one of the most sought-after (and currently incarcerated) hackers was identified and trapped because he used his pet’s name as his password to his Mac disk encryption. At least, he thinks that’s how it happened. He’s probably right, seeing how it was “Chewy123”.
In an interview conducted with Jeremy Hammond, who was given a 10-year sentence for hacking into government websites and other cyber-hijinks, the incarcerated hacker reveals not only his motivations, political and otherwise, but what happened on the day the feds busted through his door.
It almost sounds like he was expecting it:
Hammond was smoking pot and chatting with friends in the kitchen of his Chicago home when the front door was kicked in. Someone threw a flash bang.
“There were all these dudes with assault rifles,” he said.
Everyone else hit the floor, but Hammond dashed to his bedroom to slam shut his encrypted Mac laptop.
The above, of course, means that Hammond closed the lid of the laptop. Doing so puts an encrypted Mac into its “protected state”: when full disk encryption is used, the encryption is “on” when the computer is off or when the password has to be entered. Encryption is turned “off” when you’re working on the computer. By slamming shut his Mac, Hammond had ensured that his encryption kicked in, preventing third parties from browsing through and reading his computer’s contents.
Or at least, that was the idea.
Encryption works. This has been proven time and time again. Modern encryption, such as the AES encryption algorithm used in Macs, is so powerful that cracking it by brute force would take decades, maybe even centuries.
And because of that, anyone trying to break into an encrypted system tends to target the password, since passwords tend to be much shorter and less complex, and thus much easier to crack. How much easier? According to some recent research, you can expect any password to fall within a week if the password is fewer than 15 characters in length. The current guidelines in certain circles call for a 22-character password if a password is going to be useful.
Chewy123 is not such a password. Furthermore, there are other problems with this particular password choice:
- Chewy is a dictionary word. Running a list of words found in a dictionary through the password prompt (if you will) is pretty easy and standard when it comes to cracking passwords.
- 123 is a very oft-used add-on to passwords when trying to create an alphanumeric password.
- Chewy is also Hammond’s cat’s name. People looking to break passwords will use personal information like mother’s maiden names, birthdates, old addresses, names of friends, and names of pets.
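The weaknesses listed above, plus the 15-character threshold, are things a password-setting routine can check for before a password is accepted. The following is an added example, not part of the original article; the word list, suffix list, personal tokens and function names are all constructed for illustration.

```python
import re

# Constructed sample data (assumptions for this example, not from the article):
# a tiny stand-in for a real dictionary and a list of popular add-ons.
DICTIONARY = {"chewy", "password", "dragon", "monkey", "summer"}
COMMON_SUFFIXES = {"1", "12", "123", "1234", "!", "1!", "2024"}
MIN_LENGTH = 15  # the article's threshold: shorter passwords fall within a week


def split_base_suffix(password):
    """Split a password into a leading base and a trailing run of digits/symbols."""
    m = re.fullmatch(r"(.*?)([\d\W_]*)", password)
    return m.group(1), m.group(2)


def audit_password(password, personal_tokens=(), dictionary=DICTIONARY):
    """Return findings that mirror the weaknesses listed in the article."""
    findings = []
    base, suffix = split_base_suffix(password)
    base_l = base.lower()
    personal = {t.lower() for t in personal_tokens}
    if len(password) < MIN_LENGTH:
        findings.append("short")
    if base_l in dictionary:
        findings.append("dictionary-word")
    if base_l in personal:  # pet names, birthdates, old addresses, ...
        findings.append("personal-info")
    if base and suffix in COMMON_SUFFIXES:
        findings.append("common-suffix")
    return findings


def pattern_guess_space(dict_size, n_personal):
    """Upper bound on candidates of the form <word><common suffix>:
    every word in 3 casings (lower, Capitalized, UPPER), with or without a suffix."""
    return (dict_size + n_personal) * 3 * (len(COMMON_SUFFIXES) + 1)


if __name__ == "__main__":
    # "Chewy123" with the owner's pet name supplied as a personal token.
    print(audit_password("Chewy123", personal_tokens=["Chewy"]))
    # A 100,000-word dictionary plus 20 personal facts gives a very small space.
    print(pattern_guess_space(100_000, 20))
```

The second figure is the point: a word-plus-suffix password sits in a candidate space of a few million, regardless of how strong the underlying AES encryption is.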
What’s the moral of the story? I guess one is “don’t use weak passwords.” And I guess another is “don’t do stuff that will get you arrested.” But regardless of what it may be, I think we can conclude one thing for certain: nobody wants to be using long, complex, “un-memorizable” passwords, not even hackers. But that will cost you when you least expect it.