Megabyte has claimed a new world record in the category “Client who actually uses the weakest password” – as measured by the strength-o-mometer at howsecureismypassword.net. The password’s strength is measured in the amount of time that a single, average desktop PC hitting the password with 4 billion calculations/sec would take to crack the password. Now, where typically PC users should be aiming for the higher numbers – millions of years or better, Megabyte claims the record of shortest amount of time taken to crack a password that is actually in everyday use in an online application.

The record requires a unique combination of outdated technology along with lackadaisical security considerations by the application service provider (most, in fact almost all, passwords are required to meet a minimum standard) and a uniquely blase mindset held by the blissfully ignorant user who proffers up this sickeningly feeble password which the primitively coded web page accepts.

The password in question contains 6 characters & is in everyday online use with a local ISP in Auckland, New Zealand. Used to access the open-source Squirrel Mail application, which I would doubt whether it has any real security in place whatsoever. The astounding returned result is claimed as a new world record – 0.00025 sec!! Almost instantly. There’s nothing you’ve done today in anything approaching that time – it takes .1 sec to blink, so you could crack this password 400 times in the time it takes to blink once. Truly, a magnificent effort in mediocrity. I don’t know how he’s survived for so long.

Evidence supporting Megabyte’s claim for a new world record:

When I explained the mechanics of online security and the dangers of weak security, the client appeared interested for oh, a nanosecond, then responded with what I suggest is his catchphrase in life – “Yes, but!” Still, I thought you can’t possibly be so ignorant, this man’s house – 1 back from the seafront and in the same suburb as billionaire Graham Hart’s residence, is $2,000,000+, he has a national & international profile in his industry and is regarded as a smart, savvy operator by all who deal with him. So, surely, you’re going to implement an immediate password change. The one we discussed is easy for him to remember, and incredibly difficult to brute-force – 392 quadrillion years. By which time I expect him (all of you actually) to have a new password.

Evidence of a safer way:

So imagine my amazement when a couple of days later I took a call from this guy in a frustrated rage – his email box was full and refusing to send mail, plus his desktop email client – Windows Live Mail (using Microsoft programs online huh? What could possibly go wrong?) couldn’t delete the online copies of the mail that was choking the server that his ISP (alright, I give in, it’s Compassnet, ok?) stores his mail on. So I opened up Chrome at home, went to his webmail interface, entered his email address & the new password and promptly got rejected. So I tried the pathetically weak one. Straight in.

Do you know what this man was emailing to his son, in Perth, Australia? Pre-signed family trust papers involving security over some properties which would enable funds to be released in Western Australia later that day. Oh man, have you got your head in the sand or what? It wouldn’t be any more difficult than trivial to have diverted a 7-figure amount, leaving no trace and the victim would have only himself to blame. “Yes, but!” Yes, but it takes a long time to pay that 7-figure debt back to your family trust, and if you’d just listen instead of “Yes, but!” then you wouldn’t be exposing yourself, your wife, your shareholders and stakeholders and your children to an unacceptable level of risk.

While I, I claim a new world record!!

Use the howsecureismypassword.net strength-o-mometer as an essential tool to fail-test your passwords.

If you can provide evidence of an actual password in current online use that cracks quicker than this one, then please post in the comments section below.