Stop Using Weak Passwords
In most up-to-date applications, the code and logic are sound, the cryptography is proven, but our preferred passwords are simple, short, often repeated, and dangerously ineffective to motivated or sophisticated attackers.
Stop Using Weak Passwords
0
By Ops Tech Alliance Security June 3, 2020

Ineffective Passwords

Passwords are part and parcel of living in the modern information age, and they are unfortunately one of the 

weakest attack points in any computer system or application.  Consider the hundreds or thousands of development hours behind securing the most popular eCommerce, gaming, or social media sites, and then the 12 seconds it took you to type and create an easy-to-remember password.  In most up-to-date applications, the code and logic are sound, the cryptography is proven, but our preferred passwords are simple, short, often repeated, and dangerously ineffective to motivated or sophisticated attackers. This is like using a high end, fireproof, triple-wall document safe, and then securing the hatch with only a twist tie.

This post will briefly discuss password attacks, ideal password strategies, password managers, and tips for creating effective but memorable passwords.

Best practices are to use a long and completely random string of numbers, letters, and special characters…

Hacking Passwords

Hackers have developed several effective methods to defeat and crack passwords and hashes. Some popular techniques include:

  • Dictionary attacks – Password dictionaries or word lists are robust collections of captured, stolen, or common passwords that attackers may use to discover and match with your password. The aim during password creation is to be unique enough that your password is never on a published list.Also, as companies or organizations are breached and passwords are stolen, affected users should immediately update and change their password. The website Have I Been Pwned is a great resource that maintains a record of the most recent and destructive data breaches.
  • Social engineering – By learning details about a particular person, attackers compile lists of keywords (e.g. pet names, hometowns, hobbies, sports teams, birthdays, etc.) to integrate into a targeted word list, before mangling it to introduce numbers, special characters, and special combinations of those targeted words. Social engineering also includes less technical means, like simply masquerading as help desk support and asking for the person’s password.
  • Guessing – As simple as it sounds, a shocking percentage of people use common passwords. You can find various published lists of the top 10 to 1,000,000 password lists by region and year. **Pro Tip: 123456, password, and qwerty are not good passwords!
  • Brute Force – A sure proof but often prohibitively long method to crack a password is to throw everything you have got at it. A brute force attack involves trying every combination of letter, number, and special character until the correct password is discovered. Modern computational resources can crack shorter passwords in a matter of seconds or minutes, but with increased length, the processing time scales immensely. For example, an 8-character password (House28#) may take nine hours to crack, while the same password stretched just a little further (House28####), would require 400 years to defeat! You can learn more at How Secure Is My Password but be cautious of entering your actual passwords!

Best Practices

When creating a new password, the best practice is to use a long and completely random string of numbers, letters, and special characters because those passwords cannot be easily guessed, learned through social engineering, and will not be found in any dictionary or word list. This forces a hacker to attempt a brute force attack. They can crack your password, but after 345 quadrillion years it will not matter. By design, these passwords are incredibly difficult to remember. However, there are useful tools called Password Managers that help with creating, and organizing, and recalling these long and complex passwords.

A password manager like 1Password or LastPass integrates easily with web browsers, smartphones, and computers to help create, manage, store, and audit complex passwords. There are a multitude of free and paid services, but they typically require a password to gain access. So, what’s the best method to create a long, complex, and unique password that is also easy to remember?

 

Creating Strong But Memorable Passwords

Some of the best recommendations are to:

  • Use multiple languages
    • Most word lists or dictionaries are organized by target language; even anglicizing foreign words will help
  • Use unusual, abbreviated, or non-dictionary words
    • Combine or shorten normal words to create unique strings
  • Include upper- and lower-case letters, numbers, and special characters
    • Increasing complexity  increases cracking process time
  • Aim for a minimum of 15 characters
    • In length vs complexity, length dramatically increases the cracking process time and improves password strength
  • For the sake of memory, make it entertaining or themed
    • For example, Foods I like that my wife does not – NCBBQ!DietSoda&Kimchi98

With those tips, I easily created a 20+ character password with NC BBQ (combined abbreviations), Diet Soda, Kimchi (an anglicized Korean dish) plus some numbers and special characters. Attackers would likely need to brute force this password, while I can quickly recall it to gain access to my password manager where my other complex and less memorable passwords are kept.

 

In a future post, we’ll highlight simple tools and services, like Single Sign On (SSO) and Multi-factor Authentication (MFA), to further improve password strength and authentication effectiveness.

Related Posts

The Anatomy of the 2020 Twitter Hack

This hack has been called “the worst hack of a social media platform yet”….

0
22 Oct 2020
Crypto-Crime: A New Security Challenge

The rapidly rising popularity of cryptocurrencies puts investors directly in the sights of criminals looking to steal more crypto for themselves….

0
06 Sep 2022
Protecting Your Privacy Using a Travel Router

Learn how to protect your information and devices from prying eyes while connecting to WiFi during travel….

0
01 Jun 2022
Hardening Your Device’s Security

If your phone is confiscated or stolen, do you want all of your personal information in the hands of someone else? Not this guy!

0
29 Jul 2020
BIOS Security And Why It’s Important

If not secured, an intruder could use the BIOS to initiate damaging attacks that could compromise your privacy, data, and system functionality….

0
11 Mar 2021
8 Simple Tips to Make Your iPhone More Secure

Your phones care very little about your security and privacy out of the box….

0
15 Apr 2022
HTTPS, SSL, and TLS

Hyper Text Transfer Protocol Secure (HTTPS) is the solution to the security problem that plagued HTTP.

0
19 Aug 2020
Quick Tip: You probably don’t need that app

Occasionally, I find something outrageous, like a scientific calculator app that requests access to my contacts. Just unnecessary….

0
11 Feb 2021
Big Data & Artificial Intelligence

Lorem Ipsum. Proin gravida nibh vel velit auctor aliquet. Aenean sollicitudin, lorem quis bibendum auctor, nisi elit consequat ipsum, nec sagittis sem nibh id elit. Duis sed odio sit amet nibh vulputate cursus a sit amet mauris.

0
10 Jun 2020
Quick Tip: Update Your Apple Devices Now

Last week, Apple released a security update to address a zero-day, or previously unknown, vulnerability affecting IOS, IPadOS, and watchOS….

0
01 Apr 2021
Information Leakage on Social Media

Attackers know that social media profiles are treasure troves of personal information waiting to be harvested…

0
24 Jun 2020
7 Simple Tips to Make Your Android Phone More Secure

While privacy on Android may seem impossible, there are steps you can take to improve it….

2
16 May 2022
Scams Hiding In QR Codes

Should you be trusting of any random QR code that you find? I don’t think so….

0
21 Jan 2021
Insider Threats – The Vulnerabilities Within

The often-overlooked element of security is the insider who is already behind your wall of defense….

0
28 Jan 2022
Securing The Internet Of Things

It may seem harmless for a hacker to steal control of your refrigerator, but there are ways it can be valuable to them…..

0
07 Jan 2021

Leave a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.