Ineffective Passwords
Passwords are part and parcel of living in the modern information age, and they are unfortunately one of the
weakest attack points in any computer system or application. Consider the hundreds or thousands of development hours behind securing the most popular eCommerce, gaming, or social media sites, and then the 12 seconds it took you to type and create an easy-to-remember password. In most up-to-date applications, the code and logic are sound, the cryptography is proven, but our preferred passwords are simple, short, often repeated, and dangerously ineffective to motivated or sophisticated attackers. This is like using a high end, fireproof, triple-wall document safe, and then securing the hatch with only a twist tie.
This post will briefly discuss password attacks, ideal password strategies, password managers, and tips for creating effective but memorable passwords.
Best practices are to use a long and completely random string of numbers, letters, and special characters…
Hacking Passwords
Hackers have developed several effective methods to defeat and crack passwords and hashes. Some popular techniques include:
- Dictionary attacks – Password dictionaries or word lists are robust collections of captured, stolen, or common passwords that attackers may use to discover and match with your password. The aim during password creation is to be unique enough that your password is never on a published list.Also, as companies or organizations are breached and passwords are stolen, affected users should immediately update and change their password. The website Have I Been Pwned is a great resource that maintains a record of the most recent and destructive data breaches.
- Social engineering – By learning details about a particular person, attackers compile lists of keywords (e.g. pet names, hometowns, hobbies, sports teams, birthdays, etc.) to integrate into a targeted word list, before mangling it to introduce numbers, special characters, and special combinations of those targeted words. Social engineering also includes less technical means, like simply masquerading as help desk support and asking for the person’s password.
- Guessing – As simple as it sounds, a shocking percentage of people use common passwords. You can find various published lists of the top 10 to 1,000,000 password lists by region and year. **Pro Tip: 123456, password, and qwerty are not good passwords!
- Brute Force – A sure proof but often prohibitively long method to crack a password is to throw everything you have got at it. A brute force attack involves trying every combination of letter, number, and special character until the correct password is discovered. Modern computational resources can crack shorter passwords in a matter of seconds or minutes, but with increased length, the processing time scales immensely. For example, an 8-character password (House28#) may take nine hours to crack, while the same password stretched just a little further (House28####), would require 400 years to defeat! You can learn more at How Secure Is My Password but be cautious of entering your actual passwords!
Best Practices
When creating a new password, the best practice is to use a long and completely random string of numbers, letters, and special characters because those passwords cannot be easily guessed, learned through social engineering, and will not be found in any dictionary or word list. This forces a hacker to attempt a brute force attack. They can crack your password, but after 345 quadrillion years it will not matter. By design, these passwords are incredibly difficult to remember. However, there are useful tools called Password Managers that help with creating, and organizing, and recalling these long and complex passwords.
A password manager like 1Password or LastPass integrates easily with web browsers, smartphones, and computers to help create, manage, store, and audit complex passwords. There are a multitude of free and paid services, but they typically require a password to gain access. So, what’s the best method to create a long, complex, and unique password that is also easy to remember?
Creating Strong But Memorable Passwords
Some of the best recommendations are to:
- Use multiple languages
- Most word lists or dictionaries are organized by target language; even anglicizing foreign words will help
- Use unusual, abbreviated, or non-dictionary words
- Combine or shorten normal words to create unique strings
- Include upper- and lower-case letters, numbers, and special characters
- Increasing complexity increases cracking process time
- Aim for a minimum of 15 characters
- In length vs complexity, length dramatically increases the cracking process time and improves password strength
- For the sake of memory, make it entertaining or themed
- For example, Foods I like that my wife does not – NCBBQ!DietSoda&Kimchi98
With those tips, I easily created a 20+ character password with NC BBQ (combined abbreviations), Diet Soda, Kimchi (an anglicized Korean dish) plus some numbers and special characters. Attackers would likely need to brute force this password, while I can quickly recall it to gain access to my password manager where my other complex and less memorable passwords are kept.
In a future post, we’ll highlight simple tools and services, like Single Sign On (SSO) and Multi-factor Authentication (MFA), to further improve password strength and authentication effectiveness.