Last week I touched briefly on passwords as one of the basics you should “master”, or at least improve upon, in order to boost your security stance. I mentioned avoiding weak passwords, password reuse, and password managers. This week, I’ll expand a bit more into the how and why of each of these areas as well as something called multifactor authentication. I hope the following doesn’t seem too technical; my intent is to illustrate just how vulnerable our passwords really are.
Many people use passwords that are too weak. This isn’t necessarily the user’s fault either. Complex requirements make them difficult to come up with, make unique, and remember. Oh, and don’t write them down either! The strongest passwords you can use are completely random, long strings of upper- and lower-case letters, numbers, and special characters. But why is this? In order to understand this, we need to understand a little bit about the nature of passwords.
Passwords are not, or they should not be, stored in clear text. The standard practice is for passwords to be stored on systems as a hash. A hash is a special computation done on any text and results in a unique and non-reversible output. There are many kinds of hashes and a common one is called MD5. Here is an example of the title of this article converted into an MD5 hash.
Password Essentials – Passwords and Password Managers = 3205c736e2cdfba6c157c5fd2aab7660
The text will always equal the same hash value and a minor change will drastically alter the hash—even something as small as capitalizing a single letter. Also, a hash output will always be the same length regardless of the input length, even if it’s shorter. An MD5 hash output is always 32 characters long. Some hash algorithms, or formulas, produce shorter outputs while others produce longer ones.
Password Essentials – Passwords And Password Managers = 38d294bd451c137dd5c04fb600fdbf62
When you first create an account and an associated password, a password’s hash is generated and stored in the system. Then, each time you log into the system, your password is hashed again, and that hash is compared with the stored value. If the values match, viola, you are granted access.
Password Complexity & Search Space
Two things we need to understand are password complexity and something called search space. The easiest way to think of password complexity is the degree of randomness of your password. If your password is based on a word, using alternative characters (permutations), it’s not a good password and can easily be cracked with modern software. For example, using @ for a, or 5 for s, 0 for o, and so on. Typical password complexity requirements demand two uppercase, two lowercase, two numbers, and two special characters. Depending on the system, the minimum length can be between 8 and 16 characters. You can meet all of those requirements and still have a weak password, for example, [email protected]$W0rd!. This password wouldn’t last long at all in an attack.
While completely random strings of characters form the strongest passwords, they can be next to impossible to remember and lead us poor practices like writing our passwords down. If you prefer to remember your passwords, a passphrase is the next better option. A passphrase is where you take the first letter of each word and then permute, or exchange, the letters with uppercase, numbers or special characters. Ultimately, the best option is to use completely random passwords and I’ll cover that in a bit, however, here’s an example of creating a passphrase.
We the People of the United States, in Order to form a more perfect Union =
wtpotusiotfampu = wTp0#[email protected]
Note, I don’t recommend using a well-known or famous phrase, this sentence was selected for demonstration purposes only. Don’t forget, the bad guys know all of the security tricks too!
What about search space? Search space tells you how many different passwords can be created from various combinations of letters, numbers, and characters, and how long it would take a computer to guess that password starting at nothing and attempting every single combination possible—this is known as the brute force method. This concept plays into the next section on cracking. Search space tells you how much computing resources would be consumed in cracking your password. Put more simply, how much time it would take.
Hackers use automated tools to figure out, or crack, passwords. These tools are readily available on the Internet and easy to learn to use. In fact, password cracking is one of my favorite security challenges in competitions. To crack a password, you have to guess the hash. Having clues helps but if you don’t have clues, you have to resort to a brute force approach, and, as we’ve seen, that could take centuries with a very strong password. A “dictionary attack” is one very common approach that uses all of the words in a dictionary as starting clues. The cracking programs take each word and shift though all of its possible permutations, generating a hash for each one and checking for a match. A single word can have thousands upon thousands of permutations.
password = 5f4dcc3b5aa765d61d8327deb882cf99
Password = dc647eb65e6711e155375218212b3964
PassWord = a9d402bfcde5792a8b531b3a82669585
[email protected]$W0rd = f5cac69586d60b98d43a2ae34d64e876
[email protected]$W0rd1 = 423d75b7178fe5a93f93368589496c04
While this seems like a tedious process, modern computer processors are capable of calculating millions of permutations and generating their hashes each second. Yes, millions per second. Additionally, huge databases of already cracked passwords are available to help speed up the process. Think of all the data breaches you hear about in the news. This is what hackers are after, huge collections of account usernames and password hashes, among other things. Hopefully, this helps to highlight the danger in using common words as passwords. Check out this list of the most commonly used passwords in the past decade—“123456” is the reigning champion.
What I just described is called an offline attack method, where attackers already have the information on their own computers and are trying to decode it. Thankfully, there are safeguards in place to help prevent using automated tools for an online attack. Think of a time that you mis-entered your password X number of times and your account was locked out for a set time, or you had to call tech support to have it unlocked. This may seem like a pain, but its in place to keep our accounts safe. Want to check your email addresses to see if they’ve ever been involved in a known data breach? Check out the link below.
Password Reuse & Default Passwords
These are two cardinal sins in the world of password use that you really have to change now. If you reuse passwords across multiple platforms and websites, all of your accounts are in danger if even one account is compromised. This practice is understandable because we’re encouraged to never write down our passwords. Well, the next easiest thing is just make them all the same, or very similar. Remember from the previous section, once a password is known, it’s simple to use cracking software to generate thousands of permutations. This presents a massive risk if you’re using the same or similar passwords for everything from your social media to online banking accounts. Ok, if all of your passwords need to be unique and special, how can you possibly remember all of them without writing them down somewhere? Recall that I talked about creating a passphrase earlier. In practice, you could take your passphrase and append some information about the website you’re logging into, making it even stronger. For example.
Passphrase = wTp0#[email protected]
Website = www.facebook.com = fb, Fb, fB, or FB (easy to recall)
Passphrase + Website = wTp0#[email protected]Fb
Never, never, never keep a default password or a password that you are given. If you are given a password, you should be prompted to change it upon the first use—they typically expire after a set time anyway. If not prompted, change it right away yourself. Default passwords are easy for anyone to find. Below is a site organized by vendor, more than 500 of them, and over 2,000 default passwords. Default passwords are among the first that an attacker will attempt to use. Do you have a router, wireless camera, wi-fi enabled printer? I bet they’re on the list. Mine are.
Hopefully, you’re still with me by now. I know this has been a lot of information to take in, but as I said earlier, overcoming poor password habits can make a huge difference in your security posture. Before we move on, let’s recap. We must: 1) make passwords/passphrases long, complex and random; make them unique from one another; don’t reuse them; don’t’ write them down.
Thankfully, there’s a simple way to achieve this—password managers. A password manager helps you create, manage, and use strong, unique passwords. You only have to remember one, your master password, which needs to be a super strong passphrase. There are several password managers out there, 1Password, LastPass, Dashlane, and KeePass just to name a few, and all of them offer lots of features. However, it’s not my intent to promote a particular password manager, rather what you should look for in one. Using your browser’s built-in password manger is better than not using one, however, I do recommend using a third-party password manager. Their entire focus is password security.
In general, these are the main features you’ll want to look for in a solid password manager:
- Generates strong passwords
- Uses AES encryption
- Master password stored and encrypted locally
- Cross-platform compatibility (works on your computer/laptop, mobile devices, different operating systems, etc.)
Below are some links to reputable sources with recent reviews of several password managers. I encourage you to read through them and find one that works for you. Once you’ve picked one, I know it can feel like a daunting task to plug in everything. Some managers will recognize a website login and ask if you want to store it, so that can be a bonus. I recommend picking one area, like your most used accounts, and start with them. You might find it goes quicker and easier than you thought.
Another way to improve password strength is with multifactor authentication (MFA). You’ve probably used this before and didn’t know that’s what it was called. A common example is using an ATM card and a PIN. These are two authentication factors—something you have, the card, and something you know, the PIN.
There are three commonly used factors: something you have, something you know, something you are. Something you are constitutes your biometric information such as: fingerprint, iris, retina, palm print, face, etc. There are other factors that aren’t as common, such as something you do and somewhere you are. Something you do can be your signature, typing rhythm, or walking stride. Somewhere you are is just what it sounds like.
Using a password and a PIN doesn’t constitute MFA since they are both things that you know—this goes for a PIN that you have created versus one you are sent. The exception is if you log in to an account with your password, something you know, and are sent a one-time code to your phone, something you have. This is MFA. I highly recommend that you take advantage of any opportunity you have to use MFA with your online accounts. If your information is compromised and your password is cracked, the attacker will only have one factor and not be able to complete a log in.