HOW TO: Create Stronger Passwords

Year after year, the most common passwords discovered in data breaches include the same “123456”, “qwerty” and “password”. It’s the end of 2019 and it’s time to change that.

A password is the most widely used form of authentication in the world. Whether it’s a bank account, an ATM, an email account or anything else, a username and a password (or a card and a PIN) are what authenticate you. It’s imperative to choose strong passwords.

It’s also important to note that, given enough motivation, time and resources, there is NO password that can’t be broken. That shouldn’t discourage you: attackers go after the low-hanging fruit first, and the point of everything below is to make sure you aren’t it.

Hackers don’t simply sit at the login page and guess your password one attempt at a time; a login form is slow, usually rate-limited and often locks the account after a few failures. Instead, they attack a vulnerable system and steal its password database. A properly built system does not store passwords in plain text but as a hash.

A hash is a one-way function, not encryption: the same input always produces the same output, but there is no key and nothing to “decrypt”, so the only way back from a hash to the password is to guess candidates and hash each one. General-purpose hashes such as MD5, SHA-1 or SHA-256 are often used to hash passwords, which is a mistake: they are designed to be fast, and fast is exactly what an attacker wants. Password storage should use a random per-user salt and a deliberately slow function such as bcrypt, scrypt, Argon2 or PBKDF2.

Once hackers have those hashes, they can take as much time as they need to crack the passwords offline, on their own hardware, with no lockouts or rate limits in the way.
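
To make the hashing point concrete, here is an added example (mine, not code from the original article) in Python that stores the same password for two users the weak way (unsalted MD5) and the proper way (a random salt plus PBKDF2-HMAC-SHA256 from the standard library). The sample accounts and the record layout `algorithm$iterations$salt$hash` are constructed for this example and are not taken from any real system.

```python
import hashlib
import hmac
import os

# Constructed sample accounts: two users happen to pick the same password.
USERS = {
    "alice": "Summer2019!",
    "bob": "Summer2019!",
    "carol": "w6#Jq2!vLp9$Rt4&ZmXc0dYh",
}


def unsalted_md5(password: str) -> str:
    """The weak scheme: a fast, unsalted general-purpose hash.
    Same input -> same output, for every user and every site."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def make_record(password: str, iterations: int = 200_000) -> str:
    """Store a password properly: random per-user salt + a slow, iterated KDF.
    PBKDF2-HMAC-SHA256 is used because it is in the standard library; bcrypt,
    scrypt or Argon2 are equally good.  The record layout
    (algorithm$iterations$salt$hash, salt and hash as hex) is an assumption
    made for this example."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_record(password: str, record: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record type: {algo}")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), hash_hex)


def unsalted_duplicates(users: dict) -> dict:
    """Group users by unsalted hash.  Every group with more than one member is a
    'crack one, get all' situation for the attacker."""
    groups = {}
    for name, pw in users.items():
        groups.setdefault(unsalted_md5(pw), []).append(name)
    return {h: names for h, names in groups.items() if len(names) > 1}


def salted_records(users: dict) -> dict:
    """Same passwords as above, but the random salt makes every stored hash unique."""
    return {name: make_record(pw) for name, pw in users.items()}


def stored_hashes_unique(records: dict) -> bool:
    """True when no two records share a derived hash."""
    return len({r.split("$")[3] for r in records.values()}) == len(records)


if __name__ == "__main__":
    print("unsalted MD5 duplicates:", unsalted_duplicates(USERS))
    recs = salted_records(USERS)
    for name, rec in recs.items():
        print(name, rec)
    print("salted hashes all distinct:", stored_hashes_unique(recs))
    print("verify alice / correct password:", verify_record("Summer2019!", recs["alice"]))
    print("verify alice / wrong password:  ", verify_record("Summer2018!", recs["alice"]))
```

Run it and alice and bob share one MD5 hash, so cracking it once exposes both of them, while their salted records differ even though the password is the same. Note that `verify_record` compares digests with `hmac.compare_digest` rather than `==`, so the comparison time does not leak how many leading bytes matched.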

NOTE: cracking the password is not always necessary for a hacker to access password-protected information. If hackers can replay a cookie, a session ID or an authenticated session, they can access password-protected resources without ever knowing the password.

Let’s start with the basics…

Password characters can be:

  • Lowercase: a, b, c, …
  • Uppercase: A, B, C, …
  • Digits: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9
  • Special characters (the 32 printable ASCII symbols):

    Character   Name                        Unicode
    !           Exclamation mark            U+0021
    "           Double quote                U+0022
    #           Number sign (hash)          U+0023
    $           Dollar sign                 U+0024
    %           Percent sign                U+0025
    &           Ampersand                   U+0026
    '           Single quote (apostrophe)   U+0027
    (           Left parenthesis            U+0028
    )           Right parenthesis           U+0029
    *           Asterisk                    U+002A
    +           Plus sign                   U+002B
    ,           Comma                       U+002C
    -           Minus (hyphen)              U+002D
    .           Full stop (period)          U+002E
    /           Slash                       U+002F
    :           Colon                       U+003A
    ;           Semicolon                   U+003B
    <           Less than                   U+003C
    =           Equals sign                 U+003D
    >           Greater than                U+003E
    ?           Question mark               U+003F
    @           At sign                     U+0040
    [           Left square bracket         U+005B
    \           Backslash                   U+005C
    ]           Right square bracket        U+005D
    ^           Caret                       U+005E
    _           Underscore                  U+005F
    `           Grave accent (backtick)     U+0060
    {           Left brace                  U+007B
    |           Vertical bar (pipe)         U+007C
    }           Right brace                 U+007D
    ~           Tilde                       U+007E

NOTE: special characters can also include the ‘extended ASCII’ codes (and Unicode in general), but many systems won’t accept them, so don’t count on anything beyond the 94 printable ASCII characters above unless you have verified that the system handles more.

Types of Attacks

1. Dictionary – the simplest attack and usually the first thing tried. It takes a wordlist (dictionary words, names and, above all, passwords leaked in previous breaches), hashes each entry and checks whether it matches. A computer can run through millions of entries in seconds.

2. Rainbow Table – as mentioned above, passwords are not stored in plain text but as hashes, so even when hackers get hold of the password database they still have to turn each hash back into a password. Doing that by hashing a wordlist from scratch for every stolen hash is time- and CPU-intensive. A rainbow table moves that work to a one-off precomputation: the hashes of a huge candidate set are computed in advance and stored compactly (as chains, so the table fits on disk), and cracking becomes a lookup of the stolen hash in the table. When there’s a match, they’ve got the password. The standard defence is a random per-user salt mixed into the hash: the same password then hashes differently for every user and every system, so no precomputed table applies.

3. Brute Force – the most time-consuming method. It tries every combination of letters, digits and special characters (see above) up to a given length, so it always succeeds eventually; the only question is when. More computing power = more guesses per second = a bigger keyspace exhausted in the same time.

4. Hybrid – this attack combines dictionary words with letters, digits and special characters. Typically it takes each dictionary word and appends or prepends digits, toggles case, and replaces letters with look-alike digits and symbols. For example, take one of the most commonly used passwords – ‘password’. A hybrid attack will try ‘123password’, ‘password123’, ‘p@$$w0rd123’ and thousands of similar variants, which is why “adding a number and a symbol” to a word buys you very little.
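
The four attack types above, run against a constructed password file, as an added example that is not part of the original article. It builds a handful of unsalted MD5 hashes (the scenario the article describes), then tries the attacks cheapest-first: a wordlist, a precomputed hash-to-password table standing in for a rainbow table, hybrid mangling rules, and finally a small brute force over four lowercase letters. The wordlist, the `LEET` map and the `mangle` rules are my own simplified stand-ins for a real wordlist and a hashcat/John rule file.

```python
import hashlib
import itertools
import string

LOWER = string.ascii_lowercase


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


# Constructed "stolen" password file: unsalted MD5 hashes.  The plaintexts are
# only used here to build the sample; the attacker sees just the hashes.
STOLEN_HASHES = {
    "user1": md5_hex("password"),                   # plain dictionary word
    "user2": md5_hex("p@$$w0rd123"),                # mangled dictionary word
    "user3": md5_hex("zqxj"),                       # short random lowercase
    "user4": md5_hex("Tr0ub4dor&3xK9#mQ2vL!pW8"),   # long, random, mixed classes
}

# A tiny wordlist standing in for a real one (leaked-password lists run to millions).
WORDLIST = ["123456", "qwerty", "password", "letmein", "dragon", "iloveyou", "trouble"]


def dictionary_attack(target: str, words):
    """1. Dictionary: hash each wordlist entry and compare."""
    for w in words:
        if md5_hex(w) == target:
            return w
    return None


def build_lookup_table(words) -> dict:
    """2. Precomputed table: hash the whole wordlist once, then every stolen hash
    is a dictionary lookup.  A real rainbow table compresses this into hash chains,
    but the idea (do the hashing once, reuse it for every target) is the same.
    A per-user salt defeats it because salt+password was never precomputed."""
    return {md5_hex(w): w for w in words}


def brute_force(target: str, alphabet: str, max_len: int):
    """3. Brute force: every string over `alphabet` up to `max_len` characters.
    Returns (password or None, number of guesses made)."""
    tried = 0
    for n in range(1, max_len + 1):
        for tup in itertools.product(alphabet, repeat=n):
            tried += 1
            cand = "".join(tup)
            if md5_hex(cand) == target:
                return cand, tried
    return None, tried


LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}


def mangle(word: str):
    """4. Hybrid: dictionary word + case, leet and digit rules (simplified rule file)."""
    leet = "".join(LEET.get(c, c) for c in word)
    bases = [word, word.capitalize(), word.upper(), leet, leet.capitalize()]
    for b in dict.fromkeys(bases):       # dedupe, keep order
        yield b
        for n in range(1000):            # append / prepend 0..999
            yield f"{b}{n}"
            yield f"{n}{b}"
        for year in range(1950, 2021):   # append a year
            yield f"{b}{year}"


def hybrid_attack(target: str, words):
    for w in words:
        for cand in mangle(w):
            if md5_hex(cand) == target:
                return cand
    return None


def crack_all(stolen: dict, words) -> dict:
    """Cheapest attack first; a hash that survives every stage stays uncracked."""
    table = build_lookup_table(words)
    results = {}
    for user, h in stolen.items():
        pw = table.get(h)
        if pw is not None:
            results[user] = ("lookup table", pw)
            continue
        pw = hybrid_attack(h, words)
        if pw is not None:
            results[user] = ("hybrid", pw)
            continue
        pw, _tried = brute_force(h, LOWER, 4)
        results[user] = ("brute force", pw) if pw is not None else ("not cracked", None)
    return results


if __name__ == "__main__":
    for user, (method, pw) in crack_all(STOLEN_HASHES, WORDLIST).items():
        print(f"{user}: {method} -> {pw}")
```

The first three users fall in well under a second; only the long random password survives, because the brute force here stops at four lowercase characters and even a real rig would not get to 24 mixed characters. Against salted, slow hashes the lookup table is useless and every other stage runs thousands of times slower.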


Best Practices

1. Size does matter.

The length of your password should be the maximum number of characters the system will accept. The absolute minimum should be 20-25 characters; I would say that anything below that is not worth much in 2020 and beyond. The reasoning behind a long password? Every character you add multiplies the number of possible combinations by the size of the alphabet, so the time to crack grows exponentially with length. Once cracking your password takes too long, you’re no longer the low-hanging fruit and chances are very high that the hacker will move on.


2. NEVER use just numbers or dictionary words.

There are 10 digits (0-9). Even if your password is 10 characters long, a numeric-only password amounts to only 10^10, i.e. 10 billion, possibilities. That might sound like a lot, but against a fast hash like MD5 it is about a second of work for a single modern GPU: child’s play.

As for dictionary-words-only passwords… also child’s play. The words you choose are neither unique nor obscure, and it doesn’t take long for even a beginner to test every word and common word combination in a wordlist.

Don’t think that adding a few digits and a couple of special characters to your dictionary-word password makes you safe. There are tools that let the hacker build custom wordlists (including from details about you) and plenty more that crack passwords by applying mangling rules to those wordlists, which is exactly the hybrid attack described above.


3. Use ALL allowed characters.

Brute-force password cracking is when hackers try every possible combination of characters until they find your password. Against a large keyspace that requires a lot of time and computing resources.

But with GPUs, ASICs, cloud compute and botnets the cost of brute force keeps falling, and a keyspace that was out of reach a few years ago is routine today.

You’ll want a password that forces hackers to spend long enough that they give up and move on to the next target.

So make sure your password includes at least one lowercase letter, one uppercase letter, one digit and one special character, and pick them at random: ‘Password1!’ ticks every box and is still a dictionary word with a trivial hybrid mangling.

Let’s do some math…

Let’s take one of the most commonly used passwords – ‘password’: an 8-character, all-lowercase password.

There are 26 letters in the alphabet, so the keyspace for this password is 26 raised to the 8th power, or 208,827,064,576 (almost 209 billion) possible combinations. That’s a huge number, right? It is, but not for a computer: at an assumed 10 billion guesses per second (a realistic ballpark for unsalted MD5 on a single modern GPU) it is exhausted in about 21 seconds.

Now take a password that is also 8 characters long but uses lowercase, uppercase, digits and special characters. The keyspace becomes 94 (26 lowercase letters + 26 uppercase letters + 10 digits + 32 special characters) raised to the 8th power, or 6,095,689,385,410,816 (over 6 quadrillion) possible combinations, roughly 29,000 times more. At the same 10 billion guesses per second that is about a week.

Now imagine a password 50 or more characters long…
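
The arithmetic above, generalised across character sets and lengths, as an added example that is not from the original article. `GUESSES_PER_SECOND` is an assumption (10 billion per second, a ballpark for unsalted MD5 on one modern GPU; a slow, salted hash cuts it by orders of magnitude, a botnet multiplies it); everything else is the keyspace formula. It also checks the claim behind “size does matter”: 20 lowercase letters (26^20) outnumber 12 characters drawn from all 94 (94^12).

```python
import math

# Alphabet sizes for the character classes listed at the top of the article.
CHARSETS = {
    "digits only": 10,
    "lowercase only": 26,
    "lower + upper": 52,
    "lower + upper + digits": 62,
    "all 94 printable ASCII": 94,
}

# ASSUMPTION: 10 billion guesses/second, a ballpark for unsalted MD5 on a
# single modern GPU.  Adjust to the hash and hardware you care about.
GUESSES_PER_SECOND = 10_000_000_000


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for a password chosen uniformly at random from the keyspace."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size: int, length: int,
                       rate: int = GUESSES_PER_SECOND) -> float:
    """Worst case for the attacker: every candidate tried.  On average, half that."""
    return keyspace(alphabet_size, length) / rate


def human_duration(seconds: float) -> str:
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600),
             ("hours", 3600), ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3g} seconds"


def comparison_table(lengths=(8, 12, 16, 20, 25)):
    """(charset, length, keyspace, entropy bits, time to exhaust) for each combination."""
    rows = []
    for label, n in CHARSETS.items():
        for length in lengths:
            rows.append((label, length, keyspace(n, length),
                         round(entropy_bits(n, length), 1),
                         human_duration(seconds_to_exhaust(n, length))))
    return rows


def length_beats_complexity() -> bool:
    """The article's point: 20 lowercase letters outnumber 12 characters from all 94."""
    return keyspace(26, 20) > keyspace(94, 12)


if __name__ == "__main__":
    print(f"{'charset':<24}{'len':>4}{'keyspace':>30}{'bits':>7}  time to exhaust @ 1e10/s")
    for label, length, space, bits, t in comparison_table():
        print(f"{label:<24}{length:>4}{space:>30,}{bits:>7}  {t}")
    print("26^20 > 94^12:", length_beats_complexity())
```

The table makes the trade-off visible: 8 characters from all 94 classes is about 52 bits, roughly a week at the assumed rate, while 20 lowercase letters is about 94 bits and 25 characters from all classes is about 164 bits, far beyond anything exhaustible. The entropy figures only hold for passwords chosen at random; a dictionary word with a digit on the end has the keyspace of the wordlist and the rule, not of its length.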


4. Change your password often.

It’s important to change all of your passwords from time to time. Everybody uses the word ‘often’ when recommending that you change your passwords, but ‘often’ is a relative term.

Let’s simplify this…

Ask yourself one question: “What’s the value of the data behind the password?” When you answer that question, you’ll figure out how ‘often’ you want to change your passwords.

For example… if it’s your bank account or a similar account, I don’t think it’s overkill to change your password once a month, but anything up to three months is reasonable. If it’s your email, three months should be fine. Other accounts can be six months to a year. Whatever the schedule, change the password immediately when you learn that the service was breached, and pick a genuinely new one rather than incrementing a digit on the old one, which is the first thing cracking rules try.

Why would you want to do this? Let’s see if this is an easy answer…

Let’s say there’s a breach at a service you use. The same service is used by thousands and thousands of people; some use long, complex passwords, others use “mypassword”. The weak passwords fall first. By the time the hacker gets around to cracking yours, you’ve already changed it, so even when it is eventually cracked it’s worthless.

Also…

Use Have I Been Pwned? to your advantage. First check whether any of your existing accounts appear in a known breach. Next, subscribe to their RSS feed (or their notification service) to stay up to date with the latest breaches. If you see that a service you use was breached, get on top of things immediately.
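
Have I Been Pwned? also offers a Pwned Passwords range API that lets you check a password without sending it anywhere: you send only the first five hex characters of its SHA-1 hash and compare the remaining 35 locally (k-anonymity). The following is an added example (not code from the original article or from HIBP): `fetch_range_live` does the real lookup, while `SAMPLE_RANGE_5BAA6` is a constructed stand-in response, with made-up neighbours and counts, so that the example runs offline.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str):
    """Split the upper-case hex SHA-1 into the 5-char prefix that is sent to the
    API and the 35-char suffix that never leaves your machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Each response line is 'SUFFIX:COUNT'.  With the Add-Padding header the API
    also returns fake entries with count 0; those are dropped here."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep:
            continue
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def breach_count(password: str, fetch_range) -> int:
    """How many times this exact password appeared in known breaches (0 = never seen).
    `fetch_range` is any callable mapping a 5-char prefix to the response text."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Real lookup (needs network).  Only the 5-char prefix is sent."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "hibp-range-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the API's response to prefix 5BAA6, the prefix of
# SHA-1("password").  Only the third suffix is real; the other suffixes and
# every count are made up for this example.
SAMPLE_RANGE_5BAA6 = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1D72CD07550416C216D8AD296BF5C0AE8E0:10
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E2AAA439972480CEC7F16C795BBB429372:0
"""


def offline_fetch(prefix: str) -> str:
    """Fake fetcher so the example runs without network."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ["password", "x7#Qv9!LpR2mZt4&Wk0Yh"]:
        print(f"{pw!r}: seen {breach_count(pw, offline_fetch)} times (constructed data)")
    # For a real check: breach_count(pw, fetch_range_live)
```

Swap `offline_fetch` for `fetch_range_live` to query the real service; the server only ever learns the five-character prefix, which matches hundreds of unrelated hashes. A non-zero count means the password is in attackers’ wordlists already and should be retired regardless of how long or complex it looks.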


5. NEVER use the same password on different accounts.

This should be self-explanatory by now, but let me explain… Suppose you use the same password for all of your accounts. That password is now stored all over the world, in various services and websites. All it takes for it to leak is for a hacker to gain access to the weakest system storing it.

Let me illustrate…

You’re bored and find an online game that asks you to create an account before you can play. You use the same password as everywhere else. If there’s a data breach on that company’s servers, the hacker has no interest in your game data. But what happens when the hacker tries the same email address and password on your bank account? This “credential stuffing” is automated and run against thousands of sites at once, which is why a single reused password is enough.

And that is assuming the service you use (an online game in this example) is trustworthy and will not sell its database.

And while we’re on the subject: DO NOT use the same username for all your accounts. It not only makes you easier to profile, it also makes it easier for the hacker to match up your accounts across breaches.


6. Use 2FA

2FA simply adds an extra layer of verification to the login process: instead of just typing in your username and password, you also have to provide a second factor (a code from an authenticator app, a hardware security key, or a code sent to your phone) before you can access your account. With 2FA, even if a data breach compromises the password, the attacker still needs the second factor to get in.

More on 2FA and other useful tips here.


7. Use a password manager.

You don’t have to remember tens or hundreds of long, complex passwords. A password manager takes care of that, makes it easy to change your passwords, and generates the long, random passwords you need; a password you generate and never have to remember can use the full length and every character a site accepts.

There are a lot of password managers on the market, some as paid apps or services, others free. I’d recommend you take a look at KeePass or Bitwarden.
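
A password manager’s generator, reduced to its essentials, as an added example that is not from the original article or from KeePass or Bitwarden. It draws from all four character classes listed at the top of the article, guarantees at least one of each as section 3 asks, and uses Python’s `secrets` module (a CSPRNG) rather than `random`, whose output is predictable. The `specials` parameter is there for sites that reject some symbols.

```python
import secrets
import string

# The 32 special characters from the table at the top of the article
# (the same set as Python's string.punctuation).
SPECIALS = "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits


def generate_password(length: int = 32, specials: str = SPECIALS) -> str:
    """Random password drawn from all four classes with at least one character
    of each.  Pass a smaller `specials` string for sites that reject some symbols."""
    classes = [LOWER, UPPER, DIGITS, specials]
    if length < len(classes):
        raise ValueError("length must be at least 4")
    alphabet = "".join(classes)
    chars = [secrets.choice(c) for c in classes]                 # one of each class
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]  # rest uniform
    # Fisher-Yates shuffle driven by the CSPRNG, so the guaranteed characters
    # do not always sit in the first four positions.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def has_all_classes(password: str, specials: str = SPECIALS) -> bool:
    """The check section 3 asks for: one lowercase, one uppercase, one digit, one special."""
    return all(any(ch in cls for ch in password) for cls in (LOWER, UPPER, DIGITS, specials))


def missing_classes(password: str, specials: str = SPECIALS) -> list:
    """Which of the four classes a password lacks (empty list = passes)."""
    names = {"lowercase": LOWER, "uppercase": UPPER, "digit": DIGITS, "special": specials}
    return [name for name, cls in names.items() if not any(ch in cls for ch in password)]


if __name__ == "__main__":
    for n in (20, 32, 64):
        pw = generate_password(n)
        print(f"{n:>3} chars, all classes present={has_all_classes(pw)}: {pw}")
    print("missing in 'password123':", missing_classes("password123"))
```

Generate the longest password the site accepts, paste it from the manager, and never type it from memory; the `missing_classes` helper is the kind of check a signup form runs, and it shows why ‘password123’ fails even before anyone considers the dictionary.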