Cyber Security: Password Security

Introduction

Password security should be one of the biggest concerns in the daily lives of everybody. Since they serve as the bridges between us and our digital lives, passwords can literally change your life. Whether they are how you get into your checking account, retirement savings, email account, or phone service, passwords need to be secure.

As I discussed in a previous post, there are several ways that a hacker can crack your password. Unfortunately for us, the rise of cloud computing, big data analysis, deep learning, and virtual reality gaming has encouraged the growth of powerful graphics cards that are capable of cracking passwords with alarming speed. A powerful server, if equipped with the proper graphics cards and software, can compare password combinations at the rate of billions per second.

What this means to the average consumer is that our passwords need to be very complicated so that those password cracking algorithms can not break them. So, how can we do this?

unsplash-logoMarkus Spiske

Countering Brute Force

Brute force algorithms are powerful at cracking passwords that follow a simple ruleset and characterset. A ruleset is a set of patterns or recurring rules that hackers have come to recognize across the vast troves of passwords. Meanwhile, a characterset is typically what type of characters are used in a password as well as the length.

Many hackers expect that they will be successful at breaching some accounts with only brute force, but that the higher value accounts will not be so lightly secured. So, how is the brute force algorithm countered in password security? It is, thankfully, somewhat simple to prevent your password from being susceptible to these accounts:

  • Password length of at least 8 or more. Passwords that are shorter than this are weaker, as there are less characters for the cracking algorithm to guess.
  • Include symbols. Many brute force approaches don’t include character substitutions. This will be further discussed in the next section.
  • Include alphanumeric characters. Don’t ever limit your password to just strictly letters or strictly numbers. If you do that, your password can be cracked extremely easily.

unsplash-logorawpixel

Countering Dictionary Attacks

These types of attacks are difficult to defend against. They have become the method of choice for hackers to crack passwords. Combining common and previously used passwords, dictionary attacks are much more effective than brute force approaches. One of the key differences between brute force methods and dictionary attacks are that the rulesets used in dictionary attacks are much more expansive.

Take for example the following passwords:

power7shark5  
john52Cena96  
danpaulson1982  
Ilove2fishing123  
cookfood777  

These are all terrible passwords for protecting against dictionary attacks. Out of all these passwords, only Ilove2fishing123 and john52Cena96 strike me as potentially strong enough to escape a hacker’s immediate grasp. Many of these passwords follow a pattern of using common English language words conjoined with some numerals thrown in (and, typically at the end!). The more alarming thing is that these passwords don’t look all too bad at first glance. The password length is good for all of them, they all use alphanumeric characters, and some even have case-sensitivity. However, all of this is not enough for dictionary attacks.

The question then becomes, what can we do to protect ourselves? Here’s some things you should do when making a password to prevent dictionary attacks:

  • Password length of 8 or more, for the same reason as brute force.
  • Include symbols, especially spaces and underscores. Avoid common substitutions like (1 = l, 3 = e, and $=s to name a few).
  • Don’t be predictable with your symbol/numeral manipulation. A lot of people put their special characters and numbers at the end—don’t do it. Mix them around!
  • Common English dictionary words CAN be used, but use them with each of the above caveats taken into account.

Password Security Tips

You might be wondering now, “how am I going to remember my password with all these security stipulations and requirements?” For those in industries where security is paramount, this is especially true when passwords are required to be longer than the generally accepted 8 characters. When you must remember multiple passwords across different devices for both your work and personal life, it can be very tempting to pick an easy password to remember.

However, it is possible to create a password with good complexity that is relatively simple to remember! One of the more well-known methods is the ‘xkcd’ method—its namesake is derived from the comic source material. Essentially, a good password could theoretically be composed as follows:

  • A combination of relatively random, unassociated words that mean something to you (or that you won’t forget)
  • Put some spaces or underscores in-between them, whichever one is allowed in the system you are trying to create the account in
  • Don’t be predictable with symbol/numeral manipulation
  • If you must use substitution, it is actually not the end of the world in this case since the password length will be sufficiently long enough that most cracking algorithms won’t be effective

Sample passwords could potentially look like this:

H0rse car$ tr3e battery  
apollo Venus_zeuS plants  
harry_Fly_dog5Computers  
flag_staff de$3rt cake  

Obviously, these passwords should not be used since I’ve just put them online! Basically, each of these words chosen in the password would have some kind of meaning to the account owner. To the hacker, this would be a nightmare to try to break. There is enough complexity across the entire password that an algorithm would much too long to try and crack it. An excellent xkcd comic, though comical at first-glance, summarizes what I described in a graphic.

The other benefit to this is that it is fairly cookie-cutter—replace a few words, do some substitutions and spacing, and voila! However, asides from password generation, there are some other tips that should be followed when it comes to security. These following tips are just as important as a good password:

  • Don’t write down your password anywhere, unless it is obfuscated to a point where only you can understand it
  • Don’t login to a service or computer with other people watching
  • Don’t login to anything that is using HTTP
  • Don’t fall for spearphishing e-mails, and always be on the look-out against website copycats
  • Don’t use your name, social security number, birthday, email, etc. in your password. Basically, don’t use any personal information in it
  • Don’t use password, 123, or any other common password as your password
  • Don’t use your login name as your password

Conclusion

It is better to be safe than sorry when it comes to passwords. The extra bit of time it takes to remember your password to login to an account is worth it to protect your data. In other words, password complexity should never be sacrificed for convenience. Thankfully for us, there are ways to make good, secure passwords that are memorable to us yet very difficult to be breached.