Why Your Passwords Are Not Secure Enough | The Truth About Common Passwords and Expert Tips for Better Security.

From ‘12345’ to ‘53cur3$P4ssw0rd’.

Mr_Architekt
13 min read · Jun 13, 2023

Let’s do a little test: take one of your passwords (if you use only one password, you have already failed) and make a variation of it. Then go to this website and type it into the input bar. How long would it take an attacker to guess or crack it?

Password Security test for “admin”

Now you have seen that your passwords may not be as secure as you thought.

Some people may not be aware of what could happen if they don’t put much effort into protecting their data with strong passwords. Let’s explain what could happen, starting with how credentials and passwords work.

There are many ethical hacking tools for password security audits, such as John the Ripper or Hashcat, and those same tools are sometimes used for malicious password cracking. Password cracking is the process of feeding a captured password hash to a tool that compares it against a long list of candidate passwords until one matches (and that match is the guessed password).

Let’s dive deeper into how this “complex” process of password security works, first explaining how credentials work on a web server.

First, when you create a new username and password in a web application, your credentials are stored in the web server’s credentials database, but not as plain text: web servers apply an algorithm called “hashing”, which transforms the password irreversibly (loosely, it is “encrypted” with no way back), and the resulting hash value is what gets stored in the database.

Image created on Canva.

There are many hashing algorithms, but the most commonly used (for this security purpose) is MD5. Applying MD5 to the password “admin” gives “21232f297a57a5a743894a0e4a801fc3”, and that is the hash stored in the database. Hashing is more secure than encryption because encryption can be decrypted, whereas hashing is irreversible.

So, if hashing is irreversible, how does authentication actually work?

It’s simple: the next time you log into your account, the process is the following.

Image created on Canva.

This is the secure process of storing credentials, hashing and authenticating, but… what is the vulnerability or danger in this process?

Actually, there isn’t one at this point; the dangers and problems come when this data is breached and leaked. Obviously, when a hacker leaks a database of passwords they only get the hashes, not the plain-text passwords. That is an obstacle, but many attackers put special effort into playing the same authentication game with every password, using sophisticated techniques and tools: they crack the passwords with the same comparison method authentication systems use, and once a guess matches, they have the plain-text password.

Here’s the scary and shocking part: take a look at this 2021 Statista chart of the most used passwords. Most of them are easy to guess and easy to crack.

If the hash “f25a2fc72690b780b2a14e140ef6a9e0” is leaked, cracked and revealed to correspond to the password “iloveyou”, an attacker adds that password to a list of cracked passwords (a list that already holds the common passwords of a majority of users, ready to be tried). The next time a data breach occurs, the attacker can compare the newly leaked hashes with a list of already-cracked passwords, lists that can even be found on the open internet (rockyou.txt is one of the most popular password lists; if your password is in it, you should change it…).
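The storage, login and leak steps described above, put into code. This is an added example, not code from the original article: the MD5 path reproduces what the text describes (an unsalted hash in the credentials table, compared at login), the PBKDF2 path is the hardened alternative a defender would deploy instead, and the cracked-password table and leaked hashes are constructed samples, not real breach data.

```python
import hashlib
import hmac
import secrets

# --- What the article describes: an unsalted MD5 of the password sits in the credentials table ---

def md5_hash(password: str) -> str:
    """Hex MD5 digest, the value the article shows being stored for "admin"."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def login_md5(password_attempt: str, stored_hash: str) -> bool:
    """The login step: hash the attempt and compare it with the stored hash.
    compare_digest keeps the comparison constant-time."""
    return hmac.compare_digest(md5_hash(password_attempt), stored_hash)

# --- The hardened alternative: a per-user random salt plus a deliberately slow key derivation ---

PBKDF2_ITERATIONS = 600_000  # OWASP's current recommendation for PBKDF2-HMAC-SHA256

def store_pbkdf2(password: str) -> str:
    """Return a self-describing record: algorithm$iterations$salt$derived_key (salt and key in hex)."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"

def login_pbkdf2(password_attempt: str, record: str) -> bool:
    """Re-derive with the stored salt and iteration count, then compare."""
    _algo, iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password_attempt.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)

# --- The leak scenario from the text: a table of already-cracked common passwords ---

CRACKED_PASSWORDS = ["123456", "password", "iloveyou", "admin", "qwerty"]  # constructed sample list

def match_leaked_hashes(leaked_hashes, cracked_passwords=CRACKED_PASSWORDS):
    """Map each leaked MD5 to the known password it equals, or None if it is not in the table.
    The table is computed once and reused across breaches, which is why unsalted fast hashes
    of common passwords fall instantly."""
    table = {md5_hash(p): p for p in cracked_passwords}
    return {h: table.get(h) for h in leaked_hashes}

def salted_records_differ(password: str) -> bool:
    """Two users with the same password get unrelated records, so no single table covers both."""
    return store_pbkdf2(password) != store_pbkdf2(password)

if __name__ == "__main__":
    print(md5_hash("admin"))  # the article's stored hash for "admin"
    leaked = [md5_hash("iloveyou"), md5_hash("Never_outshine_your_master")]  # constructed "leak"
    print(match_leaked_hashes(leaked))
    record = store_pbkdf2("iloveyou")
    print(record, login_pbkdf2("iloveyou", record), login_pbkdf2("iloveyou!", record))
```

The two login functions behave identically for the user; the difference is entirely on the defender’s side. With the MD5 table, every leaked hash of a common password is resolved by a dictionary lookup. With the salted, iterated record, the same common password yields a different value for every user and each guess costs 600,000 HMAC computations, so a precomputed list is useless and each account has to be attacked separately.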

In cybersecurity terms, this is a threat to the CIA triad: our passwords are no longer confidential, they are exposed to anyone, and our information and privacy could become available to anyone.

It is worth noting that this is only a threat if our credentials are leaked, which is why we need to stay aware of data breaches at every web service we use; when a data breach happens, we need to change our password immediately.

And you may be thinking, “but you said we need to keep our passwords complex for better security, and this has nothing to do with password complexity”. Well, you’re right: in this case, the stronger your password, the harder its hash is to guess, but once an attacker manages to crack your password hash you are completely done.

Password complexity and encryption relate to different and more elaborate attacks. Credential attacks like Man in the Middle and brute forcing are also used to steal and crack passwords. Let’s explain how computer communications work.

Communications and information storage are more complex than this, but here is a glance at it.

This can lead to many attacks like the ones mentioned earlier. Man in the Middle is a network attack in which someone intercepts packets by redirecting them to themselves. When an attacker uses such a technique to intercept or steal information containing credentials, some of it is encrypted, but the attacker can use a decryption tool or a brute-forcing tool like the ones mentioned above, and the attacker’s success depends on how complex your password is. Knowing this, let’s take a look at the most used passwords image again… Hilarious, isn’t it?

Password security in a digital world full of credentials, hackers and data breaches, and the struggle of having complex passwords.

In this digital world, a password is required for every service, but we usually don’t care about their security, for many reasons.

Those could be:

  • We have nothing to lose or expose if they get leaked.
  • We pretend our information or data is not important because we are ordinary people.
  • We feel safe about our passwords because we are not exposed, or the chances of being hacked are very low.

It’s worth saying that these three statements are common myths in password security and cybersecurity. Everyone’s information is important and worth millions on data-breach forums on the deep web, whether you are a child, an adult or a business person. Every person in the world is in the attackers’ sights, so maybe we need to worry a little more about our passwords, but…

Dealing with passwords is really boring and sometimes hard, and it gets worse for those who are not used to web services with credentials.

When creating new passwords, we face some challenges along the way. The most common are:

  • We don’t want to create many passwords because they are hard to remember.
  • When we want to remember our passwords, we store them in insecure places.
  • We don’t know how to create secure passwords, so we create simple, easy-to-remember ones.
  • We are too lazy to update our passwords from time to time.

So now we are going to talk about each of these points and give some advice along the way.

The best practices for creating strong passwords, storing them and being aware of attacks.

First, using the same password for every service and web application is a very common risk on the web: having only one password for everything exposes all your accounts to the same danger. Let’s talk about how.

Data breaches occur so often that many leaked databases hold different passwords for the same email address, and attackers even build their own tools to harvest the passwords of one email across different websites. For instance, an attacker has these Netflix credentials: the email “johnisthebest@mymail.com” and the password “12345admin”. He then crafts a special tool (or buys one) that takes the email and checks whether it appears in other databases of leaked credentials. If he finds other social media or streaming services attached to that email, he will try to access them with the same password. So let’s pray that John doesn’t reuse his password. Do you?

Creating passwords can be stressful, because some people are not able to remember many passwords or simply don’t want to, but there are many solutions for that.

First of all, creating more complex and secure passwords.

This can be exhausting, because the best practice for strong passwords is not to repeat them across the services we authenticate to in different web applications or websites.

This can be easily managed by using a password manager (we will cover those later in this article); for now we are going to create better passwords.

We need to think of something easy to remember.

You can use anything, any phrase or sentence; for example, a quote from our favorite character in our favorite book. In my case I will use the first law of power: “Never outshine your master”.

This sentence is still plain text and easy to guess and crack. Since we cannot add spaces to our passwords, let’s replace each space with an underscore: “Never_outshine_your_master”.

This password already works well, since the basic standard for creating passwords is to use more than 8 characters. But most websites ask you to add numbers, upper case letters and other symbols.

You can just add random numbers, but if you want to harden your password even further you can use L33T (leet) code, which replaces vowels and some other letters with similar-looking digits; you can use this translator.

Basic L33T translation of “Never_outshine_your_master”

And if we use How Secure Is My Password, we can see the results.

Outstanding results for “n3v3r_0u75h1n3_y0ur_m4573r”

But we can harden our password even further, to make it impossible to guess and crack.

Sometimes it’s good to know some cryptography, which is used to hide confidential plain text from unwanted access. In this case we can use an existing symmetric encryption method or create our own; creating our own encryption method means our password can only be encrypted and decrypted by ourselves.

One common encryption method is the Caesar cipher, which is easy to understand; there are many converters on the internet, and I used this one to convert the previous password into a new one.

Caesar cipher result with a key value of 15.

The new password has a greater number of years to crack than the previous one.

Results for “C3k3g_0j75w1c3_n0jg_b4573g”

Finally, you can decide which password you would like to use, the L33T one or the ciphered one; you can mix both for more confidentiality.
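The three transformation steps above (spaces to underscores, L33T substitution, Caesar shift with key 15), implemented as code. This is an added example, not the article’s own code or the online converters it used: the L33T substitution table is read off the article’s before/after strings, and `charset_bits` is a simplified character-class estimate of the kind strength meters compute, not the formula of the How Secure Is My Password site itself.

```python
import math
import string

# The substitutions the article's L33T step applied, read off its before/after strings
LEET_MAP = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}

def passphrase_to_password(phrase: str) -> str:
    """Step 1 of the article: spaces become underscores."""
    return phrase.replace(" ", "_")

def leet(text: str) -> str:
    """Step 2: lower-case the text and swap the mapped letters for look-alike digits."""
    return "".join(LEET_MAP.get(c, c) for c in text.lower())

def caesar(text: str, shift: int) -> str:
    """Step 3: rotate letters by `shift` positions, preserving case; digits and symbols pass through.
    A negative shift decrypts, since the cipher is just a fixed rotation of the alphabet."""
    out = []
    for c in text:
        if c.isupper():
            out.append(chr((ord(c) - ord("A") + shift) % 26 + ord("A")))
        elif c.islower():
            out.append(chr((ord(c) - ord("a") + shift) % 26 + ord("a")))
        else:
            out.append(c)
    return "".join(out)

def derive(phrase: str, shift: int) -> str:
    """The full pipeline from the article: phrase -> underscores -> L33T -> Caesar."""
    return caesar(leet(passphrase_to_password(phrase)), shift)

def charset_bits(password: str) -> float:
    """Strength as a character-class meter estimates it: length * log2(size of the classes present).
    Such a meter only sees which classes appear, not how the string was built."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return len(password) * math.log2(size) if size else 0.0

if __name__ == "__main__":
    base = passphrase_to_password("Never outshine your master")
    l33t = leet(base)
    shifted = caesar(l33t, 15)
    print(base, l33t, shifted, sep="\n")
    print(caesar(shifted, -15) == l33t)  # the shift is reversible with the same key
    print(charset_bits(l33t), charset_bits(shifted), charset_bits("C3k3g_0j75w1c3_n0jg_b4573g"))
```

Applied to the lower-case L33T string, the shift gives `c3k3g_0j75w1c3_n0jg_b4573g`, which differs from the article’s screenshot only in the case of the first letter. That detail matters to a meter: the L33T string and its shifted form score identically under `charset_bits` (same length, same classes), and what raises the score is the capital letter adding a fourth class. The shift itself has only 26 possible keys and the L33T table is fixed, so cracking tools treat both as mangling rules; the strength that survives is the length and unpredictability of the underlying phrase.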

For instance, I can save my passwords in the password manager or notebook as ciphertext; this helps preserve confidentiality if your password storage tool gets lost.

Use a password storage tool.

This is the best option. Some people tend to use journaling notebooks or password notebooks to store them. Using them has many pros, but critical cons.

The first point against them is: what happens if you lose the notebook? You’re not only going to lose your passwords, you are going to expose every password to whoever finds your notebook.

But the best solution for this is simple: don’t use your notebook outside, and don’t carry it in a bag or anywhere it could easily be forgotten or lost. Another way to protect against password exposure is not to write your credentials in plain text; be smarter and use riddles or single-word clues that let you recall your passwords.

For example, don’t do this:

  • Website : Amazon.
  • Username : IamJohn
  • Password : IloveApples_2005

Do this instead:

  • Website : The store with a smile.
  • Username : Introducing myself.
  • Password : The fruit I love the most and year of marriage separated by an underscore.

This is way better and more secure.

Another best practice for storing credentials is to follow cybersecurity news about data breaches; if a service or web application you use every day has suffered a data breach, change the password ASAP.

The disadvantages of using physical tools for storing passwords.

The most common risk of storing passwords on physical tools or devices like USB drives or notebooks is the probability of losing them. So every time we store passwords on these devices or items, we need to think about what we are doing and where we are leaving them.

Losing a USB drive is even more common than losing a notebook. You can still use the technique of storing passwords in a book, but only inside your home, where your sensitive information and passwords are not exposed; the same goes for your USB drives.

If you lose your password storage device or tool, you will need to update and change every single password you wrote or stored there, in order to prevent malicious logins after the passwords leak.

Another flaw is storing your passwords in a web browser’s password manager: they store them locally in plain text, or sometimes in very weak ciphertext that is easy to crack and extract for an attacker, or anyone else, who has access to your computer.

The best alternative to store passwords securely.

Have you ever tried password manager tools?

They are a better way to store your passwords efficiently, with the main struggle and risk being the loss of your passwords in a password leak (the equivalent of losing your physical password storage).

Image of password managers provided by “Joel Witts” at Expert Insights, “The Top 10 Password Managers For Business”.

How do they work?

You only need to download a password manager of your preference and set a master username and password to access all the credential information you are going to manage inside the software.

Once you authenticate with your master password, you can start managing your different accounts and credentials for different websites and storing the information. Some password managers are installed or used along with browser extensions, which can make your authentication process automatic. For example: you have Amazon store credentials stored in your password manager, and when you try to log in to Amazon, the browser extension fills in the login form with your username and password automatically, after you have authenticated with your master username and password.

Local password managers and cloud password managers.

There are many password managers on the market, and most of them are cloud-based, which means your passwords are stored on another device instead of your own.

This helps protect your passwords and credentials from exposure or leakage through the loss of your storage device. If you lose the device you use to manage and authenticate, your passwords and credentials are still safe, since they are stored in the cloud.

This is a good example of risk mitigation, but it isn’t as good as it sounds: when you store your passwords in the cloud they are exposed to a data breach, and it could be even worse than you imagine. If the password manager’s company is attacked and suffers a data leak, every password you had stored in your manager is now out on the web, waiting to be decrypted and used.

This means that when you learn your password manager’s company has been hacked, you need to change every password inside your password manager and at each of the services that use them, which is pretty annoying and time-consuming, isn’t it?

On the other side, we have local password managers like “KeePassXC”, which work similarly to the cloud-based managers, but instead of storing the passwords and credentials in the cloud, they store them locally on your device in an encrypted file. Some local password managers have sophisticated encryption methods that can use your master password or master credentials as a public or private key. This lets you store them securely on a physical device: if you lose that physical storage, the file would be impossible or very hard to decrypt.
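The structure of a local encrypted vault of the kind just described (and the opposite of the plain-text browser storage criticized earlier), as an added example. This is not KeePassXC’s code or its file format: it shows the pattern a local manager follows, a random salt, a slow key derivation from the master password, an integrity tag checked before anything is decrypted, and a file that reveals nothing without the master password. The Python standard library ships no block cipher, so the encryption step uses HMAC-SHA256 as a counter-mode keystream with a separate HMAC tag (encrypt-then-MAC) purely as an illustrative stand-in; a real vault uses a vetted AEAD such as AES-GCM or ChaCha20-Poly1305. The sample entries are constructed from the article’s own examples, not real credentials.

```python
import hashlib
import hmac
import json
import secrets

KDF_ITERATIONS = 600_000  # slow on purpose: every master-password guess pays this cost

def derive_keys(master_password: str, salt: bytes) -> tuple:
    """Stretch the master password with PBKDF2, then split into two domain-separated keys:
    one for encryption, one for the integrity tag."""
    root = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, KDF_ITERATIONS)
    enc_key = hmac.new(root, b"vault-encryption", hashlib.sha256).digest()
    mac_key = hmac.new(root, b"vault-integrity", hashlib.sha256).digest()
    return enc_key, mac_key

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Illustrative PRF-in-counter-mode keystream (stand-in for a real cipher, see lead-in)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def lock_vault(master_password: str, entries: dict) -> dict:
    """Serialize the entries and encrypt them under keys derived from the master password.
    Salt and nonce are fresh per file, so the same entries never produce the same vault twice."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries, sort_keys=True).encode("utf-8")
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(), "ct": ciphertext.hex(), "tag": tag.hex()}

def unlock_vault(master_password: str, vault: dict):
    """Return the entries, or None if the master password is wrong or the file was tampered with.
    The tag is verified before any decryption, so a wrong password yields nothing but a refusal."""
    salt, nonce = bytes.fromhex(vault["salt"]), bytes.fromhex(vault["nonce"])
    ciphertext, tag = bytes.fromhex(vault["ct"]), bytes.fromhex(vault["tag"])
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext.decode("utf-8"))

SAMPLE_ENTRIES = {  # constructed sample built from the article's examples, not real credentials
    "amazon": {"username": "IamJohn", "password": "IloveApples_2005"},
    "mail": {"username": "johnisthebest@mymail.com", "password": "c3k3g_0j75w1c3_n0jg_b4573g"},
}

if __name__ == "__main__":
    vault = lock_vault("example master passphrase", SAMPLE_ENTRIES)
    print(json.dumps(vault, indent=2))                # what ends up on disk: no plaintext anywhere
    print(unlock_vault("example master passphrase", vault) == SAMPLE_ENTRIES)
    print(unlock_vault("wrong guess", vault))         # None: wrong password is indistinguishable from tampering
```

Two properties carry the security argument the text makes for local managers. The file on disk contains only salt, nonce, ciphertext and tag, so someone who finds the lost device learns nothing about the entries, and each master-password guess costs a full PBKDF2 derivation. And because the tag is checked first, a wrong master password and a modified file fail the same way, with no partial decryption to inspect.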

So, in conclusion, both types of password managers have their own flaws and exposures, one worse than the other, but the choice of which to implement is yours; at the end of the day, both are worthwhile for hardening your password security.

And last but not least, don’t forget Multi-Factor Authentication.

You have probably heard this term before on many websites, which recommend you use it to harden your security. But what is it for?

MFA is a basic concept in cybersecurity and authentication. MFA helps prevent fraud and unwanted logins, and it helps keep sensitive data confidential.

MFA works with different types of authentication factors, such as:

  1. Something you know, like a username, password or PIN.
  2. Something you have, like an ID, passport, access card or token (YubiKey).
  3. Something you are: biometrics.

In most cases, websites allow us to authenticate with something we have, like a cellphone or an authenticator app.

Google has its own authentication app called “Authenticator”; some websites ask you to use that app to link your MFA process and receive codes to authenticate each time you want to log into a different website or service, and those codes are updated every minute.

Some physical devices like smartphones have facial recognition or fingerprint readers that implement the third type of authentication (biometrics); some banking or health applications use these features as a technical access control to implement MFA in their apps.

So, every time you have the opportunity to enable MFA, set it up on your accounts. This will help harden your login and authentication process if your credentials are exposed or leaked, whether by yourself or by a data breach.

In conclusion, password security is crucial in today’s digital landscape. Weak passwords put us at risk, so it’s vital to use strong and unique combinations. Implementing two-factor authentication adds an extra layer of protection.

I encourage you to continue exploring this topic and staying informed about emerging threats and advancements in password security. By sharing knowledge and actively participating, we contribute to a more secure digital future.

Thank you for your readership and ongoing support as we delve deeper into the realms of cybersecurity and beyond. Happy reading!


Mr_Architekt

Jr Detection Engineer. Using much of my free time to read and learn, and when I have much more free time, I love to pass on what I learn.