Secure Your Passwords in 3 Easy Steps
A Simple Guide to Share With Anyone Who Needs Stronger Password Security
Password security is a controversial subject. To cybersecurity professionals, it’s a non-negotiable in terms of securing any organization or in personal security. For those that don’t consider security as seriously, however, it can be a huge headache that adds nothing but stress and frustration. Passwords don’t have to be hard, though. We’re going to look at three simple steps that you can implement that will dramatically improve your overall security level.
Why Secure Your Passwords?
To the uninitiated, this may all just be arbitrary work that’s being added to an already annoying situation. It’s enough that you’re being asked to have a password that meets your organization’s security standards, now you’re being asked to go above and beyond? What’s the point? Aren’t we all going to be hacked, anyway?
Well, not so fast. For your personal accounts, your password is the first thing attackers will test when trying to break into an account. The strength of that password will dictate their next steps. If they can crack it, then they’re in, and depending on the account they’re breaking into, that will grant them access to other accounts or give them the ability to impact your life in some unfortunate ways.
“But won’t the organization hosting my account set the password requirements to be sufficiently secure?” you may be asking. Well, not exactly. A recent study showed that over 60% of passwords used in companies do not meet minimum standards. Even if you’re beating that statistic and using just the minimum standards, the average organization requires only 8 character passwords; barely enough to stop a determined attacker with sufficient hardware.
It’s not that attackers are not interested in your accounts, either. Hackers are targeting the path of least resistance to gain access to systems, often in the form of weak credentials. Once attackers have access, they will often either sell that access on criminal forums, upload malware (such as ransomware), or steal information for use in later attacks.
While it’s always critical to change your password if you suspect you’ve been breached, it may not be enough if the methodology you’re using to create and retain passwords is weak. An 8 character password that got cracked by an attacker being replaced by another 8 character password is not going to be enough to stop the attacker from cracking the new password. The methodology has to improve in order to prevent more serious damage.
Types of Password Attacks
It might help to know what types of password attacks exist to understand why we’re going to focus on certain password security tips. Think of cybersecurity as a big digital cat and mouse game between nerds. Attackers will employ one trick that defenders will learn about and make systems to negate and attackers will go back to the drawing board to come up with another trick. This is historically true with password attacks.
These attacks can be carried out in a number of ways against more than just your plain text password. It can be done offline if they have stolen a hash of your password or online by directly guessing the password. For now, we’ll just focus on the attacks themselves.
The first method is brute-forcing. You will probably know what this is already by the name, but brute-forcing is literally the guessing of every single possible combination until the attacker finds a match. Using various tools (which we’ll talk about momentarily), attackers can automate this process, given a sufficient amount of time and the hardware required for such a large amount of combination attempts. With bigger, better hardware comes the ability to make more guesses in a single attempt, thereby shortening the overall brute-forcing session.
The second method is a dictionary attack. With this kind of attack, the hacker will use a wordlist (rockyou.txt comes pre-installed on all kali machines, among many other wordlists in the /usr/share/wordlists folder) which is literally a long list of words, phrases, or previously learned passwords and attempt to use each one as the user’s password until access is granted or a match is found.
The final method is a rainbow table attack. This attack is performed when attackers gain access to the hash values of passwords and are attempting to find the plaintext version of a target’s password. This kind of attack can be negated by implementing the below steps since they will be matching the stolen hashes with a pre-computed list of hashes from a wordlist, so if your password is not previously known to the attacker, long, and complex, then the likelihood of the attacker actually finding a plaintext value for your hash is relatively low. Of course, there’s more to it than just that; you still have to factor in the hashing algorithm used, the likelihood of collision, and whether or not the organization storing the passwords uses salting for added security, but for our purposes, we’re going to focus on what you can control.
Impact to Hackers
Allow me to introduce you to John the Ripper. John is a tool used by most security professionals (and criminals) to audit password security (or straight-up break passwords if you’re a criminal). John is a free, open-source, widely available tool that you can run on your own machine to test your own password strength. Using a tool like John, attackers can crack an 8 character password (regardless of complexity) in up to 2.5 hours.
Using the information in this graph, upping the password length to 12 characters (the new standard in some organizations) with a minimum level of complexity (mixing upper and lower case letters) will buy you 300 years’ lead time on an attacker trying to brute force your password. Using an 18 character password with more complexity (upper and lower case letters, numbers, and special characters) and will take attackers 7 quadrillion years to try to crack your password. Not bad.
Granted, when trying to negate a brute force attack, length truly matters. When trying to negate a dictionary attack, complexity matters too. That’s why it may not be enough to have a long password that is only upper and lower case letters. While it will still be strong against a brute forcing attack, many attacker dictionaries mix words together to match a specified length and that can crack even a long password that doesn’t have sufficient complexity.
A long password that mixes in both letters of both cases, numbers, and special characters will negate both dictionary attacks and brute force attacks. That isn’t to say that those passwords are “unhackable”, but attackers will probably elect to not even bother and instead target weaker, less secure accounts and organizations.
Now that we’ve learned all about password attacks, what can we do to stop them?
Tip 1: Use long passwords
We showed earlier the impact that just a 12–18 character password can have. Now, let's up that to a 20–25 character password. Using long passwords negates not only brute forcing attacks, but also seriously challenges dictionary attacks if the wordlist does not have the passphrase you’re using.
Let’s hone in on that word I just used: “passphrase”. To achieve length, move away from using a “password” and instead create a “passphrase”. For instance, “iwillsubscribetostudioseconyoutube” is a pretty solid password, and it’s very easy to remember.
Tip 2: Use complex passwords
Now we’re really trying to make this password secure. Again, referring to the above graph, length isn’t the end-all-be-all with password security. Complexity must also come into play somehow.
Using the password we just made, you can add in upper-case letters for some element of complexity: “IWillSubscribeToStudioSecOnYouTube”.
Say you want more, so you add in numbers: “IWillSubscribeToStudioSecOnYouTube2021”.
Now, let’s add in some special characters for a true masterpiece: “IW!llSub$cr!b3T0Stud!0S3cOnY0uTub32021”.
Boom… Perfection.
Tip 3: Use a Password Manager
That password really is a doozie. How will you possibly remember it? Lucky for you, there are password managers. Password managers store your passwords in a secure vault, which is to say an encrypted area on your machine that you can authenticate into to retrieve your credentials. In this case, the only password you really need to remember is your master password used to log in to your password manager.
Most password managers even come with a browser add-on that you can use to auto-fill your credentials into login fields. With a password manager, you’ll be able to create, store, and use much stronger passwords and the login process will actually be faster than normal.
Bonus: Use Multi-Factor Authentication (MFA)
No account security strategy will be complete without MFA. MFA is where you log in using a password, but you then validate your identity again with another method, such as a one-time code via an MFA app, email, or text. This gives an extra layer of security in the event where your super-secure password gets cracked.
Password security doesn’t have to be difficult. It does, however, have to be done. Doing so not only protects yourself, it protects others using the same services you’re using, your colleagues, and your family members.
Large cyberattacks often happen when attackers are able to break into user accounts due to weak credentials. Those attacks lead to ransomware, data leakage, and other attacks. In using long passwords and adding complexity, and then storing them in a password manager with MFA enabled, you will be doing your part to protect both yourself and others.
Be sure to check out my YouTube channel where I cover cybersecurity topics, news, and Security+ material. Also follow me on Twitter @sec_studio, where you can tell me about how you passed the Security+!
