In the spirit of National Cyber Security Awareness Month (NCSAM), let’s talk about a security basic that many people overlook: passwords. These are one of the most fundamental aspects of website security, yet we too often see webmasters taking a lax approach to secure passwords.
In fact, the online security provider TeamPassword found that last year the most commonly leaked password was 123456. That edges out some real gems including qwerty and the always-popular password.
Thing is, everyone has their own password policy. It’s very personal and usually based on a set of assumptions about online security. Many users choose policies of efficiency over security. Even the paranoid among us have to confront the truth.
Like any defensive measure, best practices in password management can only minimize the level of risk.
Password management is a choice — and a habit. By taking a deeper look, users can make informed decisions and put better passwords into practice.
What makes a good password?
Let’s review a few of the key considerations to making a strong password.
You might have been told this before, but Password123! or 123456 or any obvious combination of sequential numbers and letters will be guessed very easily. It’s also not wise to use things like your birthday or pet’s name, as these pieces of information can be found without much effort by anyone on the web.
The longer your password, the better. If you have more characters, mathematically your password already has a higher probability of not being guessed. More characters equals a stronger password!
Adding numbers and unique characters will set your password apart. Anyone can use their dog’s name (Harry) as a password. By adding numbers, characters, and a mixture of lower and upper case letters, the original Harry becomes obscured as &H4RrY)*7 — and therefore much harder to guess.
Be sure that when you make your unique passwords, you never reuse them. If one of your accounts gets compromised, you want to ensure that account is isolated. If you had multiple accounts with the same password, all of those accounts will also be compromised — which can be devastating not only to your website but to your personal life as well.
Let’s talk about entropy
Entropy is the word used to describe how random a password is. The more entropy a password has, the stronger and less predictable it is. Using longer passwords increases entropy exponentially. Adding character sets (numbers, symbols, unicode) increases the permutations available for any length of password. If your password, or part of your password exists in a word list, it isn’t random.
If your password is based on a pattern or common base, it isn’t random. When password entropy is low, the password is easier to predict.
We still see that many password fields haven’t evolved past the simple eight-character requirement. It doesn’t help that password strength meters can differ greatly from one to the next. It can be frustrating trying to figure out exactly what makes a password “strong” or theoretically unpredictable. All the while, there is talk of quantum computers that aim to be so fast, they could break any encryption with ease.
How to remember passwords
If the thought of trying to remember every unique password for all of your accounts makes you woozy, then I have the solution for you! The easiest way to keep you on track is by using password managers such as LastPass, KeePass, or Dashlane.
They will keep all of your passwords in one “vault” and even auto-fill in passwords if you take advantage of the browser extension. You can also stop worrying about coming up with hard passwords as they can generate them for you.
Group your passwords
Here is a really good idea, group them so that they are a bit more manageable. You can group by anything:
- Important — Financial institution, infrastructure access, email, master accounts
- Medium — Social networks, websites, forums
- Low — Fake accounts, alias accounts, gaming accounts
This then allows you to categorize and create your own rules, something like this:
- Important — No less than 12 characters, use special characters, random generator
- Medium — No less than 8 characters, case, random generator
- Low — No less than 8 characters, human-generated passes are fine, quick access need
Be sure to give your groups serious thought. Something you think is low might in fact be high.
For example, think of your Amazon account. Some might think it’s low, but is it? It’s a medium at minimum.
If you log in, you’re likely to quickly gain access to the user’s profile information. That can be used to glean all kinds of personal information — things like your billing address, phone number, and credit card info. So, is it really low? Those snippets of information can become very dangerous.
How does a password get hacked?
Computers work incredibly fast, and hackers have access to huge amounts of data to help the computer guess more efficiently. On a typical US keyboard there are 94 possible characters. A brute force attack, in its basic form, attempts to guess every possible combination of these characters until the hacker gets into the account.
This method works quickly if the password is fairly short, but can be exhausting with longer passwords. A dictionary attack is a more efficient way to guess long passwords.
This uses the same technique as a brute force attack, but instead of guessing all the character combinations, it tries from a list of common passwords and words from dictionaries and literature. Even at almost fifty characters, including symbols, you can’t use the call of Cthulhu as your password. We’re at a point where even the use of common substitutions — such as L1K3 TH15 — are part of most common word lists.
The rise of password breaches
In addition to all of this, even a strong password isn’t a guarantee. The odds of a password getting leaked, due to a data breach or research initiative, are on the rise. With the sheer number of password breaches that continue to occur, hundreds of millions of potentially active passwords are floating around in cyberspace.
Both bad guys and good guys look at password dumps to research the most common passwords and patterns. This data reveals many common tricks that people use to make passwords memorable and strong at the same time.
Clever methods of making your own passwords become transparent with enough data:
- Pattern-based passwords (qwerty678^&*)
- A capital at the beginning and a number and symbol at the end (Password1!)
- Common substitutions (P@ssw0rd)
- Words associated with the user or website (Username@2014)
Once discovered, someone can design a program to exploit these methods via methods known as brute force attacks, and in turn, that program can expand the word lists that are used.
A variety of social tactics can also be used to reveal passwords. By spoofing an email address, attackers can lure users with phishing emails that seem legitimate. Similarly, malware on a computer may attempt to scare users into revealing information.
In targeted attacks, hackers will use any personally identifying information they can find (such as your birthday, or your dog’s name) to enhance their attack.
For website protection against these kinds of attacks, we recommend using a web application firewall, like CloudProxy. This stops malicious users from breaking into your site.
It’s difficult to imagine a future-proof password. Making passwords unique, complex, and longer is a start, all of which are easily accomplished with a decent password manager. Perhaps we’ll see new authentication methods.
One thing is certain, as computers evolve in terms of processing speed and storage capacity, requirements on password entropy will need to evolve with it.
What we do know is that password breaches are gaining popularity, and the standard password is not going away. Like anything to do with security, you want to know the risks and put a policy in place that keeps you one step ahead of potential threats. When it comes to your personal accounts and site visitors, protection against brute force and dictionary attacks is an important step to take.