Our passwords and email addresses unlock so many aspects of our online lives, but as we are happy to give out our email addresses to all and sundry, we rely on our passwords to keep the baddies out. However, given the importance of passwords to security, is your password strategy really good enough? You might be surprised, and perhaps horrified, by the contents of this article.
In this article, I explained how your email address is often your unique identifier which tells a website or app, who you are, and identifies you from all the other users. I also mentioned how vital it is that you ensure that your email addresses have not been compromised in one or more of the many data breaches that have leaked email and password combinations into the wild.
Here, we look at your passwords, that vital component of the authentication process that tells a website or app that you are who you say you are as you, hopefully, are the only person that provide a valid password for your account. Your email address is your identifier, your password is the authenticator.
So it is vital that your passwords offer you the best security possible, but as we explain, it is fair to say that the vast majority of people are using passwords that are highly vulnerable, even when they think they are being clever by using character substitutions (3 for e, for example) and incorporating a few capital letters into their password.
Before we delve into the steps that you an take to improve the strength and security of your passwords, I strongly suggest that you watch this video. If you think your passwords are cleverly crafted and uncrackable, you will probably think again after watching it.
Do not reuse passwords for different websites
As we have shown, there are vast databases of email and password combinations available for sale on the dark web that have been leaked from hacked websites. So if you use the same email and password combination on more than one site, and your email address has been compromised, then you are allowing someone to hack into all your websites that use the same password and email address with potentially catastrophic consequences.
You should always use a different password for every website or app. This does create a major problem, however as no one can remember strong passwords for every website. This is why you should use a highly secure method of storing and managing your passwords, which will be discussed in a subsequent article.
Hopefully you’ve watched this video and therefore are aware that longer passwords provide greater computational challenges and therefore take longer to crack. According to the National Institute of Standards and Technology (NIST), the minimum password length should be 8 characters, however you should really be using around 12 characters or more to increase computational cracking time and difficulty.
Password complexity is where many people fail in their attempts to create secure passwords, particularly if they are creating a new password for every website or app.
If the user is required to supply at least one number, an non alpahebtic cracter and a mix of lower and upper cases then this becomes an intellectual challenge for that user. There is a risk that they will simply resort to character substitution, which creates well known risky passwords that are easily susceptible to dictionary attacks.
For example, given these complexity contraints would allow this password to pass validation PassW0rd! It would also pass the minimum 8 character requirement, but obviously creates a highly crackable and vulnerable password.
This is where a password generator, which can also securely store the passwords for each website, plays an important role. For those with Apple IOS devices, there is a secure password generator that creates strong passwords. There are also third party apps which also generate very strong passwords for each website.
Creating strong, complex passwords is a chore, but with the power of dictionary attacks shown in the above video, it is clearly important that users use some of the excellent tools available to ensure that their passwords are as secure as possible.
Social engineering attacks
Following on from the password compexity considerations, users will often incorporate easily remembered words into their passwords. For example if someone owns a dog called Rex, there is a strong chance that they will base their passwords around their dog’s name ie creating a password, which meets length and complexity requirements like this: RexDog1!
That is fine although if that person also posts pictures on facebook of their dog, and identify it with the name Rex, then a determined hacker who is undertaking social media reconnaissance is likely to guess that the user is using their dog’s name in their passwords.
Combining open source intellingence (OSINT) with password cracking techniques is a highly effective way to hack into victims online lives. It is therefore essential that passwords do not contain easily guessable words.
Enforcing password expiration
This is an interesting consideration as you would intuitively expect that forcing users to periodically create new passwords would promote security. However, it has become apparent that users often just increment their password by one, if required to change it every month. For example a user could use Passw0rd!1 in January and then change it Passw0rd!2 in February, which is highly predictable and would be cracked in micro seconds.
The latest NIST guidelines now recommnd that passwords should never expire, however this does mean that passwords should be strong and unique and meet all the requirements that we have discussed here.