Is Your Password Strategy Secure Enough?

Our passwords and email addresses unlock so many aspects of our online lives, but as we are happy to give out our email addresses to all and sundry, we rely on our passwords to keep the baddies out.

Given the importance of passwords to prevent cyber attacks, is your password strategy really good enough? You might be surprised, and perhaps horrified, by the contents of this article.

Key Points

  • The article stresses the importance of email addresses and passwords as the gatekeepers of online security, warning that many people use easily crackable passwords despite thinking they are secure.
  • It cautions against reusing passwords across multiple websites, as databases of leaked email and password combinations can lead to widespread unauthorised access.
  • The article discusses the National Institute of Standards and Technology (NIST) guidelines on password length and complexity, advocating for longer and more complex passwords to deter attacks.
  • It identifies social engineering attacks as a significant risk, where personal information such as pet names can make passwords easier to guess.
  • Lastly, the article challenges the conventional wisdom of enforcing password expiration, citing updated NIST guidelines that recommend strong, unique passwords that don’t need to be changed frequently.

In this article, I explained how your email address is often your unique identifier, which tells a website or app who you are and distinguishes you from all the other users. I also mentioned how vital it is that you ensure that your email addresses have not been compromised in one or more of the many data breaches that have leaked email and password combinations into the wild.

Here, we look at your passwords, that vital component of the authentication process that tells a website or app that you are who you say you are, since you, hopefully, are the only person who can provide a valid password for your account. Your email address is your identifier; your password is the authenticator.

So it is vital that your passwords offer you the best security possible, but as we explain, it is fair to say that the vast majority of people are using passwords that are highly vulnerable, even when they think they are being clever by using character substitutions (3 for e, for example) and incorporating a few capital letters into their password.

Do Not Reuse Passwords for Different Websites

As we have shown, there are vast databases of email and password combinations available for sale on the dark web that have been leaked from hacked websites. So if you use the same email and password combination on more than one site, and your email address has been compromised, then you are allowing someone to hack into all your websites that use the same password and email address with potentially catastrophic consequences.

You should always use a different password for every website or app. This does create a major problem, however, as no one can remember strong passwords for every website. This is why you should use a highly secure method of storing and managing your passwords, which will be discussed in a subsequent article.

Password Length

Hopefully you’ve watched this video and are therefore aware that longer passwords present a greater computational challenge and so take longer to crack. According to the National Institute of Standards and Technology (NIST), the minimum password length should be 8 characters; however, you should really be using around 12 characters or more to increase the time and difficulty of cracking.


Password Complexity

Password complexity is where many people fail in their attempts to create secure passwords, particularly if they are creating a new password for every website or app.

If the user is required to supply at least one number, a non-alphabetic character and a mix of lower and upper case letters, then this becomes an intellectual challenge for that user. There is a risk that they will simply resort to character substitution, which produces well-known risky passwords that are easily susceptible to dictionary attacks.

For example, these complexity constraints would allow the password PassW0rd! to pass validation. It would also pass the minimum 8-character requirement, yet it is obviously a highly crackable and vulnerable password.

This is where a password generator, which can also securely store the passwords for each website, plays an important role. For those with Apple iOS devices, there is a built-in secure password generator that creates strong passwords. There are also third-party apps which generate very strong passwords for each website.

Creating strong, complex passwords is a chore, but with the power of dictionary attacks shown in the above video, it is clearly important that users use some of the excellent tools available to ensure that their passwords are as secure as possible.


Social Engineering Attacks

What is a Social Engineering Attack?

A social engineering cyber attack is a manipulative tactic that exploits human psychology rather than technical vulnerabilities. In this type of attack, the perpetrator tricks individuals into divulging sensitive information, such as passwords or financial details, by posing as a trustworthy entity.

Common methods include phishing emails that mimic official communications, phone calls pretending to be from customer support, or even in-person impersonation. By exploiting trust or emotional triggers, social engineering attacks aim to bypass traditional security measures, making them particularly dangerous and effective.

How Weak Passwords Can Result in Social Engineering Attacks

Following on from the password complexity considerations, users will often incorporate easily remembered words into their passwords. For example, if someone owns a dog called Rex, there is a strong chance that they will base their passwords around their dog’s name, i.e. creating a password which meets length and complexity requirements like this: RexDog1!

That is fine, but if that person also posts pictures of their dog on Facebook and identifies it by the name Rex, then a determined hacker who is undertaking social media reconnaissance is likely to guess that the user is using their dog’s name in their passwords.

Combining open source intelligence (OSINT) with password cracking techniques is a highly effective way to break into victims’ online lives. It is therefore essential that passwords do not contain easily guessable words.

Enforcing Password Expiration

This is an interesting consideration, as you would intuitively expect that forcing users to periodically create new passwords would promote security. However, it has become apparent that users often just increment their password by one if required to change it every month. For example, a user could use Passw0rd!1 in January and then change it to Passw0rd!2 in February, which is highly predictable and would be cracked in microseconds.

The latest NIST guidelines now recommend that passwords should never expire; however, this does mean that passwords must be strong and unique and meet all the requirements that we have discussed here.
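To pull the article’s examples together, here is an added illustration (not code from the article) of why a composition rule is a weak test: a naive complexity check is compared with a NIST-style check that normalises the password (stripping trailing counters and reversing 3-for-e style substitutions) before comparing it against a blocklist and against words an attacker could learn from social media. The blocklist and the `user_words` set are constructed samples, and the 12-character minimum follows the article’s recommendation.

```python
import re

# Constructed stand-in for a breached/common-password list; a real deployment
# would check against a corpus of millions of leaked passwords.
COMMON_WORDS = {"password", "letmein", "qwerty", "welcome", "football", "monkey"}

# Substitutions that cracking wordlists apply by default ("leet" rules).
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})


def passes_naive_complexity(pw: str) -> bool:
    """The composition rule the article criticises: at least 8 characters with
    upper case, lower case, a digit and a non-alphabetic character."""
    return (len(pw) >= 8
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def normalise(pw: str) -> str:
    """Undo the tricks that make a word *look* unguessable: drop a trailing
    counter or punctuation (Passw0rd!1 -> Passw0rd), reverse leet
    substitutions (0 -> o) and lower-case the result."""
    core = re.sub(r"[\W\d_]+$", "", pw)
    return core.translate(LEET_MAP).lower()


def passes_nist_style_check(pw: str, user_words=(), blocklist=COMMON_WORDS,
                            min_len: int = 12) -> bool:
    """Length plus blocklist comparison on the normalised password, instead of
    a composition rule. user_words holds things an attacker could learn from
    social media (pet names, usernames); min_len defaults to the article's
    recommended 12 characters."""
    if len(pw) < min_len:
        return False
    norm = normalise(pw)
    if norm in blocklist:
        return False
    return not any(w.lower() in norm for w in user_words if len(w) >= 3)


if __name__ == "__main__":
    for pw in ["PassW0rd!", "Passw0rd!1", "Passw0rd!2", "RexDog1!RexDog1!",
               "correct-horse-battery-staple"]:
        print(f"{pw:30} naive={passes_naive_complexity(pw)!s:5} "
              f"nist={passes_nist_style_check(pw, user_words={'Rex'})}")
```

Every example the article calls out passes the naive rule yet fails the normalised check, while a long passphrase with no dictionary core passes.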
