I am not trying to say something sensationalist to get you to read the article, I am stating a fact. You may argue that you have the most secure password known to mankind, and nobody will ever be able to guess it, and you are probably correct. The problem is that computers are designed to do extremely repetitive calculations incredibly quickly. In 1 minute, you may be able to attempt 30 passwords, maybe even 45 if you are trying simple PIN numbers, but in that same time a computer could be trying 9.2 trillion different passwords of varying complexity and style.
How are passwords being attacked?
Online: There are a few ways to attack an online service and gain access as a specific user, but most of them involve sending repeated login attempts as quickly as possible until the attacker gains access. The vast majority of login services have countermeasures to prevent this attack, including account lockouts, making this a very slow attack and an extremely easy one to detect.
Offline: Every other day the news highlights a data breach of some sort, from the smallest companies to some of the biggest in the world (Equifax 2017). One of the primary goals of these breaches is to download the password database, which will be either cracked by the attacker or sold as-is. With the passwords no longer constrained by the login server's security measures, they can be compromised exponentially faster. A variety of techniques will be used to generate potential passwords, which are then compared against the pilfered list. This process is fast and very scalable. As businesses use the cloud to enhance their offerings, criminals are utilizing the same massive processing power to generate passwords in the billions per second (Black Hills Information Security).
What happens to the cracked passwords?
There are a lot of potential destinations for a cracked password. Many of them end up in free online password dumps (We Live Security), some are sold and correlated with other pieces of information about you on the Dark Web, and sometimes, your email address and password will be tried against thousands of websites, looking for a successful login with the goal of compromising social media and email accounts to be utilized by bots or other bad actors. (Tripwire)
What can I do to stay safe?
That is a great question; here are some of the most successful ways to improve your security:
- NEVER RE-USE A PASSWORD
  - Like I mentioned above, after a password is successfully cracked, someone is going to try to access other websites with those credentials. Imagine how much time it would take you to reset the password for each of your online accounts, or even worse, how you would get access again when you can no longer open your email.
  - It is unreasonable to think anyone can keep a hundred or so unique passwords in their brain; however, you can offload this headache to a password manager, which acts as a central repository for all of your passwords.
  - Many of these password management tools allow synchronization between your computer and mobile device, allowing you to access your passwords anywhere. You will need to ensure you use a strong password for the solution you choose, and implement multi-factor authentication where possible.
  - Pro Tip: make sure you back up the database regularly, and keep a copy of the master password where you (or your spouse) can get to it in an emergency.
- DO NOT USE PERSONAL INFORMATION AS A PASSWORD
  - One of the first attacks used against a password database is a Dictionary Attack. Basically, the computer guesses every word in the dictionary, plus all of those variations people are fond of, like changing an E to a 3 or adding numbers at the beginning or end. In a targeted attack, or where additional information about you is known, a custom dictionary will be built from sites like Facebook, LinkedIn, Twitter and YouTube. These attacks are very successful, primarily because remembering a lot of passwords is hard, and people have an easier time remembering things that are important to them.
- LONG COMPLEX PASSWORDS ARE BEST
  - Password security is measured in bits of entropy; defining this concept can be a little heavy on the math, but the idea is pretty simple: there are 95 printable characters on an English keyboard, and every character you add to a password multiplies the number of guesses needed by 95. The longer you make the password, the harder it is going to be to crack (a thirteen character password offers 51,334,208,327,950,511,474,609,375 possibilities).
  - If your password is not truly random, guessing it can become simpler and faster.
  - If you are using a password manager, the length and complexity are very easy to manage. Consider looking for a password manager that can create these random passwords for you to simplify things even more.
  - Some passwords you will need to memorize, for important items like your email, banking and your password manager. A good strategy is to use a pass-phrase: usually 4 to 6 random words, usually with spaces in between, and it does not need to make sense. You can then develop a mental image or a mnemonic to make memorizing these critical passwords easier. (XKCD)
- USE MULTI-FACTOR AUTHENTICATION WHERE POSSIBLE
  - This sounds like a really complex and scary subject, but it is actually very simple and you use it almost every day.
  - Multi-Factor Authentication (MFA) means using more than one factor to verify your identity. The generally agreed upon factors are:
    - Something you know – like a password or PIN
    - Something you have – like a smart card or token device
    - Something you are – often called biometrics, these are things like your fingerprint
    - Somewhere you are – like only logging in from your home computer
  - Using more than one factor almost completely mitigates the damage of a lost password.
- NEVER RE-USE A PASSWORD
  - Yes, I said this before, but people keep doing it (Gizmodo).
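To put numbers on the entropy and pass-phrase advice above, here is an added example (not from the original article) that computes the keyspace, the bits of entropy and the average time to crack for a few password styles, using the article's own guess rates of 30 per minute for a person and 9.2 trillion per minute for a computer. The 7776-word list size is an assumption (a Diceware-style list); the figures assume the password is chosen uniformly at random, which is exactly what the "not truly random" caveat warns about.

```python
import math

# Guess rates taken from the article's own figures: a person trying about
# 30 passwords a minute versus a computer trying about 9.2 trillion a minute.
HUMAN_GUESSES_PER_MIN = 30
COMPUTER_GUESSES_PER_MIN = 9_200_000_000_000

PRINTABLE_CHARS = 95   # printable characters on an English keyboard
LOWERCASE = 26
DIGITS = 10
WORD_LIST = 7776       # assumption: a Diceware-style word list of 6^5 words
MINUTES_PER_YEAR = 365 * 24 * 60


def keyspace(alphabet_size: int, length: int) -> int:
    """How many distinct passwords of `length` symbols the alphabet allows."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password: log2 of the keyspace."""
    return length * math.log2(alphabet_size)


def expected_crack_minutes(alphabet_size: int, length: int,
                           guesses_per_min: int) -> float:
    """Average time to hit a random password: half the keyspace at the given rate.
    A password built from names, dates or dictionary words is found far sooner,
    because the attacker tries those candidates first."""
    return keyspace(alphabet_size, length) / 2 / guesses_per_min


def describe(label: str, alphabet_size: int, length: int) -> str:
    """One summary line per password style, for both attacker speeds."""
    human = expected_crack_minutes(alphabet_size, length, HUMAN_GUESSES_PER_MIN)
    computer = expected_crack_minutes(alphabet_size, length, COMPUTER_GUESSES_PER_MIN)
    return (f"{label:<26} {entropy_bits(alphabet_size, length):5.1f} bits  "
            f"human: {human / MINUTES_PER_YEAR:.3g} yr  "
            f"computer: {computer / MINUTES_PER_YEAR:.3g} yr")


if __name__ == "__main__":
    print(describe("6-digit PIN", DIGITS, 6))
    print(describe("8 lowercase letters", LOWERCASE, 8))
    print(describe("13 random printable chars", PRINTABLE_CHARS, 13))
    print(describe("5-word random passphrase", WORD_LIST, 5))
```

The 13-character line reproduces the 51,334,208,327,950,511,474,609,375 figure from the article, and the 5-word pass-phrase lands in the same range of entropy while being far easier to memorize.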
Why are we not using computers to solve this?
Actually, we are. There are a lot of technologies in place that reduce the likelihood of a password being cracked, like salting, key stretching, and larger password hashes such as SHA-2. In addition, adding MFA to your favourite apps, and having services automatically analyze logins for unusual behaviour, mean that many attacks fail before they even start.
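As an added illustration of what salting and key stretching buy a site (this is example code, not from the article or any particular product), the following compares a bare SHA-256 of the password with a salted, iterated PBKDF2-HMAC-SHA256 hash. PBKDF2 and the 600,000 iteration count are assumptions standing in for "key stretching"; the two users sharing a password are a constructed sample.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumption: PBKDF2-HMAC-SHA256 stands in for the article's "key stretching";
# the article names the technique, not an algorithm or iteration count.
DEFAULT_ITERATIONS = 600_000


def plain_sha256(password: str) -> str:
    """Unsalted, single-pass hash: identical passwords give identical digests,
    so one cracked guess unlocks every account sharing that password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Salted, stretched hash stored as 'iterations$salt_hex$digest_hex'.
    A random per-user salt means equal passwords no longer collide and a
    precomputed table cannot be reused across accounts; the iteration count
    makes every attacker guess cost that many HMAC rounds."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and count; compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def duplicates_visible(hashes: list) -> bool:
    """True if any two stored values are identical, the first thing an attacker
    looks for in a leaked database."""
    return len(set(hashes)) < len(hashes)


if __name__ == "__main__":
    # Constructed sample: two users who happened to choose the same password.
    shared = "correct horse battery staple"
    print("plain duplicates visible:", duplicates_visible([plain_sha256(shared), plain_sha256(shared)]))
    stored = [hash_password(shared), hash_password(shared)]
    print("salted duplicates visible:", duplicates_visible(stored))
    print("login with right password:", verify_password(shared, stored[0]))
    print("login with wrong password:", verify_password("Correct horse battery staple", stored[0]))
```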
Wow this is really interesting, where can I learn more?
- NIST Special Publication 800-63 (Digital Identity Guidelines)
- Wikipedia: Password Strength
- Wikipedia: Password Cracking