One of the most foundational, yet commonly overlooked aspects of digital security is passwords. Passwords, as we know them, were introduced in 1961 by MIT as the most basic form of authentication. The cyber security world has since developed numerous forms of user authentication: Something You Know (Password), Something You Have (Keycard), Something You Are (Fingerprint). Any combination of these methods can be used to authenticate an identity. The use of multiple methods is commonly known as MFA (Multi-Factor Authentication) but we will discuss this in another article.
So how do you make a strong password? Before you can understand what truly makes a password secure, you must understand how passwords are “hacked.” Most people think that the act of hacking a password requires “rocket-science” level mathematical algorithms and intricate knowledge of the inner-workings of computer systems. Spoiler alert, it is not really that difficult.
Whenever you log in to your email, access a shared file, or perform any authenticated action, your credentials are transmitted either over the air (WiFi) or over the wire (Ethernet). Let’s assume these credentials are encrypted (as is most common these days). Perhaps you were using free WiFi at a coffee shop, or the person sitting in your company lobby is sniffing the network, or perhaps you logged into a shared computer. Any of these scenarios ends with a hacker holding a copy of your encrypted password. But wait! My password is encrypted… doesn’t that mean it is safe? No. Because encryption algorithms are publicly available, an attacker can encrypt password “guesses” using the same algorithm and compare the results until one matches!
There are essentially 3 basic attack methods when it comes to breaking passwords: Dictionary Attacks, Rainbow Tables, and Bruteforce Attacks.
- Dictionary Attack: This is arguably the most common attack method, so how does it work? Once an attacker has a copy of your encrypted password, they begin looking for a match by encrypting guesses. Where do these guesses come from? They are not computer generated. Instead, large dictionaries of words, phrases, old passwords, names, even song titles are used as a word list for guessing your password! The program encrypts each word or combination of words, checks it against your encrypted password, and repeats until a match is found.
- Rainbow Tables: A rainbow table is very similar to a dictionary-based attack. Instead of encrypting each guess, the rainbow table contains already encrypted words, phrases, old passwords, etc. This significantly reduces the processing power required, therefore speeding up the process. Because the password guesses are already encrypted, they cannot be manipulated or combined. This requires extremely large files in order to be a successful attack.
- Bruteforce: This attack method speaks for itself. If a dictionary attack or rainbow table has not worked, hackers will fall back to a brute force attempt. This operates under the same guessing principle as the dictionary attack, but every single possible combination is attempted. These attacks can take days or even years depending on the password length.
So how can you craft a password that is not only easy to remember, but effective at stopping these types of attacks?
- Length over complexity: Password cracking applications do not really care about complexity if a password is 8 characters or less. My consumer-level laptop can guess every 8-character ASCII password in just a day. 8-character passwords are a thing of the past; we recommend at least 12 characters. What about special character substitutions? Substituting @ for a, 3 for e, $ for s, etc. does not add nearly as much security as you may think. Password cracking programs are smart and will automatically test these substitutions during dictionary attacks. Remember, use a longer, easier-to-remember password over a shorter, difficult-to-remember, *complex* password. (YouWillnvrGuessThis$ecret > C0mp!3x1tY)
- Misspell or combine words: This is one of the most effective yet often overlooked strategies. Dictionary attacks and rainbow tables are almost completely defeated by simply misspelling your passwords! Take off your thinking cap and get creative! ILuvMieJawb is much more secure than TY7^*je^o!. Another strategy is to take an easily remembered phrase such as “I promise to have a secure password, that I change regularly” and use the first letter of each word to create a password: IpTha$p,t1cR.
- Change your password regularly: An unfortunate reality of our networked world is that your password is probably available somewhere, in encrypted form or cleartext. This is a simple fact we must live with: while it may take months to break your well-crafted password, it will be broken eventually. To counteract this, be sure to change your password regularly. Standard best practice is to change your password every 90 days.
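To make the attack methods above and the "length over complexity" advice concrete, here is an added Python example (not code from the original article) that scores a candidate password by the cheapest attack that would defeat it: it undoes the common character substitutions that cracking rule sets apply automatically and looks the result up in a constructed mini wordlist, and otherwise estimates the brute-force keyspace. The wordlist and the guess rate of 10 billion per second are assumptions for illustration, not measured figures.

```python
import itertools
import string

# Constructed mini wordlist standing in for a real cracking dictionary (assumption).
WORDLIST = {"password", "secret", "complexity", "iloveyou", "letmein", "guess"}

# Substitutions that cracking rule sets try automatically. Some symbols stand
# for more than one letter ("!" and "1" for i or l), so every combination is expanded.
LEET = {"@": "a", "4": "a", "3": "e", "!": "il", "1": "il", "|": "il",
        "0": "o", "$": "s", "5": "s", "7": "t", "+": "t"}

def leet_variants(pw, limit=100_000):
    """Yield the plain-letter spellings this password could be a substitution of.

    The expansion is exponential in the number of ambiguous symbols, so it is capped.
    """
    options = [LEET.get(c, c) for c in pw.lower()]
    for combo in itertools.islice(itertools.product(*options), limit):
        yield "".join(combo)

def dictionary_word(pw, wordlist=WORDLIST):
    """Return the wordlist entry a rule-based dictionary attack would recover, or None."""
    for candidate in leet_variants(pw):
        if candidate in wordlist:
            return candidate
    return None

def charset_size(pw):
    """Size of the alphabet a brute-force attack must cover for this password."""
    classes = [(str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
               (lambda c: c in string.punctuation, len(string.punctuation))]
    return sum(n for test, n in classes if any(test(c) for c in pw))

def brute_force_days(pw, guesses_per_second=1e10):
    """Days to exhaust the keyspace at an assumed guess rate (1e10/s is a placeholder)."""
    return charset_size(pw) ** len(pw) / guesses_per_second / 86400

def assess(pw):
    """Classify a candidate password by the cheapest attack that defeats it."""
    word = dictionary_word(pw)
    if word is not None:
        return f"dictionary: substitutions undo to '{word}'"
    days = brute_force_days(pw)
    if days < 30:
        return f"brute force: keyspace exhausted in about {days:.1f} days"
    return f"resists: brute force would take about {days / 365:.0f} years"

if __name__ == "__main__":
    for pw in ["C0mp!3x1tY", "P@ssw0rd", "Aa1!Aa1!", "ILuvMieJawb", "YouWillnvrGuessThis$ecret"]:
        print(f"{pw:28} {assess(pw)}")
```

Note that C0mp!3x1tY, for all its symbols, falls to the dictionary pass, while the misspelled ILuvMieJawb never matches a word and is left to brute force.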
Hopefully you have learned a few new things about cracking and creating secure passwords. It is your responsibility to own it, secure it, and protect it!