Strong Passwords

When most people think of cybersecurity, they think of high-end networking equipment and a team of technology experts locking down complicated systems. It’s easy to get carried away with everyday life and assume that your cybersecurity team has your network locked down. However, cybersecurity starts with you and is something you do every day when you type a password or check your email.

Strong passwords are the easiest way to strengthen your cybersecurity, but this is where most people are the weakest. With modern technology, computing devices come in many different forms. In a single day you might use a desktop, a laptop, a smartphone, a music player and a tablet, all holding account information connected to your bank or other sensitive systems. Every machine you use daily is vulnerable to misuse by unauthorized attackers, which is why you need a strong password to protect your personal information. A strong password could save you and your business substantial money.

How do you create a strong password?

  1. A strong password must be something that you can remember.

    A strong password instantly becomes a vulnerable password once you write it down, so pick something you can remember. One way to do this is to take a phrase or sentence and shorten it, picking a few words that keep the sentence coherent to you. An example would be “Please excuse my dear aunt sally”, which could be turned into “sallydearexcuseplease”. This breaks up the typical sentence structure while keeping a lengthy, easy-to-remember password.

  2. A strong password must be long enough to prevent attacks.

    The length requirement of your password depends on the security of your systems and the sensitivity of your information. This is a complicated topic, but it can be simplified by keeping all of your passwords long enough for most use scenarios. Our password “sallydearexcuseplease” already meets this criterion.

  3. A strong password has upper-case, symbols and numbers.

    Mixing uppercase and lowercase letters and symbols can help create a strong password and can help you remember the password better. We’ll use the same example again but add some uppercase letters and a symbol: “SallyDearExcusePlease@”. This time we capitalized the beginning of every word and added an @ symbol at the end to lengthen and strengthen the password.

  4. A strong password isn’t about you.

    This might sound self-explanatory, but you’d be surprised how many people break this rule. “MyNameIsJohn!” is an obvious password since my name is, in fact, John. This is no different from using the street you live on, your birthday, or the names of your children. These are all easily obtained pieces of information.

Following these four simple rules will take you a long way towards being secure in today’s connected world. Take a moment, look at your surroundings, pick something memorable, and create a phrase-based password like our example. Add a few symbols and follow our rules to see what you come up with. If you’d like, you can even send us the example password you created and we will let you know how well you did for the exercise. Stay safe, stay aware, and keep those passwords strong!

-John

This applies only to example and test passwords. Never send anyone your real passwords!

How Passwords Are Hacked

Learning to create a strong password is essential for keeping your information secure, and understanding how passwords are hacked will help you create better passwords in the future. Hollywood likes to paint the hacker in a specific way: sitting in front of a wall of monitors with code streaming down the screens as they “hack” their way into a system. Although it makes for a suspenseful movie scene, real password hacks are much different. Real-life hackers use sophisticated software to help them gain access to your sensitive data. Let’s cover some of the more common ways your password could be compromised.

Rainbow tables, or lookup tables, are data files containing pre-hashed common passwords, and they are one way hackers will try to get your sensitive information. Computer systems that require password authentication have password databases that store passwords either as plain text or as hashes. It goes without saying that storing passwords in plain text would be a huge security flaw, so most databases store cryptographic hashes. If a hacker can get a list of hashed passwords, then the weaker passwords will produce hashes that are already in the table and therefore easier to crack. Creating a strong password with extended length helps against rainbow table attacks, as does system administrators using strong hashing functions.
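The lookup-table idea above, and the administrator-side defence the paragraph mentions, as an added example that is not from the original post. The five “common” passwords are constructed, and PBKDF2-HMAC-SHA256 with a per-user salt is an assumed choice of strong hashing function; the page does not name one.

```python
import hashlib
import hmac

# Constructed stand-in for the "common passwords" a lookup table is precomputed from.
COMMON = ["123456", "password", "qwerty", "letmein", "Pa$$word"]

def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password: the storage style a lookup table defeats."""
    return hashlib.sha256(password.encode()).hexdigest()

def build_lookup_table(words) -> dict:
    """Precompute hash -> password once; each leaked unsalted hash then costs one dictionary lookup."""
    return {unsalted_hash(w): w for w in words}

def lookup(table: dict, stored_hash: str):
    """Instant recovery when the hash is in the table, None otherwise."""
    return table.get(stored_hash)

def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256, an assumed choice).
    The salt means no table can be precomputed; the iterations make every guess expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()

def verify(password: str, salt: bytes, stored: str) -> bool:
    """Recompute the salted hash and compare in constant time."""
    return hmac.compare_digest(salted_hash(password, salt), stored)

if __name__ == "__main__":
    table = build_lookup_table(COMMON)
    leaked = unsalted_hash("password")             # what an unsalted password database would hold
    print("unsalted:", lookup(table, leaked))      # -> 'password'
    salt = b"16 random bytes!"                     # constructed; use os.urandom(16) for real
    stored = salted_hash("password", salt)
    print("salted in table?", lookup(table, stored) is not None)  # -> False
    print("verify:", verify("password", salt, stored))            # -> True
```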

Brute force attacks are a common method of attack in which an attacker uses a software application to decode encrypted data such as passwords. This is a trial-and-error method that proceeds through all the possible combinations of legal characters in sequence to come up with your password. Brute force attacks commonly use tools that automatically guess combinations of usernames and passwords, and most brute force attacks have a list of commonly used passwords that they will try first. At its core, though, the most basic form of a brute force attack is an exhaustive key search over lowercase letters, uppercase letters, numbers and special characters. This tries every possible combination of characters until the correct solution is found.

Dictionary attacks are a form of brute force attack that uses words from the dictionary to try to guess your password. Dictionary attacks can include every word in the dictionary, but it is more common to use words the attacker thinks are likely to be successful. These can include commonly used password lists, common names, sports teams, popular TV shows or characters, and popular pet names. If someone is suspected to be a fan of a specific sports team, the attacker may use a tool to grab the names of the players, coaches, and other words associated with that team and use those in a custom dictionary to help them unlock the password.

Understanding Entropy

Entropy, when dealing with passwords, is a term used to describe the strength of your password, or how difficult it is to hack with various types of password attacks. The entropy of a password is calculated by a mathematical formula to determine its strength. Some of the factors that determine a password’s entropy are the length of the password, the character set used, and the unpredictability of the password. Let’s get into these in a little more depth to understand why entropy is important for passwords.

The length of the password is a major factor and directly correlates with the strength of the password. Most online applications in the past have required an 8-character minimum for password length, and most websites advertise an 8-character minimum as the standard. While this has kind of worked in the past, the standards of password security today should be higher. Given that the length of the password helps determine its entropy, the standard minimum should be 12 characters or longer. You can think of creating a longer password as putting extra padlocks on the door to your information. The longer the password, the more entropy it should have. Though as we stated above, length isn’t the only thing that determines the entropy of a password.

Using different character sets also plays into the entropy of a password. Most online applications these days require at least one uppercase letter, one lowercase letter and a number to create an acceptable password. The reason isn’t just to make it harder for you to remember; it’s to increase the entropy of the password and make it harder for various password attacks to work. One way the formula determines entropy is by taking the number of available characters in the character set (expressed as bits per character) and multiplying that by the length of the password. If you are only using lowercase letters, then the character set is 26, and if you add an uppercase letter then the character set jumps to 52. An example of this would be using “password” as your password. This is only using a character set of 26 characters because it is only using lowercase letters. If we used “Password” instead, the character set increases to 52 because we’ve added an uppercase letter into the mix. Adding special characters will increase the character set even further and strengthen the entropy of a password if done correctly.

The last thing I want to cover is the unpredictability, or randomness, of the password. A common thing people do when creating a password is to substitute special characters for letters. Let’s use our example password above and change some letters into special characters to try to increase the entropy. Now instead of “Password” we’ll use “Pa$$word”, replacing the two s’s with dollar signs to spell the word password with special characters. You might think that since we’ve added an uppercase letter and special characters to password, its entropy would have increased significantly, but you would be wrong. The reason is that this is a predictable password. Adding special characters into words is not enough these days, and hackers typically already have words with these special characters added in their dictionary lists. You should be as random as possible with your word and character choices. Misspelling words on purpose and adding words that aren’t in the dictionary but mean something to you could save the information you are trying to protect and increase the entropy of your password.
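The four rules from the first section and the entropy discussion above, worked through as an added example that is not code from the original post. It scores the post’s own passwords with the standard length × log2(character set) estimate and then shows why “Pa$$word” still fails: the 32-character symbol pool, the tiny wordlist and the leetspeak map are constructed assumptions, and the 12-character minimum is the one this section recommends.

```python
import math
import re

# Character-class sizes as the page counts them: 26 lowercase, 26 uppercase, 10 digits.
# 32 for symbols is an assumption (printable ASCII punctuation), not a figure from the page.
CLASSES = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 32)]

# Constructed stand-in for an attacker's wordlist; real lists hold millions of entries.
COMMON_WORDS = {"password", "welcome", "letmein", "summer", "sally"}

# Letter-for-symbol swaps that cracking wordlists already cover, so they add little strength.
LEET = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "i", "3": "e", "!": "i"})

def charset_size(pw: str) -> int:
    """Pool size implied by the character classes actually present in pw."""
    return sum(size for pattern, size in CLASSES if re.search(pattern, pw))

def naive_entropy_bits(pw: str) -> float:
    """Standard estimate, length x log2(charset size); blind to predictability."""
    n = charset_size(pw)
    return len(pw) * math.log2(n) if n else 0.0

def is_predictable(pw: str) -> bool:
    """True when undoing case and leetspeak collapses pw to a wordlist entry."""
    stripped = re.sub(r"[^a-z]", "", pw.translate(LEET).lower())
    return stripped in COMMON_WORDS

def assess(pw: str, personal_info=()) -> dict:
    """Rules 2-4 from the post plus the entropy estimate; rule 1 (memorable) is on you."""
    lowered = pw.lower()
    return {
        "entropy_bits": round(naive_entropy_bits(pw), 1),
        "long_enough": len(pw) >= 12,  # the 12-character minimum the entropy section recommends
        "has_upper": bool(re.search(r"[A-Z]", pw)),
        "has_digit": bool(re.search(r"[0-9]", pw)),
        "has_symbol": bool(re.search(r"[^A-Za-z0-9]", pw)),
        "personal": any(info.lower() in lowered for info in personal_info),
        "predictable": is_predictable(pw),
    }

if __name__ == "__main__":
    for pw in ("password", "Pa$$word", "MyNameIsJohn!", "SallyDearExcusePlease@"):
        print(f"{pw:24} {assess(pw, personal_info=['John'])}")
```

“Pa$$word” scores about 51 bits by the naive formula, more than “password” at 37.6, yet it normalizes straight back to a wordlist entry; the passphrase scores far higher and does not.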


*Disclaimer: Do not check your personal passwords in online password checkers.