If you pay any attention to your IT team, your security team or talking heads discussing the latest breach, you’ve more than likely heard that you need make sure you are using “strong passwords”. But what exactly does that mean and why does it matter?
What’s the big deal with using weak passwords?
1. To answer that question, let’s consider two recent scenarios with password guessing:One of our clients at FRSecure conducts password cracking exercises periodically on his network. Basically what this means is we run a program (with his authorization) and our program tries to figure out what people’s passwords are. (This is one method an attacker might take when trying to gain access to your network.) Moments after we started the scan, his monitoring system alerted him to the activity, which is awesome. A big part of information security is detecting when something is going wrong. What isn’t as awesome is that even though my client was at his desk when the attack started and could have been able to respond within a matter of minutes (shut down the password cracking tool), our tool successfully cracked 10 active account passwords within the first 10 SECONDS! These passwords were surprisingly similar to the top 5 most common passwords listed below and very easy for the password cracker to guess. It’s important to realize that it only takes one set of user credentials to get into a network.
2. Most of you have heard stories of a friend or co-worker having their account hacked. I have a friend who used to pride herself on her ability to guess her love interests’ passwords and gain access into their email accounts. The trick? Most people use information related to them to create their passwords. Even some of the most powerful world leaders do this. (link to: http://pando.com/2015/03/20/exclusive-interview-jailed-hacker-guccifer-boasts-i-used-to-read-hillarys-memos-for-six-seven-hours-and-then-do-the-gardening/) Attackers know this too. So, while this method of guessing passwords requires a bit more up-front effort than the password cracking tool, if an attacker knows who his target is, he will often be very successful. (we often refer to this as social engineering link to: https://frsecure.com/services/social-engineering/)
The take-away? We need stronger passwords.
Even as of 2014, the top 5 most common passwords were:
They ARE easy to remember, but not at all what could be considered secure.
And what IS a strong password?
Most resources that require you to create a password will put some parameters around how it should be built to try to make it stronger. These are things like number of characters (should be a minimum of 8) and the use of numbers and special characters (123!@#). The problem is that under that criteria alone, Spring2015! is a perfect password.
Except it isn’t.
Password crackers and smart attackers know to test common password builds and crackers will even run entire lists of words found in a dictionary to try to guess passwords, so you have to consider this.
A strong password is one that, in addition to the criteria listed, is not easily guessed. A strong password does not contain information about you or the ones close to you (i.e. your son’s name and year of birth – information that is likely readily available on Facebook). A strong password is one that doesn’t use words found in a dictionary (yes, that’s right). BUT – a strong password also has to be one you can remember or easily manage.
We’ve talked before about the value of password managers (link to: https://frsecure.com/blog/how-to-remember-passwords-without-using-sticky-notes/) and I strongly encourage everyone to use these, but even with a password manager you have to have one really strong password to manage the rest.
My recommendation for creating strong passwords is two-fold:
1. Use Passphrases: a passphrase is a sequence of words that you turn into your password. You essentially take the first letter of each word and jumble it together to create a non-word password. I’m a fan of book passages and song lyrics because they give me a chance to memorize things I enjoy. An example:
But you can see that Icbdtsotmit, while now easy to remember yet not a dictionary word, does not meet the full requirements of a strong password, which leads to:
2. Use transposition and substitution: this is basically take the letters and replacing them with numbers and characters. To continue my example:
and be turned into…
(I made these changes: the word “shape” = ^; “time” = $ (because time is money); capitalized “B” from Barely and “M” from Moment (because they are emphasized in the song); replaced the “o” with the number 0; replaced the “I” with the number 1 – and voila! Super strong password)
Have fun with this and develop your own common substitutions. Think of this as brain exercises – and maybe give your IT team a High Five next time you see them for thinking of your well-being instead of the stink-eye for making you have to change your password again.
Strong passwords are within your reach. It is in your best interest to use them both personally and professionally.