Today we tackle the biggest quagmire known to mankind since its inception. No, I’m not talking about why Jimmy cracked corn, nor why we don’t care (we’re still investigating that one), I’m referring to p24Sw)rd$ (passwords).
Passwords have quickly become the bane of our existence, with many spending sleepless nights (there is no actual data to support this claim) wondering:
- Are their passwords secure enough?
- Are they too common?
- Complexity vs length – Which is more important?
- Letters, numbers, special characters – Which should we use? How do we combine them?
- And the most asked question of all: after creating a complex, lengthy password filled with the perfect combination of letters, numbers, and special characters, how do I remember it?
The following is a synopsis of why passwords are important, how they are compromised, and how to secure them.
Passwords are the most common method used to protect data and personal information. Properly formulated passwords can help protect us from a plethora of threats. Passwords should never be shared (especially in a corporate environment) and should be stored safely.
The 2022 Verizon Data Breach Investigations Report states that some 80% of successful cyber-attacks worldwide are because of weak, insecure, easy-to-guess passwords.
Passwords are considered weak when they:
- Use default words, e.g., password
- Use double words, e.g., passwordpassword
- Use common phrases, e.g., iloveyou (the 43rd most common password worldwide).
- Use PII (Personally Identifiable Information), e.g., 09171980 (a birthdate, which can be easily found online).
- Use simple obfuscation, e.g., Gr3@+
- Use numerical or keyboard sequences, e.g., 123456 or qwerty
NordPass lists the 10 most popular passwords (worldwide) as:
- password (4,929,113 accounts)
- 123456 (1,523,537 accounts)
- 123456789 (413,056 accounts)
- guest (376,417 accounts)
- qwerty (309,679 accounts)
- 12345678 (284,946 accounts)
- 111111 (229,047 accounts)
- 12345 (188,602 accounts)
- col123456 (140,505 accounts)
- 123123 (127,762 accounts)
The top 10 passwords take an average of 3.9 seconds to be cracked, with eight of those taking only 1 second each to be cracked.
How Are Passwords Compromised
How do threat actors hack passwords? The most common methods are:
- Credential Stuffing – Hackers steal user credentials from websites with weak security and then use certain tools to test these credentials against other sites to see if the user is reusing credentials.
- Phishing, Vishing – Hackers try to trick users into divulging their passwords using emails, texts, phone calls.
- Password Spraying – Almost the same as Credential Stuffing, but in this case the hackers mostly use tools to attempt to log into your account using passwords from the top 100 passwords list.
- Key Logger Attack – Malware gets installed on your devices to track keystrokes and record your passwords as you type them.
- Local Discovery – Finding them on sticky notes or notepads at your desk.
- Shoulder surfing – Hackers look for vulnerable users in public places and watch as they type their passwords, enter their PINs, etc.
- Social Engineering – mostly involves tricking people into handing over their passwords but may also involve gaining direct access to your accounts using other methods.
- Network Interception – Intercepting them as they are transmitted over a network.
- Brute Force – Done via automation, where hackers use tools such as Aircrack-ng, DaveGrohl, or John the Ripper that in turn use either dictionary or pass-the-hash attacks to hack passwords.
- Dictionary Attacks – The hackers use the hacking tool to try every known dictionary word as your password. This takes just a few seconds.
- Pass-the-Hash – Hackers acquire the hash of plaintext passwords and use their hacking tools to try to pass it through for authentication and access to other systems without decrypting the hash.
- SIM Hacking – Hackers activate your cellphone number onto a card that they possess.
With all the threats out there, there are still some effective ways to protect your passwords from being compromised, such as:
- Create complex passwords – Use a mixture of letters, numbers, and symbols for your passwords as shown in the following example:
- Create a sentence or phrase, e.g., jimmy crack corn
- Remove the spaces or replace them with underscores or dashes, e.g., jimmycrackcorn or jimmy_crack-corn
- Change some letter cases using capitalization e.g., jImmY_crAck-Corn
- Replace some of the letters with numbers and special characters, e.g., j!mmY_crAck-C0rn79
- This creates a complex yet memorable (for you) password.
- Use a minimum of 12 characters for passwords.
- Change your passwords regularly (every four months is recommended).
- Do not share your passwords.
- Do not reuse passwords.
- Do not store passwords on sticky notes, or notepads in your work area.
- Use Multi-Factor Authentication (MFA) when available. Examples of MFA are:
- Password and text/phone call verification combination.
- Password and app combination.
- Fingerprint and text/phone call verification combination.
- Check if your email address has been compromised using reputable sites that provide this service.
- If your email address is listed change the password immediately and research other authentication methods for logging into your email account(s).
- Use a reputable Endpoint Protection/Antivirus product such as CrowdStrike to protect your devices from malware such as keyloggers.
- Use a VPN (Virtual Private Network) especially when using public Wi-Fi (which I never recommend doing unless you have absolutely no other option).
- Use a reputable, effective password manager, e.g., 1Password, LastPass, Dashlane, Bitwarden, etc. Password managers also have the option to create long, complex passwords for you, and most will perform various tests on the security of your passwords. Using a password manager means that you can easily have a different complex password for each login while only having to remember one password (the one for the password manager). Most also offer MFA for added security, and I would recommend changing the password for your manager at least three times per year.
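As an added example (not code from the original post), the following Python check encodes the weak-password criteria listed earlier in this post (default and common words, doubled words, date-like PII, simple obfuscation, numeric or keyboard sequences) together with the construction advice above (at least 12 characters, a mix of letters, numbers, and symbols), and runs it against the post's own sample strings. The common-password set is the NordPass top 10 quoted above plus the other examples the post names; the dictionary set, the reason strings, and all function names are my own constructed stand-ins, and a real deployment would screen against a full breached-password list instead.

```python
import re
from typing import List

# Constructed from the post's lists: NordPass top 10 plus "iloveyou".
# Stand-in for a real breached-password list.
COMMON_PASSWORDS = {
    "password", "123456", "123456789", "guest", "qwerty", "12345678",
    "111111", "12345", "col123456", "123123", "iloveyou",
}

# Constructed mini-dictionary used to catch simple obfuscation (Gr3@+ -> great).
DICTIONARY_WORDS = {"password", "great", "welcome", "letmein", "admin", "love"}

# Common character substitutions to undo before dictionary lookup (assumed mapping).
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i", "0": "o",
    "$": "s", "5": "s", "+": "t", "7": "t",
})

KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "0123456789"]
MIN_LENGTH = 12  # the post's recommended minimum


def normalize(pw: str) -> str:
    """Lower-case the password and undo leetspeak-style substitutions."""
    return pw.lower().translate(LEET_MAP)


def is_doubled(pw: str) -> bool:
    """True when the password is one string repeated twice (passwordpassword)."""
    n = len(pw)
    return n >= 2 and n % 2 == 0 and pw[: n // 2] == pw[n // 2:]


def is_sequence(pw: str) -> bool:
    """True when the whole password runs along a keyboard row or the digits,
    in either direction (qwerty, 123456, 654321)."""
    low = pw.lower()
    if len(low) < 3:
        return False
    return any(low in row or low in row[::-1] for row in KEYBOARD_ROWS)


def looks_like_date(pw: str) -> bool:
    """Eight digits that parse as MMDDYYYY or DDMMYYYY, e.g. a birthdate."""
    if not re.fullmatch(r"\d{8}", pw):
        return False
    a, b, year = int(pw[:2]), int(pw[2:4]), int(pw[4:])
    if not 1900 <= year <= 2099:
        return False
    return (1 <= a <= 12 and 1 <= b <= 31) or (1 <= a <= 31 and 1 <= b <= 12)


def weaknesses(pw: str) -> List[str]:
    """Return every policy violation found; an empty list means the password
    passes the checks described in the post."""
    reasons = []
    low = pw.lower()
    if len(pw) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    if low in COMMON_PASSWORDS:
        reasons.append("on the common-password list")
    if is_doubled(low):
        reasons.append("a doubled word")
    if is_sequence(low):
        reasons.append("a numeric or keyboard sequence")
    if looks_like_date(pw):
        reasons.append("looks like a date (possible PII)")
    norm = normalize(pw)
    if norm != low and (norm in DICTIONARY_WORDS or norm in COMMON_PASSWORDS):
        reasons.append("simple obfuscation of a dictionary word")
    # The post's construction advice: letters, numbers and symbols together.
    if not re.search(r"[A-Za-z]", pw):
        reasons.append("no letters")
    if not re.search(r"\d", pw):
        reasons.append("no digits")
    if not re.search(r"[^A-Za-z0-9]", pw):
        reasons.append("no symbols")
    return reasons


if __name__ == "__main__":
    # The post's own examples, weakest to strongest.
    for sample in ["123456", "passwordpassword", "Gr3@+", "09171980",
                   "jimmy_crack-corn", "jImmY_crAck-Corn", "j!mmY_crAck-C0rn79"]:
        print("%-20s %s" % (sample, weaknesses(sample) or "OK"))
```

Running the block shows each of the post's intermediate steps failing for exactly the reason the next step fixes (the lowercase phrase lacks digits and uppercase, the capitalized version still lacks digits) and the final j!mmY_crAck-C0rn79 passing. A check like this belongs at account-creation or password-change time, as a complement to a breached-password lookup rather than a replacement for one.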
With all this being said, there is hope for those who would prefer alternate methods of verification and authentication. Passwords may soon become a thing of the past as more developers and applications are seeking easier, more secure methods for verification.
Associations such as the FIDO (Fast Identity Online) Alliance have been developing and promoting alternatives to passwords since 2013. Their stated mission is to develop authentication standards that help reduce the world’s over-reliance on passwords, with the mantra "Simpler, Stronger Authentication. Solving the World’s Password Problem."
FIDO supports a full range of authentication technologies, including biometrics such as fingerprint and iris scanners, voice and facial recognition, as well as existing solutions and communication standards such as Trusted Platform Modules (TPM), USB security tokens, embedded Secure Elements (eSE), Smart Cards, and Near Field Communication (NFC). We can see this manifested in examples such as Windows Hello, versions of Alexa and Siri, Iris scanners on our phones, etc.
Will organizations such as the FIDO Alliance make authentication more secure by not using passwords, or will these methods prove easier to compromise? Only time will tell…
Here at WTG, we take security very seriously and are always happy to share our vast knowledge with our customers. If you would like to learn how WTG can better equip your environment to combat security threats, please contact your WTG Account Executive today!