A thing or two about passwords

Remacle Jean-Claude
7 minutes
2022-09-14
what is
nice to know
security

A password here, a password there: these days you need a password almost everywhere.

Experience has taught us that it's not a good idea to use the same password for all your accounts on all those different websites, and that you should always use a strong password.

The stronger the password, the better your data is protected.

What most people think is that the harder a password is to crack, the harder it is to remember.

But did you know that you can create very strong passwords that are also easy to remember?

No, I'm not kidding: you can create a strong password that will stand up to brute force and dictionary attacks.

How does a password get hacked?

Before we can create a strong but easy-to-remember password, we first need to know a bit about how cybercriminals get hold of passwords.

Cybercriminals have several tactics for password hacking:

  • buy your password on the dark web
  • brute force attacks
  • dictionary attacks
  • phishing

Buy a password on the dark web

The easiest way for a cybercriminal to get your password is simply to buy it on the dark web.

People earn a lot of money buying and selling login credentials and passwords on the dark web: every data breach feeds new lists of usernames and passwords into that market.

And there is a good chance that your current password is already for sale, especially if you have been using the same password for many years.

The best way to defend against this is to never reuse a password across sites, so that a leaked one only opens a single account, and to change any password you suspect has leaked. Changing your passwords on a regular basis limits how long a stolen one stays useful.

Brute force attacks

A brute force attack tries to guess your password by trying every combination of symbols, numbers and letters until it finds the right one.

Automated software tries as many combinations as possible in a very short time.

Just to give you an example of speed: a 25-GPU cluster has been shown to try 350 billion guesses per second against fast, unsalted password hashes (the published figure was for NTLM). At that rate any 8-character password, even one drawn from all 95 printable characters, can be cracked in under 6 hours (95^8 is about 6.6 quadrillion combinations). Two caveats: that speed assumes the attacker has stolen the hashed password database and is cracking it offline, and it drops by many orders of magnitude for slow hashes like bcrypt or for guessing directly against a login form that locks out after a few attempts.

If we learn one thing from brute force attacks, it is that the length of the password matters most: every extra character multiplies the attacker's work by the size of the alphabet.

The longer, the better.
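To make the length argument concrete, here is a small calculator, added to this article as an example and not part of the original text. It takes the 350 billion guesses per second quoted above as its rate (an assumption carried over from the article; slower hashes or online guessing give far lower rates) and works out how long an exhaustive search takes for different alphabet sizes and lengths. The comparison shows why length beats complexity: 12 lowercase letters give more bits than 8 characters drawn from all 95 printable ones.

```python
import math

# Rate the article quotes for a 25-GPU cracking cluster (assumption carried
# over from the text). It applies to an offline attack on a database of fast,
# unsalted hashes; a slow hash (bcrypt, scrypt, Argon2) or an online login
# form with lockout is many orders of magnitude slower, so this is a worst case.
ARTICLE_RATE = 350e9  # guesses per second

# Alphabet sizes: digits, lowercase letters, mixed-case letters plus digits,
# and the 95 printable ASCII characters.
CHARSETS = {"digits": 10, "lowercase": 26, "alnum": 62, "printable": 95}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates an exhaustive search has to try in the worst case."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """log2 of the keyspace; every extra bit doubles the attacker's work."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size: int, length: int, rate: float = ARTICLE_RATE) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return keyspace(alphabet_size, length) / rate


def human_time(seconds: float) -> str:
    """Render a duration in the largest unit that gives a value of at least 1."""
    for name, size in (("years", SECONDS_PER_YEAR), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


def strength_table(lengths=(8, 10, 12, 16), rate: float = ARTICLE_RATE) -> dict:
    """Map (charset name, length) -> (entropy bits, worst-case seconds to exhaust)."""
    return {
        (name, n): (entropy_bits(size, n), seconds_to_exhaust(size, n, rate))
        for name, size in CHARSETS.items()
        for n in lengths
    }


if __name__ == "__main__":
    print(f"{'charset':<10}{'length':>7}{'bits':>8}  worst-case time at {ARTICLE_RATE:.0e} guesses/s")
    for (name, n), (bits, secs) in strength_table().items():
        print(f"{name:<10}{n:>7}{bits:>8.1f}  {human_time(secs)}")
```

Run it and compare the rows: 8 printable characters fall in about 5 hours at this rate, 10 take years and 12 take tens of thousands of years, while 12 plain lowercase letters already beat the 8-character "complex" password.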

Dictionary attacks

Dictionary attack: the name already says it. It's an attack with a dictionary.

The cybercriminal tries to crack your password with a prearranged list of words, just like a dictionary. In practice the "dictionary" is a wordlist of real passwords from earlier breaches, plus rules that try the usual variations of each entry (capital first letter, a digit or "!" at the end, "0" for "o"), so it covers far more than the words of your language.

What can we learn from this method of password cracking?
Never use a single regular word that you can find in a dictionary, even with a number or symbol tacked on.

If you want to use regular words, then use a passphrase made of multiple words.
For example: "TheLionIsKingOfTheJungle".

A passphrase of several words defeats most dictionary attacks, as long as it is not a well-known quote or saying that an attacker can put in a list too; unrelated words work best.
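To see what a dictionary attack with rules actually does, here is a toy offline cracker, added to this article as an example (not the author's code). The wordlist, rule set, suffixes and victim passwords are all constructed for the demonstration and stand in for the far larger lists a real attack uses; the hashes are unsalted SHA-256, standing in for whatever fast hash a leaked database might use. It recovers the single-word passwords, including the one with "clever" substitutions, and the two-word combination, but never reaches the six-word phrase.

```python
import hashlib
import itertools

# Constructed stand-in for a real cracking wordlist (which would hold millions
# of words and previously leaked passwords).
WORDLIST = ["password", "welcome", "dragon", "summer", "lion", "jungle", "spider", "water"]

# The common substitutions the article warns about; every cracking rule set knows them.
LEET = str.maketrans({"a": "@", "e": "3", "i": "!", "o": "0", "s": "$"})

# Suffixes people habitually append; constructed, a real rule set has thousands.
SUFFIXES = ("", "1", "123", "!", "2022", "1!")


def sha256_hex(text: str) -> str:
    """Unsalted SHA-256, standing in for whatever fast hash the leaked database used."""
    return hashlib.sha256(text.encode()).hexdigest()


def mangle(word: str):
    """Yield the variants a small rule set derives from one base word."""
    leet_word = word.translate(LEET)
    bases = (word, word.capitalize(), word.upper(), leet_word, leet_word.capitalize())
    for base in dict.fromkeys(bases):  # de-duplicate while keeping order
        for suffix in SUFFIXES:
            yield base + suffix


def candidates(wordlist):
    """Single words with rules applied, then every ordered pair of two words
    (a 'combinator' attack) in plain and Capitalised form."""
    for word in wordlist:
        yield from mangle(word)
    for first, second in itertools.permutations(wordlist, 2):
        yield first + second
        yield first.capitalize() + second.capitalize()


def crack(target_hashes: set, wordlist) -> dict:
    """Return {hash: plaintext} for every target hash matched by a candidate."""
    found = {}
    for guess in candidates(wordlist):
        digest = sha256_hex(guess)
        if digest in target_hashes and digest not in found:
            found[digest] = guess
        if len(found) == len(target_hashes):
            break
    return found


# Constructed victims: three follow patterns the rules cover, the fourth is a
# six-word phrase this rule set never reaches.
TARGETS = ["P@$$w0rd!", "Dragon123", "LionJungle", "TheLionIsKingOfTheJungle"]


def demo() -> dict:
    """Return {target plaintext: True if recovered, False otherwise}."""
    hashes = {sha256_hex(t): t for t in TARGETS}
    found = crack(set(hashes), WORDLIST)
    return {plain: digest in found for digest, plain in hashes.items()}


if __name__ == "__main__":
    for plain, cracked in demo().items():
        print(f"{plain:<26} {'CRACKED' if cracked else 'not found'}")
```

Fewer than 400 candidates are enough to recover three of the four constructed passwords. Note that "P@$$w0rd!" falls as easily as "password": the substitutions only add a handful of rules, not a handful of bits.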

Phishing

Phishing is a "social" attack where cybercriminals try to trick, intimidate or pressure you into unwittingly doing what they want.

The most common phishing tactic is the fake mail.

For example, you get a (fake) mail from your credit card company telling you that there is something wrong with your account and that you need to log in. You click on the link in the mail and land on a (fake) website that looks and feels like the real one, and as soon as you log in, they have your credentials.

Another common phishing tactic is the fake phone call.

This way they try to get as much information as possible, including your password, by asking you a few questions.

Example:
They call to tell you that you have won a large sum of money and that they need some bank details (card number, CVC/CVV code, PIN code) so that they can pay it out.

And last but not least, there is the simple conversation: at the office, in a bar or even just on the street.

Example:
A (fake) new co-worker starts a conversation with you and, little by little, asks for more personal details.
This tactic is usually spread over multiple conversations, depending on what type of information they are after.

So what is the best way to defend yourself against this attack?

  • Always check the URL of the website to make sure it's the real address of that company when you click on a link in a mail. Better still, don't use the link at all: open the site from a bookmark or by typing the address yourself.
  • Never give login credentials over the phone. No legitimate bank or company will ask for your password or PIN code.
  • Never give out critical information during a conversation.

Simply put: don't fall for it.

Building a strong password

Ok, now we know how passwords can be hacked or cracked.

Now all we have to do is ask ourselves the following questions when choosing a new password:

  • is this a unique password
  • can it be cracked with a brute force attack
  • can it be cracked with a dictionary attack

Make every password as unique as possible

The best thing to start with is to stay as far away as possible from the most obvious passwords and from sequential numbers or letters.

And for the love of all strong passwords, never use "password" as a password :)

Instead, come up with a unique password that doesn't include any personal info like your name or date of birth. If you are targeted personally by a cybercriminal, he will first dig up every bit of personal info he can find and throw it into the mix when cracking your password. Unique also means unique per account: a password that is strong but reused is only as safe as the weakest site you used it on.

Can my password be cracked with a brute force attack

Follow these steps to stay one step ahead of cybercriminals who use brute force attacks to crack your password:

  • Make it long
    This is the most critical factor for choosing a strong password. Never choose a password shorter than 10 characters, and go longer whenever the site allows it. The more characters, the stronger it will be.
  • Throw it in the mix
    Use letters (upper- and lower-case), numbers and symbols. The more varied your password, the larger the alphabet an attacker has to search.
  • Avoid common substitutions
    Don't use common substitutions like a "0" for an "o" or a "3" for an "e". Cracking tools try those swaps automatically, so "passw0rd" is no safer than "password".
  • Never use memorable keyboard paths
    Just like the advice about never using sequential letters and numbers, the same goes for sequential keyboard paths. The most common are "azerty", "qwerty" and "12345", and cracking tools can generate longer keyboard walks too.

Can my password be cracked with a dictionary attack

The key to keeping your password strong against a dictionary attack is very simple.

Stay away from single words that can be found in a dictionary.

A password made of multiple words will definitely make it much harder for a cybercriminal, because the attacker then has to guess which words you combined and in which order, not just which one word you picked.
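The three questions above, plus the rules from the two checklists, can be turned into a simple checker. The code below is an added example, not the author's; the common-word list and keyboard sequences are constructed stand-ins, the minimum of 10 characters is the article's, and the requirement of at least 3 of 4 character classes is a threshold chosen for the example. It undoes the common substitutions before the dictionary lookup, so "P@$$w0rd1" is judged as "password", and it flags keyboard paths, sequences and any personal information you pass in.

```python
import re

# Constructed stand-in for a dictionary / common-password list.
COMMON_WORDS = {"password", "welcome", "dragon", "letmein", "monkey", "football",
                "summer", "lion", "jungle", "spider", "water", "love"}

# Keyboard rows (QWERTY and AZERTY) plus the digit and alphabet sequences; a
# run of four or more from any of these, forwards or backwards, is a "path".
SEQUENCES = ["qwertyuiop", "asdfghjkl", "zxcvbnm",
             "azertyuiop", "qsdfghjklm", "wxcvbn",
             "1234567890", "abcdefghijklmnopqrstuvwxyz"]

# Undo the common substitutions before the dictionary check, so "P@$$w0rd"
# is judged as "password" ("1" -> "l" is deliberately crude: it only runs
# after trailing digits have been stripped).
UNLEET = str.maketrans("@$!0134", "asiolea")

MIN_LENGTH = 10   # the article's minimum
MIN_CLASSES = 3   # threshold chosen for this example, not from the article


def has_keyboard_path(password: str, run: int = 4) -> bool:
    """True if `run` consecutive keys of any sequence (either direction) appear."""
    lower = password.lower()
    for seq in SEQUENCES:
        for variant in (seq, seq[::-1]):
            for i in range(len(variant) - run + 1):
                if variant[i:i + run] in lower:
                    return True
    return False


def character_classes(password: str) -> int:
    """Count how many of lower, upper, digit, symbol are present."""
    checks = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(check(c) for c in password) for check in checks)


def looks_like_dictionary_word(password: str) -> bool:
    """Drop a trailing run of digits/symbols ("123", "!", "2022"), undo the
    common substitutions, and look the remaining core up."""
    core = re.sub(r"[^a-z]+$", "", password.lower())
    return core.translate(UNLEET) in COMMON_WORDS


def check(password: str, personal=()) -> list:
    """Return the list of problems found; an empty list means the password
    passes every rule from the article's checklists."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append("too_short")
    if character_classes(password) < MIN_CLASSES:
        findings.append("few_classes")
    if looks_like_dictionary_word(password):
        findings.append("dictionary_word")
    if has_keyboard_path(password):
        findings.append("keyboard_path")
    lower = password.lower()
    if any(item.lower() in lower for item in personal if item):
        findings.append("personal_info")
    return findings


if __name__ == "__main__":
    # Constructed samples, including the article's own examples.
    for pw in ["password", "P@$$w0rd1", "azerty12345", "NeTeMeThOd",
               "TheLionIsKingOfTheJungle", "L0v3Wat3rSp!d3r"]:
        print(f"{pw:<26} {check(pw) or 'ok'}")
    print(f"{'Alice1990!':<26} {check('Alice1990!', personal=['alice', '1990'])}")
```

The output is instructive about the article's own examples: "L0v3Wat3rSp!d3r" passes, while "NeTeMeThOd" and "TheLionIsKingOfTheJungle" are flagged only for using nothing but letters, which is exactly the "throw it in the mix" rule.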

What are the best methods for creating a strong password

Use one or more of the following tips to create a strong yet easy-to-remember password.

Sentence method

The idea of the sentence method, also called the "Bruce Schneier method", is very simple.

  • Think of a sentence that you can remember, maybe a favourite quote from a movie or a saying.
  • Transform it into a password by taking the first two letters of every word in your sentence.

Example:
"Never tell me the odds" becomes "NeTeMeThOd".

The result is not a dictionary word, but note that it contains only letters: pick a longer sentence and add a number or symbol to cover the other rules above.

Multiple word phrase method with a twist

This method is as simple as 1, 2, 3.

  • Think of multiple unrelated words or names, in the same or in different languages
  • Make a funny sentence with those words that is easy to remember
  • Then crank it up by replacing some letters with symbols or numbers

Example:
"spider love water" can become "L0v3Wat3rSp!d3r".

Keep in mind that the swaps in this example ("0" for "o", "3" for "e", "!" for "i") are exactly the common substitutions warned about above and are built into cracking rules. The strength here comes mainly from the length and the unusual word combination, so add another word or two rather than relying on the substitutions.

Keyboard shift method

Another simple way is to shift your keyboard: type each character of a memorable word with the key one position to the right (or left) of the real one.

Example (on an azerty keyboard) with a 1-key shift:
"funWithWords" can become "gi?XoyjXptfd".

The result only reproduces on the same keyboard layout, so this is awkward if you switch between azerty and qwerty machines.

Dialect method

Cybercriminals rely on dictionaries to crack passwords. So instead of using words that you can find in a dictionary, use words from your own dialect. Dialect wordlists exist too, so still combine several words rather than relying on one.

Pattern method

Would you rather have a password you don't have to think about? Then a pattern is a good solution.

Just like on a smartphone, you can choose a pattern on your keyboard as your password.

Example on an azerty keyboard:

"!zdvhuytre!" a triangle

Be aware that this is the "keyboard path" from the checklist above seen from the other side: cracking tools can generate keyboard walks, so a pattern only holds up if it is long and not a simple straight line or a common shape.

Conclusion

And now the last piece of good advice: change your password(s) on a regular basis, and always after a breach of a site where you used it.

Ok, I hope your days of trying to remember all those difficult passwords are over now.

Now it's your turn.
Use all this info and these tips to come up with a strong yet easy-to-remember password.