Passwords are still the number one method of protecting a user authentication process. They are the key to the kingdom, or at least the key that, together with the username, grants you access to systems and information.
Passwords have a long history from well before computers. Military sentries used passwords as a way of giving access only to those entitled to it. If you knew the word, you could pass. Once enough people knew the password, or once enough time had passed, the password would be changed.
A good password is something that is easy for you to remember but difficult for others (humans or computers) to guess. Creating a really difficult and complex password will often lead to us either forgetting the password or writing it down somewhere. Unless that somewhere is a safe password vault (password manager), that is not a good idea. While it should be easy for you to remember, keeping it difficult for others to guess means that:
- It should not be a word found in any dictionary, as these passwords are easily cracked by computers.
  - This includes passwords such as password, with or without combinations of capital letters and numbers such as PassWord123.
- It should not be a keyboard pattern such as qwerty, 12345, abcdef etc.
- Don’t use the names of family members, pets, celebrities, fantasy characters etc. These names can either be used for guessing or put into a list for password cracking.
- Don’t use passwords that you have used on other sites or services. If you use the same password in many places, the risk increases that your password has been compromised. During one of the many password leaks your password may already have been exposed. Reusing this password on multiple sites creates a big risk. To find out whether your password has been compromised you can visit https://haveibeenpwned.com/
So, with all these ways not to create a password, how do you create a good one? People are much better at remembering sentences that carry meaning than meaningless codes. You can use this to your advantage when creating passwords. For example, the sentence “I would like to visit Disney Land in Florida in 2020” could become the password IwltvDLifi2020. That is a 14-character password that would be really difficult to guess or crack.
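The rules in the list above, turned into code as an added example (this is not part of the original article): the checker normalises a candidate by stripping the digits and symbols people pad onto the ends and undoing P@ssw0rd-style substitutions, then tests it against a dictionary, a name list, the keyboard rows and a breach corpus. All four lists are constructed stand-ins; a real deployment would load full wordlists and a breach set such as the Pwned Passwords SHA-1 hashes, which is why the reuse check compares hashes rather than cleartext. The sentence-derived password from the paragraph above passes; PassWord123, qwerty and Ferrari1 do not.

```python
import hashlib
import re

# Constructed sample lists, standing in for real dictionary, name and breach data.
DICTIONARY = {"password", "welcome", "summer", "winter", "ferrari", "dragon", "letmein"}
NAMES = {"fluffy", "rex", "anna", "gandalf", "frodo", "messi"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm",
                 "1234567890", "abcdefghijklmnopqrstuvwxyz"]
# Breach corpora are distributed as SHA-1 hashes (as in Pwned Passwords), so the
# reuse check never needs the leaked cleartext. Constructed entries.
LEAKED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper()
               for p in ("Summer2019!", "Monkey123")}

# Undo common letter-for-symbol substitutions so P@ssw0rd normalises to "password".
LEET = str.maketrans("0134578@$!", "oieastbasi")


def normalize(pw: str) -> str:
    """Lower-case, strip leading/trailing digits and symbols, then undo leet spelling."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())
    return core.translate(LEET)


def is_keyboard_pattern(pw: str) -> bool:
    """True if the whole password is a run along one keyboard row (or its reverse)."""
    s = pw.lower()
    return len(s) >= 4 and any(s in row or s in row[::-1] for row in KEYBOARD_ROWS)


def check_password(pw: str) -> list[str]:
    """Return the rules the password violates; an empty list means it passes."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    core = normalize(pw)
    if core in DICTIONARY:
        problems.append(f"dictionary word '{core}' with padding or substitutions")
    if core in NAMES:
        problems.append(f"name '{core}' that an attacker could guess or put in a list")
    if is_keyboard_pattern(pw):
        problems.append("keyboard pattern")
    if hashlib.sha1(pw.encode()).hexdigest().upper() in LEAKED_SHA1:
        problems.append("appears in a known breach corpus (reuse)")
    return problems


if __name__ == "__main__":
    for candidate in ("IwltvDLifi2020", "PassWord123", "P@ssw0rd", "qwerty",
                      "Ferrari1", "Fluffy2020!", "Summer2019!"):
        verdict = check_password(candidate)
        print(f"{candidate:16} {'OK' if not verdict else '; '.join(verdict)}")
```

The normalisation step is what makes the dictionary rule bite: without it, PassWord123 and P@ssw0rd look like eight different strings to a naive filter but are one dictionary word to a cracking rig.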
How to Get Hold of a Password
So, if passwords are created securely and according to defined password policies, how come hackers are still able to get hold of them? Let’s explore some options.
Password guessing is, as the name implies, guessing the password. Given enough attempts a simple password can be guessed. Having some insight into the person or organization helps a great deal: a person who loves Italian cars might be more likely to use the password Ferrari1 than other users. Having a good lockout policy on failed attempts will limit the effectiveness of this attack vector.
There are billions of leaked passwords on the Internet. Lists can be purchased on the deep web, sorted by user location. Hackers that have a list of leaked passwords have a much greater chance of success at password guessing, or at putting together a list of likely passwords for cracking. Reusing your password on several sites increases the risk of being hacked. Someone might, through a leak somewhere, already have your password or at least your password hash. The question is: do they only have the password to that site, or do they have the password to all your user logins?
In password spraying the hackers are not necessarily targeting one specific account but any account in the target organization. Password spraying uses a technique where a simple password, for example Password1, is attempted on all the user accounts in the organization. With a thousand-plus user accounts it is an effective attack vector, because there are always some users who use common passwords. In some organizations the IT department uses standard passwords when resetting a user’s password. Passwords like Winter2020 are quite common but only meant as temporary passwords. The risk increases when the employee does not change this password.
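Guessing and spraying leave different footprints in the authentication log, and telling them apart matters because a lockout policy alone (the countermeasure mentioned for guessing above) does not stop spraying: the attacker stays under the lockout threshold on every account. The following detection logic is an added example, not part of the original article. The log format and the sample lines are constructed for the illustration; the thresholds (5 failures per account within 10 minutes, 5 distinct accounts per source) are assumptions to tune for your environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log; the line format is an assumption for this example.
SAMPLE_LOG = """\
2020-03-02T08:00:01Z FAIL user=alice src=203.0.113.7
2020-03-02T08:00:03Z FAIL user=bob src=203.0.113.7
2020-03-02T08:00:05Z FAIL user=carol src=203.0.113.7
2020-03-02T08:00:07Z FAIL user=dave src=203.0.113.7
2020-03-02T08:00:09Z FAIL user=erin src=203.0.113.7
2020-03-02T08:00:11Z OK   user=frank src=203.0.113.7
2020-03-02T08:05:00Z FAIL user=grace src=198.51.100.9
2020-03-02T08:05:02Z FAIL user=grace src=198.51.100.9
2020-03-02T08:05:04Z FAIL user=grace src=198.51.100.9
2020-03-02T08:05:06Z FAIL user=grace src=198.51.100.9
2020-03-02T08:05:08Z FAIL user=grace src=198.51.100.9
2020-03-02T08:05:10Z FAIL user=grace src=198.51.100.9
2020-03-02T09:30:00Z FAIL user=alice src=192.0.2.44
2020-03-02T09:30:20Z OK   user=alice src=192.0.2.44
"""
LINE = re.compile(r"(\S+) (FAIL|OK)\s+user=(\S+) src=(\S+)")


def parse(log: str):
    """Turn log text into (timestamp, result, user, source) tuples; skip unparseable lines."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def detect(events, window=timedelta(minutes=10), lockout_threshold=5, spray_accounts=5):
    """Return (guessing_accounts, spraying_sources), both sorted lists.

    guessing: an account with >= lockout_threshold failures inside `window`, which is
              exactly the condition a lockout policy should act on.
    spraying: a source that failed against >= spray_accounts distinct accounts inside
              `window` while staying below the lockout threshold on each of them.
    """
    fails = [e for e in events if e[1] == "FAIL"]
    guessing, spraying = set(), set()
    for i, (t0, _, _, _) in enumerate(fails):
        in_window = [e for e in fails[i:] if e[0] - t0 <= window]
        per_user = defaultdict(int)
        users_per_src = defaultdict(set)
        for _, _, user, src in in_window:
            per_user[user] += 1
            users_per_src[src].add(user)
        guessing |= {u for u, n in per_user.items() if n >= lockout_threshold}
        for src, users in users_per_src.items():
            if (len(users) >= spray_accounts
                    and all(per_user[u] < lockout_threshold for u in users)):
                spraying.add(src)
    return sorted(guessing), sorted(spraying)


if __name__ == "__main__":
    guessing, spraying = detect(parse(SAMPLE_LOG))
    print("accounts under guessing (lock out):", guessing)
    print("sources spraying (block source, alert):", spraying)
```

In the sample, grace is hit six times from one address and would be locked out, while 203.0.113.7 touches five accounts once each and never trips a per-account lockout; only the per-source view catches it.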
Password cracking (brute force)
Password cracking is where the hacker has gotten hold of the password hash and cracks the password. A password hash is, in contrast to encryption, a one-way scrambling of the password that is not supposed to be reversible to the cleartext. When a user enters their password, the password is hashed, and the hash is then compared to the registered hash for authentication. If a hacker has managed to get hold of the list of hashes, he can try endlessly (brute force).
This is where powerful computers and password lists (dictionary lists) come into play. The computer takes a password from the password list, hashes it and compares the hash with the hash from the hash list.
If there is a match the hacker has cracked the password; otherwise the next password on the list is attempted. A good strong password hash takes longer to compute, meaning that the computer needs more time and resources hashing and comparing each password.
With an old, simple password hash algorithm, a modern computer with a powerful graphics card can run through thousands, if not millions, of passwords in minutes. If you have a long complex password it will probably not be on the password list used and you will be safe, but if you have a simpler password, the cost of the hashing algorithm might be the only thing that saves you. As computers get more and more powerful, old weak hash algorithms will be cracked faster and faster.
2-factor and multifactor authentication
If passwords are vulnerable to being too complicated to remember, too easy to crack or guess, or to us giving them away when someone asks for them, what can we do to increase security? In comes 2-factor or multifactor authentication. With 2-factor or multifactor authentication you combine something you know with something you have. It is no longer enough to have the username and password; you also have to have something. This something can be a USB stick, a key, a secret token, a token from your mobile or an SMS, an access card etc. You can also use or combine these with biometrics such as fingerprint, iris, voice or writing patterns identified with AI technology.
To truly make it multifactor you can also combine it with physical location. That means if you try to log in from China just minutes after you logged in from Ecuador, the authentication will fail. Multifactor authentication greatly increases the security of cloud solutions. Cloud solutions are normally set up so that you can log on from anywhere in the world. This means that with only the username and password, people from all over the world can attempt to get access to your account. With multifactor authentication they also need your cellphone.
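The Ecuador-to-China check above is usually called an impossible-travel rule: take each user's consecutive logins, compute the great-circle distance between the geolocated source addresses, and flag any pair whose implied speed no airliner could reach. The code below is an added example, not part of the original article; the coordinates are approximate city centres, the login records are constructed, and the 1000 km/h ceiling is an assumed threshold.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # assumed: faster than any commercial flight is implausible


@dataclass
class Login:
    user: str
    when: datetime
    city: str   # label for the report only; real systems geolocate the source address
    lat: float
    lon: float


# Constructed login history: alice "moves" Quito -> Beijing in 15 minutes,
# bob drives Quito -> Guayaquil over four hours.
SAMPLE_LOGINS = [
    Login("alice", datetime(2020, 3, 2, 10, 0), "Quito", -0.18, -78.47),
    Login("alice", datetime(2020, 3, 2, 10, 15), "Beijing", 39.91, 116.39),
    Login("bob", datetime(2020, 3, 2, 10, 0), "Quito", -0.18, -78.47),
    Login("bob", datetime(2020, 3, 2, 14, 0), "Guayaquil", -2.19, -79.89),
]


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points on a spherical Earth."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(logins, max_kmh: float = MAX_PLAUSIBLE_KMH):
    """Return (previous_login, current_login, implied_kmh) for every consecutive pair of
    logins by the same user whose implied speed exceeds max_kmh. Such a login should be
    refused or forced through a second factor rather than accepted on the password alone."""
    findings = []
    last_seen = {}
    for login in sorted(logins, key=lambda l: l.when):
        prev = last_seen.get(login.user)
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, login.lat, login.lon)
            hours = (login.when - prev.when).total_seconds() / 3600
            # Same place at the same second is not travel; different place in zero time is.
            speed = 0.0 if km == 0 else (km / hours if hours > 0 else float("inf"))
            if speed > max_kmh:
                findings.append((prev, login, speed))
        last_seen[login.user] = login
    return findings


if __name__ == "__main__":
    for prev, cur, kmh in impossible_travel(SAMPLE_LOGINS):
        print(f"{cur.user}: {prev.city} -> {cur.city} in "
              f"{(cur.when - prev.when).total_seconds() / 60:.0f} min, ~{kmh:,.0f} km/h")
```

Location is a weak factor on its own (VPN exits and mobile carriers move people around the map constantly), so the usual design is to treat an impossible-travel hit as a trigger for step-up authentication rather than an outright block.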
NB: There are password sites online where you can enter your password to see how secure it is. You should NEVER enter any of your real passwords into one of these sites.