Almost all of the applications we use have one big thing in common: they all use a username and password combination. A common theme we see is the re-use of usernames across multiple sites and many sites don’t even consider a username as sensitive information. The password, however, is supposed to be the key to protecting your accounts.
SplashData recently published their findings for the top 25 worst Passwords of 2013. They created this list based on the password breaches that have occurred over the year. In a small twist, “123456” has taken the number one spot away from “password”. To a security professionally, both of these passwords are very bad. Is that what the common computer user thinks?
Many users think that a password should be something that only they would know. For example, the name of your dog from 40 years ago that no one else would know. Maybe they just choose a word that means something to them, that no one else understand. The problem with this way of thinking is that it is not how attackers are trying to guess passwords. We have all seen the movies where the attacker looks around the victim’s office and guesses the password based on photos on the desk. In most situations, however, an attacker is not targeting a specific individual and manually trying to guess the individual’s password. Rather, attackers use tools to automate the process and then conduct mass attacks across the Internet. These tools take in dictionaries, lists of common words or passwords, and then try each one in succession. As you can see, there isn’t anything in that process that relates to what the user might be interested in.
Another common belief is that substituting numbers or symbols for letters in words are going to make it more difficult to crack. As stated in the previous example, attackers use automation to perform this task and the tools they use are sophisticated enough to swap potential characters.
The best thing for a password is to make it longer. The longer it is, the longer it takes to attempt cracking it. I personally use pass phrases for my passwords when I can. Something that is more than a word or two words combined together, but a sentence that is at least fifteen (15) characters in length. This becomes harder to crack for automated tools because the combination of characters has increased greatly. Of course, in the event that your long password is still something simple, it could still be a problem.
One of the limiting factors that we commonly see is sites that don’t support long enough passwords. Many sites require a number a character and a special character, yet then limit the length to 8 characters. This could be because they don’t understand password security, or they are limited by some back-end systems.
A big concern that many users have is trying to remember a different password for all of their applications or web sites. This usually leads to re-using passwords across multiple sites, which is a bad practice. One option, which I personally use, is to use a password manager. That is an application that helps manage your passwords for you. There are many different options for password managers, so it is important to understand the options on each one before making a decision. Many of them allow syncing between devices, and storing all the data on their servers on the Internet. Something that each user has to decide is whether or not that info should be saved on the Internet.
In addition to passwords, I also use a password manager for managing the secret “security” questions for the forgot password screen. This too helps me put in values that can be more difficult to brute force, yet easy for me to access.
Something we are seeing on many sites is the ability for multi-factor authentication. A great example is Google’s accounts where you enter in a username and password and then have to enter in a unique code that changes every minute. The code is delivered via the Google Authenticator App that is installed on your mobile device. This additional security feature does not mean we can choose weaker passwords, but is an extra line of defense if our password does get stolen. If your application supports this feature, be sure to enable it. Everyone can start better protection today simply by updating simple passwords to a longer passphrase. If you have had a password compromised, immediately change the password to stop any attackers from accessing that account.
The general Internet user should start understanding how passwords are stolen or guessed by attackers. Once that concept is understood, we can then start thinking about how to create better passwords that will be more difficult to break.
James Jardine is a Principle Security Consultant at Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at firstname.lastname@example.org, @jardinesoftware on Twitter or visit the Secure Ideas – Professionally Evil site for services provided.