Back in the ‘good old days’, you had two things to remember: a username and a password, and whoever knew them could log into your account.
Threat vectors were also very limited then; the biggest was probably a colleague trying to get into your PC while you made a coffee. A hacker on the other side of the world never even factored into the equation.
As we all know, that was a very long time ago. Since then we have become more ‘connected’: there are more accounts, more threats and, of course, more data breaches.
More than 4 billion data records containing login credentials were stolen and published in 2016, just sitting there waiting for the next miscreant to try them against popular websites in search of a match.
So getting our business heads back on again, how do we defend against this?
Authentication has changed drastically to keep pace with the ever-growing threats. Yet in the wider world we still see reports of huge organisations being caught out using archaic access methods and suffering data breaches.
Is longer really stronger? Well, sort of – in short.
The official advice from NIST (National Institute of Standards and Technology, in Special Publication 800-63B) is:
“Verifiers SHOULD permit subscriber-chosen memorised secrets at least 64 characters in length”
I’m all for following official advice, but no one is going to remember a 64-character password. Read the quote carefully, though: it is aimed at the systems that check passwords, not at you. It says a site should *allow* a password that long (NIST sets the minimum at 8 characters); it does not ask you to use one.
Length does matter, because every extra character multiplies the number of guesses an attacker has to make. Beyond a few dozen genuinely random characters the returns diminish, since at that point it is cheaper to attack the stored hash than to guess the password, and the hash is the same size whether your password is 40, 60 or 200 characters long. One practical caveat: some hashing schemes silently truncate their input (bcrypt stops at 72 bytes), so check what your verifier does before assuming the extra characters count.
Is ‘H31l0!’ any more secure than ‘Hello!’? Unfortunately not. Most people use the same patterns (a capital letter in the first position, a symbol at the end and a number in the last two characters).
Cyber criminals know this, so their dictionary attacks apply ‘mangling rules’ that try the common substitutions, such as “$” for “s”, “@” for “a”, “1” for “l” and so on. Because the practice is so common, the rule sets crackers use now prioritise these symbol-substituted variants anyway.
Remember password hints? They were designed to jog your memory, helping you recall that elusive password.
Adobe’s password database was breached in 2013, and the hints were stored in plain text beside the encrypted passwords. Hints like the one below were among the most common in the dump, readable by anyone who could match them to a valid username:
- my name
That’s why we don’t use password hints anymore!
Another misconception is that password strength indicators keep you safe. Do not trust them! They apply a mathematical formula to a password to tell you how secure it is, which says nothing about whether that password is already sitting near the top of every cracking list. It was also revealed in 2018 that one particular password-strength website was actually harvesting the passwords entered into it.
According to howsecureismypassword.net:
The password “Password” will be cracked instantly.
The password “Password!” will be cracked in 1 week.
And if I jazz it up a bit with a couple of numbers, “Password!23” will take 400 years to crack.
I just so happen to have a brute-force password list; it contains 42 million passwords.
“Password” is position 421 on the list.
“Password!” is position 423, only beaten by “Password1”.
“Password!23” is position 499.
Each of these passwords would be guessed in the first 10 seconds of an attack.
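To make the two points above concrete (the substitution patterns crackers bake into their rules, and how early a ‘complex-looking’ password falls in the guess order), here is a toy rule-based candidate generator. It is an added example, not code from the article and not a real cracking tool; the base words, the substitution table, the suffix list and the guess rate are all constructed for illustration, and the ranks it produces are relative to this tiny list, not to the 42-million-entry list quoted above.

```python
"""Toy mangling-rule engine: generate guesses from a small dictionary the way a
rule-driven cracker does, then report where a given password lands in that order.
Added example; base words, rules and guess rate are constructed assumptions."""
from itertools import product

# Constructed base dictionary, most common word first.
WORDS = ["password", "hello", "welcome", "monkey"]

# Substitutions a typical rule set tries (subset, constructed).
LEET = {"a": "@", "e": "3", "i": "1", "l": "1", "o": "0", "s": "$"}

# Case rules, cheapest first.
CASES = [str.lower, str.capitalize, str.upper]

# Suffix rules: nothing, a digit, a symbol, then the 'symbol plus two digits'
# shape the article describes (constructed subset, tried in this order).
SUFFIXES = ["", "1", "!", "12", "123", "!23", "1!", "!1"]


def leet_variants(word):
    """Yield every combination of applying or skipping each substitution.
    The unmodified word comes first, the fully substituted one last."""
    positions = [i for i, c in enumerate(word.lower()) if c in LEET]
    for mask in product([False, True], repeat=len(positions)):
        chars = list(word)
        for pos, flip in zip(positions, mask):
            if flip:
                chars[pos] = LEET[chars[pos].lower()]
        yield "".join(chars)


def candidates(base_words):
    """Guesses in the order this attack tries them: word, then case rule,
    then suffix rule, then each substitution combination."""
    for word in base_words:
        for case in CASES:
            for suffix in SUFFIXES:
                for variant in leet_variants(case(word)):
                    yield variant + suffix


def rank(password, base_words=WORDS):
    """1-based position of password in the guess order, or None if this
    rule set never produces it (the word is not in the dictionary)."""
    for i, guess in enumerate(candidates(base_words), start=1):
        if guess == password:
            return i
    return None


def seconds_to_guess(position, guesses_per_second=1e9):
    """Time to reach a position at an assumed offline guess rate (constructed:
    a billion guesses per second against a fast unsalted hash)."""
    return position / guesses_per_second


if __name__ == "__main__":
    for pw in ["Password", "Password!23", "P@$$w0rd!23", "Hello!", "H31l0!", "zebra!"]:
        r = rank(pw)
        if r is None:
            print(f"{pw!r}: not generated by these rules")
        else:
            print(f"{pw!r}: guess #{r}, {seconds_to_guess(r):.9f} s")
```

Run it and you will see that ‘H31l0!’ is generated only 13 guesses after ‘Hello!’, and ‘P@$$w0rd!23’ only 15 guesses after ‘Password!23’: the substitutions are part of the rule set, not an obstacle to it. A password whose base word is not in the dictionary (‘zebra!’ here) is never produced at all, which is the real reason a unique, non-dictionary password beats a decorated common one.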
The word “secure” is used far too often, by too many companies, to describe something that is anything but.
Take Stuxnet, for example: the Siemens PLCs driving the uranium-enrichment centrifuges at Iran’s Natanz facility sat on a network entirely disconnected from the internet, and they were still infected with the worm, which was carried in on USB drives.
The malware repeatedly pushed the centrifuges’ rotation speed outside their safe range, wearing them out while replaying normal readings to the operators’ monitoring systems.
Surely those systems would have been considered “secure” by any reasonable assumption.
It’s a bit like saying a car is safer than a motorbike or an aeroplane. Some are better than others, but there are many factors to consider, and the term ‘safe’ is relative.
There are two main things the common user does today that put their password safety at risk.
- Reusing the same password across multiple accounts.
- Not creating a strong password (a reasonable length, a mix of uppercase, lowercase, numbers and special characters, and not a dictionary word dressed up with the predictable substitutions above).
So in order to reasonably protect our information with ‘complex’ passwords that differ for each account, there really is only one viable answer: password managers (and two-factor authentication, of course).
This is definitely an ‘all your eggs in one basket’ scenario; however, most of these baskets are highly secure, extremely well thought out and tested more thoroughly than the applications you will use the passwords on in the first place. Apple has been a step ahead of the curve for a while now: its systems include Keychain, which stores passwords for multiple applications and syncs them across devices. Many managers on the market right now double up as a 2FA authenticator too!
Keep a look out for the next article on password managers and 2FA.