CyberManDan

Security Advice & Blog

Passwords have become part of everyday life, whether it is the passcode for your phone, the password to log into your computer, or the many websites we log into every day. Have you ever wondered how good your password actually is? Is it secure? Is it likely to be hacked?

Hackers don’t hack, they simply log in. Believe it or not, it’s true. You may have heard terms like password spraying (a handful of common passwords tried against many accounts) or brute force (a huge number of passwords tried against one account); either way, passwords are tried one after another in the hope that one will be successful. Think of it as turning up to your door with millions of keys and trying them all in the lock to see which one (if any) works.

If we use this door key analogy, then let’s consider a couple of questions…
– How can you be certain that the key to your door is unique?
– How many locks are on your door? 

Humans are predictable, and criminals use this weakness to take advantage of us. Have a little think: how many different devices and websites do you log in to? Computer, mobile phone, email, Amazon, eBay, Facebook, Twitter, bank, YouTube, Netflix, BBC… to name just a few. How many passwords do you use? I would guess that you use perhaps three different passwords, with maybe some slight variations of those 3 (if you’re inventive). No doubt, whenever you are forced to change your password, you’ll revert to one of your other two, or you will vary your current password slightly. How many times have you created a password, e.g. computer1, and when you needed to change it you’ve gone to computer2, then computer3, etc.?

Reusing passwords is a bad idea, for the simple reason that if someone were to guess or find out your password for Amazon, they will try the same email address and password on every other popular website (this automated replay is known as credential stuffing).

The password you use for email is arguably the most important. Why? Because for any website you create an account for, you sign up using your email address, and this is your safety net should you forget your password: you get emailed a ‘forgotten password’ link, giving you the chance to change your password without knowing the original. So imagine if someone were to find your email password: they have the potential to reset every other password you have, no matter how different or secure those may be.

So, onto the main question…. how secure is your password? Chances are, not very.

If your job involves using a computer, it is likely that your company has set a password policy, which most commonly includes: 8 characters or more; complexity (uppercase, lowercase, numbers, symbols); no re-use of an old password; a forced change every 30 days. Sounds familiar? You trust your IT team, right? They should know what they’re doing, yeah? 20 years ago, maybe so, but not anymore: current guidance (NIST SP 800-63B, for example) advises against forced periodic changes and composition rules, and instead recommends length and screening new passwords against lists of known-breached ones, precisely because of what follows. Let’s go back to our password of computer1. Now you have to use uppercase and symbols… so you now use Computer1! It’s easy to make the first letter uppercase, as we’re used to doing that in English, and it’s much easier to add the symbol at the end than in the middle of the word, because you’re used to typing the word computer but not comp!uter. Additionally, our password is most likely a word that exists in the English dictionary, which makes it one of only around 170,000 words.

Passwords have evolved over the years, and in an attempt to make our passwords more complex, we’ve started doing clever things like changing letters for numbers. So now, our password is C0mput3r! – Great password – NOT!

When criminals try to guess passwords, they use a dictionary. Now, their dictionary is slightly different to the one for the English language. It would have started with the 170,000 words that exist, but this dictionary has evolved just as our passwords have. Their dictionaries will now contain every variation of the word computer, e.g. computer, c0mputer, c0mput3r, computer1, c0mputer1, c0mput3r1, c0mputer1!, c0mput3r1!, C0mput3r1! etc. etc. (you get the idea). In practice the attacker doesn’t even store all of those: cracking tools such as hashcat and John the Ripper take a base wordlist and apply ‘rules’ (capitalise the first letter, swap o for 0 and e for 3, append a digit or a symbol) to generate the variations on the fly. Plus, every time a correct password is discovered, for example in a data breach, it is added to the dictionary. If it’s been used once, it may be used again.
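To make the mechanics concrete, here is a small rule-based "mangler" of the kind cracking tools apply to a base wordlist. It is an added example written for this page, not the article's own code and not a real tool's rule file; the substitution table and suffix list are my own illustrative choices (hashcat's and John's rule sets are far larger). It shows that C0mput3r! and Computer1! fall straight out of the single base word computer, while comp!uter, with the symbol in the middle, is not produced by these particular rules (a fuller rule set can insert characters mid-word too, so that is a speed bump, not a wall).

```python
import itertools

# Illustrative substitution table and suffix list (my own choice for this
# example, not a real rule file). Each maps to what hashcat would express as
# 'so0' (substitute o with 0), 'se3', '$1' (append 1), '$!' (append !), etc.
LEET = {"a": "4@", "e": "3", "i": "1!", "o": "0", "s": "5$", "t": "7"}
SUFFIXES = ["", "1", "123", "!", "1!", "2023"]


def case_variants(word):
    """Equivalent of the hashcat rules l (lowercase), c (capitalise), u (uppercase)."""
    return {word.lower(), word.capitalize(), word.upper()}


def leet_variants(word):
    """Every combination of substitutions applied to zero or more of the
    substitutable letters, e.g. computer -> computer, c0mputer, c0mput3r, ...
    Letters are looked up case-insensitively so COMPUTER -> C0MPUT3R works too."""
    options = [[ch] + list(LEET.get(ch.lower(), "")) for ch in word]
    return {"".join(combo) for combo in itertools.product(*options)}


def mangle(word):
    """Expand one base word into the set of candidates an attacker would try:
    case variants x leet variants x suffixes."""
    candidates = set()
    for cased in case_variants(word):
        for leeted in leet_variants(cased):
            for suffix in SUFFIXES:
                candidates.add(leeted + suffix)
    return candidates


def is_in_attacker_dictionary(password, base_words):
    """True if password is a mangled form of any of the base words."""
    return any(password in mangle(word) for word in base_words)


if __name__ == "__main__":
    variants = mangle("computer")
    print(len(variants), "candidates generated from the single word 'computer'")
    for pw in ["computer1", "Computer1!", "C0mput3r!", "comp!uter"]:
        status = "in dictionary" if pw in variants else "not generated"
        print(f"{pw:12} {status}")
```

With just three case rules, six substitutions and six suffixes, one base word expands to 144 candidates; a 170,000-word list therefore becomes about 24 million guesses, which a GPU cracker exhausts in well under a second against a fast hash.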

So how do we make sure our key (password) is unique for our door and does not match anything in the criminals’ dictionary?
We know there are 170,000 words in the English dictionary. Let’s think about using two words together. It now gives us 28,900,000,000 possibilities (170,000 × 170,000). That’s a much bigger dictionary. What if we use 3 words (about 4.9 quadrillion) or 4 words (about 835 quintillion)? We’re now creating a lot of work for the criminals’ dictionary, provided the words are picked at random rather than being a phrase that goes together naturally.

There’s a popular example that can be found on the internet, called ‘Correct Horse Battery Staple’ (from the xkcd comic of the same name).
The logic behind this is that it’s using 4 words that you could remember, and the words are not related, so they are unlikely to be found together. (Do not use this as your password; it is 100% in the criminals’ password dictionary, as is any well-known example.) You can get more complex with this though, and start introducing symbols/numbers in the middle of words, e.g. Corr$ectHo_rseb8atTerysT”ap1e  <– That is an awesome password, although by that point it is no longer something you will reliably remember, which is exactly the job a password manager does for you.

Similarly, people are now recommending using a passphrase instead of a password, e.g. 1LikeToDrinkBeerInPubs!
What we have here is 7 words, uppercase and lowercase, numbers and symbols, but something you could easily remember. One caveat: a grammatical sentence is more predictable than four unrelated words (language has structure, and ‘I like to…’ is a very common way to start one), so keep a passphrase long and personal rather than a famous quote, song lyric or anything else that appears in print.

There’s a term called password entropy, which is a measure of how unpredictable a password is. It is counted in bits: the base-2 logarithm of the number of equally likely possibilities, so every extra bit doubles the number of guesses an attacker needs. The more possibilities your password was chosen from, the higher its entropy. Let’s take an alternative (but basic) approach…

Let’s assume a password is 4 characters long.
– It may or may not be a word in the dictionary
– You may or may not use the same character multiple times
– 26 letters in the alphabet
– 10 single digits
– 34 (easily accessible) symbols on the keyboard (the exact number depends on the keyboard; what matters is the total set size, 96 here)

If you use all lowercase letters, you have 456,976 combinations (26⁴ = 26 × 26 × 26 × 26), which is about 18.8 bits of entropy.
If we were to include uppercase letters, you now have 7,311,616 (52⁴), about 22.8 bits.
If we include all the digits and symbols, it now gives us 84,934,656 different combinations (96⁴), about 26.3 bits.
You see how quickly it’s become significantly harder to guess your 4 character password.
So if your password was 10 characters long, there would be 66,483,263,599,150,104,576 combinations (96¹⁰), about 66 bits.
You see where I’m going with this….. but note that these numbers only apply if every character was chosen at random; a dictionary word with a few tweaks gets nowhere near them.

Going back to the criminals’ dictionaries: they are not going to contain every possible combination of letters, numbers and symbols, because we humans do not work like that. Would you be able to remember a password that could potentially be this:  87p!#MUeO#
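As an added worked example (not part of the original article), the arithmetic above and the point that criminals' dictionaries only cover human-style passwords can be put into a few functions: the raw size of a search space, its entropy in bits, and what a mangled dictionary word is really worth to an attacker who only has to cover dictionary-size × variants-per-word candidates. The guessing rate and the 144-variants-per-word figure are assumptions for illustration, and the generator draws from Python's 94 printable non-space characters rather than the page's 96-character set.

```python
import math
import secrets
import string

# Character-set sizes used in the article. The symbol count is the page's own
# figure; only the total (96) matters for the arithmetic below.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 34
FULL_SET = LOWER + UPPER + DIGITS + SYMBOLS  # 96

# Concrete alphabet for generating passwords: 26+26+10+32 = 94 characters
# (string.punctuation has 32 symbols, so this is slightly smaller than 96).
GENERATOR_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def combinations(alphabet_size, length):
    """Number of distinct passwords of exactly `length` characters from the alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size, length):
    """Entropy of a uniformly random password: log2 of the number of possibilities."""
    return length * math.log2(alphabet_size)


def passphrase_bits(dictionary_size, word_count):
    """Entropy of `word_count` words each picked uniformly at random from the dictionary."""
    return word_count * math.log2(dictionary_size)


def effective_bits(dictionary_size, variants_per_word):
    """What a tweaked dictionary word (C0mput3r!) is really worth: the attacker
    only has to try dictionary_size * variants_per_word candidates, not the
    full character-set space. 144 variants per word is an assumed figure."""
    return math.log2(dictionary_size * variants_per_word)


def years_to_exhaust(space, guesses_per_second):
    """Time to try every candidate at an assumed guessing rate (offline cracking
    of a fast hash on GPUs runs to billions of guesses per second or more)."""
    return space / guesses_per_second / (365.25 * 24 * 3600)


def random_password(length, alphabet=GENERATOR_ALPHABET):
    """Uniformly random password, the way a password manager generates one.
    Uses the secrets module (CSPRNG), never the random module."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    rate = 1e10  # assumed: 10 billion guesses per second
    for size, length in [(LOWER, 4), (LOWER + UPPER, 4), (FULL_SET, 4), (FULL_SET, 10)]:
        print(f"{size}^{length:<2} = {combinations(size, length):>24,}  "
              f"{entropy_bits(size, length):5.1f} bits  "
              f"{years_to_exhaust(combinations(size, length), rate):.2e} years")
    print(f"4 random words from 170,000: {passphrase_bits(170000, 4):.1f} bits")
    print(f"dictionary word + 144 tweaks: {effective_bits(170000, 144):.1f} bits")
    print("example manager-style password:", random_password(16))
```

Note the gap this exposes: C0mput3r! looks like a 9-character password from a 96-character set (about 59 bits) but is really one of roughly 170,000 × 144 candidates (under 25 bits), which is why randomly chosen characters or randomly chosen words matter far more than complexity rules.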

 

This brings me on nicely to password managers, my highly recommended SOLUTION to your password problems.
There are lots of companies/products/solutions out there, and you’ll find positives and negatives to every one. However, the one positive that cannot be ignored is that a password manager is better than you and I at creating and remembering passwords: it generates a long random password for every site and stores them all encrypted. They’re also very convenient in that they can be added as an extension to most browsers and auto-fill your passwords for you (which also helps against phishing, since the extension only fills on the site the password was saved for).
You need to remember one (just 1) master password, so make that one a long passphrase you use nowhere else, and turn on multi-factor authentication for the manager itself.

 

Let’s circle back a little bit, remember our door analogy? We asked some questions, and let’s now answer them with our new-found knowledge…
– How can you be certain that the key to your door is unique?
You will never be certain, but if you’re choosing one possibility out of something close to a sextillion (four random dictionary words give about 835 quintillion; 10 random characters from a 96-character set give about 66 quintillion), you’ve got a good chance no-one else has it.
– How many locks are on your door?
The more unique passwords you’re asked for, the higher the security. However, we will explore MFA (multi-factor authentication) in another article.

 

Summary

Use a password manager if you can.
Apply a particular approach to creating your password:
– 4 random words
– A passphrase
– Add complexities if you can

Check if your password is in a password dictionary?
(Totally safe to use, I promise)

How long would it take to brute force your password?
(Totally safe to use, I promise)