How to Create a Strong Password For Your School Email

“Safe passwords don’t have to be memory twisters. They just have to be hard for computers to work out, and phrases make great passwords.” -Steven J. Vaughan-Nichols

Why Do We Need Strong Passwords?

“I have nothing to hide in my school email! If hackers want it they can have it.”

Before coming to university, I worked as an IT aide in my high school. I would be insanely rich if I got a dime every time I heard that phrase from a fellow student. When it comes to email breaches, that is the most common reaction. People always assume that they don’t have anything to keep safe in their email. Here is a good basic idea to keep in mind: just because you personally can’t think of ways someone could maliciously use even the most basic of your information doesn’t mean that someone else can’t. Hackers are creative. The average user, not so much.

That might seem harsh, but it’s reality. Your email contains a lot of juicy information that people on the black market want: photos, contracts, invoices, tax forms, password resets for other accounts, and PINs for cards and other accounts. Not to mention that our email accounts are connected to every other digital account we own, from online banking to social networks, cloud services, and online shops (which save your credit card details). And if it’s a school-provided email, it is most likely connected to the account you pay tuition from.

Hackers aren’t always after your money, either. They want every detail they can get on you. It doesn’t matter if you run a company or you’re just an average Joe: if you have an identity and an email address, you are valuable.

“Oh no! I didn’t realize. How then do I protect my email?”

Good question, one that no user has ever actually asked, but I will answer it anyway. The first, and most important, step is to create a strong password.

Length + Complexity

A strong password has both length and complexity. Any password can eventually be cracked by brute force; the question is how long that takes. Length is priority number one. The Information Security Office of Carnegie Mellon University suggests that faculty and students create passwords that are “at least 8 characters in length” (CMU).

That is a terrible rule of thumb. Using my Dell G7 and a GPU password cracker, I could crack an 8-character hash in a couple of minutes (see Thycotic’s article for more details). A hash is the output of a one-way mathematical function applied to the password; the cracker never reverses it, it guesses candidate passwords, hashes each one, and compares the result with the stolen hash, so the number of candidates it has to try is what decides the outcome. How fast those guesses go depends on the hash algorithm (fast, unsalted hashes like MD5 or NTLM fall far quicker than slow, salted ones like bcrypt), but since you rarely know what your school uses, assume the worst. That’s assuming I don’t use hashes.org, a site that lists publicly cracked hashes organized by year. The basic rule of thumb is: the longer your password is, the longer it takes to crack. I suggest 14 characters at minimum and 24 ideally.

So the easiest way to create a long password is to use a sentence. Sentences are long and easy to remember. If your school email doesn’t allow spaces, use another character instead, such as a hyphen, an underscore, or a number.
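To put numbers on the length argument, here is a small calculator, added to this post as an example (it is not code from the original author or from any of the cited sources). It assumes an attacker making 10 billion guesses per second against a fast, unsalted hash, and a 7,776-word list for the sentence case; both figures are assumptions you can change. It also counts a sentence two ways, by characters and by words, because an attacker who knows your password is made of dictionary words guesses words, not letters.

```python
import math

# Alphabet sizes used for the estimates below (assumptions, not figures from the post).
PRINTABLE_ASCII = 95        # letters, digits, punctuation and space
LOWERCASE_ONLY = 26
DICEWARE_WORDS = 7776       # size of a typical word list used to build passphrases


def random_password_bits(length, alphabet_size=PRINTABLE_ASCII):
    """Search space, in bits, of `length` characters chosen uniformly from
    `alphabet_size` symbols: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def passphrase_bits(word_count, dictionary_size=DICEWARE_WORDS):
    """Search space of `word_count` words drawn from a list of `dictionary_size`
    entries, for an attacker who knows the list."""
    return word_count * math.log2(dictionary_size)


def seconds_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every candidate at the given guess rate."""
    return 2.0 ** bits / guesses_per_second


def human_time(seconds):
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600),
                       ("minutes", 60), ("seconds", 1)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.3g} seconds"


def compare_lengths(lengths=(8, 14, 24), guesses_per_second=1e10,
                    alphabet_size=PRINTABLE_ASCII):
    """Worst-case crack time for random passwords of each length at an assumed
    rate of 1e10 guesses/s (a GPU rig against a fast, unsalted hash)."""
    return {n: seconds_to_exhaust(random_password_bits(n, alphabet_size), guesses_per_second)
            for n in lengths}


if __name__ == "__main__":
    rate = 1e10
    for name, alphabet in (("lowercase only", LOWERCASE_ONLY), ("printable ASCII", PRINTABLE_ASCII)):
        for n, secs in compare_lengths(guesses_per_second=rate, alphabet_size=alphabet).items():
            print(f"{n:2d} random chars, {name:15s}: {random_password_bits(n, alphabet):6.1f} bits, "
                  f"{human_time(secs)} to exhaust")
    # A sentence of dictionary words: count words, not letters.
    for words in (4, 6, 8):
        bits = passphrase_bits(words)
        print(f"{words} dictionary words: {bits:6.1f} bits, "
              f"{human_time(seconds_to_exhaust(bits, rate))} to exhaust")
```

The lowercase-only row is the one that matches a minutes-long crack of an 8-character password; every extra character multiplies the work by the alphabet size, which is why 14 characters is a different world from 8. The word-based rows show that a sentence needs several uncommon words to reach the same ground a long random string reaches with fewer characters.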

Sentences give you length, but you also need complexity to protect your password from dictionary attacks. Dictionary attacks are exactly what they sound like: the attacker compiles a file of words found in a dictionary (in practice padded with common phrases and passwords from earlier leaks) and tries those words, and combinations of them, against your password (Rouse). That’s why you need to add complexity. Create a sentence and replace letters with numbers or symbols. For example, “I will never and can never be hacked.” has length, but “I w1ll n3v3r @nd c@n n3v3r b3 h@ck3d.” adds complexity. One caveat: the standard substitutions (a to @, e to 3, i to 1, o to 0, s to $) are built into every cracker’s rule set, so they only help if the underlying sentence is not already on the attacker’s list. Prefer an odd, personal sentence over a famous quote, and treat the substitutions as a bonus rather than the main defense.
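The dictionary attack just described, with the kind of mangling rules real crackers layer on top of a wordlist, as an added example (this is not code from the original post; the wordlist, the rule set and the choice of an unsalted SHA-256 hash are all constructed for the demonstration). It runs the post’s own example sentence through the rules, which shows what the letter substitutions do and do not buy you.

```python
import hashlib
import itertools
import math

# Constructed wordlist standing in for a cracking dictionary: common passwords
# plus phrases an attacker would harvest from quotes, lyrics and earlier leaks.
WORDLIST = [
    "password",
    "letmein",
    "i will never and can never be hacked",
    "correct horse battery staple",
]

# Substitution rules in the style of a cracker's "leet" rule set: each rule
# replaces every occurrence of a letter with one of the listed alternatives
# (the first entry leaves the letter alone).
SUBSTITUTIONS = {
    "a": ["a", "@", "4"],
    "e": ["e", "3"],
    "i": ["i", "1", "!"],
    "o": ["o", "0"],
    "s": ["s", "$", "5"],
}
CASE_RULES = [str.lower, str.capitalize, str.upper]
SUFFIXES = ["", ".", "!", "1", "123", "2019"]
RULES_PER_WORD = (len(CASE_RULES) * len(SUFFIXES)
                  * math.prod(len(v) for v in SUBSTITUTIONS.values()))


def candidates(word):
    """Yield every mangled form of `word` the rules above can produce."""
    letters = list(SUBSTITUTIONS)
    for case_rule in CASE_RULES:
        base = case_rule(word)
        for choice in itertools.product(*(SUBSTITUTIONS[c] for c in letters)):
            # One rule = one global substitution table applied to the whole word.
            mangled = base.translate(str.maketrans(dict(zip(letters, choice))))
            for suffix in SUFFIXES:
                yield mangled + suffix


def sha256_hex(password):
    """Fast, unsalted hash used here as the stand-in for whatever the target stores."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack(target_hex, wordlist=WORDLIST):
    """Hash every candidate and compare it with the stolen hash.
    Returns (plaintext, guesses) on success or (None, guesses) once the rules run out."""
    guesses = 0
    for word in wordlist:
        for candidate in candidates(word):
            guesses += 1
            if sha256_hex(candidate) == target_hex:
                return candidate, guesses
    return None, guesses


if __name__ == "__main__":
    leet = "I w1ll n3v3r @nd c@n n3v3r b3 h@ck3d."   # the post's "complex" example
    found, tries = crack(sha256_hex(leet))
    print(f"recovered {found!r} after {tries} guesses")
    # A constructed sentence that appears on no list survives the whole rule set.
    unusual = "my roommate's ferret steals chalk on thursdays"
    found, tries = crack(sha256_hex(unusual))
    print(f"unlisted sentence: {found} after {tries} guesses")
```

A few thousand guesses is nothing to a GPU, so a sentence an attacker can find on a list is cracked substitutions and all; the sentence that is nobody’s quote is what actually stops the attack. Note that a real target would store a slow, salted hash, which makes each guess cost more but changes nothing about which candidates get tried.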

No Personal Info

Don’t include your name, birthday, or any other personal details, and that includes pet names and kids’ birth dates. If it can be found on your Facebook or Twitter profile, don’t put it in your password. The same goes for default passwords: if it can be found in a manual or online, don’t use it.

Make it Unique

NEVER EVER REUSE PASSWORDS FOR MULTIPLE ACCOUNTS!!!!!!

I know it’s tempting to reuse passwords, since we each have countless accounts, but resist it. Reusing passwords leaves you vulnerable to credential stuffing attacks, in which one account gets taken over and the compromised password is tried on the user’s other accounts (OWASP).

The company Akamai recorded “30 billion credential stuffing attacks in 2018.” This is very scary, because if your Pinterest password gets compromised and you reuse it, your online banking or email password is compromised along with it. Use a password manager to generate and keep track of a unique password for every account.
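A simulation of the credential stuffing scenario above, added here as an example (it is not code from the original post; the two services, the users, their passwords and the breach dump are all constructed). The bank in it does everything right on its own side, with a random salt per user, a slow key derivation and a constant-time comparison, and the reused password still gets it opened.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000   # slow, salted hashing: good practice on the server side


class MockService:
    """A minimal account store that does everything right on its own side."""

    def __init__(self, name):
        self.name = name
        self.accounts = {}    # email -> (salt, derived key)

    def register(self, email, password):
        salt = os.urandom(16)
        self.accounts[email] = (salt, self._derive(password, salt))

    def login(self, email, password):
        if email not in self.accounts:
            return False
        salt, stored = self.accounts[email]
        return hmac.compare_digest(self._derive(password, salt), stored)

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def credential_stuffing(leaked_pairs, target):
    """Replay every leaked (email, password) pair against `target` and return
    the pairs that log in, i.e. the reused passwords."""
    return [(email, pw) for email, pw in leaked_pairs if target.login(email, pw)]


def build_scenario():
    """Constructed scenario: two unrelated services and one breach of the first.
    Alice reuses her password; Bob uses a different one everywhere."""
    photo_site = MockService("photo-sharing site")
    bank = MockService("online banking")
    photo_site.register("alice@example.edu", "Tr0ub4dor&3")
    photo_site.register("bob@example.edu", "my-bike-has-eleven-gears")
    bank.register("alice@example.edu", "Tr0ub4dor&3")              # reused
    bank.register("bob@example.edu", "bank teller sneezed twice")  # unique
    # The photo site is breached and its passwords recovered (constructed dump).
    leak = [("alice@example.edu", "Tr0ub4dor&3"),
            ("bob@example.edu", "my-bike-has-eleven-gears")]
    return leak, bank


def compromised_at_bank():
    """Emails whose bank account falls to the photo-site leak."""
    leak, bank = build_scenario()
    return [email for email, _ in credential_stuffing(leak, bank)]


if __name__ == "__main__":
    print("bank accounts taken over via stuffing:", compromised_at_bank())
```

Nothing about the bank’s password storage mattered: the attacker never touched its hashes, it simply logged in. That is why the fix has to be on your side, one password per account, and why a manager that generates them is the practical way to get there.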

Use Two-Factor

Two-factor authentication requires a user to present a second form of identification, anything from a code generated on a smartphone to a biometric such as a fingerprint. This adds an extra layer of protection: a password that has been phished, guessed, or leaked is useless on its own. Services like Facebook, Gmail, and online banking offer it as an option. So take the few extra seconds to turn on two-factor and secure your account.

Change Regularly

The longer a password stays in use, the more chances it has had to be exposed, whether through a breach you never heard about, a phishing page, or a shared computer. Universities usually require a change every 6 months; treat that as the bare minimum. One caveat worth knowing: the current NIST guidance (SP 800-63B) no longer recommends forcing periodic changes for their own sake, because people respond with predictable tweaks like incrementing a digit, but it does require a change whenever there is evidence of compromise. Whatever schedule you follow, never “rotate” by changing one character; pick a genuinely new sentence.

If a company announces that it has been hacked and credentials stolen, change your password immediately. Even if it appears that your account hasn’t been affected, change it anyway. It can take years for investigators to determine how deep a breach runs.

Conclusion

If there is anything you take from this post, remember these steps.

  • Base your password on sentences
  • Add complexity by replacing letters with numbers or special symbols
  • Don’t use personal information in your password
  • Don’t reuse passwords
  • Use two-factor
  • And change your passwords regularly

Works Cited

“Calculating Password Complexity.” Thycotic Support, Thycotic, https://thycotic.force.com/support/s/article/Calculating-Password-Complexity.

Carnegie Mellon University. “Guidelines for Password Management.” Information Security Office, Computing Services, Carnegie Mellon University, 14 Sept. 2017, https://www.cmu.edu/iso/governance/guidelines/password-management.html.

“Credential Stuffing.” OWASP, OWASP, 19 Nov. 2018, https://www.owasp.org/index.php/Credential_stuffing.

Keats, Shane Morales, et al. “Credential Stuffing: Attacks and Economies.” 19 Apr. 2018.

Rouse, Margaret, and John Ostrowick. “What Is Dictionary Attack? – Definition from WhatIs.com.” SearchSecurity, Oct. 2005, https://searchsecurity.techtarget.com/definition/dictionary-attack.

Vaughan-Nichols, Steven J. “After Alleged iCloud Breach, Here’s How to Secure Your Personal Cloud.” ZDNet, 1 Sept. 2014, https://www.zdnet.com/article/after-alleged-icloud-breach-heres-how-to-secure-your-personal-cloud/.
