Passwords are a common topic amongst the information security industry. Different entities have various ways of defining and creating a secure password for themselves and their organizations. Many in the security industry will claim that passwords have failed us, and in a way they have. One of the stronger methods of protecting your accounts is Two-Factor Authentication, so if it is offered, use it. In this guide we will walk you through how to create strong passwords and see if a password manager is right for you.
A strong password is 16 characters or more, made of random characters and numbers. Current computer architecture does not possess the processing power to crack a password of more than 16 characters. However, as computer architecture becomes more advanced, so too will the password-cracking process. We will discuss how passwords are securely stored later in this post.
Re-using a password across multiple accounts is a no-no. If one of those companies is breached and their password databases are dumped, hackers can use them to try and get into your other accounts. If you are a part of multiple breaches, which everyone is, they can start comparing your passwords and even guessing other ones.
So how do you create a secure password? Advice from Kevin Mitnick, the world’s most famous hacker, has long been appreciated in password security: use passphrases, not passwords. The more randomness and uniqueness you can include, the better. Here are some examples:
Corn-Electron-Cave-Remote
Cans-Goats-Peas-Eleven01
11Twelve-Nature#Birds
This method can be extended to fit your needs, and only requires that you remember 3-5 words and perhaps some extra characters, as shown above. These passphrases are harder to crack because of their length and are easier to remember than a simple password. However, they can still be cracked; we will explain more later in the article.
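As an added example (not code from the post or from Dexter Security), here is how a passphrase of the kind shown above can be generated and how much randomness it actually carries. The word list below is a tiny constructed one used only to keep the example self-contained; a real list such as the EFF long word list has 7776 words, which gives about 12.9 bits of entropy per word. The key point is that the words are chosen with the `secrets` module, which draws from the operating system's secure random source, rather than by a person or by the ordinary `random` module.

```python
import math
import secrets

# Constructed word list for illustration only (an assumption of this example).
# Real diceware-style lists are far larger: the EFF long list has 7776 words.
WORDS = [
    "corn", "electron", "cave", "remote", "cans", "goats", "peas", "eleven",
    "nature", "birds", "river", "marble", "planet", "copper", "lantern", "velvet",
]


def generate_passphrase(words, count=4, separator="-", digits=2):
    """Pick `count` words uniformly at random with the `secrets` module
    (cryptographically secure, unlike `random`), capitalize them, join them
    with `separator`, and append `digits` random decimal digits."""
    if count < 1:
        raise ValueError("count must be at least 1")
    chosen = [secrets.choice(words).capitalize() for _ in range(count)]
    suffix = "".join(str(secrets.randbelow(10)) for _ in range(digits))
    return separator.join(chosen) + suffix


def entropy_bits(list_size, count, digits=0):
    """Entropy (in bits) of `count` words drawn uniformly from a list of
    `list_size` words plus `digits` uniformly random decimal digits. This is
    log2 of the number of equally likely passphrases the scheme can produce."""
    return count * math.log2(list_size) + digits * math.log2(10)


def is_well_formed(passphrase, words, count=4, separator="-", digits=2):
    """Check that a passphrase follows the generator's scheme: `count`
    capitalized words from the list, joined by `separator`, then `digits` digits."""
    cut = len(passphrase) - digits
    body, suffix = passphrase[:cut], passphrase[cut:]
    parts = body.split(separator)
    return (
        len(parts) == count
        and all(p.lower() in words for p in parts)
        and all(p[:1].isupper() for p in parts)
        and (suffix.isdigit() if digits else suffix == "")
    )


if __name__ == "__main__":
    phrase = generate_passphrase(WORDS)
    print(phrase)
    print(f"{entropy_bits(len(WORDS), 4, 2):.1f} bits with this 16-word toy list")
    print(f"{entropy_bits(7776, 4, 2):.1f} bits with a 7776-word list")
```

With the toy list, four words and two digits give only about 22.6 bits, which is why the size of the word list matters as much as the number of words: the same four words from a 7776-word list give about 58 bits.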
Of course, you have to make sure you remember your password. We here at Dexter Security recommend using a password manager to safely store passwords across your accounts. Furthermore, password managers can create unique passwords for each of your accounts that are very strong, and you can control how long they are. It is important to note that your browser is not a secure password manager, and that most password managers can import and then delete browser passwords for your convenience. Keeping passwords in your browser is a major security risk, and a lot of malware is designed to steal the file containing them.
It is important to note that password managers are far from a cure-all. The problem with password managers is that if your computer gets hacked, you risk all of your passwords being stolen. The fallout from this can be mitigated by writing down your most important passwords and not keeping them in your password manager. You can also enable recovery codes as a last resort for regaining access to your most important accounts.
Dexter Security recommends keeping your most important passwords written in a physical password notebook. A backup copy is also recommended in the event that one is lost. These may be considered extreme measures, but backups are a requirement in the security sphere. If you’re feeling really paranoid, lock them up in one of our (or any) fireproof safes, along with your recovery codes.
The next topic of conversation is keyloggers. A keylogger is malware that logs all of your keystrokes, i.e. everything you type, and then sends them off for the hacker to see. Much anti-virus software has methods to counter this type of malware, so it is important to have decent anti-virus software on your machines. However, we are beginning to see a shift from Legacy Anti-Virus to what we call Next Generation Anti-Virus. As hackers and their methods evolve, so does the security sphere. What this means is that current anti-virus has the potential to miss malware on your computer. A basic rule of thumb is to consider where you have been on the internet, what links you have clicked, and whether or not you trust the computer you’re on before typing in your password.
How Are Passwords Stored?
Let’s pretend that Netflix gets hacked and their password databases are dumped on the dark web. A hacker can find your email in the database and an encrypted* version of your password. Hackers have methods of breaking this encryption and then using the discovered password to access other accounts.
When you create a password, either locally on a computer or on a website, it goes through a process known as hashing, which is not considered encryption* because it cannot be decrypted. Essentially, the computer takes your password and runs it through an irreversible mathematical algorithm which produces a string of random-looking characters. This is done to prevent hackers from blatantly seeing your clear-text password in the event of a breach or other attack. When you log in, the password you enter is run through this same algorithm and hashed again. If the two hashes match, you are granted access.
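As an added illustration (not code from the post or from Dexter Security), here is the store-and-verify flow in Python. It goes one step beyond the paragraph: the stored value is a salted, deliberately slow PBKDF2-SHA256 digest rather than a plain hash, so two users with the same password get different stored values and every guess costs many hash computations instead of one. The in-memory user store, the iteration count and the sample accounts are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed in-memory user store; a real site keeps this in its database.
USERS = {}

# PBKDF2 iteration count: an assumption of this example, chosen so that each
# guess costs many hash computations rather than one.
ITERATIONS = 100_000


def hash_password(password, salt=None):
    """Return (salt, digest). The salt is 16 random bytes unique to this record,
    so two users with the same password end up with different digests."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def register(username, password):
    """Store only the salt and digest; the clear-text password is never kept."""
    salt, digest = hash_password(password)
    USERS[username] = {"salt": salt, "digest": digest}


def login(username, password):
    """Re-hash the submitted password with the stored salt and compare the
    result in constant time. An unknown user still pays for one hash so the
    response time does not reveal whether the username exists."""
    record = USERS.get(username)
    if record is None:
        hash_password(password, salt=b"\x00" * 16)  # burn the same time
        return False
    _, candidate = hash_password(password, record["salt"])
    return hmac.compare_digest(candidate, record["digest"])


def stored_digests_differ(username_a, username_b):
    """True when two users' stored digests differ, even if their passwords match."""
    return USERS[username_a]["digest"] != USERS[username_b]["digest"]


if __name__ == "__main__":
    register("alice", "Corn-Electron-Cave-Remote")
    register("bob", "Corn-Electron-Cave-Remote")
    print(login("alice", "Corn-Electron-Cave-Remote"))   # True
    print(login("alice", "corn-electron-cave-remote"))   # False: different hash
    print(login("carol", "anything"))                    # False: unknown user
    print(stored_digests_differ("alice", "bob"))         # True: salted
```

Note that nothing in the store can be "decrypted": a login succeeds only because the same input, salt and algorithm reproduce the same digest.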
The Future of Passwords
16-character passwords will eventually become breakable, so realistically you want to add as many characters as you can. Quantum computing, the coming generation of computers, is the science of storing data at a molecular level. This will change encryption and decryption as we know it, and we have no idea what will come of it. There is the potential for either a drastic increase or a drastic decrease in security, but quantum computing will most likely break encryption for a period of time.
You can prepare for this rather simply, if not humorously. When you hear about it in the news, which you very likely will, turn off your router and take a walk outside until it’s proclaimed “fixed”. Make sure your most important passwords are 25-32 or more characters long, and know that this is once again not a cure-all. Cybersecurity is full of double-edged swords and uncertainty, but if you’ve followed the steps in this post, you are already ahead of the game.
This marks the end of the article, but we have included a more technical analysis of how passwords are cracked below.
How is a password cracked?
Let’s say your password is iLoveMyDog3. This password has 11 characters. Now imagine a computer program that starts with the letter “a”, then “b”, then “c”, and so forth. Each of these letters gets hashed and then compared with the hash the program is trying to break.
a -> b -> c
Now imagine this computer cycles through all letters of the alphabet, both lowercase and uppercase, numbers, and special characters. After that, it starts over, but this time it adds these same characters to the right of the first. It is now looking for a 2-character password.
aa -> ab -> ac … z0 -> z1 -> z2
Depending on the computer, this process can be incredibly fast or brutally slow. Within 8-10 minutes most computers are usually already trying candidates of more than 5 characters.
abc56 -> abc57 -> abc58 … zzz997 -> zzz998 -> zzz999
This program will continue this process up to 15 characters. Since we are using an 11-character password, it will look something like this before the hashes discussed earlier match.
iLoveMyDog1 -> iLoveMyDog2 -> iLoveMyDog3
Now the password hash produced by the program matches the hash of your password, and the hacker knows what your password is.
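To make the search described above concrete, the following Python is an added example (not code from the post) that does exactly what the paragraphs describe, on a deliberately tiny scale: it walks every candidate of length 1, then 2, then 3 over a small character set, hashes each one with unsalted SHA-256, and stops when the hash matches the target. The target password, character set and guess rate are constructed for the example. It also reports how the number of candidates grows with length and with the size of the character set, which is the arithmetic behind the advice to use long passwords and slow hashes.

```python
import hashlib
import itertools
import string


def hash_candidate(candidate):
    """Unsalted SHA-256 hex digest, standing in for the leaked password hash."""
    return hashlib.sha256(candidate.encode("utf-8")).hexdigest()


def keyspace(charset_size, max_length):
    """Number of candidates of length 1 through max_length over the charset."""
    return sum(charset_size ** n for n in range(1, max_length + 1))


def worst_case_seconds(charset_size, max_length, guesses_per_second):
    """Time to try every candidate at a given guess rate. A slow password
    hash lowers guesses_per_second, a longer password raises the keyspace."""
    return keyspace(charset_size, max_length) / guesses_per_second


def brute_force(target_hash, charset, max_length):
    """Try every candidate of length 1, then 2, ... up to max_length, hashing
    each and comparing with the target. Returns (password, attempts), or
    (None, attempts) if nothing up to max_length matched."""
    attempts = 0
    for length in range(1, max_length + 1):
        for combo in itertools.product(charset, repeat=length):
            attempts += 1
            candidate = "".join(combo)
            if hash_candidate(candidate) == target_hash:
                return candidate, attempts
    return None, attempts


if __name__ == "__main__":
    # Constructed target: a 3-character password over a 6-character alphabet.
    leaked = hash_candidate("c2a")
    print(brute_force(leaked, "abc123", 3))   # ('c2a', 139)

    # Full printable alphabet (letters, digits, punctuation) from the post's scenario.
    full = len(string.ascii_letters + string.digits + string.punctuation)  # 94
    for length in (5, 11, 16):
        print(f"{length:2d} chars: {keyspace(full, length):.3e} candidates")
```

The 11-character example from the text has a keyspace of roughly 5 x 10^21 candidates over 94 characters, and 16 characters pushes that to about 4 x 10^31. Only dictionary words, reuse and fast unsalted hashes bring real passwords within reach of this search.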
If you feel like there is more to add to this article, contact us.