PASSWORDS: The Weakest Link in Online Security

November 28, 2016

 

Here at Insinia we're often asked:

"What can I do right now to improve my security?"


This guide explains how choosing and managing your passwords properly can sharply improve your security.

This post covers passwords, why so many of them are easy to crack, and how you can create strong passwords that are impractical to crack.

 

Firstly, what makes a strong password?

1. VARIATION
The number one cardinal sin is using the same password for everything. It doesn't take a genius to work out that if an attacker finds, cracks or phishes one password, you've given them all away: password lists leaked from one site are routinely replayed against every other site ("credential stuffing").

Always vary your passwords, using a different password for every site and application. This may seem long, boring and difficult but, in reality, it's pretty simple and highly effective.

 

2. LENGTH
Use long passwords for more security. Almost any password of 8 characters or less can be cracked in seconds to hours once an attacker has a copy of the site's password database and the site stored it with a fast hash; it falls instantly if it's a common word, phrase or a password from a previous breach.

The difference between cracking an 8 character password and a 10 character password is huge, because every extra character multiplies the number of guesses an attacker has to make. All of our passwords here at Insinia are 25+ characters long, use upper case, lower case and special characters, and are completely random.

Of course, this doesn't guarantee security (a password that's reused, phished or captured by malware is lost whatever its length), but it does put a brute force attack out of reach: against a random password of that strength, exhaustive guessing is not practical with any hardware an attacker can buy.

 

3. SALT YOUR HASH:

In everyday use, "salting your hash" gets used to mean adding special characters to a password. Strictly speaking, salting is something the website does, not the user: before a password is hashed and stored, the server adds a random value (the salt) so that two users with the same password get different hashes and an attacker can't crack a whole leaked database with one precomputed table. What the user controls is the mix of characters in the password itself, and that is what the rest of this section is about.
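To make the distinction concrete, here is an added example (not code from the original post or from Insinia) of what salting actually is on the server side, using Python's standard library. The two user names and the mini wordlist are constructed sample data. It shows the two things a practitioner should take away: a salt makes identical passwords hash differently and defeats precomputed tables, but it does nothing to rescue a weak password, because an attacker with the leaked salt and digest can still run a wordlist through the same function.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Work factor for PBKDF2-HMAC-SHA256. Tune upward as hardware gets faster;
# 100,000 is used here so the example runs quickly.
ITERATIONS = 100_000
SALT_BYTES = 16


def unsalted_hash(password: str) -> str:
    """How NOT to store a password: a bare fast hash, identical for every
    user who picked the same password and cheap to brute-force."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, slow hash. A fresh random salt is generated per password and
    stored alongside the digest; the salt is not secret, just unique."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def crack_with_wordlist(salt: bytes, digest: bytes, wordlist) -> Optional[str]:
    """What an attacker does with a leaked (salt, digest) pair: push every
    candidate through the same function. The salt does not stop this; it only
    forces the work to be repeated per user. A weak password still falls."""
    for candidate in wordlist:
        if verify_password(candidate, salt, digest):
            return candidate
    return None


if __name__ == "__main__":
    # Two users (constructed sample data) who both chose "password".
    print("unsalted, alice:", unsalted_hash("password"))
    print("unsalted, bob:  ", unsalted_hash("password"))  # identical: one crack breaks both
    salt_a, digest_a = hash_password("password")
    salt_b, digest_b = hash_password("password")
    print("salted, alice:  ", digest_a.hex())
    print("salted, bob:    ", digest_b.hex())            # differ: no shared precomputation
    # Constructed mini wordlist: the salt makes no difference to a dictionary hit.
    print("cracked:", crack_with_wordlist(salt_a, digest_a, ["123456", "qwerty", "password"]))
```

The stored record is the pair (salt, digest); the salt is kept in the clear next to the digest, and it is the slow function plus the password's own strength that protect the user, not the secrecy of the salt.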

 

You can check the strength of candidate passwords at https://howsecureismypassword.net/ (never paste a password you actually use into a third-party site; test a password of the same shape instead). The site estimates how long an exhaustive brute force would take at an assumed guessing rate, so its figures are an upper bound: wordlist and rule-based attacks reach common patterns far sooner.

In Figure 1 below you can see how long it would take to crack the password "password". The result is instant.

FIGURE 1:

PASSWORD: password
RESULT: Instantly Crackable

Figure 2 below shows the same password written as "P@55w0rd". This seemingly stronger password, which uses special characters, is estimated at 3 days. In practice it's far weaker than that: "leet" substitutions (a to @, s to 5, o to 0) are standard rules in cracking tools, so "P@55w0rd" is reached within a few hundred guesses of "password".

FIGURE 2:

PASSWORD: P@55w0rd
RESULT: Crackable in 3 days (brute force estimate)
 

Now, if we use a password with random words, special characters, variation and length, we achieve this result:

FIGURE 3:

PASSWORD: “demonstration4Us3rs2C”how@saltingUR#c@nmakeuMOREsecure”!
RESULT: 452 septemvigintillion years!

As you can see from Figure 3, passwords built from random characters, special characters and upper and lower case are out of reach of brute force. Remember that the estimate only measures guessing: it can't tell you whether a password is reused across sites or already sitting in a breach list, which is why variation (section 1) matters just as much as length.

"Salt" your passwords by using random letter, number and special character combinations: mix upper case, lower case and special characters and you're well on your way to a secure password!

Check out http://strongpasswordgenerator.com for some examples of strong passwords. Here are a few with their estimated crack times:

PASSWORD: :m/Ld!q[5#3K'rD
CRACKED IN: 4 trillion years!

PASSWORD: ~Ys/l,-|)c1{}(KP45Y>jkL*(`zxc
CRACKED IN: 24 duodecillion years!
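The figures above come from a brute force model, and the gap between that model and a real cracking run is the point of sections 2 and 3. The following added example (written for this edit, not code from the original post or from the sites linked above) does both calculations: it scores a password by the size of its character set and length against an assumed guessing rate, and it applies a tiny rule-based attack of the kind cracking tools run over a wordlist, showing that "P@55w0rd" is found within about a hundred guesses of "password" even though the brute force estimate is days. The guessing rates are assumptions for illustration, not measurements.

```python
import itertools
import math
import string

# Assumed attacker speeds (guesses per second), for illustration only: the
# offline figure is the order of magnitude a GPU rig reaches against a fast
# unsalted hash such as MD5 or SHA-1; the online figure is a rate-limited
# login form. Neither is a measurement.
OFFLINE_RATE = 10_000_000_000
ONLINE_RATE = 100

# Character classes, smallest first; a password is scored against the
# smallest class that contains every one of its characters.
CLASSES = [
    ("digits", string.digits),
    ("lower", string.ascii_lowercase),
    ("lower+upper", string.ascii_letters),
    ("lower+upper+digits", string.ascii_letters + string.digits),
    ("all printable", string.ascii_letters + string.digits + string.punctuation),
]

# Substitutions a cracking tool's rule file applies to every wordlist entry.
LEET = {"a": "@4", "e": "3", "i": "1!", "o": "0", "s": "$5", "t": "7"}


def alphabet_size(password: str) -> int:
    """Size of the smallest class covering the password; anything outside
    printable ASCII is scored as a full byte alphabet."""
    for _, chars in CLASSES:
        if all(c in chars for c in password):
            return len(chars)
    return 256


def entropy_bits(length: int, size: int) -> float:
    """Bits of entropy of a uniformly random password of this length/alphabet."""
    return length * math.log2(size)


def brute_force_seconds(length: int, size: int, rate: float) -> float:
    """Time to exhaust every password of this length drawn from `size`
    characters at `rate` guesses per second (the attacker expects to hit the
    target about halfway through)."""
    return size ** length / rate


def human(seconds: float) -> str:
    """Readable duration."""
    year = 365.25 * 86400
    if seconds >= 1e12 * year:
        return f"{seconds / year:.3g} years"
    for name, unit in (("years", year), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= unit:
            return f"{seconds / unit:,.1f} {name}"
    return f"{seconds:.3g} seconds"


def leet_variants(word: str):
    """Every combination of LEET substitutions on `word`, each also with the
    first letter capitalised: a miniature rule-based attack."""
    options = [list(dict.fromkeys(c + LEET.get(c.lower(), ""))) for c in word]
    for combo in itertools.product(*options):
        candidate = "".join(combo)
        yield candidate
        yield candidate[0].upper() + candidate[1:]


def guesses_until(target: str, base_word: str):
    """Number of guesses the rule attack on `base_word` needs to hit `target`,
    or None if the rules never produce it."""
    for n, candidate in enumerate(leet_variants(base_word), start=1):
        if candidate == target:
            return n
    return None


if __name__ == "__main__":
    for pw in ("password", "P@55w0rd", "xK9#qL2m!T", ":m/Ld!q[5#3K'rD"):
        size = alphabet_size(pw)
        print(f"{pw:18} {len(pw):2d} chars, alphabet {size:3d}, "
              f"{entropy_bits(len(pw), size):5.1f} bits, "
              f"offline {human(brute_force_seconds(len(pw), size, OFFLINE_RATE)):>20}, "
              f"online {human(brute_force_seconds(len(pw), size, ONLINE_RATE)):>20}")
    print("rule attack finds P@55w0rd after", guesses_until("P@55w0rd", "password"), "guesses")
```

Two things stand out when you run it. The online column is why rate limiting matters even for weak passwords, and the offline column is why a site that stores fast unsalted hashes turns an 8 character password into seconds of work; the rule attack then shows that no amount of brute force arithmetic applies to a password built from a dictionary word.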

4. PHYSICAL SECURITY
One of the golden rules: keep your passwords physically secure!

Here at Insinia we see so many companies whose employees write their passwords down and stick them to a monitor, under a keyboard, and so on. This is NOT a good thing to do.

It's pointless keeping your items in a safe if the code for the safe is on the door!

Hackers are not just people tapping away from a distance. Hackers, crackers and cyber criminals will all be more than happy to pose as a cleaner in order to gain physical access to your workspace and confidential data. You'd be surprised just how easy it is to steal data when people are leaving the keys to the kingdom right under your nose.

5. ENCRYPT YOUR WRITTEN-DOWN PASSWORD
Another option, if you must write a password down, is to write it in a private code rather than in the clear.

If you come up with your own way of transforming your password, the written copy only makes sense to someone who knows the scheme.

For example, if your secret code is A=1, B=2, C=3, D=4 and so on, and your real password is ABBA, then the version you write down (and keep securely) is 1221. Be clear about what this is: it's a simple substitution cipher, not a hash (a hash is one-way; this has to be reversible, because you need the password back) and not strong encryption (anyone who sees a couple of examples, or simply tries the obvious letter-to-number mapping, will break it in minutes). It raises the bar against a glance at a sticky note and nothing more. For passwords that are genuinely random and 25+ characters, a password manager is the practical place to keep them.

 

6. TWO FACTOR AUTHENTICATION
You may not be familiar with "Two Factor Authentication" (also known as 2FA or two-step verification) but chances are that you use it most days!

When you use your bank card at a cash machine you rely on two separate factors:

          1. Possession of the card (you must have it with you to use it)
          2. Knowledge of the PIN code (you must know the PIN to prove you're the owner)

Neither on its own is enough; that combination is two factor authentication.

So how can you use 2FA on the internet?

Facebook, Google, Twitter etc all offer 2FA. All you need is a mobile phone or smart device.

By pairing a device to your account, the service provider (Google, Twitter etc) will send you a text with a code, or have an authenticator app on the phone generate one, when you try to log in. After you enter your password you'll be asked to "enter verification code". Enter the code and away you go!

This means that unless an attacker knows your password and also has your phone (or can get hold of the code), they have no way into your account. It stops password-only attacks such as brute force and credential stuffing cold, because the password alone is no longer enough. Two caveats: SMS codes can be intercepted or redirected (for example by persuading the mobile network to move your number onto the attacker's SIM), so an authenticator app or a hardware key is the stronger choice where the service offers one; and a code can still be phished if you type it into a fake login page, so only ever enter it on the genuine site.

Lastly, the standard model of authentication (sometimes called the military rule) recognises three factors:

"something you know, something you have, something you are".

For example:

Something you know is a memorable password.
Something you have is a physical key or the phone paired to your account.
Something you are is a fingerprint.

Three factor authentication uses one of each, and the factors only count separately if they can't be stolen together.

 

Simple steps, yet effective.

Follow us on Twitter @InsiniaSec for more info, tips and advice!

 

 

 
