Friday, January 8, 2021

Best Practices for Creating a Password



How does a password get hacked?

Cybercriminals have several password-hacking tactics at their disposal, but the easiest one is simply to buy your passwords off the dark web. There’s big money in the buying and selling of login credentials and passwords on the black market, and if you’ve been using the same password for many years, chances are it’s been compromised. But if you’ve been wise enough to keep your passwords off the aggregated black-market lists, cybercriminals have to crack them. And if that’s the case, they’re bound to use one of the methods below. These attacks can be aimed at your actual accounts or at a leaked database of hashed passwords.

Brute force attack

This attack tries every combination in the book until it hits on yours. The attacker automates software to try as many combinations as possible in as short a time as possible, and there has been some unfortunate headway in the evolution of that tech. In 2012, an industrious hacker unveiled a 25-GPU cluster he had programmed to crack any 8-character Windows password containing uppercase and lowercase letters, numbers, and symbols in less than six hours. It can try 350 billion guesses per second. Generally, anything under 12 characters is vulnerable to being cracked. If nothing else, we learn from brute force attacks that password length is very important. The longer, the better.

Dictionary attack

This attack is exactly what it sounds like — the hacker is essentially attacking you with a dictionary. Whereas a brute force attack tries every combination of symbols, numbers, and letters, a dictionary attack tries a prearranged list of words such as you’d find in a dictionary. If your password is indeed a regular word, you’ll only survive a dictionary attack if your word is wildly uncommon or if you use a multiple-word phrase, like LaundryZebraTowelBlue.

These multiple-word passphrases outsmart a dictionary attack: the number of candidates the attacker must try becomes the size of the word list raised to the power of the number of words in the phrase, as explained in the “How to Choose a Password” video by Computerphile.

Phishing

That most loathsome of tactics — phishing — is when cybercriminals try to trick, intimidate, or pressure you through social engineering into unwittingly doing what they want. A phishing email may tell you (falsely) that there’s something wrong with your credit card account. It will direct you to click a link, which takes you to a phony website built to resemble your credit card company. The scammers stand by with bated breath, hoping the ruse is working and that you’ll now enter your password. Once you do, they have it. Phishing scams can try to ensnare you through phone calls too. Be leery of any robocall you get claiming to be about your credit card account. Notice the recorded greeting doesn’t specify which credit card it’s calling about. It’s a sort of test to see if you hang up right away or if they’ve got you “hooked.” If you stay on the line, you will be connected to a real person who will do what they can to wheedle as much sensitive data out of you as possible, including your passwords.
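To put numbers on the brute force and dictionary reasoning above, here is an added example (not code from the original post, nor from Computerphile). It computes the size of the search space a cracker must cover for a character password versus a multi-word passphrase, converts that to bits of entropy, and estimates worst-case cracking time. It assumes the 350 billion guesses per second rate quoted above, 95 printable ASCII characters across the four character classes, and a 7,776-word list (the size of a Diceware-style list) as the passphrase dictionary; those figures are this example's assumptions.

```python
import math

# Guess rate quoted in the post for the 2012 25-GPU cluster (guesses per second).
GUESSES_PER_SECOND = 350_000_000_000

# Printable-ASCII character classes and their sizes (26 + 26 + 10 + 33 = 95).
CLASS_SIZES = {"lower": 26, "upper": 26, "digits": 10, "symbols": 33}
ALL_CLASSES = ("lower", "upper", "digits", "symbols")

# Assumed word-list size for passphrases: a 7,776-word Diceware-style list.
WORDLIST_SIZE = 7776


def brute_force_keyspace(length, classes=ALL_CLASSES):
    """Number of candidates an exhaustive search must cover for a password
    of `length` characters drawn from the given character classes."""
    alphabet = sum(CLASS_SIZES[c] for c in classes)
    return alphabet ** length


def passphrase_keyspace(num_words, wordlist_size=WORDLIST_SIZE):
    """A dictionary attack on a k-word passphrase must cover N**k candidates,
    where N is the size of the word list (the Computerphile point above)."""
    return wordlist_size ** num_words


def entropy_bits(keyspace):
    """Search-space size expressed in bits."""
    return math.log2(keyspace)


def seconds_to_exhaust(keyspace, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every candidate; the average hit takes half this."""
    return keyspace / rate


def human_time(seconds):
    """Render a duration in the largest convenient unit."""
    units = (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


def report(label, keyspace):
    """One table row: label, entropy in bits, worst-case exhaustive-search time."""
    bits = entropy_bits(keyspace)
    return f"{label:<34} {bits:6.1f} bits  {human_time(seconds_to_exhaust(keyspace))}"


if __name__ == "__main__":
    rows = [
        ("8 chars, all four classes", brute_force_keyspace(8)),
        ("12 chars, all four classes", brute_force_keyspace(12)),
        ("15 chars, lowercase only", brute_force_keyspace(15, ("lower",))),
        ("4 words, 7,776-word list", passphrase_keyspace(4)),
        ("6 words, 7,776-word list", passphrase_keyspace(6)),
    ]
    for label, space in rows:
        print(report(label, space))
```

The 8-character row lands at roughly five hours, which is consistent with the "less than six hours" figure quoted above; adding four characters pushes the same search into tens of thousands of years, and the passphrase rows show why a handful of words from even a modest list outgrows a dictionary run.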

The anatomy of a strong password

Don’t be silly

Stay away from the obvious. Never use sequential numbers or letters, and for the love of all things cyber, do not use “password” as your password. Come up with unique passwords that do not include any personal info such as your name or date of birth. If you’re being specifically targeted for a password hack, the hacker will put everything they know about you into their guess attempts.

Can it be brute force attacked?

Keeping in mind the nature of a brute force attack, you can take specific steps to keep the brutes at bay:

- Make it long. This is the most critical factor. Choose nothing shorter than 15 characters, more if possible.
- Use a mix of characters. The more you mix up letters (upper-case and lower-case), numbers, and symbols, the more potent your password is, and the harder it is for a brute force attack to crack it.
- Avoid common substitutions. Password crackers are hip to the usual substitutions. Whether you use DOORBELL or D00R8377, the brute force attacker will crack it with equal ease. These days, random character placement is much more effective than common leetspeak* substitutions. (*leetspeak: an informal language or code used on the Internet, in which standard letters are often replaced by numerals or special characters.)
- Don’t use memorable keyboard paths. Much like the advice above not to use sequential letters and numbers, do not use sequential keyboard paths either (like qwerty). These are among the first to be guessed.

Can it be dictionary attacked?

The key to staving off this type of attack is to ensure the password is not just a single word. Multiple words will confuse this tactic — remember, these attacks reduce the number of guesses to the size of the word list raised to the power of the number of words in the phrase, as explained in the popular XKCD comic on this topic.
How about this:
Through 20 years of effort, we've successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.
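The rules in "The anatomy of a strong password" above (minimum length, a mix of character classes, no leetspeak disguises of dictionary words, no keyboard paths, no sequential runs) can be turned into a defender-side check that a sign-up form or password audit applies before accepting a password. The following is an added example, not code from the original post: a small auditor that normalises a candidate the way a cracker's rule set would (lowercasing, stripping a trailing digit or punctuation, undoing common substitutions) before looking it up, and reports each rule violated. The tiny word list, the leetspeak mapping and the 15-character / three-class thresholds are this example's assumptions; the class count follows the "at least 3 of these choices" rule from the Notes section below, and it is reported as a warning rather than a failure so the post's own passphrase examples still pass.

```python
import string

# Constructed stand-in for a cracking word list; real lists hold millions of entries.
COMMON_WORDS = {"password", "welcome", "letmein", "doorbell", "door", "quagmire",
                "dragon", "monkey", "football", "sunshine"}

# Common leetspeak substitutions, reversed so they can be undone before the lookup.
LEET_TO_PLAIN = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                               "7": "t", "8": "b", "@": "a", "$": "s", "!": "i"})

KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
MIN_LENGTH = 15      # the post's "nothing shorter than 15 characters"
MIN_CLASSES = 3      # the Notes' "at least 3 of these choices"
RUN_LENGTH = 4       # how many in-order keys or characters count as a path/run


def _dictionary_candidates(pw):
    """Forms a cracker's rules would try: lowercase, leading/trailing digits or
    punctuation removed, leetspeak undone, and combinations of those."""
    lower = pw.lower()
    edges = string.digits + string.punctuation
    stripped = lower.strip(edges)
    return {
        lower,
        stripped,
        lower.translate(LEET_TO_PLAIN),
        stripped.translate(LEET_TO_PLAIN),
        lower.translate(LEET_TO_PLAIN).strip(edges),
    }


def _has_keyboard_path(pw):
    """True if RUN_LENGTH adjacent keys from one row appear in order (e.g. qwer, 4321)."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - RUN_LENGTH + 1):
                if seq[i:i + RUN_LENGTH] in low:
                    return True
    return False


def _has_sequential_run(pw):
    """True for abcd / dcba / 1234-style runs of consecutive character codes."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - RUN_LENGTH + 1):
        window = codes[i:i + RUN_LENGTH]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def _character_classes(pw):
    """Count of lower, upper, digit and symbol classes present (0..4)."""
    return (any(c.islower() for c in pw) + any(c.isupper() for c in pw)
            + any(c.isdigit() for c in pw) + any(not c.isalnum() for c in pw))


def audit(pw):
    """Return a list of (severity, message) findings; empty means every rule passed."""
    findings = []
    if len(pw) < MIN_LENGTH:
        findings.append(("fail", f"shorter than {MIN_LENGTH} characters"))
    hits = _dictionary_candidates(pw) & COMMON_WORDS
    if hits:
        findings.append(("fail", f"dictionary word after normalisation: {sorted(hits)[0]}"))
    if _has_keyboard_path(pw):
        findings.append(("fail", "contains a keyboard path such as qwerty"))
    if _has_sequential_run(pw):
        findings.append(("fail", "contains a sequential run such as abcd or 4321"))
    if _character_classes(pw) < MIN_CLASSES:
        findings.append(("warn", f"fewer than {MIN_CLASSES} character classes"))
    return findings


def is_acceptable(pw):
    """Accept when no 'fail' finding is present; warnings are reported but not blocking."""
    return not any(severity == "fail" for severity, _ in audit(pw))


if __name__ == "__main__":
    for candidate in ("password", "P@ssw0rd!", "D00R8377", "qwerty123456!!",
                      "QuagmireHancockMerciDeNada", "Bread&butterYUM!2021"):
        print(f"{candidate!r}: {'ok' if is_acceptable(candidate) else 'rejected'} {audit(candidate)}")
```

Note that D00R8377 is caught not because the list contains the leet spelling but because stripping the trailing digits and undoing the 0-for-o substitution reduces it to a listed word; that is the same normalisation a rule-based cracker applies, which is why the post calls such substitutions ineffective.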

The best password methods (and great password examples)

The revised passphrase method

This is the multiple-word phrase method with a twist — choose bizarre and uncommon words. Use proper nouns, the names of local businesses, historical figures, any words you know in another language, etc. A hacker might guess Quagmire, but he or she would find it ridiculously challenging to guess a good password example like this:

QuagmireHancockMerciDeNada

While the words should be uncommon, try to compose a phrase that gives you a mental image. This will help you remember. To crank it up another notch in complexity, you can add random characters in the middle of your words or between the words. Just avoid underscores between words and any common leetspeak* substitutions. (*leetspeak: an informal language or code used on the Internet, in which standard letters are often replaced by numerals or special characters.)

The sentence method

This method is also described as the “Bruce Schneier Method.” The idea is to think of a random sentence and transform it into a password using a rule. For example, taking the first two letters of every word in “The Old Duke is my favorite pub in South London” would give you:

ThOlDuismyfapuinSoLo

To anyone else, it’s gobbledygook, but to you it makes perfect sense. Make sure the sentence you choose is as personal and unguessable as possible.

Recommended ways to improve your password portfolio

All of the above methods help to strengthen your passwords but aren’t very workable, given that the average person uses dozens of them. Let’s review a few ways we recommend: use new complex passwords and a password manager, install an authenticator app on your smartphone, and purchase new hardware. Each of these can help with better and more secure authentication.

Use a password manager and a random password generator

A password manager keeps track of all of your passwords and does all the remembering for you, except for one thing — the master password which grants you access to your password manager. For that big kahuna, we encourage you to use every tip and trick listed above. The programs also come with generators, so you can create super-complicated, extra-long passwords that are infinitely more difficult to crack than any passwords a human might come up with. PC Magazine publishes a series of password manager recommendations.

Be careful who you trust

Security-conscious websites hash their users’ passwords so that even if the data gets out, the actual passwords are not exposed in plain text. But other websites don’t bother with that step. Before starting up accounts, creating passwords, and entrusting a website with sensitive info, take a moment to assess the site. Does it have https in the address bar, ensuring a secure connection? Do you get the sense it is up on the newest security standards of the day? If not, think twice about sharing any personal data with it.

Use multi-factor authentication

Multi-factor authentication (MFA) adds an extra layer of protection (which becomes your first layer of protection should your account details ever get leaked). It has become the new industry standard for effective security. In our blog post on MFA, we explain how it is used and how you can add MFA to common social accounts such as Twitter and Facebook. It requires something in addition to a password, such as biometrics (fingerprint, eye scan, etc.) or a physical token. This way, as simple or complex as your password is, it’s only half of the puzzle.

Note: given the 2018 Reddit hack caused by SMS intercepts, we do not recommend using SMS as your second factor of authentication. This has been a well-trodden path for many hackers in the past few years.
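The "Be careful who you trust" point above is about what a site does with your password once it has it. The following is an added example (not code from the original post) of the storage practice a security-conscious site follows: each password gets its own random salt and is run through a deliberately slow key-derivation function, so a leaked table cannot be attacked with precomputed tables and every guess costs the attacker the same work it costs the server. It uses only the Python standard library; the iteration count, salt length and record format are this example's assumptions. The unsalted SHA-256 function is included only as the weak form to contrast against.

```python
import base64
import hashlib
import hmac
import os

# Work factor and salt length are this example's assumptions, not figures from the post.
# Tune ITERATIONS so one derivation takes on the order of 100 ms on the server; that is
# the cost an attacker pays per guess against a leaked record, versus nanoseconds for
# a plain fast hash.
ITERATIONS = 600_000
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: scheme$iterations$salt$digest (base64 fields).
    Storing the parameters with the record lets the work factor be raised later."""
    salt = os.urandom(SALT_BYTES)                       # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([SCHEME, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and cost and compare in constant time."""
    try:
        scheme, iterations, salt_b64, digest_b64 = record.split("$")
    except ValueError:
        return False                                    # malformed record, never a match
    if scheme != SCHEME:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)     # no early-exit timing leak


def unsalted_sha256(password: str) -> str:
    """The weak form: fast and unsalted, so equal passwords give equal hashes and a
    leaked table can be matched against precomputed digests of common passwords."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    pw = "LaundryZebraTowelBlue"                        # passphrase example from the post
    alice, bob = hash_password(pw), hash_password(pw)
    print("salted records differ for the same password:", alice != bob)
    print("verify correct password:", verify_password(pw, alice))
    print("verify wrong password:  ", verify_password("LaundryZebraTowelRed", alice))
    print("unsalted hashes collide:", unsalted_sha256(pw) == unsalted_sha256(pw))
```

Two users with the same passphrase get different salted records, so a leaked table reveals neither that they share a password nor a digest that a precomputed list could match, while the unsalted form gives the same 64-hex-digit value every time.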

Notes

1. Password storage in Firefox

If you have not enabled and assigned a “master password” to manage your passwords in Firefox, anyone with physical access to your computer and user account can view the stored passwords in plain text, simply by clicking “Options,” and then “Show Passwords.” To protect your passwords from local prying eyes, drop a check mark into the box next to “Use Master Password” at the main Options page, and choose a strong password that only you can remember. You will then be prompted to enter the master password once per session when visiting a site that uses one of your stored passwords.

2. Avoid periodic changes of personal passwords

A widespread password security practice over the years has been to force users to change passwords periodically—every 90 days, or 180 days, etc. However, more recent guidance from NIST advises against a mandatory policy of password changes for personal passwords (note that this updated guidance does not apply to privileged credentials). One reason is that users tend to just repeat passwords they had used before. You can implement strategies to prevent password re-use, but users will still find creative ways around it. The other consequence of frequent password changes is that users are more likely to write the passwords down to keep track of them. Thus, a best practice from NIST is to ask employees for a password change only in case of potential threat or compromise.

3. These 7 tips will help make your digital life more secure

3.1. Never reveal your passwords to others. You probably wouldn’t give your ATM card and PIN to a stranger and then walk away. So, why would you give away your username and password? Your login credentials protect information as valuable as the money in your bank account. Nobody needs to know them but you—not even the IT department. If someone is asking for your password, it’s a scam.

3.2. Use different passwords for different accounts. That way, if one account is compromised, at least the others won’t be at risk.

3.3. Use multi-factor authentication (MFA). Even the best passwords have limits. Multi-factor authentication adds another layer of protection in addition to your username and password. Generally, the additional factor is a token or a mobile phone app that you would use to confirm that you really are trying to log in. Learn more about MFA and how to turn it on for many popular websites at https://twofactorauth.org/.

3.4. Length trumps complexity. The longer a password is, the better. Use at least 16 characters whenever possible.

3.5. Make passwords that are hard to guess but easy to remember.
- To make passwords easier to remember, use sentences or phrases. For example, “breadandbutteryum”. Some systems will even let you use spaces: “bread and butter yum”.
- Avoid single words, or a word preceded or followed by a single number (e.g. Password1). Hackers will use dictionaries of words and commonly used passwords to guess your password.
- Don’t use information in your password that others might know about you or that’s in your social media (e.g. birthdays, children’s or pets’ names, car model, etc.). If your friends can find it, so will hackers.

3.6. Complexity still counts. To increase complexity, include upper and lower case letters, numbers, and special characters. A password should use at least 3 of these choices. To make the previous example more secure: “Bread & butter YUM!”

3.7. Use a password manager. Password management tools, or password vaults, are a great way to organize your passwords. They store your passwords securely, and many provide a way to back up your passwords and synchronize them across multiple systems. Though the University does not recommend any one solution, here are some examples of free password managers:
- LastPass: https://lastpass.com/
- KeePass: https://keepass.info/
- Keeper: https://keepersecurity.com/
- Password Safe: https://pwsafe.org/
- Dashlane: https://dashlane.com/

4. Password mistakes you should avoid

- Avoid easily guessed passwords. The problem basically starts with password recycling, which is a risky practice. Substituting lower case for upper case or vice versa is also password recycling.
- Don’t add personal information to your passwords. If your password includes your name, surname, birthday, address or phone number, then you must consider changing it.
- Don’t use the same password across several accounts. This may be the easiest way to remember your passwords. Unfortunately, it is also the fastest way to trouble. Did you know that in 2016, Mark Zuckerberg’s LinkedIn, Twitter and Pinterest accounts were hacked, as he was using the same password for multiple social media platforms?

5. 5 password security best practices

5.1. Make sure your password is complex. So is a long password the way to go? Possibly, yes. Short passwords are easy to hack. For added security, try to create lengthier passwords. Using upper and lowercase alphanumeric characters is also one of the best practices to boost password security. To increase the complexity of your password, you can add spaces, punctuation, or misspellings. Implementing all of these will make your password less predictable. Don’t forget that the length of your password is a significantly important attribute.

5.2. Use a word that can’t be found in a dictionary. There are multiple ways that criminals use to find passwords. A brute force attack is one of them. These attacks are random trial-and-error sessions or repeated successive attempts at guessing password combinations. Hackers simply let the bot do the job – executing a high number of attempts per minute until they find a password. If you must use a dictionary word, try these: either combine your password with a number or add punctuation at the beginning or at the end of the word. Simply put, get creative and formulate really unique combinations.

5.3. When possible, use brackets. Feel free to use curly { }, round ( ), square [ ] or even angle < > brackets. They are rarely used by people, so this makes them a great way of boosting password security. The more you mix up letters with brackets or symbols, the harder it is for a hacker to compromise it.

5.4. Use misspelled words. Bad spelling or password typos can actually make a huge difference in your overall password security. Hackers usually search for passwords using correct grammar and spelling in their attacks. The potential benefit of this method is that it enables you to create more complicated passwords.

5.5. Change your passwords as required. Stay one step ahead of hackers by changing your passwords. But there is a problem that comes with changing your passwords regularly. We don’t actually mean changing a password every month. You may naturally wonder when the best time to change a password is. We would say it is when a website you have an account with is hacked. Additionally, if you have shared your password with somebody else, it is time to change your password. Did you know that 57% of people who have experienced a phishing attack have not changed their password management techniques?

6. Add extra security to your C-suite

Not everyone in your company handles sensitive information. It’s important that you use the right security measures for the position. C-suite executive positions require more password management than your intern. Naturally, executive staff handle more sensitive information and therefore need more secure passwords. Multi-factor authentication can be expensive—especially if you’re using biometrics. Spend your money wisely by applying biometrics to upper management and other mission-critical roles while encouraging the rest of your staff to use password management best practices.

7. It’s no secret that malicious cyber activity costs businesses and the economy dearly. In fact, data hacks and breaches cost the U.S. economy between $57 billion and $109 billion in 2016. For a small business, the cost and damage of a data hack can be irreversible. A staggering 81% of company data breaches are due to poor passwords. The good news is that by taking some simple but effective precautions in relation to passwords, businesses can help protect themselves from the havoc and damage data breaches can cause.

8. 5 common password-cracking techniques used by hackers

8.1. Dictionary attacks. These are attacks on passwords that resemble words from the dictionary. They can also target derivatives of commonly used words where letters are replaced with numeric or alphanumeric characters.

8.2. Brute force attack. These are attacks on passwords that have no meaning, that is, do not resemble any dictionary word. Examples include all the probable combinations from aaa1 to zzz10. The hacker will keep trying as many passwords and passphrases as possible, hoping to get lucky in the guessing game.

8.3. Cracking security questions. Security questions are a commonly used second factor because people find them easy to remember. But the answers are also easy for hackers to obtain, as they are mostly available on social media profiles. All they need to do is a little bit of digging.

8.4. Social engineering attack. Here hackers play with users’ psychology and trick them into disclosing their passwords. A common example of a social engineering attack is phishing, where hackers come up with irresistible offers, manipulate users into responding to malicious links, and steal their credentials.

8.5. Spidering. A lot of passwords in corporate businesses are made up of words around the business itself. Savvy hackers study corporate literature and build a list of custom words to launch a brute force attack against those passwords.
References:
- https://blog.avast.com/strong-password-ideas
- https://krebsonsecurity.com/password-dos-and-donts/
- https://www.beyondtrust.com/blog/entry/top-15-password-management-best-practices
- https://www.it.ucsb.edu/secure-compute-research-environment-user-guide/password-best-practices
- https://www.swisscyberforum.com/is-your-password-secure/
- https://www.pluralsight.com/blog/security-professional/modern-password-guidelines
- https://swiftsystems.com/guides-tips/10-best-practices-for-password-management/
- https://www.godaddy.com/garage/10-best-practices-for-creating-and-securing-stronger-passwords/
- https://smallbiztrends.com/2019/01/password-best-practices.html
- https://www.business2community.com/cybersecurity/password-security-best-practices-in-2020-02282074
