Password Security

There are many ways that someone can gain access to your information on your computer.  Computer security is a broad term used to describe counter-measures against unauthorized access to your data.  These counter-measures include the physical security of a computer, password protection, data encryption, file permissions, internet security, firewalls, and more.

Password security is one of the most basic protections against your important information and is usually one of the least secure.  The primary weakness with most passwords is that they are very easy to crack.  Many of the other security measures in place are only as good as the password that protects them.  For example, many encryption schemes rely on the password as the “key” to unlock the encryption.  File permissions on your computer restrict access to files to any users that are not you, however if someone has your password, they can pretend to be you on your computer and bypass that security measure.

You may have heard the term “weak” and “strong” when used to describe the security level of a password.  Some websites have a graphical meter or rating when you create an account that tells you how strong your password is.  Hopefully by the end of this tutorial you will be able to create easy to remember strong passwords that are very hard to crack.

muffin0215 (no, I don’t mean passwords like that)

^.^muffin##0215^.^ (I mean like that)

Password Cracking Methods

To understand what makes a password weak or strong, we must first understand some methods that attackers use to crack passwords:

Social Engineering

The first and easiest way to gain access to a password, is to ask for it.  This method, called social engineering, may sound incredibly stupid but imagine a scenario where you work at a medium to large sized company and you get a phone call that goes something like this:

(ATTACKER)”Hello, my name is John Doe from Acme Technical Support firm, am I speaking with Jane Smith?”

(VICTIM)”Yes”

(ATTACKER)”How are you doing today Jane?”

(VICTIM)”Good.  How about you?”

(ATTACKER)”I’m doing great. I am calling to let you know that we are running some routine maintenance and updates on the company server and are migrating everyone’s username and password to a new database.  You are required to update your password at this time, but it won’t be effective until the new database is in place next week. We will need your current username and password to verify your account and a new password that you would like to change to.  You will keep the same username.  First, I will need your current username and password…”

(VICTIM)”OK, it’s jane.smith … gregory0923, all lowercase”

(ATTACKER)”OK I found your account, and what would you like to change your password to?  You can’t use the same password.”

(VICTIM)”Umm, let me think… how about muffin0215″

(ATTACKER)”Could you spell that out so that I put it in right?”

(VICTIM)”Sure…all lowercase…m-u-f-f-i-n-0-2-1-5″

(ATTACKER)”Alright.  Your new password has been entered into the new database.  You can continue to use your old password for now and once we roll-out the new database next week, we will notify everyone to use their new passwords.  Please make a note so that you do not forget until you are used to using your new password.”

(VICTIM)”OK”

(ATTACKER)”Alright Jane, have a great day!”

(VICTIM)”Thanks, you too.”

The victim in this scenario has revealed more than just her password.  Many people use a child’s or pet’s name and birthday as their passwords.  In this scenario, the victim has not only revealed that she typically uses this type of password scheme, she has also revealed another potential password that includes a pet name and birthday.  These names and birthdays can later be used for further security breaches by an attacker.

Some attackers use a method of social engineering called “phishing”.  Phishing generally involves setting up a website that looks EXACTLY like a site you may normally log in to, such as Facebook, Yahoo, PayPal, etc.  The attacker may send you an email or an interesting link via an instant message or Facebook message that directs you to their phishing page.  If you log into the fake page, the attacker captures your username and password that you typed in and can then use your password.

Guessing

Another common approach to cracking a password involves guessing.  Guessing passwords is usually not very successful unless some social engineering was previously used.  Learning information about a victim’s password habits and previous passwords makes guessing much easier.

Computer Aided Cracking

A third approach to password cracking involves using a computer to keep attempting passwords until either the password is found, or the attacker gives up and moves on.  Three common forms of computer aided password cracking involve using a “dictionary attack”, “brute force attack”, and a “combined attack”.

Dictionary Attack

A dictionary attack takes a very long list of words or phrases and then tries various combinations until the password is found.  The “dictionary” in a dictionary attack does not necessarily mean an actual printed dictionary of real words.  It just refers to a list of words or phrases that are used for the password cracking.  Some dictionary attacks are clever enough to use the most common words first in the attack or substitute numbers for letters which is another common password scheme.

Brute Force Attack

A brute force attack will crack every password 100% of the time.  A brute force attack takes a set of letters and numbers and sequentially tries them one at a time until successful.  Even with the speeds of today’s computers and internet,  this method is the least preferred because it can take a very long time to crack a single password and the chance for discovery escalates quickly.  Imagine you find an ATM card laying on the ground (akin to having someone’s username) and want to try to withdraw money from the account.  You could stand there at an ATM to try every PIN from 0000 to 9999 until you get the right one, which you will eventually.  However the risk of discovery escalates because the bank usually has ATM cameras and probably locks the card after so many failed attempts.

Combined Attack

A combined attack uses both dictionary and brute force methods to attempt to crack a password by mixing a list of words with individual numbers and letters.  A combined attack would more quickly find our example password of “muffin0215” than a brute force attack because of the word and numbers.

Securing Your Password

So now that we know some of the ways that attackers can gain access to our passwords, we need to be smart enough to not reveal our passwords when speaking or typing when a person or website asks us to reveal a password.  The interesting problem we come across is that passwords need to be easy enough to remember for a human, but hard enough that a computer cannot easily crack it.

Social Engineering Prevention

The best way to prevent social engineering attacks when someone asks for you to reveal passwords is to politely take their name and phone number then contact them back.  Contact your supervisor or a legitimate IT contact and verify the situation. Even if your actual IT support is dumb enough to ask for your password verbally over the phone, you should emphasize to them the importance you put on the security of your computer and the company.  Remember, there is nothing wrong with taking the time to do the right thing, even if it upsets your IT or supervisor’s work flow.

The best way to prevent phishing is to verify the web address before you login. If you come across a website that asks you to login with your username and password, take a second to make sure it is the website you are trying to login to.  You can tell by looking at the website’s address.  The part of the address that matters is just before the forward slash.  Even if the address is very long, look for the first forward slash / after the http(s):// then check to make sure the website domain is what you really want to log into just next to it.

[GOOD] http://www.website.com/index.html

[GOOD] https://secure.website.com/index.html

[GOOD] http://this.is.actually.website.com/index.html

[WARNING] http://www.website.com.this.is.fake.com/index.html

[WARNING] http://secure.website.com.gimme.money.com/index.html

Password Tools

There are many tools at our disposal that can make keeping secure passwords easier.  My favorite tool is called “LastPass” which is a web browser plugin that can be installed and remembers passwords for you, it can even type them in for you when you need to login to a website.  The benefit of having a program remember the passwords for you is that you can have many different passwords that can only be cracked by brute force all saved in one place.  LastPass guards your passwords with a single password which you must create and remember.

So even with password tools, we still need to have a way to come up with secure strong passwords that can only be broken by a very time consuming brute force attack.  There are many techniques you can use, feel free to research and find a technique that works for you.  I will share a variant of my favorite technique.

Flag and Spacer

Lets say you really want your password to be muffin0215 but this password is obviously not very secure.  Let’s create what I call a flag for the beginning and end, you can come up with whatever flag you want for your password, but make sure it has non standard characters in it.  For this example, we have created a squinty face looking flag ^.^  Now we need to create a word spacer.  In this example, I used a double sharp symbol as a spacer ##.  So our password now looks like squinty face, muffin, double sharp, 0215, squinty face.

^.^muffin##0215^.^

You can use your flag and spacer for every strong password you make.  Use it enough and you will be able to enter it into password fields automatically without having to actually think about your flags and spacer.  You can also have one word or several word variants with the same flag and spacer:

^.^muffin^.^

^.^muffin##puppy##0215^.^

With a very complex password, you only need to remember 3 things, your flag, spacer, and actual password.

You can combine your strong password technique with another that makes passwords unique.  This technique involves using a different word for each login.  For example, your passwords could be:

Windows: ^.^muffin##win^.^

Facebook: ^.^muffin##fb^.^

Email: ^.^muffin##email^.^

Twitter: ^.^muffin##twit^.^

Remember…

There are many secure password techniques out there, feel free to research, experiment and find one that suits you.  Just remember when coming up with a password, try and think about which methods of attack your password is vulnerable to.

Many websites do not allow you to use special characters in your password even though they have a “strong password” requirement.  I would suggest you use a strong password with a tool such as LastPass to store generated passwords.  Make sure you use a different password for EVERY login.  If one website gets compromised and an attacker steals your password, the attacker would not be able to easily access all of your accounts.

Here are some websites you can use to check your password strength:

Microsoft Password Checker

Password Meter

How Secure Is My Password

Thank you for reading this article and hopefully your future internet and computer ventures will remain secure.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.