Have you been pwned? Creating strong passwords: why it’s vital and how to do it.

Infosec researcher Troy Hunt has revealed last week that 773 million email addresses have been shared in a “a popular hacker forum” – along with a very large number of plain text passwords.
This seems to be a collection of data breaches over the course of many years, but doesn’t change the fact, that the passwords might be still in usage. So it’s the right time to change your password.

Why it’s vital?

Passwords continue to be a fundamental element in the process of authorizing access to a user.

Be the account a simple online forum account about a particular interest, or one that allows you to access and manage your personal finances or tax records, passwords play an intrinsic part.

Learning how to create a strong password and thinking carefully about how to manage them is key to better security. Understanding and following best practice password management means your accounts are intrinsically harder to crack.

I like to think about password management like this:

An opportunist burglar cases a  cul-de-sac of similar homes in a quiet neighborhood looking for the easiest point of access to achieve his or her goal. If robbery is the goal, then we’re looking for a quiet house with easy access (open windows or unlocked doors, for example) and no visible obstacles (spotlights, alarms, dogs, surveillance cameras, etc).  No burglar wants to be in the situation where their behavior arouses suspicion.

So, to detract the opportunist burglar, you needn’t be Fort Knox, you need only be an unattractive victim, or at least less attractive than your neighbors.

It’s the same for passwords. Employing these following practices perhaps doesn’t guarantee that you won’t be targeted, but it will significantly lower your risk level.

And it is of course vital that companies, as well as home users, employ proper password management to safeguard against unauthorized access to accounts, files and data.

 

How to create unique, hard-to-crack passwords

Hard-to-crack passwords are passwords that could withstand a dictionary style attack, where attackers attempt to crack your password by throwing at it all known passwords in their treasure trove. For example, if attackers have stolen the encrypted or hashed files from a company. They can work offline hammering away to reveal your password without any time constraint.

Make decrypting your password not worth the effort.

Here’s how.

Unique, long complex passwords that have characters, numbers, differently-capped letters are currently the most difficult passwords to crack.

Each password must be unique. Imagine one system using your generic passwords gets compromised and your password is accessed, they can try your public usernames and that password across a plethora of popular web accounts such as social media and retail sites in order to gain access to your private account.

Humans are notoriously bad at creating and remembering unique and complex passwords without a pattern. Using a trusted password manager to help you generate complex and difficult-to-crack passwords is worthwhile. Algorithms are much better at creating long pattern-less passwords, which avoid common password traps like common words and phrases like movie titles or lyrics, popular number sequences.

You need a combination of long and random.

For example, consider these phrases as potential passwords:

It was seven o’clock of a very warm evening

1twas7oclockofav3ryw4rm3v3n1ng

Both are the first words in Rudyard Kipling’s The Jungle Book. While both are long, neither are resilient because the first is created of English words, while the  obfuscation techniques used in the second example are well known and easily deciphered programmatically.

Compare the above to a suggestion from a random generator

QBeZu#&6JtDz%zXT75^LOnNGS0

Passwords like this one are indeed impossible to remember without help. Trusted password managers can also encrypt and store your impossible-to-remember passwords securely, which means you don’t even need to remember what your password is. Some offer cloud-based solutions, while others let you store locally.

Tip: you can also check current passwords against a 500 million strong store of stolen and compromised passwords: https://haveibeenpwned.com/Passwords Needless to say, if it is among those listed, it’s it most definitely time to update it.

Employ multi-factor authentication wherever possible

Multi-factor authentication, also known as two-factor authentication (2FA), is the practice of employing an additional hurdle in the system of authorizing access to your account.

Multi-factor authentication can come in many guises, from emailing you a PIN number, to sending you to another device to authorize the access request to your account. Some of these implementations are safer than others (SMS pin codes has been criticized as many people allow their messages to be displayed on their locked device).

Many website that require login information will offer multi-factor authentication to reduce instances of unauthorized access. It is a win-win for both the customer and the service provider. The user details are more secure, and the service provider reduces risk of compromise.

Wherever possible, employ multi-factor authentication. If the service does not provide multi-authentication to your account, consider complaining to the provider or simply deleting the account.

In fact, cyber security best practice suggests you should delete all accounts that you no longer use.

Watch out for social engineering tricks like phishing

Most users are aware of the risks of phishing. These are emails or social posts that try to befuddle the user into divulging private account information. Software like GFI Security Mail Essentials https://www.gfi.com/products-and-solutions/email-and-messaging-solutions/gfi-mailessentials will radically reduce the number of attacks that enter your mail streams, but sometimes new techniques or attempts bypass even the most stringent of filters and get access to a user, either via email or phone or in person.   

These might be done by encouraging you to click on a bogus link to a page that looks exactly like your bank or Instagram page. Or, they might try and intimidate you on the phone, saying that your computer is infected with malware and that they need your password to remote administer the problem.

Read this GFI Security blog post to learn more about the different types of phishes out there, and what you can do about it.

Recognize a phishing attack, then stop it dead in its tracks https://techtalk.gfi.com/recognize-a-phishing-attack/

Companies are wise to offer cyber security training to employees to arm them to better defend against phishing and other social engineering-style attacks. Part of this training must include password tips.

But remember that it should be the company’s responsibility to enforce the password policy. After all, they are the ones that will face the media frenzy should their services or accounts by compromised. By blocking users from even using weak or previously-used passwords on the system, you can you better protect the health of the network.