We are all aware that 1234, 0000, "iloveyou" and "password" are horrible passwords. Yet, many of us still are either ignorant or can't be bothered to put proper password security practices in place.

Why Are Passwords Important?

Without fear mongering for too long, the consequences of having one of your accounts compromised can be tremendous. A list of possible consequences include but are not limited to:

  • Identity theft
  • Monetary theft
  • Loosing your job
  • Impacted relationships
  • Publication of personal data
  • Having all your accounts deleted, and your mobile devices remotely wiped

Now that we understand why account protection is important, lets discuss what we can do to protect our accounts and devices from unauthorized access.

Tips on Creating a Secure Passphrase

The best way to understand how to make a secure password, is knowing the ways a computer may break a password. There are two primary ways a computer can break a password:

  • Brute Force Attack
  • Dictionary Attack

Brute Force Attacks

A Brute Force Attack (herein refereed to as BFA) simply goes through every single possibility until it finds the password that unlocks the device. This is the reason why pin's are so insecure, as the computer only needs to guess 10 numbers per additional character in the pin, as opposed to the entire key space of upper and lowercase letters, numbers and symbols. This method of attack is considered effective primarily on random, short passwords such as h5%93"; (3 minutes to crack). Ironically, not only are short, complex passwords easily defeated, but they are difficult for humans to remember.

The best way to defend yourself against an attack of this nature is to create long passwords, herein known as passphrases. Passphrases are long passwords, made of multiple words. By adding upper and lower case letters and special symbols, you increase the amount of possibilities the computer must check. By checking the HowSecureisMyPassword.net, we see that the passphrase: "i eat chinese food" would take 454 billion years to crack. Not only is this easier to remember, but its almost 80 quadrillion times harder for a computer to guess! Further, if we add a uppercase letter to "food," it would take a computer 2 quadrillion years to break the code, 4400 times harder to guess than without the capital letter. Add a ":)" to the end of the code, and it would take 388 quintillion years to break the code; 194 thousand times longer than not having the smiley face at all. So to summaries, use a long passphrase that works for you and is easy to remember. Use numbers, upper and lowercase letters and symbols. However, I will caution replacing an S with a $ or a e with a 3, as password cracking software

It should be noted that the website provided is to be used as a guide only, and computational power is always advancing. For instance, government supercomputers can be over 10 thousand times faster at password cracking than standard consumer desktops. Further, quantum computers can be even more powerful. Although, chances are if a government has enough resources to brute force you with a super/quantum computer, they'll be able to hack you through other means. Don't be satisfied until you reach a password that would take millions of years for an average desktop computer to crack. Furthermore, don't let websites give you a false sense of security when it says your password you have entered is strong because you have more than 8 characters, a capital and a number. These are guidelines only, and websites like howsecureismypassword.net are far more reliable. To put it in metaphorical terms, a weak password is a weak lock to your online identity. A kick to the door is all it takes to break a weak password.

Dictionary Attacks

A dictionary attack further complicates things a bit. Dictionary attacks try to replicate human thinking, by trying to guess passwords that are common in password dictionaries or contain information like your name or birth date etc. For instance, A horrible password for me would be Daniel van Driel (insert birth date here). Sure, it would take 768 sextillion years to brute force, but it can be easily guessed if the attacker knows anything even remotely identifying. Using the door lock analogy again, you wouldn't install a lock to your door, if literally anyone who knows your name and birth date can unlock it. Unfortunately, it seems all to common that people do this.

Usually, password cracking software will first try a dictionary attack. Usually, this entails first running through a database of common passwords. Then, it may attempt to try many commonly used words in conjunction with each other (i.e. "never say never," or "chicken ice crackers"). A more sophisticated password attack would allow the hacker to input user identifying words such as their name and birth date to be used in the dictionary attack. If the dictionary attack fails, the program will proceed to brute force methods.

Remember, you can use the best encryption in the world, but if the key used to decrypt the data can be unlocked by a weak password, you are effectively defeating the purpose of encryption, increasing your data security. Strong encryption and passphrases are essential in order to properly keep your data safe.

Things Not to Do with Your Passwords

  • Do not store your passwords on your computer unless encrypted in a password manager
  • Do not send your passwords to others. If you must, use a secure app such as "Signal", a VPN and voice call instead of sending in plain text.
  • Do not write down your passwords in your home after you memorize them. Store your passwords in an encrypted USB drive. Although, you will still need a strong passphrase to encrypt the drive with that you must remember.
  • Do not use an easy keyboard combination like qwerty, abcd, wasd, qaz. These are well known and are commonly used in dictionary attacks on passwords.
  • Do not use self identifying information like birthdays or names etc in your password.
  • Never reuse passwords.
  • Create passwords without scanning for spyware beforehand and on a secure Wi-Fi network.
  • Be careful with answers security questions. If you loose your phone, you'll need the answers to login. However, don't make it easy for anyone who knows anything about you to guess the answers.

Tips on Password Management

The majority of people have one password and one only. A single keylogging piece of malevolent software (malware) is all it takes for your password to be sent to an attacker and used to unlock all your accounts and devices. Therefore, no matter how secure your password is, one password on all accounts can never be considered safe.

There are two ways to secure yourself against keylogging malware.

Two Factor Authentication

The first, is Multi Factor Authentication (MFA) or Two Step Authentication (2FA). MFA is a form of authentication that requires 2 "factors" that you must provide to the service in order to unlock the account. Here is a list of examples of "factors" that services might accept:

  • Passphrase
  • Facial Recognition
  • Fingerprint
  • Code sent to your email/phone
  • Code generated in MFA apps on your phone such as Google Authenticator/Authy
  • Physical USB "Key"
  • Physical credit/debit card

The most common form of 2FA is a passphrase combined with a pin randomly generated on (or sent to) your phone. The logic being, your phone is assumed to always be on you. Though, any two of these factors can be used in conjunction given if the service allows for it.

The way MFA/2FA protects you against keyloggers and/or brute force passphrase attacks is even if an attacker has acquired your password, they will still need your phone to unlock the account. Go to TwoFactorAuth.org and check which services you use offer two factor authentication and implement 2FA on whatever accounts you feel could be damaging if compromised.

2FA can be set to only require the second factor of authentication on new devices. Therefore, still protecting from external attackers whilst being more convenient. The one place this falls down is when malware tries to brute force attack your passcode from your own device. Since this is rare (although feasible through malware), many turn this setting on. As with everything security, it's a trade off between convenience and protection, and 2FA with "remember this device" setting turned on is still infinitely better than no 2FA at all.

One final tip on 2FA, if your second factor is to receive a code in the form of a message, disable the option to see message contents on your lock screen! Otherwise, an attacker won't even need to unlock your phone to have access to the code to access your online account.

Password Managers

The second way to protect yourself against keyloggers and possibly brute force attacks is by using a password manager. Password managers work by creating a database housing all your passwords. Most password managers create random passwords for you, like "6Sa!90032y8wryv" (created at StrongPasswordGenerator.com). Passwords like this are incredibly difficult to be broken by computers and luckily for us, do not need to be remembered. The password manager locks our passwords away behind a single master password, and usually auto fills in the randomly generated usernames and passwords for specific apps/websites. For this reason, the master password must be extremely strong and 2FA is an absolute must. This leaves us with two passwords to remember, a password to your device, and a password to your online websites and apps (managed by the password manager). Using passphrases that work for you, and combined with the fact many phones allow for fingerprint unlock now, this shouldn't be painful to remember nor difficult in everyday practical use. Now that we have different, strong passphrases for all accounts and 2FA enabled, it should be almost impossible to have your accounts compromised.

You might be asking, why don't I just use my browsers remember password function? Firstly, many of these passwords are not encrypted unless you encrypt your entire disk. Additionally,  an attacker may be able to brute force your login password to your device and have access to everything, without needing to subvert a second passphrase and 2FA. Password managers are more convenient, offering finger print ad face unlock amongst other options. If you have ever tried to copy and paste a password out of a browser, you'll know how tedious it is. Android also allows for screen overlays, which automatically appear when the password manager detects a app or webpage with a recognized password field. Simply tap which password from the already narrowed down list to autofill.

Password managers come in two flavors, cloud and offline. This matter is based on convenience. Cloud based password managers sync passwords between all your devices. However, as they are stored and encrypted on external servers, it does add another point of failure to the system. I personally use and recommend Lastpass. Lastpass is a cloud based solution that allows for finger print unlock, 2FA, syncing across devices and has a great record on transparency and security. Plus, they are cheap, and offer Yubikey as a second factor of authentication. A Yubikey is a physical USB key that you plug into your device or hold to your phone's NFC sensor (if your phone supports NFC). Another service I use is Truekey by Intel. Truekey expands on 2FA options. For instance, I use it to combine face and finger print unlock, making authentication arguably easier than a single factor authentication method such as a traditional password! Sadly, Truekey does not offer Yubikey, traditional text messages to your phone or a regenerating code (like as is used in Google Authenticator/Authy) as a means of a second factor, which is why I prefer Lastpass. Instead, Truekey uses another device on you to verify it is you that is logging in. Or, a verification code sent through email. Further, at the time of publication, Truekey doesn't play nicely with multi person teams, as only one face can be assigned to a Truekey account at a time. Based on your device and factor preferences though, take your pick. Any password manager that has a good safety and transparency record whilst having the features you want is definitely worthwhile. Other password managers include (but are not limited to):

Cloud Based

  • Dashlane
  • 1Password

Offline

  • Keepass
  • RoboForm
  • Password Safe

 

Conclusion

Passwords are flawed, and by themselves cannot be considered secure. Multi Factor Authentication is one of the best ways to secure your online accounts. Password managers also help implement good password practices whilst being extremely easy to use. These layers of security are well worth the preliminary setup. As, after setup, 2FA and password managers require very little attention and in some cases, can actually speed up your login process. I hope this was informative and if you have any questions, be sure to ask them in the comments section bellow.

This guide was a part of my Ultimate Information Security & Privacy Guide. Be sure to check out any related content:

Comment