Passwords, Passwords, Passwords

By: Brett S. | Cyber Threat Intelligence Analyst, NJCCIC

When engaging with our NJCCIC members, we often find ourselves sounding like broken records with how frequently we end up on the topic of passwords. The fact is, account credentials—username & password—are the primary target of many of today’s cyber threat actors. Once a user account is compromised, a hacker can snoop around your digital house, or business, without setting off any ‘alarms’, because their activity looks legitimate to security software. Whether it’s profit-motivated criminals seeking access to a database containing customer credit card numbers, or the most advanced state actors attempting to penetrate corporate networks to steal sensitive intellectual property, compromising legitimate user accounts is the path of least resistance for a malicious actor to achieve their objective.

The Universal Dilemma

All of us are struggling to remember an ever-increasing amount of usernames, passwords, PINs, and security questions - from online banking and social media accounts, to dozens of web services used for personal or professional productivity. The hustle and bustle of our day-to-day lives makes remembering unique passwords for every account a daunting task. Out of convenience, people tend to use weak passwords that are easy to recall. Moreover, when the time comes to change or create a new password, many people reuse the same weak passwords but simply add one new letter, symbol or a digit at the end. These common pitfalls of using and reusing weak passwords across multiple accounts, make it easy for malicious actors to looking to compromise your account. Hackers have various tools at their disposal to crack passwords, often referred to as a brute force attack. These malicious tools use algorithms to repeatedly guess passwords or PINs until the correct combination is found. Simply put, it is not if a weak password can be cracked, it is a matter of how much of a hacker’s time and resources it will consume. With that said, what can you do to not only strengthen your passwords, but also make them easy to remember?

The Basics

The first thing you need to understand when creating a password is that both length and complexity are equally important. With each additional character you add, it exponentially increases the possible combinations a hacker’s tool needs to compute in order to identify the targeted password. A truly strong password is considered to be 12 to 14 characters long with a combination of 3 minimum capital and lower case letters, numbers, and special characters (!@#$%^&*). Additionally, the letters you use within the password should not create a word that can be found in the dictionary. The justification behind this is to counteract the algorithms written into the password cracking tool. These hacking tools take into account the millions of user passwords exposed in the last several years’ worth of data breaches, which provides libraries of the most common dictionary words, numbers, and symbols used in passwords. For instance, the fallout from the Ashley Madison breach demonstrated how weak passwords are still widely used (120,000 users used “123456” as their password!) and, thus, how easy it is for hackers.

Practical Practices

Now that you have an idea of how your password should be formatted, the next part is creating one you will actually remember. You might be asking yourself, how am I ever going to remember a unique 12-character password if it can’t be a word or something like p@$$w0rd? A simple way to remember your password is to make a sentence or saying that only makes sense to you. An example of this would be: “Grew up at 6 with 3 friends Justin, Drew, and !an and we FI$hed”. This would create the password Gua6w3fJD!awF$. This type of password is clearly not in the dictionary, and does not make sense to anyone other than the creator. Using mnemonic devices also works when you need to create a password hint such as “Favorite thing to do with friends when you were little.”

If you still need help coming up with a full sentence to generate your password, consider using the first letter from each word in the title or a verse from your favorite song. For example, combine “Born in the USA” with the statement “is a very patriotic song!” and you can form the strong password of B!tU$@iAvPs!.

With simple memory tricks like these, remembering strong passwords can be easier and less stressful. By making a password long, complex, and unique, you will protect your sensitive information from those who want to steal it. To take security precautions even further, we highly recommended implementing two factor authentication (2FA) on all applications that offer it, such as email services, cloud storage applications, and social media accounts. The combination of strong passwords and two-factor authentication immediately lowers your cyber risk and can mitigate many of today’s cyber threats.

Don’t Put All Your Eggs in One Basket

Lastly, we are often asked about password managers and other techniques for consolidating passwords – other than a sticky note on your computer monitor or a spreadsheet on your desktop. There are several software applications available that offer the option to encrypt and store all your passwords in one place, accessible only via a master password. We feel this is accepting unnecessary risk – in the event the encryption is cracked or a malicious actor cracks your master password, now all of your accounts are compromised. You are better off using the techniques outlined above to create unique, strong passwords for all of your accounts.