
Security In-Depth: Passwords
October 12, 2016


There is a lot of advice floating around the internet about picking passwords. A quick search will yield thousands of articles about the dangerous prevalence of weak passwords, and most websites impose password requirements when you set up an account.

Generally, it’s become well known that it’s important to pick a strong password. There seems to be a lot of confusion surrounding what is and isn’t a strong password, though. Here, our goal is to tell you fundamentally why and how to make a strong password that you will actually remember.

How Passwords Are Exploited

Briefly, some risks are out of your control. The websites and applications you use may store your password insecurely, and occasionally even large organizations like LinkedIn are breached. You can still limit the damage: use a strong password, use a different password for every site so that one breach does not unlock the rest, change a password promptly when a service you use is breached, and use sound judgement when submitting personal information to websites.

Here, we'll focus primarily on the ways hackers recover your password from data they have already stolen. There are a few methods they can use.

Hackers Already Have Your Password

It’s important to note that with any of the methods outlined below, the attacker starts out holding not your password but a hash of it. A hash is not an encrypted version of the password: encryption can be reversed with the right key, whereas a hash is a one-way function, and the only way back to the password is to guess candidates, hash each one and compare the result with the stolen value. There are a variety of ways to obtain a database of hashes, like SQL injection. We’ll cover that another time. Until the attacker finds a candidate that produces the same hash, the stolen hash is of no use for logging in, and some passwords (and some hashing schemes) are far harder to reverse this way than others.

To explain a hash as simply as possible, imagine that every combination of characters is run through a mathematical function that turns it into a fixed-length code. Different inputs produce, to all practical purposes, different codes, and changing even one character of the input changes the whole code. That code is the hash.
You can see this for yourself with any MD5 or SHA-1 hash generator: each word you enter produces a different code. Use a tool that runs on your own machine (the md5sum and sha1sum commands on Linux and macOS, for instance) rather than a website, and never type a real password into someone else’s tool. Note that MD5 and SHA-1 are designed to be fast, which is exactly what makes them a poor choice for storing passwords; purpose-built password hashes are deliberately slow.

Good websites and applications ‘salt’ passwords. A salt is a random value, different for every user, that is combined with the password before it is hashed, and it is stored alongside the resulting hash. The salt is not a secret and it does not hide your password: an attacker who steals the database gets the salts too. What it does is make every stored hash unique. Without salts, two users who both chose ‘apple’ would have identical hashes, and an attacker could hash each guess once and compare it against every account at the same time, or simply look the hash up in a precomputed table. With salts, every guess has to be hashed separately for every account, which multiplies the attacker’s work by the number of users in the database.
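To make the salt mechanics concrete, here is an added example (written for this edit, not code from the original article or from Sierra Experts) of how a server stores and checks a salted password using PBKDF2-HMAC-SHA256 from Python's standard library. The user names, passwords and iteration count are constructed for illustration; the last function shows what an attacker holding the stolen row has to do with the salt.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple

# Work factor for PBKDF2-HMAC-SHA256. Production deployments tune this much
# higher; 100_000 keeps the example quick while still costing far more than
# a single MD5 or SHA-1 computation.
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte random salt is drawn if none is given.

    The salt is NOT secret: it is stored next to the digest so the server can
    recompute the hash at login time. Its job is to make every user's hash
    unique, so one precomputed table or one hashed guess cannot be checked
    against the whole database at once.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


def build_example_db() -> Dict[str, Tuple[bytes, bytes]]:
    """Constructed 'database': two users who happened to choose the same password."""
    return {
        "alice": hash_password("apple"),
        "bob": hash_password("apple"),
    }


def same_password_different_hashes(db: Dict[str, Tuple[bytes, bytes]]) -> bool:
    """True when the per-user salts make identical passwords hash differently."""
    return db["alice"][1] != db["bob"][1]


def attacker_guess(guesses: Iterable[str], salt: bytes, stored_digest: bytes) -> Optional[str]:
    """What an attacker with one stolen (salt, digest) row must do: rehash every
    guess with THAT salt. Knowing the salt does not let them skip the work, and
    the whole loop has to be repeated for every other row in the database."""
    for guess in guesses:
        if hash_password(guess, salt)[1] == stored_digest:
            return guess
    return None


if __name__ == "__main__":
    db = build_example_db()
    salt, digest = db["alice"]
    print(same_password_different_hashes(db))           # True
    print(verify_password("apple", salt, digest))         # True: correct password
    print(verify_password("appleplacate", salt, digest))  # False: the salt is not part of what the user types
    print(attacker_guess(["banana", "apple"], salt, digest))  # apple
```

The salt is stored in the clear next to the digest, so the slow, per-user hashing is the only thing standing between a stolen table and the plaintext passwords; that is why the work factor, not the salt, is what you tune.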

Brute Force

Brute force attacks are one of the more common methods. A brute force attack starts with the simplest candidate, a single character such as the digit ‘2’, computes its hash and compares it with the stolen hash. It then works through every longer combination in turn until it finds a candidate whose hash matches.

This means that if your password is ‘12345’, the attack will try every shorter string of digits first and then every five-digit string until it reaches ‘12345’, observe that the hashes match, and your password is compromised.

Using a typical modern desktop computer, an attacker can make roughly 590,000 attempts per second (the figure we use for the estimates in this article). At that rate an all-numeric, 10-character password has 10^10 possibilities and falls in about 4.7 hours at worst, or about half that on average. Against a fast, unsalted hash such as MD5, a single modern graphics card manages billions of attempts per second, which shrinks that to seconds.

Dictionary or Wordlist

A dictionary attack, also called a wordlist attack, does not enumerate every combination. Instead it hashes candidates drawn from a list: the most commonly used passwords, passwords from earlier breaches, or an actual dictionary, usually ordered with the most common choices first. Since ‘password’ and ‘12345’ are among the most commonly used passwords, these attacks crack them almost instantly no matter which hash is in use.

The two methods outlined above can also be used in conjunction with one another, through hybrid attacks: each dictionary word is run through ‘mangling’ rules such as appending a few digits or a symbol, capitalising the first letter, or swapping ‘a’ for ‘@’. This is why ‘apple1’ or ‘P@ssword’ gains almost nothing over the plain word.
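An added toy cracker (example code written for this edit, not from the original article) that runs the three approaches described above, dictionary, hybrid and brute force, against constructed unsalted MD5 hashes and counts how many guesses each needs. The wordlist, user names and passwords are made up; a real attack would use a leaked list such as RockYou and a tool like hashcat or John the Ripper, which apply the same ideas at far higher speed.

```python
import hashlib
import itertools
from typing import Callable, Iterable, Iterator, List, Optional, Tuple

# Constructed sample: unsalted MD5 hashes of the kind a breached database might leak.
# The plaintexts are shown only so the reader can check the results below.
SAMPLE_PLAINTEXTS = {"dave": "password", "erin": "apple1", "frank": "12345"}
LEAKED_HASHES = {user: hashlib.md5(pw.encode()).hexdigest() for user, pw in SAMPLE_PLAINTEXTS.items()}

# A tiny stand-in for a real wordlist, most common guesses first.
WORDLIST: List[str] = ["123456", "password", "qwerty", "apple", "letmein", "dragon"]
DIGITS = "0123456789"


def md5_hex(candidate: str) -> str:
    return hashlib.md5(candidate.encode()).hexdigest()


def try_candidates(target: str, candidates: Iterable[str]) -> Tuple[Optional[str], int]:
    """Hash each candidate and compare with the stolen hash; return (match, attempts made)."""
    attempts = 0
    for candidate in candidates:
        attempts += 1
        if md5_hex(candidate) == target:
            return candidate, attempts
    return None, attempts


def dictionary_attack(target: str, words: List[str] = WORDLIST) -> Tuple[Optional[str], int]:
    """Try only the words in the list, in order."""
    return try_candidates(target, words)


def hybrid_attack(target: str, words: List[str] = WORDLIST, max_digits: int = 2) -> Tuple[Optional[str], int]:
    """Dictionary words plus a mangling rule: append 0 to max_digits digits."""
    def candidates() -> Iterator[str]:
        for word in words:
            yield word
            for n in range(1, max_digits + 1):
                for suffix in itertools.product(DIGITS, repeat=n):
                    yield word + "".join(suffix)
    return try_candidates(target, candidates())


def brute_force(target: str, charset: str = DIGITS, max_len: int = 6) -> Tuple[Optional[str], int]:
    """Exhaustive search over the charset, shortest candidates first."""
    def candidates() -> Iterator[str]:
        for length in range(1, max_len + 1):
            for combo in itertools.product(charset, repeat=length):
                yield "".join(combo)
    return try_candidates(target, candidates())


if __name__ == "__main__":
    attacks: List[Tuple[str, Callable[[str], Tuple[Optional[str], int]]]] = [
        ("dictionary", dictionary_attack),
        ("hybrid", hybrid_attack),
        ("brute force (digits)", brute_force),
    ]
    for user, target in LEAKED_HASHES.items():
        for name, attack in attacks:
            found, attempts = attack(target)
            print(f"{user:6} {name:22} -> {found!r} after {attempts} attempts")
```

Note how the attempt counts differ: a common word falls within a handful of dictionary guesses, a word with a digit bolted on falls within a few hundred hybrid guesses, and a short all-digit password falls within a few tens of thousands of brute-force guesses, all of which a CPU finishes in well under a second.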

How Strong is Your Password?

Earlier this year CNBC made a well-intentioned effort to educate users about password security by publishing an online tool that rates the strength of a password you type in. The problem was that the tool sent every password entered to a Google spreadsheet. The lesson: if you have to send your password to someone else’s website to find out how strong it is, you have already compromised it.

We recommend learning the basics of how passwords are cracked, so that you know what to avoid. Below, we work out how many guesses a hacker would have to make to crack your password, depending on its length and the characters it uses.

Possible Character Combinations for Each Password Type

All numbers: 10^x
All uppercase letters or all lowercase letters: 26^x
Mixing uppercase and lowercase letters: 52^x
Mixing uppercase and lowercase letters, and numbers: 62^x
Mixing uppercase, lowercase, numbers, and special characters: 95^x

Above, x is the number of characters in your password, and the base is the size of the alphabet the attacker has to cover. If your password consists of 8 lowercase letters, a brute force attack has at most 26^8 (208,827,064,576) combinations to try, and on average finds the password about halfway through.

That might seem like a lot, but remember that the average computer can make about 590,000 attempts in one second, so those 26^8 combinations take about four days at most. Purpose-built cracking rigs and botnets are far faster; at the 100,000 times faster rate used here for comparison, the same search takes a few seconds.

By the numbers, it would appear that the safest password is anything that has uppercase and lowercase letters, numbers, and special characters. That’s what account password restrictions lead us to believe, right? It’s true only if you ignore the ‘x’ part of the equation: the exponent.

Length Over Complexity

Let’s look closer.

A password like ‘123aA!’ would take 95^6, or over 735 billion attempts, to crack by brute force.
On the same note, a password like ‘Jimtriedsippingcola’ would take 26^19, or over 760 septillion (7.6 × 10^26) attempts, even if the attacker counts only the 26 lowercase letters.

Who would have thought that a plain old sentence would be more secure than a random mixture of letters, numbers, and symbols?

Now, if your password is ‘Iamapassword’ you may still be in trouble. Attackers know that people build passphrases out of common words, and a combinator attack that glues together a few words from a list of the most common ones tries far fewer candidates than the brute force figure above suggests. So pick a phrase of several words that is personal but not obvious: not a famous quote, a song lyric, or something a colleague could guess, and never reuse it on another site.
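The keyspace arithmetic above, together with the passphrase caveat, as an added example (written for this edit, not code from the original article): it works out which character classes a password uses, computes the brute force keyspace, and compares it with the much smaller search an attacker runs if they assume the password is a few common words glued together. The 590,000 attempts per second figure and the 100,000× botnet multiplier are the article's; the 20,000-word vocabulary is an assumption. Because the classifier counts the capital J, it rates ‘Jimtriedsippingcola’ at 52^19 rather than the article's lowercase-only 26^19.

```python
import string
from typing import Dict, Optional

DESKTOP_RATE = 590_000                  # attempts/second, the article's figure
BOTNET_RATE = DESKTOP_RATE * 100_000    # the article's "100,000 times faster"
SECONDS_PER_YEAR = 365 * 24 * 3600
SYMBOLS = 33                            # printable ASCII (95) minus the 62 alphanumerics


def charset_size(password: str) -> int:
    """Size of the alphabet a brute-force attacker must cover, given the classes actually used."""
    size = 0
    if any(c.isdigit() for c in password):
        size += 10
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c == " " or c in string.punctuation for c in password):
        size += SYMBOLS
    return size


def brute_force_keyspace(password: str) -> int:
    """charset ** length: the number of candidates in an exhaustive search."""
    return charset_size(password) ** len(password)


def combinator_keyspace(num_words: int, vocabulary: int = 20_000) -> int:
    """Candidates if the attacker assumes the password is num_words words taken from a
    common-word list. The 20,000-word vocabulary is an assumption for illustration."""
    return vocabulary ** num_words


def years_to_exhaust(keyspace: int, rate: int) -> float:
    """Worst-case time to try every candidate at the given rate; halve it for the average case."""
    return keyspace / rate / SECONDS_PER_YEAR


def assess(password: str, words: Optional[int] = None) -> Dict[str, float]:
    """Brute-force figures for a password under the article's two attacker speeds.
    If `words` is given (the password is a passphrase of that many common words),
    also report the combinator search space, which is what a realistic attacker tries first."""
    space = brute_force_keyspace(password)
    result: Dict[str, float] = {
        "charset": charset_size(password),
        "length": len(password),
        "brute_force_keyspace": space,
        "desktop_years": years_to_exhaust(space, DESKTOP_RATE),
        "botnet_years": years_to_exhaust(space, BOTNET_RATE),
    }
    if words is not None:
        combo = combinator_keyspace(words)
        result["combinator_keyspace"] = combo
        result["combinator_botnet_years"] = years_to_exhaust(combo, BOTNET_RATE)
    return result


if __name__ == "__main__":
    for pw, words in [("12345", None), ("123aA!", None), ("Jimtriedsippingcola", 4)]:
        print(pw)
        for key, value in assess(pw, words).items():
            print(f"  {key:24} {value:.3g}")
```

The passphrase still wins over ‘123aA!’ by a wide margin under either model, but the combinator figure is roughly ten orders of magnitude smaller than the brute force one, which is why a phrase made of the most common words is weaker than the 26^19 arithmetic suggests.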

If your organization is looking for a more secure way to store your users’ passwords, Sierra Experts can help. Sierra’s development team can ensure that your database is not only secure, but that stored passwords are salted and hashed. We can also help you put two-factor authentication in place, to add another layer of security. Contact us to find out more.

Sierra Experts is an IT Managed Service and Support provider, specializing in remote monitoring and remote management of computing systems, cloud/virtual systems hosting, VoIP/SIP PBX trunks and solutions, physical server hosting, software development and hardware and software reselling. For more, check out www.SierraExperts.com