Last Updated: 2015-05
In this Input, participants and trainers will together review the implications of a compromised password, how they are commonly compromised, and how to create stronger passwords and develop better password habits.
The definition of what makes a strong password "strong" changes constantly, as cracking (or "brute-forcing") longer and more complex passwords becomes easier and cheaper. Trainers need to adjust their approach accordingly, and should mention this to participants as one reason for changing user passwords regularly. In addition, trainers will differ on what they consider the best parameters for a strong password, which may deviate from the advice given in this Input.
Avoid any sort of "online password generator": such a site can simply record the passwords it hands out to users. For the same reason, recommend that participants never enter a real password into a site that promises to "test the strength of your password".
Because passwords can sometimes be a boring topic to cover, and can easily become a lecture-dominated session, it is important to solicit responses with questions to participants, and to take notes as discussion progresses. Encourage further discussion by sharing any talking points you consider crucial, that aren’t generated via participant input.
Social engineering is a tactic frequently used to exploit human weaknesses rather than technical ones. A typical case is impersonating a user to a company's support staff in order to have that user's password reset, as seen in this example case.
- Phishing and spear-phishing are common examples of social engineering.
- Resetting a password by correctly answering the “privacy questions” for an account, using personal information available online, is another example.
- This is how a number of celebrities and other high-profile accounts have been “hacked” in recent years, but not only celebrities have information about personal “answers” available online.
Sometimes users receive notifications, from social media sites or other online services, alerting “You’ve had your account hacked” or “Someone may be attempting to access your account” - these can mean a number of things:
- Sometimes it is completely out of the user's control: a service or company has been breached, and your username, password, and (sometimes) other information have fallen into the wrong hands (this has happened with LinkedIn and Twitter, most notably).
- Another possibility is that the email is not actually from the site or service it claims to be from, but is a phishing or spear-phishing attempt: a third party creates an email that looks exactly like one the website might send asking users to "reset" their password, but the current password entered on the fake page is captured and then used to access your accounts.
- It can also mean that you have been specifically targeted, and someone with enough incentive and resources wants access to your account badly enough to try to break into it, or to hire someone to do so.
People trying to brute-force passwords use tools that attack the passwords of many accounts at once, or of just one, as opposed to using social engineering or phishing to trick users into revealing them. Two things are frequently used for this purpose:
- Word lists or dictionaries, which are used to create guesses based on words commonly used in passwords, and which make brute-forcing far more efficient than trying every possible string. Even worse, these lists are commonly available for free, or sold online.
- Computing power, which is harnessed to run as many guesses per second as possible. As processing power improves and becomes cheaper, effective passwords need to become longer and complex in different ways.
Those who are competent at compromising passwords, for instance with a word list or dictionary attack, will first try these common tactics which, unfortunately, are frequently successful:
- Using the most common passwords, used by most people in the world, as entries on their word list.
- Customizing their word lists to whomever they are targeting, to include words in their language, relevant places, names, and dates.
- Including password guesses that substitute common numbers and symbols for particular letters, such as “0” (zero) as the letter “O”, “4” for the letter “A”, “$” for “S”, etc.
Most of the advice on passwords has to do with the complexity of the characters involved, and how to avoid combinations of words and letters that are easily guessed; however, equally crucial is the length of a password. No matter how complex a password is, if it is short, it can be guessed in a similarly short period of time. Therefore: the longer, the better.
- Length: We are still often told that a password needs at least 8 characters, but 12 is a strongly suggested minimum, and 20 characters is even better.
- Complexity: We are told to use a password that is alphanumeric, mixes upper and lower case, and includes special characters. This is one approach for creating a 12 character password.
- Change regularly: Regularly change your passwords, particularly for your most sensitive accounts. Definitely change them if you get a genuine (not phishing) email telling you that a particular service has had user accounts and passwords compromised.
- Think passphrase, not password! In the appropriate context, a helpful aid is this comic from XKCD on password strength (https://xkcd.com/936/), which illustrates the true strength of a passphrase versus a password.
Avoid using words that are commonly found together. A newer trend in password cracking is to pull words that frequently appear next to each other in phrases from Wikipedia and other sites (in various languages) and to compile word lists from them for cracking long passphrases.
Another technique is to build a password from a sentence, taking the first letter of each word in a long phrase; for example, "Organizing and Leading Trainings is Hard Work, but Worth It!" becomes the hard to guess "OaLTiHW,bWI!". Also, typos can be your friend: if the dictionary used to guess passwords contains only correct spellings, a deliberate misspelling of a word in a passphrase reduces the chance of it being guessed.
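To make the length-versus-complexity argument concrete, here is an added example (not part of the original Input) that estimates how many guesses an attacker needs for each of the policies above and builds a first-letter passphrase from a sentence as just described. The guess rate of ten billion per second and the 7776-word list size are assumptions chosen for the comparison, not figures from this page.

```python
import math
import string

# Assumed attacker speed for the comparison: 1e10 guesses per second, a rough figure for an
# offline attack against fast, unsalted hashes on GPU hardware (an assumption, not from the page).
GUESSES_PER_SECOND = 10_000_000_000
SECONDS_PER_YEAR = 365 * 24 * 3600

# Upper and lower case letters, digits and punctuation: 94 distinct characters.
PRINTABLE = len(string.ascii_letters + string.digits + string.punctuation)


def charset_bits(length, charset_size=PRINTABLE):
    """Entropy in bits of a password of `length` characters chosen uniformly from `charset_size`."""
    return length * math.log2(charset_size)


def wordlist_bits(words, list_size=7776):
    """Entropy in bits of a passphrase of `words` words chosen uniformly from a list of `list_size`
    (7776 is the size of a Diceware list, assumed here as a typical list)."""
    return words * math.log2(list_size)


def years_to_exhaust(bits, rate=GUESSES_PER_SECOND):
    """Worst-case time, in years, to try every possible value at `rate` guesses per second."""
    return 2 ** bits / rate / SECONDS_PER_YEAR


def acronym_passphrase(sentence):
    """First letter of every word, keeping its case and any punctuation attached to the word:
    'Organizing and Leading Trainings is Hard Work, but Worth It!' -> 'OaLTiHW,bWI!'"""
    out = []
    for word in sentence.split():
        out.append(word[0])
        out.extend(ch for ch in word[1:] if not ch.isalnum())
    return "".join(out)


def compare_policies():
    """Entropy and worst-case cracking time for the policies discussed above."""
    policies = {
        "8 random chars": charset_bits(8),
        "12 random chars": charset_bits(12),
        "20 random chars": charset_bits(20),
        "4 random words": wordlist_bits(4),
        "6 random words": wordlist_bits(6),
    }
    return {name: (round(bits, 1), years_to_exhaust(bits)) for name, bits in policies.items()}


if __name__ == "__main__":
    for name, (bits, years) in compare_policies().items():
        print(f"{name:16} {bits:6.1f} bits  {years:>14.4g} years to exhaust")
    print(acronym_passphrase("Organizing and Leading Trainings is Hard Work, but Worth It!"))
```

The figures assume the password is chosen uniformly at random. A human-chosen "complex" password such as a dictionary word with digits and symbols substituted has far fewer effective bits than its length suggests, which is exactly why the customized word lists described above work; the comparison is meant to show that adding length (more words) buys more than adding symbol types.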
Again, don’t use the most common passwords, and don’t reuse passwords, especially for your most important accounts - these are the first thing that an adversary will try to use or guess.
Remember that, both in this training session and increasingly in many other resources (and even in the media), users are being told that the best passwords they can create to protect themselves are also the hardest to remember.
- The number of passwords that we must regularly maintain is growing quickly, and isn't showing any sign of slowing down.
- We now have so many passwords, and are adding more every day. How are we supposed to remember all of these strong and hard to remember passwords?
- When participants raise the point that it quickly becomes "too many to remember!", take the opportunity to identify password managers (such as KeePass) as crucial aids that can help support more sustained use of strong passwords. Remind them also that the next portion of this session will cover these helpful tools.
Use this time to go over with participants some of the most commonly misunderstood advice, and popularly held “myths”, about using strong passwords and managing different user accounts online:
The personal "privacy questions" that many accounts allow or require users to set up are offered as an alternative means of verifying your identity, and as a way to unlock your account should it be compromised. The questions offered are frequently ones whose answers could very easily be guessed; it is surprising how many correct answers can be found through a simple Google search. A good workaround, when asked to answer questions that are used both to authenticate you and to let you reset your password, is to give answers that are not true but that you can remember (or store in a password manager), so that the answer cannot be looked up.
Many systems, primarily online accounts for most average users, along with PIN codes, will lock out after three or more incorrect login attempts. While this adds some protection against someone trying to access your account, it is not full protection. If someone wants access to an account badly enough, and has the resources, they may be able to obtain the stored form of its password (called a hash, a one-way transformation that cannot simply be reversed), recover the password offline by hashing billions of guesses per hour (depending on the computing power available) and comparing each result to the stolen hash, and then log in with the recovered password without ever being locked out.
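The customized word lists and leet substitutions described in the brute-force section, and the offline attack on a stolen hash described here, fit together in one added example (not part of the original Input). It builds a small breach "dump" of unsalted SHA-1 hashes (constructed for this example; the user names and passwords are made up), generates candidates from a short word list with the kinds of rules an attacker would apply, and counts how many guesses it needs, none of which would have been possible within a three-attempt online lockout. Unsalted SHA-1 is assumed here only because such dumps have appeared in real breaches and keep the example short.

```python
import hashlib
import itertools

ONLINE_LOCKOUT = 3  # attempts an online login form allows before locking the account (the page's figure)


def constructed_dump():
    """Constructed breach dump: user -> unsalted SHA-1 hex digest of the password.
    In a real dump only the hashes are known; they are computed from plaintext here so the
    example runs stand-alone. Names and passwords are made up."""
    plaintexts = {
        "alice": "Pr1v4cy2015",   # a "complex" password built from a word, leet substitution and a year
        "bob": "password",        # one of the most common passwords in the world
        "carol": "OaLTiHW,bWI!",  # first-letter passphrase from the sentence technique above
    }
    return {user: hashlib.sha1(pw.encode()).hexdigest() for user, pw in plaintexts.items()}


# Word list: the most common passwords plus words customized to the target (assumed here:
# the attacker knows the victims run privacy trainings in Berlin).
COMMON = ["123456", "password", "qwerty", "letmein"]
TARGETED = ["privacy", "training", "berlin"]

LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "$"}


def leet_variants(word):
    """Every way of replacing zero or more of a/e/i/o/s with 4/3/1/0/$ (a standard rule in cracking tools)."""
    options = [(c, LEET[c.lower()]) if c.lower() in LEET else (c,) for c in word]
    return {"".join(p) for p in itertools.product(*options)}


def mangle(word, years=range(2010, 2016)):
    """Candidate guesses from one base word: case variants, leet substitutions, year and '!' suffixes."""
    cands = set()
    for base in (word.lower(), word.capitalize(), word.upper()):
        for variant in leet_variants(base):
            cands.add(variant)
            cands.add(variant + "!")
            for y in years:
                cands.update({variant + str(y), variant + str(y)[2:], variant + str(y) + "!"})
    return cands


def crack(dump, wordlist, years=range(2010, 2016)):
    """Offline attack: hash each candidate and look it up in the dump.
    Returns (user -> recovered password, number of guesses made)."""
    by_hash = {}
    for user, h in dump.items():
        by_hash.setdefault(h, []).append(user)  # several users may share one password
    cracked, attempts = {}, 0
    for word in wordlist:
        for cand in mangle(word, years):
            attempts += 1
            h = hashlib.sha1(cand.encode()).hexdigest()
            for user in by_hash.get(h, []):
                cracked[user] = cand
    return cracked, attempts


if __name__ == "__main__":
    cracked, attempts = crack(constructed_dump(), COMMON + TARGETED)
    print(f"{attempts} guesses offline (an online form would lock out after {ONLINE_LOCKOUT}):")
    for user, pw in sorted(cracked.items()):
        print(f"  {user}: {pw}")
```

Alice's password passes every "complexity" checklist and still falls to a few hundred guesses, because it is one dictionary word plus a predictable rule; Carol's first-letter passphrase survives this word list entirely. Real cracking tools apply thousands of such rules to word lists of hundreds of millions of entries, which is why neither the lockout nor the symbol substitutions are a defence once the hash has left the server.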
If an adversary has enough of an incentive and the resources to target you for your password to access your accounts, they will probably know quite a bit about you, including what language(s) you speak. When they (or someone they hire) attempts to brute-force your password, they will put words relevant to you in the word list they use to “guess” your password. This is likely to include words in your primary language and words particularly relevant to you, such as names of family members, locations (where you were born, where you’ve lived or traveled), and dates (e.g., your date of birth, when your child was born, when you were married).
From the point of view of the services you use them with, passwords are primarily a means of access control, deciding who may access information, which is one of the most fundamental properties of information security. This is often confused with authentication, proving that you are indeed the same person who owns the account. Because a password can be given away or stolen and then used by someone else, it is a weak form of authentication, even though it is a relatively stable way of controlling access.
If you or your training participants are individuals at high-risk of being targeted by an adversary with resources, who wants to access accounts and their information, using two-factor authentication for services that offer it is highly recommended. Google, for instance, has stated that the use of two-factor authentication has drastically reduced the number of compromised accounts.
Further services, aside from Gmail and other Google tools, that offer two-factor authentication include Facebook, Dropbox, and Twitter. The website TwoFactorAuth (twofactorauth.org) is an excellent tool for looking up which accounts and services currently support two-factor authentication.
Use extreme caution with two-factor authentication systems that rely on text messages. Recent research has shown accounts on some popular sites, such as Facebook, being compromised by intercepting the verification codes sent in such text messages (SMS is not sent in any encrypted form). Additionally, if you travel often and change your phone number when you do, note that you can be locked out of your accounts if you rely on codes sent by SMS rather than generated by an app like Google Authenticator.