Last Updated 2015-05
In this Input, participants and trainers will together review the implications of a compromised password, how they are commonly compromised, and how to create stronger passwords and develop better password habits.
The definition of what makes a strong password “strong” changes constantly, as cracking (or “brute-forcing”) longer and more complex passwords becomes easier and cheaper. As such, trainers need to alter their approaches accordingly, and should mention this to participants as one way of explaining the importance of changing passwords regularly. In addition, trainers will differ on what they consider the best parameters for a strong password, which may deviate from the advice given in this Input.
It’s highly advisable to avoid using any sort of “online password generator,” since these can be sites that simply document the passwords that users generate. Similarly, be sure to recommend to participants to not enter any of their actual passwords into online sites that promise to “test the strength of your password” for similar reasons.
Because passwords can sometimes be a boring topic to cover, and can easily become a lecture-dominated session, it is important to solicit responses with questions to participants, and to take notes as discussion progresses. Encourage further discussion by sharing any talking points you consider crucial, that aren’t generated via participant input.
Social engineering is a tactic frequently used to exploit human vulnerabilities; it typically involves impersonating a user to a company in order to have that user’s password reset, as seen in this example case.
Sometimes users receive notifications, from social media sites or other online services, alerting “You’ve had your account hacked” or “Someone may be attempting to access your account” - these can mean a number of things:
People trying to brute-force passwords use a number of tools to try many candidate passwords at once, or just one, as opposed to using social engineering or a phishing attempt to trick users into revealing them. There are two important tools frequently used for this purpose:
Those who are competent at compromising passwords, for example with a word list or dictionary attack, will first try these common tactics which, unfortunately, are frequently successful:
Most of the advice on passwords has to do with the complexity of the characters involved, and how to avoid combinations of words and letters that are easily guessed; however, equally crucial is the length of a password. No matter how complex a password is, if it’s short, it can be guessed in a similarly short period of time. Therefore - the longer, the better.
Try not to use words that are commonly found together. A new trend in password cracking is pulling words that frequently accompany each other in phrases from Wikipedia and other sites (in various languages), and compiling word lists from these for cracking long passphrases.
Another technique is to use a sentence, pulling the first letter from each word in a long phrase or sentence; for example, “Organizing and Leading Trainings is Hard Work, but Worth It!” becomes the pretty difficult to guess “OaLTiHW,bWI!”. Also, typos can be your friend! If the password dictionary used to guess passwords contains only correct spellings, a typo in a word of your passphrase can reduce the chances of it being guessed.
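To make the three points above concrete (length beats complexity; a passphrase built from common words is only as strong as the word list it came from; the first-letter sentence trick gives a short-looking string with a large search space), here is a small cost model a trainer can run in front of participants. It is an added example, not part of the original curriculum; the guess rate of ten billion guesses per second is an assumed round number, and the word-list size used for a passphrase is likewise an assumption.

```python
import math

# Size of each character class an attacker must cover once a password uses it.
# 26 + 26 + 10 + 33 = 95 printable ASCII characters.
CHARSET_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def char_classes(password: str) -> set:
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def brute_force_keyspace(password: str) -> int:
    """Candidates an attacker must try when guessing character by character,
    assuming they know only the length and which classes are in use."""
    alphabet = sum(CHARSET_SIZES[c] for c in char_classes(password))
    return alphabet ** len(password)


def wordlist_keyspace(num_words: int, dictionary_size: int) -> int:
    """Candidates when the attacker knows the passphrase is num_words words
    drawn from a dictionary of dictionary_size entries (the L12 scenario)."""
    return dictionary_size ** num_words


def bits(keyspace: int) -> float:
    """Keyspace expressed as bits of entropy, for comparison."""
    return math.log2(keyspace)


def years_to_exhaust(keyspace: int, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to try every candidate at the assumed guess rate."""
    return keyspace / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed sample passwords for the demonstration.
    samples = [
        "Pa$$w0rd",                      # short but "complex"
        "OaLTiHW,bWI!",                  # first-letter acronym from the text
        "correct horse battery staple",  # long, lower-case words only
    ]
    for pw in samples:
        ks = brute_force_keyspace(pw)
        print(f"{pw!r:32} len={len(pw):2} classes={len(char_classes(pw))} "
              f"bits={bits(ks):5.1f} years={years_to_exhaust(ks):.3g}")
    # The same four-word passphrase, seen as four picks from a 2000-word list
    # (assumed dictionary size), is far weaker than its character count suggests.
    ks_words = wordlist_keyspace(4, 2000)
    print(f"4 words from a 2000-word list: bits={bits(ks_words):5.1f} "
          f"years={years_to_exhaust(ks_words):.3g}")
```

The first comparison shows why length dominates: the 8-character password with all four classes has a smaller search space than the 12-character acronym, and both are dwarfed by a 28-character all-lower-case string. The last line is the caveat from the paragraph on common word pairs: once an attacker switches from character-level guessing to a word list, a four-word phrase collapses to roughly 44 bits, which is hours of work at the assumed rate rather than ages.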
Again, don’t use the most common passwords, and don’t reuse passwords, especially for your most important accounts - these are the first thing that an adversary will try to use or guess.
Remember that, both in this training session and increasingly in many other resources (and even in the media), users are being told that the best passwords they can create to protect themselves are also the hardest to remember.
Use this time to go over with participants some of the most commonly misunderstood advice, and popularly held “myths”, about using strong passwords and managing different user accounts online:
The personal privacy questions many accounts allow or require users to set up are offered as an alternative means of verifying your identity, and as a way to unlock your account should it be compromised. The types of questions provided are frequently ones whose answers could very easily be guessed; it’s surprising how many correct answers to these questions can be found through a simple Google search. A good workaround, when asked to provide answers to these personal “privacy questions” that are used to authenticate you and to allow you to reset your password, is to consider not answering them truthfully, in a way that you can still remember.
Many systems - primarily online accounts for most average users, along with PIN codes - will lock out after 3+ incorrect login attempts. While this adds some protection against someone trying to access your account, it isn’t full protection. If someone wants to gain access to an account badly enough, and has the resources to do so, they might be able to obtain a hashed version of its password (called a hash), crack it offline (by computing billions of guesses per hour, depending on the computing power they have available), and then log into the account with the recovered password without ever triggering the lockout.
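The offline scenario above is worth showing rather than just describing, because it explains why account lockout protects only against guessing through the login form. The following added example (not part of the original training material) stores a password with PBKDF2, then runs the attacker’s loop against the stored hash with a constructed word list: every guess is checked locally, so no lockout counter is involved. The same code also times a single guess at different iteration counts, which is the service-side defence: a slow hash multiplies the attacker’s cost per guess. The salt and word list are constructed samples.

```python
import hashlib
import time

# Constructed sample salt. A real system generates a random salt per user.
SALT = b"constructed-salt-0001"


def hash_password(password: str, iterations: int) -> bytes:
    """Derive the stored verifier with PBKDF2-HMAC-SHA256.
    iterations=1 behaves like a fast, unstretched hash; real deployments use
    hundreds of thousands of iterations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, iterations)


def offline_dictionary_attack(target: bytes, wordlist, iterations: int):
    """What an attacker does with a stolen hash: hash each candidate locally and
    compare. Returns (matched_word, guesses_made) or (None, guesses_made).
    The login server never sees these attempts, so lockout cannot fire."""
    guesses = 0
    for word in wordlist:
        guesses += 1
        if hash_password(word, iterations) == target:
            return word, guesses
    return None, guesses


def cost_per_guess(iterations: int, samples: int = 20) -> float:
    """Average wall-clock seconds to test one candidate at a given iteration
    count; the ratio between two counts is the attacker's extra cost factor."""
    start = time.perf_counter()
    for _ in range(samples):
        hash_password("benchmark-candidate", iterations)
    return (time.perf_counter() - start) / samples


# Constructed word list standing in for the "most common passwords" lists the
# text refers to; the real ones run to millions of entries.
SAMPLE_WORDLIST = ["123456", "password", "qwerty", "letmein2015", "welcome1"]


if __name__ == "__main__":
    stolen = hash_password("letmein2015", 1)          # weak password, fast hash
    print("fast hash:", offline_dictionary_attack(stolen, SAMPLE_WORDLIST, 1))

    stolen_slow = hash_password("letmein2015", 100_000)
    print("slow hash:", offline_dictionary_attack(stolen_slow, SAMPLE_WORDLIST, 100_000))

    strong = hash_password("OaLTiHW,bWI!", 1)          # not in any common list
    print("not in list:", offline_dictionary_attack(strong, SAMPLE_WORDLIST, 1))

    fast, slow = cost_per_guess(1), cost_per_guess(100_000)
    print(f"per-guess cost: {fast:.2e}s vs {slow:.2e}s, factor {slow / fast:,.0f}")
```

Two lessons fall out of running it: a weak password is found in a handful of guesses whether the hash is fast or slow, so stretching only buys time, and a password that is simply not on the list is never found by this method, which is the user-side half of the defence. For the trainer, the factor printed on the last line is the argument for asking services which hashing scheme they use.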
If an adversary has enough of an incentive and the resources to target you for your password to access your accounts, they will probably know quite a bit about you, including what language(s) you speak. When they (or someone they hire) attempts to brute-force your password, they will put words relevant to you in the word list they use to “guess” your password. This is likely to include words in your primary language and words particularly relevant to you, such as names of family members, locations (where you were born, where you’ve lived or traveled), and dates (e.g., your date of birth, when your child was born, when you were married).
From the point of view of the services you use them with, passwords are primarily tools for controlling access to information, and access control is one of the most fundamental properties of information security. This is often confused with authentication - proving that you are indeed the same person who owns the account. Because your password can be given away or taken and then used by someone else, passwords are a weak form of authentication but a relatively stable form of controlling access.
If you or your training participants are individuals at high-risk of being targeted by an adversary with resources, who wants to access accounts and their information, using two-factor authentication for services that offer it is highly recommended. Google, for instance, has stated that the use of two-factor authentication has drastically reduced the number of compromised accounts.
Further services, aside from Gmail and other Google tools, offering two-factor authentication include Facebook, Dropbox, and Twitter. The website TwoFactorAuth is an excellent tool for looking up accounts and services that currently support two-factor authentication.
It is important to use extreme caution when using two-factor authentication systems that rely on text messages. Recent research has indicated that accounts on some popular sites, such as Facebook, have been compromised by intercepting the verification codes contained within such text messages (which are not sent in any kind of encrypted format). Additionally, if you travel often and change your phone number when you do, it is important to note that you can be locked out of your accounts if you are not using an app like Google Authenticator.
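The difference between a text-message code and an authenticator-app code is easier to explain with the algorithm in hand. Apps like Google Authenticator implement TOTP (RFC 6238, built on HOTP from RFC 4226): the service and the app share a secret once, and each code is an HMAC of the current 30-second time slot, so nothing is transmitted over the phone network and the code keeps working after a change of number. The implementation below is an added example, not code from the curriculum or from any authenticator product; the shared secret is the published RFC test key, and the one-slot verification window is a common but assumed choice.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): truncate HMAC-SHA1(secret, counter) to a short code."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                            # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: float = None, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter set to the current time slot.
    Both the app and the service compute this independently from the shared
    secret and their own clocks; no code travels over SMS."""
    if timestamp is None:
        timestamp = time.time()
    return hotp(secret, int(timestamp // step), digits)


def verify_totp(secret: bytes, code: str, timestamp: float = None,
                step: int = 30, window: int = 1, digits: int = 6) -> bool:
    """Service-side check. window=1 (assumed) also accepts the previous and next
    slot, which tolerates small clock drift; compare_digest avoids timing leaks."""
    ts = time.time() if timestamp is None else timestamp
    for drift in range(-window, window + 1):
        expected = totp(secret, ts + drift * step, step, digits)
        if hmac.compare_digest(expected, code):
            return True
    return False


# The ASCII test secret published in RFC 4226 / RFC 6238, used only for demonstration.
RFC_TEST_SECRET = b"12345678901234567890"


if __name__ == "__main__":
    print("current code:", totp(RFC_TEST_SECRET))
    print("RFC 6238 vector, T=59, 8 digits:", totp(RFC_TEST_SECRET, 59, digits=8))
    print("accepted one step late:", verify_totp(RFC_TEST_SECRET, "287082", timestamp=89))
    print("rejected two steps late:", verify_totp(RFC_TEST_SECRET, "287082", timestamp=119))
```

The last two lines illustrate the trade-off the paragraph hints at: a code is only valid for a minute or so, which limits the damage if one is observed, while the phone-number caveat disappears entirely because the app needs nothing but the secret and a clock. Losing the device that holds the secret is the remaining lockout risk, which is why services issue backup codes at enrolment.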