by Jim Grimes, Senior CompTIA Technical Instructor
You are Not Invulnerable…
The primary method by which we keep ourselves secure in our connected world today is by use of a password. Think about how many places you use a password. Obviously, there is social media. According to eBiz, the top five sites as of September 2016 are Facebook, YouTube, Twitter, Linked-In, and Pinterest and each requires a password. Then you have retail outlets, email, school, and more. Maybe you even use the same password for everything! And maybe (probably) it is simple, like a child’s or pet’s name and a number.
You may think that someone hacking your Facebook account is not the end of the world. Keep in mind, though, that they can post as you. People reading it will see your name on it, not the hacker’s. So there is a possibility that your reputation could be damaged, employment opportunities lost, or ‘ill will’ formed among your peers, family, and friends. The more we live online, the more damage can be done to us digitally. Digital reputation management is such a growing concern that it has turned into a new industry. Just Google “digital reputation management” and see for yourself. Still not convinced it can happen? Read how easily and quickly Matt Honan, a journalist at wired.com, got his entire digital identity turned upside down by hackers in 2012 in only an hour!
While social media accounts may not be your main concern, they may allow hackers to get into information that is more critical, such as medical, banking, and credit card sites. I’m sure I don’t have to explain all the ramifications of someone getting into your bank account. And then there’s your email, the sacred thread that holds your identity and security together. Now we know that you probably are not emailing classified documents. You may not even think it’s a big deal that someone reads the jokes your uncle Tom sent you. The issue is that most websites allow you to log in or reset your password with your email address! If they can access your email, they can potentially get into anything else you access. It is not very hard for a total stranger to find your email address. After all, how many of your Facebook friends do you really know? Maybe they sent you a friend request just to get information about you!
Your First Line of Defense
Think about your standard multiple-dial combination lock. You have 4 rotating numbers on the lock. It would be pretty easy to figure out the combination if there were only one dial. You would have 10 possible combinations, 0 through 9. You would have that lock open in less than a minute by simply trying all the possible combinations. When you add a second dial to the lock, the range becomes 00 through 99, 100 possible combinations. Still doable, but it just takes longer. Most dial combination locks have 4 dials. That makes the range 0000 through 9999, or 10,000 combinations! Still doable, but exponentially more time-consuming.
Now let’s apply that principle to cyber security. The longer and more complex the password is, the better. You can use A – Z, a – z, 0 – 9, and many special characters like !#$%&’()*+-.;:<=>?. (the special characters you are allowed to use may depend on the system in which you are entering the password). So each position in your password can hold one of about 96 characters. This means an eight-letter password would have 7.2 quadrillion (7,213,895,789,838,336) possible combinations!
Sounds amazing, right? Today, a high-end workstation could attempt to break your 8-character password by processing a million passwords per second. The process would be completed and your password hacked in about 83 days or less! Remember that the next time your 90 days are up and the system requires you to change your password.
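To make the dial-lock arithmetic concrete, here is an added Python example (not code from the original article) that computes the search space, its size in bits, and the worst-case time to try every password for a given alphabet, length and guess rate. The 96-character alphabet follows the article; the one-billion-guesses-per-second rate used in the demo table is an assumption, and the rate is a parameter so you can plug in your own.

```python
import math

# The article's alphabet: 26 upper, 26 lower, 10 digits and 34 printable symbols
# (33 punctuation marks plus space), about 96 characters per position.
ALPHABET_SIZE = 26 + 26 + 10 + 34
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def search_space(alphabet_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` symbols, e.g. 10**4 for a 4-dial lock."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password of this length at a fixed guess rate."""
    return search_space(alphabet_size, length) / guesses_per_second


def entropy_bits(alphabet_size: int, length: int) -> float:
    """log2 of the search space: each extra character adds log2(96) ~= 6.58 bits."""
    return length * math.log2(alphabet_size)


def human_time(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    if seconds < SECONDS_PER_DAY:
        return f"{seconds / 3600:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_DAY:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:,.0f} years"


if __name__ == "__main__":
    # Assumed guess rate for the table below: one billion guesses per second.
    rate = 1e9
    print(f"4-dial lock: {search_space(10, 4):,} combinations")
    for length in (8, 10, 12, 16):
        secs = seconds_to_exhaust(ALPHABET_SIZE, length, rate)
        print(f"{length:2d} chars: {search_space(ALPHABET_SIZE, length):.3e} "
              f"({entropy_bits(ALPHABET_SIZE, length):.1f} bits) -> {human_time(secs)}")
```

Each extra character multiplies the work by the alphabet size, which is why length beats a slightly larger symbol set; as hardware gets faster the days figure shrinks, so the rate is the number to keep re-checking.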
How Your Password is Kept Secure
When you set up a new password or change an existing password, the server responsible for the authentication is the one that will store it. Your password goes through a cryptographic hash algorithm, converting the readable password to a cryptographic hash value or digest. This is done to keep the password secure. The unique thing about this algorithm is that once it has converted the password to the digest, the process cannot be reversed, not even by the server storing it. If you enter a password like “SwrTb7$#”, you would get a hash value that might look like this: f/UWnXa+2i.
If you change one character in the password, you get a completely different digest. On your next login, your password goes to the server responsible for authenticating it, and it goes through the same algorithm again. The server compares the digests to see if they are the same. If they match, you get in. If not, you get ‘access denied.’ As you can see, no one knows what your password is, not the IT people or the server doing the authentication.
This is why most sites offer the option to reset your password, not retrieve it.
The Pain and Glory of Password Complexity
When it comes to passwords, people can be lazy and predictable. This is part of the reason why hackers are so successful. It is also why your IT pro or Information Security officer is constantly harping on you to use stronger passwords! It’s why you have to include upper- and lowercase letters, numbers and special characters. People comply, even if it is grudgingly so. The more complex the password, the harder it is to break.
In 2015, the Ashley Madison website was hacked by a group called The Impact Team. After the fallout, a company called CynoSure Prime took the publicly available information that was released and examined the password digests to check the security of the passwords chosen by the users on that website. Here are the top five worst passwords:
Of the 36 million password hashes that were available, 2.6 million were cracked in a few hours by a single computer. How did they figure out so many passwords so quickly? They used a “rainbow table.” Essentially, this is a database of noncomplex passwords that have already been converted to a digest. They simply compare the captured digest to the rainbow table looking for a match. If they find a match, they know the password. In regard to the number one password on the list (12345), 120,511 people used it on the Ashley Madison site! It is also easier to crack your password if part of it is a real word, like Jenna123. I promise you that is in a rainbow table somewhere.
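The hash-and-compare login described under “How Your Password is Kept Secure” and the precomputed-digest lookup described just above fit in one added Python example (not code from the original article, and not how the Ashley Madison site or CynoSure Prime did it). The five weak passwords are a constructed stand-in for a precomputed table, and the PBKDF2 parameters are assumptions; the point is that an unsalted digest of a weak password is found by table lookup instantly, while a salted, iterated digest of the same password differs every time it is stored.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for a precomputed ("rainbow") table: digests of a few weak
# passwords, keyed by digest so a captured hash can be looked up directly.
COMMON_PASSWORDS = ["12345", "password", "qwerty", "Jenna123", "letmein"]


def unsalted_digest(password: str) -> str:
    """Plain SHA-256. The same input always gives the same digest, so it can be precomputed."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


PRECOMPUTED = {unsalted_digest(p): p for p in COMMON_PASSWORDS}


def lookup_in_table(digest: str) -> Optional[str]:
    """Return the password if its unsalted digest is in the table, else None."""
    return PRECOMPUTED.get(digest)


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256, returned as the one string the server stores."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations),
                     base64.b64encode(salt).decode(), base64.b64encode(dk).decode()])


def verify_password(password: str, stored: str) -> bool:
    """Re-run the same algorithm with the stored salt and compare digests in constant time."""
    algo, iterations, salt_b64, dk_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash format")
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # One changed character gives an unrelated digest.
    print(unsalted_digest("SwrTb7$#")[:16], unsalted_digest("SwrTb7$!")[:16])
    # An unsalted digest of a weak password is found instantly in the table ...
    print(lookup_in_table(unsalted_digest("12345")))
    # ... but two salted hashes of that same password differ, so one table cannot cover both.
    stored_a, stored_b = hash_password("12345"), hash_password("12345")
    print(stored_a != stored_b, verify_password("12345", stored_a), verify_password("12346", stored_a))
```

Salting forces a separate table per user, and the iteration count slows each guess; neither helps much against “12345” being guessed outright, which is why the list of rules below still matters.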
So What Do You Do to Increase Personal Cyber Security?
Here is what I recommend for password security.
- Never use strings of characters from your keyboard, like QWERTY.
- Never use any word you can find in a dictionary as part of your password.
- Never use the names of family, friends, or pets. This includes numbers related to them like their date of birth or age. Nor should you use their favorite song or movie. Use nothing that appears on or is available through your social media accounts.
- Never use a password security question where the answer can be found on your social media account.
- Do not use the same password on multiple sites.
- Make sure your computer or device is locked before you walk away.
- Be wary of open wi-fi and never use passwords on this type of unprotected network.
- Try not to recycle passwords.
- Make sure to periodically change your password.
- Never tell anyone your password.
- Write your password down only if you have to. Rather, write tips to help you remember the password. If you must write it down, do not store it near your computer.
- Educate yourself on what social engineering and phishing are.
- Consider, when possible, using multifactor authentication.
- Use a passphrase to make up a password. Make up a sentence like, “I have to come up with passwords all the time!” Then use the first letter of each word. So your password would be, Ih2cuwpatt!
- Use a website that checks the strength and complexity of your password. The site net makes it fun by relating how secure your password is by telling you how long it would take a computer to break it.
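As an added Python example (not code from the original article or from any of the strength-checking sites mentioned), this turns the passphrase method from the list into code and then checks the result against the list's own rules: the upper/lower/digit/special requirement, a minimum length, and the “no keyboard strings like QWERTY” rule. The “to” → “2” substitution reproduces the article's Ih2cuwpatt! example; the other two substitutions, the keyboard rows and the 8-character minimum are assumptions made for this example.

```python
import string

# Word substitutions the article's own example relies on ("to" -> "2"); the other two
# entries are assumptions added for this example.
SUBSTITUTIONS = {"to": "2", "for": "4", "and": "&"}
# Assumed US-layout rows used to spot QWERTY-style runs, forwards or backwards.
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]


def passphrase_to_password(sentence: str) -> str:
    """First letter of each word, mapped words replaced by their symbol, and any
    punctuation glued to the end of a word carried into the password."""
    out = []
    for word in sentence.split():
        core = word.strip(string.punctuation)
        trailing = word[len(word.rstrip(string.punctuation)):]
        if core.lower() in SUBSTITUTIONS:
            out.append(SUBSTITUTIONS[core.lower()])
        elif core:
            out.append(core[0])
        out.append(trailing)
    return "".join(out)


def character_classes(password: str) -> dict:
    """Which of the upper/lower/digit/special classes the password covers."""
    return {
        "upper": any(c.isupper() for c in password),
        "lower": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(c in string.punctuation for c in password),
    }


def contains_keyboard_run(password: str, run: int = 4) -> bool:
    """True if `run` adjacent keys from one keyboard row appear, in either direction."""
    p = password.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            if any(seq[i:i + run] in p for i in range(len(seq) - run + 1)):
                return True
    return False


def meets_policy(password: str, min_length: int = 8) -> bool:
    """Minimum length, all four character classes, and no keyboard run."""
    return (len(password) >= min_length
            and all(character_classes(password).values())
            and not contains_keyboard_run(password))


if __name__ == "__main__":
    pw = passphrase_to_password("I have to come up with passwords all the time!")
    print(pw, meets_policy(pw), meets_policy("Jenna123"), meets_policy("QWERTY123!a"))
```

A dictionary-word check is deliberately left out because it needs a word list that is not on this page; add one against `core` words if you adopt the method.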
If you don’t remember the last time you changed your password, it’s time!