Recently, researchers found an Equifax portal guarding access to 14,000 personal records being secured by the password “admin/admin”. The issue has since been fixed, but the example highlights the lack of importance given to password creation that continues to plague cyber security for businesses and individuals.
Most people still use passwords that are easy for cyber thieves to guess despite the devastating effects of identity theft. But the problem isn’t just about carelessness; it’s about human nature. Understanding the problem will help you create better passwords.
The Human Predictability Problem
The founder of our current day password strategy, Bill Burr, recently admitted he regrets his original recommendations. While working at the National Institute of Standards and Technology (NIST) in 2003, Burr authored a guide that laid out two fundamental rules for password creation:
- It must have a combination of alphanumeric, uppercase, lowercase, and special characters.
- It should be changed every 90 days.
Rule number 1 results in a password like “S3cur1Ty%”, which looks random, but it’s actually not that hard for cyber criminals to crack. It’s easy because humans are so predictable.
For example, most of us tend to capitalize the first letter in our passwords. We also use the same numerical substitutions for letters (ex. “3” for “E”, “1” for “i”). Those two common strategies alone make our passwords much more predictable.
The NIST has since revised Burr’s guidelines, admitting that requiring complex passwords cause users to “respond in very predictable ways to the requirements imposed by composition rules.”
Rule number two results in a similar problem. People who change their passwords regularly tend to only make minor alterations, like simply adding a “1” at the end (not exactly creating the Enigma Code there). The NIST guidelines no longer suggest changing passwords every 90 days. Instead, you should change them when it’s appropriate, like after the Equifax security breach.
How do cyber criminals steal passwords?
Hackers have many way of stealing your passwords.
Brute Force Attacks
Hackers use software that repeatedly tries many different password combinations. Since the reigning champion of worst passwords is still “123456”, brute force attacks are a reliable way to steal your information. Brute force password “cracking” software comes with names like Brutus, RainbowCrack, and Wfuzz and are free to download.
Brute force attacks are effective with shorter passwords, but struggle with longer ones. For those, hackers switch strategies.
Dictionary Attack
As the name implies, dictionary attack software searches through a prearranged list of words, trying different combinations and variations. Ironically, cyber criminals use stolen passwords to make stealing passwords easier. Cyber thieves often purchase stolen password lists on the online black market. They buy them, not for targeting individuals, but for determining the most common passwords people use. They’re searching for human predictability so they can narrow their future searches.
Even legitimate businesses buy stolen passwords in an effort to safeguard their customers’ information
Because of these password lists, the NIST recommends sites that rank a users’ password strength by comparing it “against a ‘black list’ of unacceptable passwords.” If you try and use a password on such a list, the website may reject it.
Wi-Fi Monitoring Attack
Password thieves can also steal your password when you’re connected to public Wi-Fi. Special software alerts hackers when you connect to Wi-Fi and enter your username and password. They intercept and record the transmitted data, stealing your credentials. Wi-Fi attacks and recently discovered vulnerabilities are making Wi-Fi monitoring attacks a bigger threat.
Phishing Attacks
Attackers use fake emails and websites to steal your passwords. Phishing attacks are usually emails disguised as legitimate company correspondence. The emails typically direct you to download an attachment, click a link, or sign into a website.
That email from your “bank” looks legitimate, but its real author may be a thief directing you to enter your username and password into a fake website. Although hackers are getting more sophisticated, there are still effective ways to spot phishing attacks before it’s too late.
Updated strategies for creating passwords
Creating a good password means finding a balance between memorability and randomness. Here are some new strategies based on the updated NIST guidelines.
Stop being predictable
Now that you understand how Burr’s guidelines actually resulted in more predictable passwords, you can avoid these issues by creating personalized randomness.
Personalized Substitutions
Instead of using common substitutions (ex. “4” for “A”, “$” for “S”), find your own substitutions based on individual associations. For example, if your name begins with A and you’re the third child, then substitute all your A’s with 3’s. You can also substitute all S’s with the number of S’s in the title of your favorite horror movie (ex. “Texas Chain Saw Massacre” = 4).
Capitalization
Avoid predictable patterns in letter capitalization, like upper-case letters in the first and last position. Use a personal preference or choose to capitalize a letter where it aids memorization the most.
Using personal connections makes remembering your password easier and guessing it much harder.
Length
The longer your password, the better. More characters guard against brute force attacks by increasing complexity. At minimum, you should have eight characters. The NIST recommends websites encourage users to create passwords as “lengthy as they want.” But remember: the longer the password, the harder it will be to remember.
Use Acronyms
Using acronyms built from a longer phrase is a good way to create a secure password that’s easy to remember. Here are the steps:
- Find a phrase you can remember easily. Example: “Don’t count your chickens before they hatch”
- Create an acronym by using the first letters of each word in the phrase. So, “dcycbth.”
- Add some numbers and special characters based on the substitution and capitalization strategies listed above. For example, dcYcb3Th% is a strong password that’s easy to remember.
The longer and more personalized your initial phrase the stronger the resulting password will be.
Note: “personalized” doesn’t mean personal. Never use personal information like your date of birth, hometown name, or other piece of data a thief could easily find. Therefore, an example of a bad phrase to use would be “My Birthday Is On June Fifteenth Nineteen Eighty.
Use a Passphrase
Passphrases are built from random words strung together. They help thwart dictionary attacks that look for common patterns and connections. If you used a random noun generator to produce the four words “hallway”, “routine”, “travel” and “tsunami” you could build a password with strong randomness and length: hallwayroutinetraveltsunami. Add some uncommon substitutions and special characters and you’ve created a strong, memorable password.
Note: some security analysts argue the strength of random words passphrases are less secure than we might think given the limited number of words the average college educated person knows (80,000 words).
Use Two-Step Verification
If you haven’t set up two-step verification (2SV) on your accounts, you should do it as soon as you can. Also known as two-factor authentication, 2SV provides an extra layer of protection by having you prove your identity. Many 2SV systems work by sending a text to your phone with an access code. After you enter the code, the website gives you access to your account.
Vulnerabilities exist in 2SV because of the possibility of Wi-Fi and phishing attacks, but the NIST still recommends the practice.
Google recently announced its 2SV program called Google Prompt for Android phone phones The company claims Google Prompt is an easier and more secure method of authenticating an account than traditional 2SV.
Get a Password Manager
Another problem with passwords is that around 60% of people use the same one for multiple accounts. The downsides are obvious, but with so many of our online services requiring passwords, creating unique and memorable passwords isn’t practical.
Password managers are increasing in popularity because they create secure passwords you don’t have to remember. Most work by having you create a master password. The manager will then let you create and save more passwords for each of your outside accounts. They will even randomly generate passwords for you. If you can remember your master password, you can access all of your other ones.
When creating strong passwords, it’s definitely good not to follow the crowd. Secure passwords should be as unique as you are, so follow the NIST guidelines and keep access to your accounts in your hands, not those of cyber criminals.
Panda Security specializes in the development of endpoint security products and is part of the WatchGuard portfolio of IT security solutions. Initially focused on the development of antivirus software, the company has since expanded its line of business to advanced cyber-security services with technology for preventing cyber-crime.
16 comments