As we know the full negative effect of a compromised account sometimes can take months or years to recover. With the nature of the information we deal with online each day, there’s no room to be negligence about our approach to account security. Keeping users, systems, and resources secure today requires a combined efforts using strong password policies and staying on top of the latest information security best practices.
Before we start looking at the strong password protection we really have to say that in our modern world just to have a super strong and long password (length is really important and critical) by itself is actually not enough. We caring in our pockets more powerful computers (cellphones) then the ones they used to go to the Moon (presumably they ever did…). Even seemingly very strong password can be cracked in “Offline Attack” in a matter of hours if they do not comply with certain criteria we will be looking at later in this blog. The best up to date practice is to have Two-Factor Authentication or, for even more critical and secure protection, Multi-Factor Authentication in combination with the strong password.
Some Interesting Facts
73% of users have the same password for multiple sites, 33% use the same password every time.
That simply means that if one of your site passwords got compromised you have a risk of losing much more confidential information from other sources as well. In this case, changing a password with just one site is not always enough.
Passwords “password”, “welcome”, and “12345″ can be cracked in less time than it takes to type them.
Every extra character in your password increases the difficulty for hackers to crack it.
Think one extra letter or number doesn’t mean much? Consider this:
• A 6-character password with only letters has 308,915,776 possible combinations.
• An 8-character password with only letters has 208,827,064,576 possible combinations.
• An 8-character password with letters (upper & lower case) and includes numbers and symbols has 6,095,689,385,410,816 possible combinations.
There is a real strength in numbers…or in this case, extra characters required by strong password policies passwords.
Multi-factor authentication adds an extra layer of security that is difficult for hackers to crack.
You probably already using it if you have Amazon, Google or Facebook accounts. So even if hackers would guess your password they still will need to crack an extra level of security.
Strong Password Requirements
The SANS Institute recommends that strong password policy include the following characteristics:
• Contain a mix of uppercase and lowercase letters, punctuation, numbers, and symbols.
• Contain at least 15 characters.
• Be unique from other accounts owned by the user.
• Never include dictionary words.
• Never include patterns of characters.
• Go even further in your password policy by encouraging the use of passphrases, which use phrases along with the strong password guidelines to add even further difficulty to passwords being compromised.
How can you create a solid password?
You can come up with your own system for this: write any sentence you like, I personally like to use lyrics of the song or poetry, then take the initials of each word make some of them a capital and spice them up with a combination of numbers and special characters. Using this method, you can not only create a password that is very difficult to crack but also easy to remember. After all, what is the use of a strong password if you can’t remember it?
Now that you’ve created your strongest password possible here some well-known principles of good password security:
• Never disclose usernames and passwords to third parties.
• Never store usernames and passwords on paper or in an unencrypted computer file.
• Update your account password at least every 6 months.
• Do not use passwords that have been used in the past.
• Never provide credentials when requested through email unless it’s encrypted.
• Run regular virus scans on your computer.
• Use Two-Factor Authentication. With Two-Factor Authentication, you will receive a text message for login and password reset requests.
• If you have to share a password, use a site like OneTimeSecret. This site creates a link to a page with your password info (or whatever info you choose), and once the page is viewed once, it is gone forever.
• Don’t save passwords or use “remember me” on public computers
Online and Offline Attacs
To understand why we actually need such strict password policy we need briefly to look at the difference between Online and Offline Hacking. Online Attacks occur when someone attempts to log in to a website by guessing someone else’s username and password using that site’s standard login page. Online Attacks are subject to a couple of natural limits; Attackers cannot subject a system to too many guesses because of the amount of activity their attack generates. If they will be persistent then it will attract the attention of the site’s maintainer and it could also easily be enough to overwhelm the website completely.
Because of that throttle limitation a password that’s targeted in an online attack needs to be able to withstand, according to the researchers, no more than about 1,000,000 guesses. One million guesses might sound a lot but even a quite short, randomly generated five character password like “24S4b” would likely survive. But this completely changes with the threat of an Offline Attack.
Offline Attacks occur when someone steals, buys or otherwise finds themselves in possession of a website’s password database. With the database in an environment that the attacker can control, the shackles imposed by the online environment are thrown off. Offline Attacks are limited by the speed at which attackers can make guesses and that means it’s all about horsepower.
To understand the difference between Online and Offline Attacks it’s helpful to see the numbers side-by-side.
Scenario Guesses a strong password must withstand
Online attack 1,000,000
Offline attack 100,000,000,000,000
Not only is the difference between those two numbers mindbogglingly large, there is – according to the researchers at least – no middle ground. It means that your password should be really strong and long.
Use of the Password Manager software will not only keep safe your existing passwords and help you to generate new ones, you also don’t have to remember all of your passwords. That leaves you free to make them as insanely complicated as you wish. The only password you have to remember is a Master Password to unlock secure container where all of your passwords kept. Password managers provide the crucial service of helping you avoid password reuse, and making it easy to change a password if you're concerned that it's been compromised. Managers offer a random password generator tool in which you can control things like the length and number of special characters you want. And password managers can store lots of data, not just login credentials. They're a good place to keep things like credit card numbers and insurance information, and most can even store files like PDFs or photos. They're generally not the most convenient place to keep all your files, but it makes sense to use them for storing things like tax forms and photos of your driver's license.
Password Manager easily integrates with the most of Internet Browsers and can feel up your credentials, shipping addresses and credit cards with the push of the button (we don’t recommend “automatic autofill” because of the security risks it presents). This speeds up your workflow and keeps your mind concentrated on the tasks that really matter. There are multiple solutions on the market and you might need to do in-depth research and comparison of functionality and security of these solutions. Some of them had history of being compromised and you want to be sure your passwords are safe! Some of the Managers can be synchronized with your cell phone which is very convenient if you have to log in from different computers and can act as a two-factor authentication manager.
Please feel free to leave comments or ask questions.
All the Best, Nikolay Shpurik