All passwords are breakable and the time to break them depends on the strength of the password and the number of allowed attempts.
As we know the full negative effect of a compromised account sometimes can take months or years to recover. With the nature of the information we deal with online each day, there’s no room to be negligence about our approach to account security. Keeping users, systems, and resources secure today requires combined efforts using strong password policies and staying on top of the latest information security best practices.
Before we start looking at the strong password protection we really have to say that in our modern world just to have a super strong and long password by itself is actually not enough. Compute power is used to break human passwords and without additional computer help, human capacity for passwords will be outperformed by breaking computers. We caring in our pockets more powerful computers (cellphones) then the ones they used to go to the Moon (presumably they ever did…). Even seemingly very strong password can be cracked in “Offline Attack” in a matter of hours if they do not comply with certain criteria we will be looking at later in this blog. The best up to date practice is to have Multi-Factor Authentication and failed logins protection on information systems.
Follow these 6 simple steps to improve your password management:
STEP 1. Create one very strong password that nobody knows and you remember it.
The strong password should include the following characteristics:
• contain more than 12-15 characters total
• contain a few 4-6 complex characters (digits, special symbols, punctuation, upper cases)
• Never include only dictionary words.
• Never include patterns of characters.
Longer passwords are better than more complex. The length is very crucial.
You can come up with your own system for this: write any sentence you like, I personally like to use good quote, lyrics of the song or poetry, then take the initials of each word make some of them a capital and spice them up with a combination of numbers and special characters.
Another way to do this is to pick a phrase and substitute characters within the phrase with complex characters.
The third way might be to take a phrase, then use only first letters, substitute some letters with special characters, add numbers, add more whole words at the end to increase the length.
Using these methods, you can not only create a password that is very difficult to crack but also easy to remember. After all, what is the use of a strong password if you can’t remember it?
STEP 2. Use this strong password for the few offline and local logins (on systems and applications which don't store your password on the web).
Use it for your computer login, the master password for a password manager, backups encryption, Time Capsule access, your private server operating system, VPN, SSH keys, and other offline systems.
Keep track and remember where you used this main password. The fewer systems use this main password the better.
STEP 3. Choose a password manager
1Password, Dashlane, RoboForm, LastPass, KeePass, etc.
There are paid and free password managers. Usually, you get for you pay for. In a good password manager, you will be able to store a lot of sensitive information like logins passwords, secure notes, passport, software licenses, bank and credit card information.
We are using 1password, but you need to do your own research.
Use of the Password Manager software will not only keep safe your existing passwords and help you to generate new ones, you also don’t have to remember all of your passwords. That leaves you free to make them as insanely complicated as you wish. The only password you have to remember is a Master Password to unlock secure container where all of your passwords kept. Password managers provide the crucial service of helping you avoid password reuse, and making it easy to change a password if you're concerned that it's been compromised. Managers offer a random password generator tool in which you can control things like the length and number of special characters you want. And password managers can store lots of data, not just login credentials. They're a good place to keep things like credit card numbers and insurance information, and most can even store files like PDFs or photos. They're generally not the most convenient place to keep all your files, but it makes sense to use them for storing things like tax forms and photos of your driver's license.
Password Manager easily integrates with the most of Internet Browsers and can feel up your credentials, shipping addresses and credit cards with the push of the button (we don’t recommend “automatic autofill” because of the security risks it presents). This speeds up your workflow and keeps your mind concentrated on the tasks that really matter. There are multiple solutions on the market and you might need to do in-depth research and comparison of functionality and security of these solutions. Some of them had history of being compromised and you want to be sure your passwords are safe! Some of the Managers can be synchronized with your cell phone which is very convenient if you have to log in from different computers and can act as a two-factor authentication manager.
STEP 4. Use auto-generated passwords for all online web-based systems whenever possible
All online passwords can be created with a “Password Generator” and you don’t need to know these passwords. Depending on your chosen password manager, these auto-generated passwords can be available on your several devices and online.
Recommended auto generate password settings: More than 25 characters, 5 digits, 5 symbols
STEP 5. Configure password manager security settings and a screensaver with a password on login
All computers can be configured with a 10 min screen saver that requires a password on login from screen saver. We recommend the 10 min screen saver settings when you want to keep your password manager unlocked for a longer time ( up to 2 hours) and this will further protect your computer from unauthorized access.
STEP 6. Protect your strong password
Now that you’ve created your strongest password possible here some well-known principles of good password security:
• A password is part of your digital identity - don't share your main password with anyone
• Never disclose your other usernames and passwords to third parties.
• You should be able to remember your one main password and it is best not to write it down anywhere (except temporarily in the initial stage of memorizing).
• Use a special shared password on systems which are not configured to support individual accounts like for wireless access.
• Never store usernames and passwords on paper or in an unencrypted computer file.
• Consider updating your account password with a certain frequency (every 6 months or once a year). To have a good password is more important than to update it frequently.
• Do not use passwords that have been used in the past.
• Never provide credentials when requested through email unless it’s encrypted or when the user is forced to reset the password on the first login.
• If you have to share a password, use a site like OneTimeSecret. This site creates a link to a page with your password info (or whatever info you choose), and once the page is viewed once, it is gone forever.
• Don’t save passwords or use “remember me” on public computers
Some Interesting Facts
73% of users have the same password for multiple sites, 33% use the same password every time.
That simply means that if one of your site passwords got compromised you have a risk of losing much more confidential information from other sources as well. In this case, changing a password with just one site is not always enough.
Passwords “password”, “welcome”, and “12345″ can be cracked in less time than it takes to type them.
Every extra character in your password increases the difficulty for hackers to crack it.
Think one extra letter or number doesn’t mean much? Consider this:
• A 6-character password with only letters has 308,915,776 possible combinations.
• An 8-character password with only letters has 208,827,064,576 possible combinations.
• An 8-character password with letters (upper & lower case) and includes numbers and symbols has 6,095,689,385,410,816 possible combinations.
There is a real strength in numbers…or in this case, extra characters required by strong password policies passwords.
Multi-factor authentication adds an extra layer of security that is difficult for hackers to crack.
You probably already using it if you have Amazon, Google or Facebook accounts. So even if hackers would guess your password they still will need to crack an extra level of security.
Online and Offline Attacks
To understand why we actually need such strict password policy we need briefly to look at the difference between Online and Offline Hacking. Online Attacks occur when someone attempts to log in to a website by guessing someone else’s username and password using that site’s standard login page. Online Attacks are subject to a couple of natural limits; Attackers cannot subject a system to too many guesses because of the amount of activity their attack generates. If they will be persistent then it will attract the attention of the site’s maintainer and it could also easily be enough to overwhelm the website completely.
Because of that throttle limitation a password that’s targeted in an online attack needs to be able to withstand, according to the researchers, no more than about 1,000,000 guesses. One million guesses might sound a lot but even a quite short, randomly generated five character password like “24S4b” would likely survive. But this completely changes with the threat of an Offline Attack.
Offline Attacks occur when someone steals, buys or otherwise finds themselves in possession of a website’s password database. With the database in an environment that the attacker can control, the shackles imposed by the online environment are thrown off. Offline Attacks are limited by the speed at which attackers can make guesses and that means it’s all about horsepower.
To understand the difference between Online and Offline Attacks it’s helpful to see the numbers side-by-side.
Scenario Guesses a strong password must withstand
Online attack 1,000,000
Offline attack 100,000,000,000,000
Not only is the difference between those two numbers mindbogglingly large, there is – according to the researchers at least – no middle ground. It means that your password should be really strong and long.
Password security is just a small part of overall information security which includes:
• Network security (Network Intrusion Prevention Systems, Threat prevention, URL filtering, VPN)
• Server security (Server security hardening, Advanced host firewall, Use Two-Factor Authentication. With Two-Factor Authentication, you will receive a text message for login and password reset requests. )
• User computer security (backups, antivirus, disk encryption, browser security)
• Application security
Passwords are not going to disappear, but are being enhanced by Multi-Factor authentication for stronger authentication. A password is something you know. Your digital identity can be reinforced with something you have (phone, token, certificate keys) or someone you are (biometrics).
In general, information systems should limit the number of failed login attempts.
Please feel free to leave comments or ask questions.