Information Security: Password Protection


Why Protect Your Passwords?
In modern times, it can feel as though the Internet of Things increasingly dictates our lives. The more securely you keep your information, the less likely you are to be hurt by that change, and this is where tools like password managers become extremely useful. In the world of the highly powerful and sometimes highly dangerous World Wide Web, you may be skeptical of the efficacy of such applications: why would I trust anyone with all of my passwords when I can secure them myself? The problem is that we already do this with every web-based application we use on a daily basis. Typing a password into Google is the same as saying, "You can have access to my personal information as long as you keep it safe." In fact, in February 2016, over 1 million Gmail accounts were targeted by government-backed hackers looking to steal personal information. Being skeptical of password thieves may seem like a safe bet, but sometimes we don't even know where those thieves may appear. The other problem with human-crafted passwords is that we are naturally lazy: we prefer ease of entry over security and safety. All of these factors make it very easy for attackers to gain access to our accounts, which may not seem like a problem until you realize how much information you really have in the Internet of Things.

Password Cracking
Some of the most powerful graphics processing units (GPUs) let attackers test about 100 billion password guesses in a single second. Imagine if you were the type to create a password that was simply "password" to secure your banking information. Unfortunately, you would be an easy target. Similarly, if you were the type to create a more clever password such as "s3cur3", you too would have your password easily cracked. Assuming an attacker has obtained a copy of some database of password hashes, which they often do through various advanced hacking methods, the only thing they would have to do to crack all of the passwords in that database (including yours) would be to sit and wait for the computer to do all of the work. Within hours, all of the information linked to your Gmail account could be available to some anonymous individual, who would then proceed to try your password on your Amazon account, bank account, and even your Facebook account. As mentioned previously, we are very lazy and tend to use the same passwords for multiple accounts, which makes compromising several accounts at once fairly easy.

Assuming your password is in fact "s3cur3": even though you have cleverly substituted the letter 'e' with the number '3', your password is only six characters long. Within seconds, every six-character combination of letters and numbers could be generated and tested against your account. Even worse, the word "secure" is probably in a hacker's list of words to check first. Not only that, everyone substitutes numbers for letters at some point, so that substitution is most likely a common rule to check as well. In other words, even if your password were longer and more complex, like "p4$$w0rd", an attacker would not need to wait days for a brute-force search to find it; it would be easy to add the underlying word to their list with the proper manipulations applied.

If you, like me, are trembling at the thought that you are not safe on the Internet, then follow the guidelines below to help secure your information online.

Password Creation
So let's say you create a new account and are afraid to create a password for fear that it will be cracked immediately. You would be mostly correct if your idea of password creation is to take the name of your favorite car and substitute numbers for letters. Password cracking relies on low entropy (randomness) and commonality: if everyone has your password, or if your password is short enough to brute force, then you are unsafe. Fortunately, there are a few principles you can follow when creating good passwords.

  1. Password length is key - When creating a password, the longer it is, the less likely it is to be cracked. Generally, a password longer than nine characters is enough to discourage most brute-force attacks. However, your password should never be a common dictionary word if you intend to keep your personal information personal.

  2. Unlikely symbols are annoying - You can avoid a lot of grief when creating a password if you just insert an unlikely symbol in the middle of it; that same symbol causes a lot of grief for whoever is trying to hack you. If you insist on creating the password "password", it would be a lot safer as "Pas$w_oRd." Something like this is less likely to appear in an attacker's dictionary or to be produced by the usual password-alteration rules. Until computers become more powerful, this would be sufficient for safety, but it might be hard to remember.

  3. Combining words - Single-word passwords are not the safest, especially considering the advanced dictionaries that exist today. However, if you want a password you can remember without worrying about symbols or the ease of cracking pronounceable passwords, you might consider combining three or four uncommon dictionary words. Something like "dictionaryneverattackscreate" would have entropy similar to a password with a few symbols and case variation. This is because most dictionaries would not combine random words together unless they were common combinations.

  4. Avoid creating profane passwords - Profanity is surprisingly prevalent in password-cracking dictionaries, so it is not particularly clever to use profane vocabulary in a password unless your intent is to get hacked.

  5. All of the above - You should use all of these methods for a single password in order to create the safest password for each account.
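To put numbers on the Password Cracking section and the creation rules above, here is a small Python strength checker added for this page (it is not code from ITS or from any password manager). It applies the 100-billion-guesses-per-second rate quoted above to a password's character classes and length, undoes common letter-for-number substitutions before looking the result up in a wordlist, and compares the entropy of a random passphrase with that of a random string of printable characters. The wordlist and the 7,776-word passphrase dictionary size are constructed assumptions; real cracking lists are far larger.

```python
import math
import string

# Rate quoted above for a top-end GPU: about 100 billion guesses per second.
GUESSES_PER_SECOND = 100_000_000_000

# Constructed stand-in for an attacker's wordlist (assumption: real lists hold
# millions of entries, including every word used in this page's examples).
WORDLIST = {"password", "secure", "dictionary", "never", "attack", "create", "letmein", "welcome"}

# Letter-for-symbol substitutions that cracking rules routinely undo.
LEET_MAP = str.maketrans({"3": "e", "4": "a", "0": "o", "1": "i", "$": "s", "5": "s", "@": "a", "7": "t"})

# Assumed size of the word list a passphrase is drawn from (a common 7,776-word list).
PASSPHRASE_DICTIONARY = 7776


def charset_size(password: str) -> int:
    """Size of the union of character classes an attacker must enumerate."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable symbols
    return size


def brute_force_seconds(password: str) -> float:
    """Worst-case time to try every string of this length over those classes."""
    return charset_size(password) ** len(password) / GUESSES_PER_SECOND


def normalize_leet(password: str) -> str:
    """Undo the substitutions so that "s3cur3" becomes "secure"."""
    return password.lower().translate(LEET_MAP)


def dictionary_hit(password: str) -> bool:
    """True if the password is a wordlist entry, with or without substitutions."""
    return normalize_leet(password) in WORDLIST


def random_string_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def passphrase_bits(word_count: int, dictionary_size: int = PASSPHRASE_DICTIONARY) -> float:
    """Entropy of word_count words drawn uniformly from the dictionary."""
    return word_count * math.log2(dictionary_size)


def assess(password: str) -> dict:
    """Summarize why a password would or would not survive the attack described above."""
    hit = dictionary_hit(password)
    seconds = brute_force_seconds(password)
    if hit:
        verdict = "wordlist hit once substitutions are undone: cracked almost instantly"
    elif seconds < 86_400:
        verdict = "entire keyspace searched in under a day at the quoted rate"
    else:
        verdict = "beyond brute force at the quoted rate (still never reuse it)"
    return {"password": password, "dictionary_hit": hit, "brute_force_seconds": seconds, "verdict": verdict}


if __name__ == "__main__":
    for candidate in ["password", "s3cur3", "p4$$w0rd", "Pas$w_oRd", "dictionaryneverattackscreate"]:
        result = assess(candidate)
        print(f"{candidate!r}: {result['brute_force_seconds']:.3g} s worst case; {result['verdict']}")
    # Four random words from a 7,776-word list versus eight random printable characters.
    print(f"4-word passphrase: {passphrase_bits(4):.1f} bits")
    print(f"8 random printable chars: {random_string_bits(8, 94):.1f} bits")
```

Running it shows the page's point directly: "s3cur3" and "p4$$w0rd" are flagged as wordlist hits before their tiny brute-force times even matter, "Pas$w_oRd" survives the wordlist but sits in a keyspace of 84^9 that the quoted rate exhausts in hours, and four random words carry roughly the same bits as eight random printable characters.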

Dangerous Practices
Now that you know how to create a proper password, it is time to learn how to keep it safe. Keeping it safe really means following this list of things that you should NEVER do with your passwords.

  1. NEVER store passwords in a browser - This may seem counterintuitive, since the almighty Google (which is very safe and unhackable) asks you to store your passwords in its Chrome browser all the time. Even Mozilla Firefox is guilty of this egregious request. This is one of the worst ways to "remember" your passwords, since a simple USB drive could be used to take all of your passwords in under five minutes. Browsers are extremely susceptible to exploits involving saved passwords, and all it would take is a single click for a guest on your computer to view all of them instantly. This is amplified by the fact that these "store passwords" features also let any user log into your accounts automatically without knowing the passwords. In short, do not store passwords in places with no password protection.

  2. DO NOT reuse passwords - Avoid using the same password for multiple accounts at all costs. The more you reuse passwords, the higher the chance that someone will figure out your password based on their previous successes on other websites. Password cracking also works, in some cases, by recovering passwords from leaked password hashes, so the more copies of your particular password hash are floating around on the Internet, the more likely it is that someone can expose your plaintext password to the world.

  3. Trust the site before you type - Phishing scams are the easiest way to gain access to someone's information. If you receive an email saying "log in to Facebook to claim your reward", you should be skeptical of the sender. Although it may seem as if you have successfully logged into your account, you may have just been redirected to the real site after handing the hacker all of your credentials. Even your friends can send you malicious content against their will, and you could fall victim to a third party's phishing scam. Make sure all links are legitimate, that the browser shows the website is secure, and check whether it is an "https://" website. If not, you may be giving away free credentials to a world of thieves.

  4. Stay on secure Wi-Fi - Similar to phishing scams, someone could intercept your credentials over unsecured Wi-Fi. Sometimes websites like Google will warn you that the connection is insecure when there is a "man in the middle" trying to steal information, but often this is not the case. If you must log into a website on a network that is not secure, the least you can do is check the legitimacy of the URL. Make sure you are not logging into "haha.hackedyou.rus" instead of "https://google.com" when you type in your credentials.

  5. Avoid suspicious downloads - If the attacker can't get to your browser, your friends, or your Wi-Fi network, chances are they have some cool software for you to download in order to get access to your info. Avoiding torrents with hidden agendas is always good practice. Things like keyloggers or RATs (Remote Access Tools) can sneak onto your system this way. It's best to avoid suspicious software entirely.
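The URL checks in items 3 and 4 above, and the reason a password manager refuses to fill a login form on a look-alike site, both come down to comparing the page's scheme and host against the host you expect before a password is typed. The following Python is an added example written for this page, not browser or password-manager code; the expected host google.com and the sample links, including the page's own haha.hackedyou.rus, are constructed test inputs (the .example domain is reserved for documentation).

```python
from urllib.parse import urlsplit


def host_matches(actual_host: str, expected_host: str) -> bool:
    """True only if actual_host is expected_host or a subdomain of it.

    The comparison is on whole labels: "accounts.google.com" matches
    "google.com", but "notgoogle.com" and "google.com.evil.example" do not.
    """
    actual_host = actual_host.lower().rstrip(".")
    expected_host = expected_host.lower().rstrip(".")
    return actual_host == expected_host or actual_host.endswith("." + expected_host)


def safe_to_enter_credentials(url: str, expected_host: str) -> tuple:
    """Return (ok, reason) for typing a password for expected_host into the page at url."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        # Bare "haha.hackedyou.rus" has no scheme at all; "http://" is not encrypted.
        return False, f"scheme is {parts.scheme or 'missing'}, not https"
    # urlsplit puts only the part after "user@" in hostname, so
    # "https://google.com@evil.example" is correctly seen as evil.example.
    host = parts.hostname
    if host is None:
        return False, "no host in the URL"
    if not host_matches(host, expected_host):
        return False, f"host {host} is not {expected_host} or a subdomain of it"
    return True, f"https and host {host} belongs to {expected_host}"


# Constructed sample links; a password manager makes the same decision before filling a form.
SAMPLE_LINKS = [
    "https://google.com",
    "https://accounts.google.com/signin",
    "http://google.com",
    "haha.hackedyou.rus",
    "https://google.com.evil.example/login",
    "https://google.com@evil.example/",
    "https://notgoogle.com",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        ok, reason = safe_to_enter_credentials(link, "google.com")
        print(f"{'FILL ' if ok else 'BLOCK'} {link:40} {reason}")
```

Only the first two sample links pass. The last three are the look-alikes a phishing page relies on: the real domain appears somewhere in the address, but it is not the host that will receive the form.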

Password Managers
The most effective way to protect your credentials is simply to use a password manager. We give web applications access to our credentials almost every day and trust that they will do no harm. Unfortunately, a hacked website is a hacked website, and sometimes that site might (unethically) be storing passwords itself instead of through a database, which makes it easier for an attacker to get at your information once they get into that site. The best way to avoid all of this is to use a password manager. Password managers are good for a few reasons.

  1. They don't store passwords - Most managers keep user credentials in a dedicated database, meaning that they are usually strongly encrypted, hard to find, and not readily exposable.

  2. They create passwords for you - You can spend hours creating a really good password that will have to be changed within a few months anyway, or you could use a password manager. Most managers create high-entropy passwords that are probably impossible to remember, but as long as you remember your master password, you won't need to remember the rest.

  3. They log in automatically - This has a few benefits. First, you don't have to remember your passwords when your browser is equipped with a password manager, because it will log in for you. Second, when you inevitably come across a phishing scam, your password manager will not log in for you, meaning you will be safe. Third, if you did choose to download that suspicious software with a keylogger attached, you won't be handing the hacker your keystrokes because you'll already be logged in. Finally, unlike browser password storage, this requires you to log in with your (hopefully uncrackable) master password. As long as you follow the steps for great password creation and change passwords frequently, you should be fine.

  4. They let you know your password strength - Sometimes it's hard to tell what a really good password looks like, but most password managers will tell you. Just type in a password and watch the analysis work. It will also tell you exactly how many times you've used a password if you connect all of your accounts to it.

  5. Passwords are randomly generated - If for some reason you hear a report that your favorite password manager has been hacked, you can rest assured that you only have to change your master password and randomly generate the others. There is no deep personal connection to a password consisting of a random string of characters and symbols.
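Items 2, 4 and 5 above (generating passwords for you, counting how often a password is reused, and regenerating everything after a breach report) can be sketched in a few lines. This Python is an added illustration for this page, not code from Dashlane, LastPass or any other product; the vault contents are a constructed sample, the site names use the reserved .example domain, and the passphrase word list is a made-up stand-in.

```python
import secrets
import string

# 94 printable ASCII characters; each uniformly chosen one adds about 6.55 bits.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed vault: three sites share one password, exactly the reuse the
# Dangerous Practices list warns against.
SAMPLE_VAULT = {
    "mail.example": "p4$$w0rd",
    "shop.example": "p4$$w0rd",
    "bank.example": "p4$$w0rd",
    "forum.example": "dictionaryneverattackscreate",
}


def generate_password(length: int = 20) -> str:
    """Password from the OS cryptographic random source (secrets), never random.random()."""
    if length < 12:
        raise ValueError("generated passwords should be at least 12 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def generate_passphrase(words: list, count: int = 4, sep: str = "-") -> str:
    """Random words joined with sep; a memorable form for the one master password."""
    return sep.join(secrets.choice(words) for _ in range(count))


def audit_reuse(vault: dict) -> dict:
    """Map each password that appears more than once to the sorted list of sites sharing it."""
    sites_by_password = {}
    for site, password in vault.items():
        sites_by_password.setdefault(password, []).append(site)
    return {pw: sorted(sites) for pw, sites in sites_by_password.items() if len(sites) > 1}


def rotate_reused(vault: dict, length: int = 20) -> dict:
    """Copy of the vault in which every reused password is replaced by a fresh random one."""
    reused = set(audit_reuse(vault))
    return {site: generate_password(length) if pw in reused else pw for site, pw in vault.items()}


def rotate_all(vault: dict, length: int = 20) -> dict:
    """After a breach report: a new random password for every site (change the master password separately)."""
    return {site: generate_password(length) for site in vault}


if __name__ == "__main__":
    for pw, sites in audit_reuse(SAMPLE_VAULT).items():
        print(f"{pw!r} is reused on {len(sites)} sites: {', '.join(sites)}")
    rotated = rotate_reused(SAMPLE_VAULT)
    print("reuse after rotation:", audit_reuse(rotated))
    # Made-up word list; a real manager draws from thousands of words.
    print("example master passphrase:", generate_passphrase(["lantern", "marble", "orbit", "quill", "saffron", "tundra"]))
```

The audit is the check item 4 describes, and rotate_all is the recovery item 5 describes: because every site password is random, replacing all of them costs nothing but a few seconds of generation.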

Some well-known password managers include Dashlane, LastPass, Avast, and many more. Feel free to try them to see how they work for you, or just create strong, unique, memorable, hard-to-guess passwords, like a line of lyrics from a favorite song.

This information is provided by the ITS Information Security Group - Report all questionable online activity or issues to security@binghamton.edu.