By Irena Kageorgis
Program Director, Information Systems Security & Information Technology Management, American Public University
October is National Cyber Security Awareness Month, NCSAM (https://amuedge.com/national-cybersecurity-awareness-month-kicks-off/). As part of this annual campaign, we encourage you to participate in the NCSAM 2016 Themes (https://www.dhs.gov/sites/default/files/publications/NCSAM%202016%20One%20Pager.pdf) every week during October. The National Cyber Security Alliance also posts password formulation guidelines on StaySafeOnline.org to help you secure your online accounts.
Today, one of the most common ways cybercriminals infiltrate a system is through unauthorized entry to software or systems using a legitimate user’s credentials. Once an adversary has a user’s password for a password-protected application, that adversary appears to be an authorized user and gains access to the protected assets stored on the application’s systems.
Relying on password protection alone is not the safest way of securing our assets. Since the 1980s, we have followed the guidelines for creating secure passwords (https://pages.nist.gov/800-63-3/sp800-63a.html) provided by the United States National Institute of Standards and Technology (NIST). But despite the use of NIST’s guidelines and complex password formulation, hackers can still crack passwords with typical methods.
Problems with Current Passwords
The more complex we make a password, the harder it is for a hacker to break it. However, complex passwords are not easy to remember or to recall.
With our need to create different passwords for email, social media, online banking and other accounts that we use daily, remembering all of these complex passwords is almost impossible. We also have to store all of those passwords and keep them safe from an adversary, which is another complication.
Available Tools for Managing and Recovering Passwords
Fortunately, password manager tools (http://www.pcmag.com/article2/0,2817,2407168,00.asp) are available. These tools include Dashlane, Keeper, LastPass, Sticky Password, Password Boss and LogMeOnce, which safely store complex passwords and sometimes even generate them. They use multi-factor authentication to verify the user’s identity before allowing access to the passwords stored, tracked and managed in a cloud storage vault typically hosted on the Web.
Password recovery tools also exist to help users recover lost or forgotten passwords, usually in minutes. Examples include Windows Password Recovery (http://pcsupport.about.com/od/toolsofthetrade/tp/passrecovery.htm), Ophcrack, Offline NT Password & Registry Editor, Kon-Boot, Trinity Rescue Kit and John the Ripper, which recover passwords for Windows or other operating systems.
How Hackers Crack Passwords
Popular online password cracking tools (http://resources.infosecinstitute.com/10-popular-password-cracking-tools/) such as Brutus, RainbowCrack, Wfuzz, THC-Hydra and Medusa use brute-force, dictionary, hash or algorithm attacks to find a user’s password. Successfully cracking someone else’s account may take anywhere from seconds to months, depending on the password’s complexity and the efficiency of the password cracking tool.
Tips for Making Your Passwords Stronger
Creating a better password that is hard to crack (https://www.dhs.gov/sites/default/files/publications/Best%20Practices%20for%20Creating%20a%20Password.pdf) is increasingly critical for safeguarding our assets. Here are some guidelines for creating a more secure password:
1. Use at least 10 characters. You can also use a whole phrase or a sentence with spaces as a password (https://staysafeonline.org/stay-safe-online/protect-your-personal-information/passwords-and-securing-your-accounts).
2. Combine uppercase and lowercase letters, the numbers zero through nine and special characters to create your password.
3. Never use the same password in more than one place.
4. Avoid the following when you’re constructing a password:
- Words found in a dictionary.
- A derivative of your name, company, address or any other contact information.
- Personal names, numbers or places. These include your pets, children, parents, siblings, Social Security or driver license numbers, phone numbers or places you’ve visited.
- Sequential numbers or sequential letters on a keyboard or keypad (such as 1234 or QWERTY).
- Repeated characters and/or numbers (such as xxxx or 77777).
5. Be sure to avoid the top 500 worst passwords of all time (http://www.sciencedirect.com/science/article/pii/B9781597490412500126).
6. Keep your passwords a secret. Never share your passwords with anyone else.
7. Join the Lock Down UR Login campaign (https://www.lockdownyourlogin.com/) and pass its message along to your friends and family members.
8. Check your password’s strength (https://nakedsecurity.sophos.com/2015/03/02/why-you-cant-trust-password-strength-meters/) with a tool such as Password Meter (http://www.passwordmeter.com/), but do not enter your actual passwords into such tools.
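As an added example (not from the original article, nor from NIST or the National Cyber Security Alliance), here is a small Python checker that applies guidelines 1, 2, 4 and 5 above to a candidate password. The word lists are tiny constructed samples, and the rule that a spaced phrase of four or more words satisfies the character-mix requirement is my assumption, not the article’s.

```python
import re
import string

# Constructed sample lists for this example; a real deployment would load a
# full dictionary and a breached-password list (e.g. the "top 500 worst") instead.
COMMON_WORDS = {"password", "welcome", "dragon", "monkey", "football", "summer"}
WORST_PASSWORDS = {"123456", "password", "qwerty", "letmein", "abc123", "111111"}
SEQUENCES = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "0123456789",
             string.ascii_lowercase]


def has_sequence(pw: str, length: int = 4) -> bool:
    """True if pw contains `length` consecutive keys or letters, forwards or backwards."""
    low = pw.lower()
    for seq in SEQUENCES:
        for i in range(len(seq) - length + 1):
            chunk = seq[i:i + length]
            if chunk in low or chunk[::-1] in low:
                return True
    return False


def has_repeats(pw: str, length: int = 4) -> bool:
    """True if any character repeats `length` or more times in a row (xxxx, 77777)."""
    return re.search(r"(.)\1{%d,}" % (length - 1), pw) is not None


def check_password(pw: str, personal=()) -> list:
    """Return the guideline violations for pw; an empty list means it passes.
    `personal` holds lowercase tokens the user should avoid (names, pets, numbers)."""
    low = pw.lower()
    problems = []
    if len(pw) < 10:
        problems.append("shorter than 10 characters")
    # Assumption: a phrase of four or more words (guideline 1) need not mix classes.
    is_phrase = len(pw.split()) >= 4
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw),
               any(c == " " or c in string.punctuation for c in pw))
    if sum(classes) < 3 and not is_phrase:
        problems.append("fewer than three character classes")
    if low in WORST_PASSWORDS:
        problems.append("on the worst-passwords list")
    if any(w in low for w in COMMON_WORDS):
        problems.append("contains a dictionary word")
    if any(p and p in low for p in personal):
        problems.append("contains a name or personal detail")
    if has_sequence(pw):
        problems.append("contains a keyboard or number sequence")
    if has_repeats(pw):
        problems.append("contains repeated characters")
    return problems


if __name__ == "__main__":
    for candidate in ["qwerty1234", "Summer2016!", "correct horse battery staple"]:
        print(candidate, "->", check_password(candidate) or "passes")
```

Run it on a few candidates of your own (never on a password you actually use) to see which guideline each one fails.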
With enough time, attempts, and resources, even the most complex password can be cracked. However, if we reduce the vulnerabilities associated with user-formulated passwords, we are better prepared to safeguard ourselves and our assets from cybercrime.