Russ Harvey Consulting - Computer and Internet Services

Passwords: Your Electronic Signature

Strategies for generating and using effective passwords

Long & Strong | Brute Force Attacks | Unique
Compromised Passwords | Remembering Passwords
What About Passkeys?

The login screen requesting username and password.
To protect ourselves from cybercriminals, it is essential to use a combination of characters when creating a password, use different ones for each account, use a long password, change it regularly and use two-factor authentication.
Checkpoint

Passwords Secure Your Online Accounts

Increasingly, our lives are lived online: banking, shopping, donating, e-filing taxes, corresponding, posting on Facebook, etc.

According to Mozilla, the average person has 130 online accounts.

That's a lot of unique accounts — each requiring a unique password that is strong enough to resist hacking.

Passwords Protect Authority

Think of passwords as an electronic signature or “Power of Attorney.”

Anyone in possession of your passwords can make purchases, access your bank accounts, access or delete files backed up or stored online, change settings, even post libelous comments about others on your social media accounts.

Your passwords need to be protected diligently.

Unfortunately, consumers seem to ignore such advice:

However, trying to balance security and convenience may contribute to unsafe shortcuts: about half of consumers (45%) only change passwords for providers when prompted by the platform, when hacked, or not at all. The same percentage (44%) often reuse the same password on most of their accounts, showing that consumers still require education on smart password creation or password management tools.
MasterCard: Securing the digital economy March 2023

Creating Effective Passwords

Several factors go into securing our online accounts with effective passwords: length, randomness, a unique password for every site, and prompt replacement of any password that has been exposed in a breach.

Use a password manager in combination with multifactor authentication (MFA/2FA) to improve security.

Together these make it easier for you to keep your online accounts safe and to respond quickly if a data breach reveals your account details.

Poor Password Choices Common

Unfortunately, most people view passwords as something imposed upon them rather than something that improves their security.

  • 44% of respondents use the same or similar passwords despite knowing this could increase their personal security risks.
  • 53% of respondents haven't changed their password in the last 12 months even after hearing about a breach in the news.
  • 41% of respondents think their accounts aren't valuable enough to be worth a hacker's time.
LastPass

The fact that social media and advertisers expend so much effort to track your browsing history should tell you that information is extremely valuable to them.

NordPass and partners found that the most common passwords are incredibly easy to guess — and it could take less than a second or two for attackers to break into accounts using these credentials. Only 44% of those recorded were considered “unique.” — ZDNET

Poor security hygiene is a strong contributor to why so many people continue to have their accounts hacked or suffer from ransomware and other malware infections.

23andMe Deflects Responsibility for Breach

One possible consequence of reusing passwords, or of not changing a password once it has been exposed in a breach of any of your accounts, is that claims over a later breach of those accounts may be dismissed because the company argues you failed to protect your own credentials.

23andMe's lawyers sent a letter to victims of the breach claiming that the incident was a result of users' failure to safeguard their own account credentials:

23andMe believes that unauthorized actors managed to access certain user accounts in instances where users recycled their own login credentials — that is, users used the same usernames and passwords used on 23andMe.com as on other websites that had been subject to prior security breaches, and users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe. Therefore, the incident was not a result of 23andMe's alleged failure to maintain reasonable security measures under the CPRA.

Make Passwords Long and Strong

Over two-thirds of users create simple passwords that can be hacked quickly — in less than one second, in many cases.
— Ipswitch

Generate passwords that are both long and strong so that they are difficult to guess and impractical to crack.

Modern hardware has made 8-character passwords insecure, even complex ones mixing letters, numbers and symbols, and attackers' password-cracking capacity improves every year.

These days, given the state of cloud computing and GPU password hash cracking, any password of 8 characters or less is perilously close to no password at all.
Jeff Atwood (2017)

Bruce Schneier's Choosing secure passwords (2014) will give you a good idea of how passwords get hacked and reveals a great deal about hacker dictionaries (they contain lists of passwords that you'd think were great).

Longer Passwords More Secure

Passwords should be at least 12–15 characters long (I'd recommend longer where the site will allow it).

Given the considerable number of leaked passwords now available on the dark web, anything less than a generated 11 character password is asking for trouble.

Of course, most of us don't know whether or not our data is on the dark web. The odds are that at least some of your passwords (and usernames and email addresses) are in a database of hacked accounts.

That's why reusing passwords is so risky; hackers can easily use the same login combination on other websites.
LastPass blog

Strong Passwords Harder to Hack

Password strength refers to an assessment of how difficult it would be to break a password using current (or sometimes anticipated) technologies.

Use random characters drawn from the full set the site supports: letters of both cases and numbers, interspersed with symbols wherever they are allowed.

Newer, more powerful computers are being developed all the time, and this raises the bar for what counts as a secure password. State-financed “bad actors” have the resources to obtain and use such equipment regardless of expense.

Password Strength Meters

Many sites will indicate an approximation of the strength of your password.

Don't use third-party sites to check the strength of your password. Even if such a site isn't trying to hack your accounts, the mere fact that you've revealed a password to any site other than the one you sign in to with it potentially makes that password vulnerable.

Wikipedia's password strength entry includes examples of weak passwords such as the default passwords supplied by vendors (e.g., “admin”) and passwords that are more vulnerable to a “dictionary” attack.

Password Restrictions

Many sites have restrictions placed on both the size of allowed passwords and their complexity (including the use of anything but alpha-numeric characters).

The allowed legal characters can vary by site. Most will allow all letters and numbers, but some symbols (like /, \, < or >) may not be allowed.

I find it annoying that many of these sites only tell you their restrictions AFTER you've attempted to enter a new password, particularly the special characters that are not allowed.

Server Choices Affect Security

Even if you're using a decent password, the level of security at the sites storing your information, and how your password is transmitted and stored there, can make you vulnerable.

Many data breaches have occurred because an employee either used a weak password that allowed access to the system or was the perpetrator.

Passwords Vulnerable to Brute Force Attacks

Brute force attacks refer to the process of testing one potential password after another until the password is discovered.

When a hacker breaks into a company, they usually look for and download the entire password database.

In short, not all encryption algorithms are built equally, and even worse, many companies don't protect their passwords correctly.

Some hashing methods are old and weak, and as a result can be broken by hackers. More commonly though, hackers take the stolen hashes, and begin to extract the passwords with a few methods.
Hive Systems

How Hackers Steal and Use Your Passwords discusses how hackers extract passwords from stolen password hashes.
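To make the quoted description concrete, here is an added example (my own code, not from Hive Systems or this page) that builds a constructed “leaked” user table two ways and runs the same small dictionary against both: bare MD5 with no salt, as a careless site might store it, and a random per-user salt with an iterated key-derivation function (PBKDF2-HMAC-SHA256, written out from the Go standard library so the example has no dependencies). The user names, passwords and wordlist are constructed. The iteration count is kept tiny so the example runs instantly; real deployments use hundreds of thousands of iterations, or a memory-hard function such as Argon2, which is what makes every guess expensive.

```go
package main

import (
	"crypto/hmac"
	"crypto/md5"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Constructed cracking dictionary: the kind of entries found in leaked-password lists.
var Wordlist = []string{"123456", "password", "qwerty", "letmein", "dragon", "iloveyou", "Summer2023", "P@ssw0rd"}

// Constructed user table; carol's passphrase is the only one not in the dictionary.
var Users = map[string]string{"alice": "password", "bob": "Summer2023", "carol": "correct horse battery staple"}

// pbkdf2SHA256 is PBKDF2-HMAC-SHA256 (RFC 8018) for a 32-byte key, written with only the
// standard library. Every guess costs the attacker `iters` chained HMAC computations.
func pbkdf2SHA256(password, salt []byte, iters int) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // block index 1; one block covers a 32-byte key
	u := prf.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iters; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// UnsaltedDB is how a careless site stores passwords: one fast, unsalted hash per user.
func UnsaltedDB(users map[string]string) map[string]string {
	db := make(map[string]string, len(users))
	for user, pw := range users {
		sum := md5.Sum([]byte(pw))
		db[user] = hex.EncodeToString(sum[:])
	}
	return db
}

// SaltedRecord is what a careful site stores: a random per-user salt and a slow, salted hash.
type SaltedRecord struct{ User, Salt, Hash string }
func SaltedDB(users map[string]string, iters int) []SaltedRecord {
	var db []SaltedRecord
	for user, pw := range users {
		salt := make([]byte, 16)
		if _, err := rand.Read(salt); err != nil {
			panic(err)
		}
		key := pbkdf2SHA256([]byte(pw), salt, iters)
		db = append(db, SaltedRecord{User: user, Salt: hex.EncodeToString(salt), Hash: hex.EncodeToString(key)})
	}
	return db
}

// CrackUnsalted hashes the dictionary once, then recovers every user by table lookup; returns passwords and hash count.
func CrackUnsalted(db map[string]string, words []string) (map[string]string, int) {
	table := make(map[string]string, len(words))
	for _, w := range words {
		sum := md5.Sum([]byte(w))
		table[hex.EncodeToString(sum[:])] = w
	}
	found := map[string]string{}
	for user, h := range db {
		if w, ok := table[h]; ok {
			found[user] = w
		}
	}
	return found, len(words)
}

// CrackSalted cannot share work between users: each guess is re-derived with that user's salt at `iters` hashes each.
func CrackSalted(db []SaltedRecord, words []string, iters int) (map[string]string, int) {
	found, ops := map[string]string{}, 0
	for _, rec := range db {
		salt, _ := hex.DecodeString(rec.Salt)
		for _, w := range words {
			ops += iters
			if hex.EncodeToString(pbkdf2SHA256([]byte(w), salt, iters)) == rec.Hash {
				found[rec.User] = w
				break
			}
		}
	}
	return found, ops
}

func main() {
	const iters = 1000 // deliberately tiny so the demo is instant; real sites use far more
	f1, ops1 := CrackUnsalted(UnsaltedDB(Users), Wordlist)
	f2, ops2 := CrackSalted(SaltedDB(Users, iters), Wordlist, iters)
	fmt.Printf("unsalted MD5:  cracked %d of %d users with %d hash computations: %v\n", len(f1), len(Users), ops1, f1)
	fmt.Printf("salted PBKDF2: cracked %d of %d users with %d hash computations: %v\n", len(f2), len(Users), ops2, f2)
}
```

Note the two cost figures: with unsalted MD5 the attacker hashes the dictionary once and every user falls to a lookup, which is exactly what precomputed “rainbow” tables exploit; with a salt each user must be attacked separately, and with iterations each guess costs the attacker as much as a login costs the site.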

This chart is a visualization of password vulnerability to brute force attacks in 2023:

Time it takes a hacker to brute force your password.
Credit: Hive Systems

Notice how much longer the estimated time for cracking a password was in 2020:

Time it takes a hacker to brute force your password.
Credit: Hive Systems

Using numbers, upper- and lower-case letters and symbols makes a password harder to crack than a less complex password of the same length, and longer passwords are less vulnerable to brute force attacks.

Those timelines assume every character was chosen at random. Many other factors can shorten them considerably:

“Dictionary” Attacks

Since some combinations are far more likely than others, the hacker builds a “dictionary” of probable passwords. It contains names, words in many languages, place names and the character patterns that turn up in commonly used passwords worldwide.

Data breaches have revealed personal information but also common passwords which are added to hacker dictionaries.

Don't Reuse Passwords

Would you feel safe if every apartment in your building used the same key to lock their suite's front door?

Reusing passwords or repeating phrases within your passwords is just as risky. Once hackers catch on, all your accounts are vulnerable.

Users tend to use a single password at many different web sites.

By now there are several reported cases where attackers break into a low security site to retrieve thousands of user name/password pairs and directly try them one by one at a high security e-commerce site such as eBay.

As expected, this attack is remarkably effective.
Stanford Security Lab

The reality is that the majority, 91%, recognize that using the same or similar passwords for multiple logins is a security risk, yet 58% do it anyway. These people mostly or always use the same password or variation of the same password.

Does this sound like something you do? If so, cut that bad habit now!
LastPass blog

Generate Unique Passwords for Every Site

Without the aid of password management software, people tend to reuse passwords or generate similar passwords with an extra number or other modifier. This is not security-smart.

Passwords are immensely valuable, whether they are for email, e-commerce sites, or even “just” a social media platform. Criminals aren't after your Spotify passwords because they want to see who your favorite artists are.

They are banking on the high likelihood that the same password will unlock your email, retail Website, or even your work network.
Check Point blog

By generating a unique password for every site, each site obtains only your name, email and whatever other information you provided directly to that particular site. The fallout is limited to that one site.

Hundreds of online accounts can be compromised in a data breach on any given day. Reusing passwords could put your most sensitive accounts at risk. Compromised accounts are vulnerable from anywhere in the world.

Make Them Random

Unfortunately, people are creatures of habit and tend to follow the same sort of process in creating passwords such as familiar names (girlfriends, sports teams, etc.) and predictable patterns.

Respondents also retain a fondness for “keepsake passwords” including personally significant details as a family or pet name, a birthday or other important date, or a current or previous address, with 48% reporting that practice the last time they created or updated a password.
PCMag

Patterns Make Passwords More Vulnerable

Passwords with simple phrases or common combinations are easily guessed.

If you can say your password (even with variations like “password with a zero”) it can be compromised in as little as one second using a dictionary attack.

We tend to start with a capital and leave the numbers and special characters at the end. This makes their discovery easier.

Avoid simple substitutions like @ for a, 3 for e and (zero) for o (e.g., N3wP@ssw0rd1922!).

In one 2010 case study, the top three compromised passwords were 123456, password and 12345678.
— Duo Security
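The Hive Systems chart earlier assumes every character is drawn uniformly at random, and this section shows why that assumption rarely holds for human-chosen passwords. The added example below (my own code, not from Hive Systems, Duo or this page) puts numbers on both points. KeyspaceBits and BruteForceSeconds compute the brute-force keyspace for an alphabet and length at an assumed guess rate (the 10^10 guesses per second used in main is an illustrative assumption, not a measured figure). Candidates then generates what a rule-based dictionary attack actually tries from one base word: case variants, the usual leet substitutions, a four-digit year and a trailing symbol. The rule set and base word are constructed, and they are enough to recover the article's own example, N3wP@ssw0rd1922!, after a few thousand guesses, even though a random 16-character password over the printable alphabet has a keyspace of about 2^105.

```go
package main

import (
	"fmt"
	"math"
	"strings"
)

// Substitutions a word-mangling rule set tries; each one is toggled independently.
var leetRules = [][2]string{{"a", "@"}, {"e", "3"}, {"o", "0"}, {"i", "1"}, {"s", "$"}}

// Trailing symbols people append to satisfy complexity rules ("" = none).
var suffixSymbols = []string{"", "!", "?", "#", "$", "*", "."}

const yearFrom, yearTo = 1900, 2030

// KeyspaceBits is log2(charsetSize^length): the entropy of a truly random password.
func KeyspaceBits(charsetSize, length int) float64 {
	return float64(length) * math.Log2(float64(charsetSize))
}

// BruteForceSeconds is the worst-case time to exhaust that keyspace at a given guess rate.
func BruteForceSeconds(charsetSize, length int, guessesPerSecond float64) float64 {
	return math.Pow(float64(charsetSize), float64(length)) / guessesPerSecond
}

// CandidatesPerWord is the upper bound on guesses the rule set generates per base word.
func CandidatesPerWord() int {
	return 3 * (1 << len(leetRules)) * (yearTo - yearFrom + 1) * len(suffixSymbols)
}

func caseVariants(w string) []string {
	if w == "" {
		return nil
	}
	lower := strings.ToLower(w)
	title := strings.ToUpper(lower[:1]) + lower[1:]
	seen := map[string]bool{}
	var out []string
	for _, v := range []string{w, lower, title} {
		if !seen[v] {
			seen[v] = true
			out = append(out, v)
		}
	}
	return out
}

// Candidates enumerates every mangled form of base in the order a cracker would try them.
func Candidates(base string) []string {
	var out []string
	for _, cased := range caseVariants(base) {
		for mask := 0; mask < 1<<len(leetRules); mask++ {
			var pairs []string
			for i, r := range leetRules {
				if mask&(1<<i) != 0 {
					pairs = append(pairs, r[0], r[1])
				}
			}
			leet := strings.NewReplacer(pairs...).Replace(cased)
			for year := yearFrom; year <= yearTo; year++ {
				for _, sym := range suffixSymbols {
					out = append(out, fmt.Sprintf("%s%d%s", leet, year, sym))
				}
			}
		}
	}
	return out
}

// FindMangled reports whether target falls out of the rule set and how many guesses it took.
func FindMangled(target string, bases []string) (bool, int) {
	tested := 0
	for _, b := range bases {
		for _, c := range Candidates(b) {
			tested++
			if c == target {
				return true, tested
			}
		}
	}
	return false, tested
}

func main() {
	const rate = 1e10 // assumed guesses per second; illustrative, not a benchmark
	for _, n := range []int{8, 12, 16} {
		fmt.Printf("random, 95 printable chars, length %2d: %6.1f bits, %.3g years to exhaust\n",
			n, KeyspaceBits(95, n), BruteForceSeconds(95, n, rate)/(365*24*3600))
	}
	found, tested := FindMangled("N3wP@ssw0rd1922!", []string{"NewPassword"})
	fmt.Printf("N3wP@ssw0rd1922! (16 chars): found=%v after %d guesses; a 1,000-word base list\n", found, tested)
	fmt.Printf("  yields at most %d candidates (about %.0f bits)\n",
		1000*CandidatesPerWord(), math.Log2(float64(1000*CandidatesPerWord())))
}
```

A thousand base words times 88,032 mangled forms is under 10^8 candidates, roughly 26 bits, which is why a 16-character password built this way falls in seconds while the chart would put a random one of the same length far beyond any practical timescale.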

Keyboard Sequences NOT Secure

Keyboard sequences like qwerty or zxcvbnm, or patterns such as tracing a “Z” on the number pad, look complex but are among the first guesses a cracker tries. 123456 alone is used by 17% of users.

This practice is well known to hackers, yet it is still common according to the passwords recovered from recent breaches.
</gr_repl>

<gr_replace lines="239-240" cat="remove_boilerplate" orig="Single sign-on uses">

Single Sign-on Flawed

If you've signed up for access to third-party sites using your Facebook or Google account rather than creating a new user name and password, you'll want to revoke that access.

Single sign-on (SSO) uses your Google, Facebook or Apple ID to log into third-party sites.

Single sign-on uses your Google, Facebook or Apple ID to log into third-party sites.

SSO may be convenient, but creates a single point of failure.

But for all its convenience, consumer SSO has some real drawbacks, too.

It creates a single point of failure if something goes wrong. If your password or access token gets stolen from an account you use for SSO, all the other sites you used it to log in with could be exposed.

And not only do you have to trust the companies that offer SSO to protect your privacy and security, you also have to trust all the third-party websites offering these options to implement them correctly.
Wired

While sites using SSO may not be provided with your Facebook or Google password, they can access information that allows them to improve their profile of you.

Depending on the permissions you grant, that website can read much of your social media profile: your interests, friends, occupation, religion, political views, hobbies, etc.

Logging in to a website using a service such as Facebook or Google allows the website to make a request for data about you.

Linking two or more sites allows companies to collect more data, building an increasingly rounded profile about you.

Allowing one account to have access to others means that if the least secure account is hacked, the rest could also be compromised.
Natasha Stokes

Facebook and Google both collect vast amounts of data on users and resell it, threatening your privacy, and between them they control nearly all Internet advertising revenue.

Allows for BITB Attacks

A “browser in the browser” (BITB) phishing attack exploits the SSO pop-up flow: a malicious page uses HTML, CSS and JavaScript to draw a fake login window inside itself, complete with a convincing address bar showing the legitimate provider's URL, and captures whatever the user types into it. The fake can fool all but the most astute observer. One practical check: a genuine pop-up is a separate window that can be dragged past the edge of the browser window, while a fake one is trapped inside the page.

Change Compromised Passwords

It is a good idea to change your passwords regularly, but it is critical after you become aware that one has been compromised in a security breach.

Frequent password change policies sound good, but they only work if you employ a password manager. Otherwise people tend to use weak passwords because they are easy to remember.
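Most password managers' breach checks use the same technique, and it answers the concern raised earlier about handing a password to a third-party site: Have I Been Pwned's Pwned Passwords range query. Only the first five hex characters of the password's SHA-1 hash leave your machine; the service returns every leaked hash suffix sharing that prefix, and the comparison happens locally, so neither the password nor its full hash is disclosed. This added example (my own code, not from this page or from Have I Been Pwned) implements that client-side flow in Go. The response body is constructed to match the service's line format, with a made-up count, so the example runs offline; QueryRange shows the real request and is not called from main.

```go
package main

import (
	"bufio"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
	"strconv"
	"strings"
)

// Constructed stand-in for a range response: "SUFFIX:COUNT" lines for one 5-character
// prefix. The count shown for "password" is made up. Lines with count 0 are the padding
// the service adds on request, so a network observer cannot tell a hit from a miss by size.
const sampleRangeBody = `0018A45C4D1DEF81644B54AB7F969B88D65:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
2DC183F740EE76F27B78EB39C8AD972A757:13
7A3C0B1D2E4F5A6B7C8D9E0F1A2B3C4D5E6:0
`

// SplitHash returns the 5-character prefix that is sent and the 35-character suffix
// that stays local. The service works with uppercase hex SHA-1.
func SplitHash(password string) (prefix, suffix string) {
	sum := sha1.Sum([]byte(password))
	h := strings.ToUpper(hex.EncodeToString(sum[:]))
	return h[:5], h[5:]
}

// MatchRange scans a range response for our suffix. A padding line (count 0) is not a hit.
func MatchRange(suffix, body string) (count int, pwned bool, err error) {
	sc := bufio.NewScanner(strings.NewReader(body))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		parts := strings.SplitN(line, ":", 2)
		if len(parts) != 2 {
			return 0, false, fmt.Errorf("malformed line %q", line)
		}
		if !strings.EqualFold(parts[0], suffix) {
			continue
		}
		n, err := strconv.Atoi(strings.TrimSpace(parts[1]))
		if err != nil {
			return 0, false, fmt.Errorf("bad count in %q: %w", line, err)
		}
		return n, n > 0, nil
	}
	return 0, false, sc.Err()
}

// QueryRange performs the live lookup: GET /range/{prefix}, asking for padded responses.
// Shown for completeness; main below uses the constructed body instead.
func QueryRange(prefix string) (string, error) {
	req, err := http.NewRequest("GET", "https://api.pwnedpasswords.com/range/"+prefix, nil)
	if err != nil {
		return "", err
	}
	req.Header.Set("Add-Padding", "true")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("unexpected status %s", resp.Status)
	}
	b, err := io.ReadAll(resp.Body)
	return string(b), err
}

// CheckOffline runs the full client-side logic against a given range body.
func CheckOffline(password, body string) (int, bool, error) {
	_, suffix := SplitHash(password)
	return MatchRange(suffix, body)
}

func main() {
	// Both passwords are matched against the one constructed body; a live client would
	// fetch the body for each password's own prefix.
	for _, pw := range []string{"password", "correct horse battery staple"} {
		prefix, _ := SplitHash(pw)
		n, pwned, err := CheckOffline(pw, sampleRangeBody)
		fmt.Printf("%-32q prefix sent=%s pwned=%v count=%d err=%v\n", pw, prefix, pwned, n, err)
	}
}
```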

Sharing Passwords Risky

A surprising number of people share passwords without changing them afterwards.

The results of the LastPass Sharing Survey (infographic).
Credit: LastPass.

When you share a password, especially if it is done insecurely, you create a vulnerability that could cost you your privacy or empty your bank account.

Sharing Streaming Passwords

Many people share their streaming passwords with friends, family and others.

You may justify this with cost savings, but sharing your streaming passwords is putting your privacy and personal data at risk.

Sharing Passwords Between Work and Home

What about using the same passwords at home and at work?

This reduces the protection of both your personal and your business accounts.

What's frightening is that 47% of survey respondents admit there is no difference in passwords created for work and personal accounts.

Which means that one re-used password has the power to compromise an entire organization's network. A company's network security is only as strong as their weakest link — the employees.

Poor security habits can leave that door wide open for hackers.
LastPass blog

Remembering Passwords

Remembering complex passwords can be extremely difficult.

Even a password manager requires you to memorize your master password to protect your vault.

Memory Helpers

Remembering passwords can be made easier by using “memory helpers.”

One solution is to start from a sentence that makes sense to you but that others could not easily guess.

"Jason plays the Grand Piano on the 2nd & 4th Fridays in December" can help you remember JptGPot2&4FiD.

A mnemonic like this yields 13 characters, the short end of what is now necessary; make them longer wherever the site allows it.

Avoid Common Quotes or Slogans

Avoid phrases that are easily guessed, like frequently-quoted Bible verses or company slogans.

There is a limit to how many of these clever phrases you can create and remember.

I recommend a password manager to generate a long and strong password to protect your online accounts.

The password manager's master password must be even stronger, because it protects all your other accounts.

Be Careful With Lists

Be conscious of how you keep records of your passwords and don't use vulnerable locations which can easily be compromised.

Generating Passwords

Most humans tend to use recognizable patterns when creating passwords.

You want to create passwords that are long and strong that are unique for every site or application.

I recommend using a password manager to generate your passwords since they are then stored in a secure manner and usually available for use on multiple computers and devices (depending upon the one you choose).

Password Generators

Password generators produce random character strings; like the one-time pads you may have read about in the history books, their security rests entirely on the quality of that randomness.

Randomly generated passwords provide better security because users are unable to select passwords that are easily compromised.

Be sure of the integrity of the site or app before depending upon the passwords it generates.
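What a trustworthy generator does, and why the memory-helper method in the previous section yields far less randomness, is shown by this added example (my own code, not from this page or from any password manager). It draws every character from the operating system's cryptographic random source through an unbiased index (rand.Int rejects out-of-range draws rather than reducing a byte modulo the alphabet size, which would favour some characters), builds diceware-style passphrases from a word list, and reports the entropy of each in bits. The 16-word list is constructed for illustration; a real generator uses a list of thousands of words. Mnemonic implements the sentence-initials rule from the Memory Helpers section and reproduces the article's example, JptGPot2&4FiD.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math"
	"math/big"
	"strings"
)

const (
	Lower   = "abcdefghijklmnopqrstuvwxyz"
	Upper   = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
	Digits  = "0123456789"
	Symbols = "!#$%&()*+,-./:;<=>?@[]^_{|}~"
	All     = Lower + Upper + Digits + Symbols
)

// Constructed word list for the passphrase demo. Sixteen words give only 4 bits each;
// a real list of thousands of words gives 12 or more bits per word.
var SampleWords = []string{
	"anchor", "basket", "candle", "dolphin", "ember", "falcon", "garden", "harbor",
	"island", "jigsaw", "kettle", "lantern", "meadow", "nectar", "orbit", "pebble",
}

// randIndex returns a uniform integer in [0, n) from the OS CSPRNG. rand.Int draws and
// rejects until the value fits, so every index is equally likely.
func randIndex(n int) (int, error) {
	v, err := rand.Int(rand.Reader, big.NewInt(int64(n)))
	if err != nil {
		return 0, err
	}
	return int(v.Int64()), nil
}

// RandomPassword draws each character independently and uniformly from charset.
func RandomPassword(length int, charset string) (string, error) {
	if length <= 0 || charset == "" {
		return "", errors.New("length and charset must be non-empty")
	}
	out := make([]byte, length)
	for i := range out {
		idx, err := randIndex(len(charset))
		if err != nil {
			return "", err
		}
		out[i] = charset[idx]
	}
	return string(out), nil
}

// Passphrase picks n words with replacement and joins them with sep.
func Passphrase(n int, words []string, sep string) (string, error) {
	if n <= 0 || len(words) == 0 {
		return "", errors.New("need at least one word and one pick")
	}
	picks := make([]string, n)
	for i := range picks {
		idx, err := randIndex(len(words))
		if err != nil {
			return "", err
		}
		picks[i] = words[idx]
	}
	return strings.Join(picks, sep), nil
}

// EntropyBits is log2(choices^count) for count independent, uniform choices.
func EntropyBits(choices, count int) float64 {
	return float64(count) * math.Log2(float64(choices))
}

// Mnemonic applies the article's memory-helper rule: the first character of each word.
func Mnemonic(sentence string) string {
	var b strings.Builder
	for _, w := range strings.Fields(sentence) {
		b.WriteRune([]rune(w)[0])
	}
	return b.String()
}

func main() {
	pw, err := RandomPassword(20, All)
	if err != nil {
		panic(err)
	}
	fmt.Printf("generated  %q  (%.0f bits)\n", pw, EntropyBits(len(All), 20))
	pp, _ := Passphrase(6, SampleWords, "-")
	fmt.Printf("passphrase %q  (%.0f bits with this 16-word list; about 77 bits with a 7,776-word list)\n",
		pp, EntropyBits(len(SampleWords), 6))
	m := Mnemonic("Jason plays the Grand Piano on the 2nd & 4th Fridays in December")
	fmt.Printf("mnemonic   %q  (%d characters, but chosen by a person, not at random)\n", m, len(m))
}
```

The entropy figures assume the attacker knows the method and the alphabet, which is the right assumption to make. That is exactly what a mnemonic lacks: a sentence a person chooses is drawn from a far smaller and more predictable space than its 13-character length suggests.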

What About Passkeys?

Passkeys are a pair of cryptographic keys (one public; one private) generated by your device. The private key never leaves the device; the website stores only the public key and, at login, verifies that your device signed a fresh challenge with the matching private key.

Passkeys are a much better solution for the websites that support them. Most such sites require you to set up a traditional password-based account first, then provide an advanced option to add a passkey in settings.

Passkeys have plenty of benefits; for example, they cannot be guessed or shared. Passkeys are resistant to phishing attempts because they're unique to the sites they're created for, so they won't work on fraudulent lookalike sites. Most importantly, in the age of near-constant data breaches, your passkeys cannot be stolen by hacking into a company's server or database, making the data extracted in such breaches less valuable to criminals.
PCMag

Passkey Support Added to Windows 11

Microsoft added passkey support to Windows 11 in the September 2023 Moment 4 update. After you've set up passkeys for some sites, you can view them here:

Start ⇒ Settings ⇒ Accounts ⇒ Passkeys
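The mechanics behind those benefits, as an added example (my own code, not from PCMag, Microsoft or this page, and a simplification of the WebAuthn protocol that passkeys use): at registration the device generates a P-256 key pair and sends the site only the public key; at login the site issues a random challenge, the browser passes the site's identifier (the rpID, derived from the page's real domain) and origin to the authenticator, and the authenticator signs challenge, origin and rpID together. A lookalike domain has a different rpID, so the authenticator holds no matching key and signs nothing; a stolen copy of the site's database holds public keys only, which cannot produce a signature. The type names, the message layout and the NUL-separated digest are this example's simplifications, not the standard's exact structures.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the device: private keys never leave it, filed under the rpID (domain) they belong to.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

// RelyingParty models the website: it keeps only public keys plus outstanding one-time challenges.
type RelyingParty struct {
	ID, Origin string
	pubkeys    map[string]*ecdsa.PublicKey // username -> public key
	pending    map[string][]byte           // username -> challenge awaiting a reply
}

// Assertion is the login message. Origin is the page the browser is really on and is covered by the signature.
type Assertion struct {
	User, RPID, Origin   string
	Challenge, Signature []byte
}

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }

func NewRelyingParty(id, origin string) *RelyingParty {
	return &RelyingParty{ID: id, Origin: origin, pubkeys: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
}

// signedMessage binds rpID, origin and challenge into the digest that gets signed
// (a simplification of WebAuthn's authenticatorData || SHA-256(clientDataJSON)).
func signedMessage(rpID, origin string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID + "\x00" + origin + "\x00")) // NUL separators keep the fields distinct
	h.Write(challenge)
	return h.Sum(nil)
}

// Register creates a key pair on the device; only the public half reaches the server.
func (a *Authenticator) Register(rp *RelyingParty, user string) error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	a.keys[rp.ID] = priv
	rp.pubkeys[user] = &priv.PublicKey
	return nil
}

// Challenge issues a fresh random nonce for one login attempt.
func (rp *RelyingParty) Challenge(user string) []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	rp.pending[user] = c
	return c
}

// Assert is the browser's request to the device; rpID comes from the page's real domain, so a lookalike finds no key.
func (a *Authenticator) Assert(rpID, origin, user string, challenge []byte) (Assertion, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return Assertion{}, fmt.Errorf("no passkey registered for %q", rpID)
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(rpID, origin, challenge))
	return Assertion{User: user, RPID: rpID, Origin: origin, Challenge: challenge, Signature: sig}, err
}

// Verify checks origin, single-use challenge and the signature against the stored public key.
func (rp *RelyingParty) Verify(as Assertion) error {
	pub, ok := rp.pubkeys[as.User]
	if !ok {
		return errors.New("unknown user")
	}
	if as.Origin != rp.Origin || as.RPID != rp.ID {
		return fmt.Errorf("assertion for %s (%s), expected %s (%s)", as.Origin, as.RPID, rp.Origin, rp.ID)
	}
	if want, ok := rp.pending[as.User]; !ok || !bytes.Equal(want, as.Challenge) {
		return errors.New("unknown or already-used challenge")
	}
	delete(rp.pending, as.User)
	if !ecdsa.VerifyASN1(pub, signedMessage(rp.ID, rp.Origin, as.Challenge), as.Signature) {
		return errors.New("signature does not verify")
	}
	return nil
}

func main() {
	rp, dev := NewRelyingParty("example.com", "https://example.com"), NewAuthenticator()
	if err := dev.Register(rp, "alice"); err != nil {
		panic(err)
	}
	as, _ := dev.Assert(rp.ID, rp.Origin, "alice", rp.Challenge("alice"))
	fmt.Println("genuine login:     ", rp.Verify(as))
	fmt.Println("replayed assertion:", rp.Verify(as))
	_, err := dev.Assert("examp1e.com", "https://examp1e.com", "alice", rp.Challenge("alice"))
	fmt.Println("lookalike site:    ", err)
}
```

Three properties the code enforces are worth checking in any passkey implementation: the challenge is single-use (a captured assertion cannot be replayed), the origin is inside the signed data (an assertion obtained on another site fails verification even with a genuine signature), and the server's store contains nothing that can sign.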

RussHarvey.bc.ca/resources/passwords.html
Updated: January 16, 2024