Jay Butler, Project Manager
Passwords have been used since ancient times, but until the digital age most people outside the military probably never needed one. People stored their most valuable possessions under lock and key, alongside anything of value on paper such as cash and personal documents. In our digital age, most of an individual’s valuable property is stored electronically rather than physically; as a result, people today carry more passwords in their heads than they ever did keys in their pockets. Common criminals, in turn, have advanced from picking locks by hand to stealing and cracking electronic passwords.
To help thwart this criminal activity, here are 10 common methods used to crack passwords followed by 10 recommendations to reduce the odds of their success.
10 common password cracking methods include:
- Guessing – the attacker gathers information about the user (family names, birthdays, pets, hobbies) and tries passwords built from it.
- Dictionary attack – systematically trying every word in a wordlist: the ordinary dictionary plus lists of passwords leaked from earlier breaches.
- Hybrid – a dictionary attack whose words are also mutated by rules, most commonly a number or symbol added to the end, a capitalization change, or letters swapped for look-alike digits and symbols (a→@, e→3, o→0).
- Brute force attack – systematically trying every combination of characters up to a given length; the work grows exponentially with the length of the password.
- Rainbow table attack – an attacker who has stolen the stored password hashes looks each one up in a precomputed table that maps hashes back to passwords; it works only when the hashes were stored without a per-user salt.
- Phishing – tricking the user into revealing his/her credentials, typically via email or a look-alike web site.
- Social engineering – tricking the user into revealing his/her credentials, typically over the phone. Phishing is a form of social engineering.
- Malware – malicious software, some of which logs keystrokes, steals saved passwords, or copies stored password files for offline cracking.
- Shoulder surfing – observing the user enter his/her credentials.
- Web crawling – software that browses the web harvesting information such as leaked username/password lists or personal details that feed guessing attacks.
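The dictionary, hybrid, brute force and rainbow table entries above are easiest to understand by watching them run against stored hashes. The following Python is an added example written for this page, not code from the original article. The five-word wordlist and the "stolen" hashes are constructed here, and SHA-256 stands in for whatever fast, unsalted hash a weak system might use. It shows that hybrid rules recover "Liberty!" and "Dragon2012" that a plain dictionary pass misses, that a table precomputed from the same rules reverses stored hashes instantly, and that a per-user salt stored beside the hash makes that table worthless and forces the attacker to redo the work for every account.

```python
import hashlib
import itertools
import os
import string

# Constructed sample wordlist (an assumption for this example; real lists hold millions).
WORDLIST = ["liberty", "password", "welcome", "summer", "dragon"]


def h(text: str) -> str:
    """SHA-256 stands in for any fast, unsalted hash. Real systems should use a slow,
    salted scheme such as bcrypt, scrypt or Argon2, which makes every step below costlier."""
    return hashlib.sha256(text.encode()).hexdigest()


def hybrid_candidates(word: str):
    """Mutations a hybrid attack applies to one dictionary word: capitalization,
    look-alike substitutions, and a digit, symbol or year tacked onto the end."""
    leet = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
    bases = {word, word.capitalize(), word.upper(),
             word.translate(leet), word.capitalize().translate(leet)}
    tails = [""] + list(string.digits) + ["!", "?", "#", "$"] \
        + [str(year) for year in range(2000, 2021)]
    for base in bases:
        for tail in tails:
            yield base + tail


def dictionary_attack(target: str, wordlist=WORDLIST, hybrid=False):
    """Plain dictionary attack, or a hybrid attack when the rules are switched on."""
    for word in wordlist:
        for cand in (hybrid_candidates(word) if hybrid else [word]):
            if h(cand) == target:
                return cand
    return None


def brute_force(target: str, alphabet: str, max_len: int):
    """Every combination up to max_len; returns (password, guesses tried).
    The count grows as len(alphabet) ** length, which is why length matters most."""
    tried = 0
    for n in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=n):
            tried += 1
            cand = "".join(combo)
            if h(cand) == target:
                return cand, tried
    return None, tried


def precompute_table(wordlist=WORDLIST) -> dict:
    """Rainbow-table stand-in: hash -> password computed once, reusable against
    any stolen file of unsalted hashes."""
    return {h(cand): cand for word in wordlist for cand in hybrid_candidates(word)}


def store_salted(password: str, salt=None):
    """How a defender should store a password: a random per-user salt kept beside the hash."""
    salt = salt if salt is not None else os.urandom(16).hex()
    return salt, h(salt + password)


def crack_salted(salt: str, target: str, wordlist=WORDLIST):
    """With a salt the attacker must redo the hybrid search for this one user;
    nothing precomputed for other users or other dumps carries over."""
    for word in wordlist:
        for cand in hybrid_candidates(word):
            if h(salt + cand) == target:
                return cand
    return None


if __name__ == "__main__":
    stolen = h("Dragon2012")  # an unsalted hash from a constructed "stolen" file
    print(dictionary_attack(stolen))                    # None: not a bare word
    print(dictionary_attack(stolen, hybrid=True))       # Dragon2012
    print(precompute_table().get(stolen))               # Dragon2012, instantly
    salt, salted = store_salted("Dragon2012")
    print(precompute_table().get(salted))               # None: the table is useless
    print(crack_salted(salt, salted))                   # Dragon2012, after fresh work
    print(dictionary_attack(h("2102!ytr3b1L"), hybrid=True))  # None: no rule produces it
```

The salt does not stop an attacker from guessing one user's weak password; it only removes the shared precomputation. The real defense is a password outside the hybrid search space, which is the point of the recommendations that follow.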
10 recommendations everyone can use to reduce the risk of password compromise:
- Use strong (complex) passwords on all your accounts. A truly complex password contains no dictionary words. It is made up of randomly selected letters, numbers, and symbols, with both uppercase and lowercase letters. Disperse the symbols and numbers within the password rather than tacking them onto the end, because a hybrid attack specifically tries every word with a number or symbol appended. A strong password is an excellent defense against guessing, dictionary, and hybrid attacks.
- Change your passwords regularly. Financial Institution (FI) networks force this change at least every 60 days per FFIEC guidelines. Use this as an example and manually change all of your passwords regularly; the more sensitive the account, the more often you should change the password. Change a password immediately, not on schedule, if you suspect it has been phished, stolen, or used on a compromised machine.
- Use passwords of at least 12 characters*. Again, the more sensitive the account, the more characters you should use. Every additional character multiplies the number of combinations a brute force attack must try, so length is the strongest defense against brute force attacks.
- Never share your password with anyone. If someone you trust contacts you asking for the password, do not provide it under any circumstance. It may not be the person (or web site) you think it is (social engineering/phishing); a legitimate help desk or FI will never need your password.
- Never type or write your password any place other than the password field. The one exception is a legitimate, secure password storage tool; used properly, such a tool helps you manage the large number of passwords most people must maintain, but care should be taken in choosing it and protecting the master password that unlocks it.
- Never enter any information into a web site after clicking a link (a link in an email, from a web search, or otherwise). Always manually type out the web site address and ensure it is a secure site. A secure web site starts with https:// in the web address and presents a site certificate; look for the lock symbol in your Internet browser address bar. Click the lock to confirm the certificate was issued to the web site’s name, and read the address itself carefully: the lock only proves the connection is encrypted to the address shown, and a phishing site can hold a valid certificate for a look-alike name.
- Never enter your password in public places or in open areas where your screen can be viewed by others. Prevent shoulder surfing.
- Be sure your machine has virus protection software running at all times. Your work computer will include Antivirus software, but you can help by confirming it is installed and running. Your Systems Administrator can help you determine your specific solution. Otherwise, be sure your home machine and any other machine you use has virus protection. Help prevent malware.
- Avoid entering sensitive credentials on computers you do not control or normally use. Examples are kiosk machines, library machines, or a friend’s machine; even your home machine is likely less protected than the machine at your FI office, which most assuredly is more secure than any other you are likely to use. The fewer machines you use your credentials on, the better.
- Do not use the same password for all your sensitive accounts. A password stolen from one site will be tried against your others, so use a unique password for every account, at least for the most sensitive ones. If you find it too difficult to keep track, at least use a few different ones. That is much better than using one for everything.
*Creating a strong password that is at least 12 characters in length is the cornerstone of good password security. Because creating one can be quite challenging in practice, I am including the following section to assist in your efforts. Please DO NOT use any of these example passwords as your own. They are for illustrative purposes only.
Creating Strong Passwords in Practice
A common technique is to use a “Pass Phrase”. This involves thinking of a phrase or sentence that means something to you and using it to create a complex password. For example, “My son is 12 and my daughter is 10 (but she is better in math!).” could be used to create “Msi12amdi10(bsibim!).”. That is significantly more than 12 characters, but that only serves to make it stronger. The key is to include symbols within the password, not just tacked on to the front or end. That holds true for numbers as well. The password in this example is very strong: it appears in no wordlist, no hybrid rule produces it, and it is far too long for brute force.
Here’s a similar method that requires a little more creativity. The resulting password is not as strong as the previous example, but it would be adequate for most needs. As explained, your passwords can vary in strength depending on the account. Think of a word that means something to you and jumble it up so that it no longer appears in any wordlist. Spell it backwards, add numbers, replace some of the characters, and you have a strong password. Liberty!2012 could become 2102!ytr3b1L.
It’s also acceptable to use a word like Liberty and disperse numbers and symbols after each letter: L3i?b^e2r5t>y0. The numbers could be a phone number or anything you can easily associate with something familiar, as long as it is not a detail an attacker could look up about you. You can devise a system for adding symbols by picking a few and using them the same way within your different passwords. This example is a very strong password.
Using Pass Phrases as the Password
“Pass Phrases” can also be used literally, that is, a real phrase or sentence becomes the password. A very strong password that is easy to remember and type can be attained using this technique. Start the same way you did in the previous example, but this time use the phrase or sentence itself. A good one might be “I love 2 be outdoors!” It must include the spaces and punctuation to be strong, and ideally it would be much longer than 12 characters as well. Where spaces are not allowed (which is common outside of Microsoft Windows domains), you can use symbols in place of the spaces like this: “I%Love&2>be:Outdoors!”. A password like this one is easier to remember than something completely random while being, for practical purposes, just as strong.
Now you’re probably thinking, “Hey, doesn’t that break the cardinal rule of NOT USING WORDS in a password?” Yes, but that rule is aimed at a typical short password such as “Iamgood!”, which is exactly what a hybrid attack tries: a few common words run together with a symbol on the end. A long phrase with symbols mixed in between the words, as in “I%Love&2>be:Outdoors!”, lies outside the space any dictionary or hybrid attack searches and is far too long for brute force, so it is an excellent strong password while “Iamgood!” is NOT considered very strong at all.
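To put numbers on the 12-character recommendation above and on the example passwords in this section, here is an added Python estimator, written for this page rather than taken from the original article. The guess rates are assumptions: roughly 10^10 guesses per second for an offline attack against a fast unsalted hash on commodity GPUs, and 10 per second for a rate-limited online login form. The charset-based keyspace estimate is the usual one, and it flatters a password that a hybrid attack would find long before brute force does, so the example also flags a plain word with a short numeric or symbol tail as being within hybrid reach.

```python
import math
import re
import string

# Assumed guess rates (not from the article): an offline attack on a fast unsalted
# hash with commodity GPUs, and a rate-limited online login form.
OFFLINE_RATE = 1e10   # guesses per second
ONLINE_RATE = 10.0    # guesses per second
SECONDS_PER_YEAR = 365 * 24 * 3600

# A run of letters followed by at most a short tail of digits/symbols is exactly
# what a hybrid attack generates from a wordlist, regardless of the charset math.
WORD_PLUS_TAIL = re.compile(r"^[A-Za-z]{3,}[0-9!@#$%^&*?.,]{0,6}$")


def charset_size(password: str) -> int:
    """Alphabet size a brute-force attacker must assume, built from the standard
    character classes the password actually uses."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation or c == " " for c in password):
        size += 33  # 32 ASCII punctuation characters plus the space
    return size


def keyspace(password: str) -> int:
    """Number of strings of the same length over the same character classes."""
    return charset_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    return math.log2(keyspace(password))


def years_to_crack(password: str, rate: float = OFFLINE_RATE) -> float:
    """Expected brute-force time: on average half the keyspace is searched."""
    return keyspace(password) / 2 / rate / SECONDS_PER_YEAR


def within_hybrid_reach(password: str) -> bool:
    """True when a dictionary-plus-rules attack, not brute force, is the real threat."""
    return WORD_PLUS_TAIL.match(password) is not None


def assess(password: str) -> dict:
    return {
        "length": len(password),
        "charset": charset_size(password),
        "bits": round(entropy_bits(password), 1),
        "hybrid_reach": within_hybrid_reach(password),
        "offline_years": years_to_crack(password),
        "online_years": years_to_crack(password, ONLINE_RATE),
    }


if __name__ == "__main__":
    # The article's own examples, weakest first.
    for pw in ["Iamgood!", "Liberty!2012", "2102!ytr3b1L",
               "Msi12amdi10(bsibim!).", "I%Love&2>be:Outdoors!"]:
        print(f"{pw:24} {assess(pw)}")
```

Two things stand out when this runs. "Iamgood!" has a respectable-looking 51 bits by charset math and would still take millions of years through a rate-limited login, yet falls to offline brute force in days and to a hybrid attack in seconds; and both 21-character phrases sit far beyond any brute-force budget while matching no hybrid pattern. Length does the heavy lifting, and the offline case is what matters once a password file has been stolen.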
In the end, passwords are inherently flawed, but the techniques I’ve outlined can significantly reduce your risk. Two factor authentication greatly reduces what an attacker gains from a stolen or cracked password, because each login also requires a uniquely generated code that changes with every use. The user typically carries an electronic token on his/her keychain and enters the randomly generated code along with a personal PIN during the logon process (rather than, or in addition to, a conventional password). Newer technology called software tokens makes it possible to retrieve the code directly from your smartphone, PC, or tablet. Until that technology or something new completely replaces the use of conventional passwords, we are unfortunately stuck with remembering a mountain of complex passwords the best we can.