Passwords Are On Life Support

Passwords are not dead – not yet.  But they are on life support.  They are no longer enough to truly secure anything on their own.

I just read a sobering, eye-popping article on NetMux that discussed easy ways to crack passwords that are longer than 12 characters.

What makes this so disheartening for me is that I have been telling everyone to increase their password length to twelve characters or longer, because brute force password cracking would simply take too long to be useful to the cyber-criminal.  But humans are predictable and create passwords using patterns that can be guessed far more easily.  It turns out there are tools that take advantage of this predictability, using sophisticated dictionary and hybrid password-cracking techniques that need much less time than brute force.

These techniques work best against simple, fast hashing functions such as MD5 or SHA-1.  If your password has been salted, hashed and key-stretched using a method such as bcrypt, these tactics will be far less effective.  But that decision is made by the web service that stores your password, not by you.

There are two things you can do to help overcome this situation.  The first is to use a password manager such as LastPass to create truly random passwords of at least 12 and ideally up to 20 characters.  A long, randomly generated password removes the element of human predictability.  The second tactic is two-factor authentication using an authenticator app or token.  That way, if your password is cracked and put up for sale on the Dark Web, it will be useless without the six-digit 2FA passcode on your phone or token.
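To make the two points above concrete, here is an added Python example (not from the NetMux article or this post) contrasting the unsalted fast hash the article warns about with a salted, key-stretched scheme, and generating a manager-style random password. Assumptions: PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt, the 600,000 iteration count and the 94-character alphabet are my choices, and no real password data is used.

```python
import hashlib
import hmac
import math
import os
import secrets
import string

# Scheme 1: the weak case the article describes. No salt, one fast hash, so
# every user with the same password stores the same digest and a precomputed
# dictionary lookup works against all of them at once.
def sha1_store(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest()

# Scheme 2: salted and key-stretched. The article names bcrypt; this uses
# stdlib PBKDF2-HMAC-SHA256 with the same design (assumed iteration count).
ITERATIONS = 600_000

def stretched_store(password: str, salt=None) -> str:
    salt = salt or os.urandom(16)          # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def stretched_verify(password: str, stored: str) -> bool:
    _, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    # constant-time comparison so verification does not leak digest bytes
    return hmac.compare_digest(digest.hex(), digest_hex)

# Manager-style password: every character drawn from a CSPRNG, so there is no
# human pattern for a dictionary or hybrid rule to exploit.
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

def random_password(length: int = 20) -> str:
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    # valid only for uniformly random choice; a human-chosen password of the
    # same length carries far less entropy than this figure
    return length * math.log2(alphabet_size)

if __name__ == "__main__":
    pw = random_password()
    print(pw, f"{entropy_bits(len(pw)):.1f} bits")
    print("SHA-1 twice  :", sha1_store(pw) == sha1_store(pw))            # True
    print("PBKDF2 twice :", stretched_store(pw) == stretched_store(pw))  # False
```

Two users sharing a password produce identical SHA-1 digests but different PBKDF2 records, and each PBKDF2 guess costs 600,000 hash operations instead of one.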

So there is hope, but only if you act.

More information:


About the Author:

Cybersecurity guru to business owners in the St Paul, Minneapolis, and western Wisconsin area. Computer security and hacking have been a passion of mine since I entered the computer and networking business in 2000. In 2013 I completed a course of study and certification exam to become a Certified Ethical Hacker (CEH). In 2016 I was certified as a Certified Information Systems Security Professional (CISSP). As Senior Cybersecurity Engineer at Computer Integration Technologies, I help our clients experience high levels of computer security, network security, and web site security. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also provide Cybersecurity Awareness Training for clients and their employees. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. The views expressed on this Web site are mine alone and do not necessarily represent the views of my employer.
