Passwords Are On Life Support

Passwords are not dead – not yet.  But they are on life support.  They are no longer enough to truly secure anything on their own.

I just read a sobering, eye-popping article on NetMux that discussed easy ways to crack passwords that are longer than 12 characters.

What makes this so disheartening for me is that I have been telling everyone to increase their password length to twelve characters or longer, because brute-force password solving would take too long to be useful to the cyber-criminal.  But humans are predictable and create passwords using patterns that can be guessed far more easily.  And it turns out there are tools that take advantage of this predictability by using sophisticated dictionary and hybrid password cracking techniques that take much less time than brute force.

These techniques work best against fast, unsalted hashing functions such as MD5 or SHA-1.  If your password has been salted and hashed with a deliberately slow, key-stretching function such as bcrypt, then these tactics will be far less effective, because every single guess costs the attacker the same stretched computation.  But this is a decision that is made by the web service that is storing your password, not by you.
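To make the difference concrete, here is an added example (not code from this post or from the NetMux article) that stores and verifies a password the way a well-run service should, and measures how many guesses per second each scheme allows on the local machine. PBKDF2-HMAC-SHA256 stands in for bcrypt only because it ships with Python's standard library; the iteration count, the candidate-guess list and the salt used for the timing run are constructed values for the demo.

```python
import hashlib
import hmac
import os
import time

# Assumption: a demo work factor. Production deployments choose a higher
# iteration count (or bcrypt/scrypt/Argon2) sized to their own hardware.
ITERATIONS = 100_000


def fast_unsalted_hash(password: str) -> str:
    """The weak scheme: a single MD5 over the password, no salt, no stretching."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def store_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, stretched storage: 16 random salt bytes plus PBKDF2-HMAC-SHA256.

    The record carries the algorithm, work factor and salt so the service can
    verify later and raise the work factor over time.
    """
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def guesses_per_second(hash_one, guesses) -> float:
    """Throughput of one hashing scheme over a list of candidate passwords."""
    start = time.perf_counter()
    for guess in guesses:
        hash_one(guess)
    elapsed = time.perf_counter() - start
    return len(guesses) / max(elapsed, 1e-9)


def slowdown_factor(n_fast: int = 20000, n_slow: int = 20) -> float:
    """How many times fewer guesses per second the stretched scheme permits."""
    # Constructed candidate list in the predictable human style the post
    # describes; the values are made up for the demo.
    fast_guesses = [f"Summer{i}!" for i in range(n_fast)]
    slow_guesses = fast_guesses[:n_slow]
    fixed_salt = b"\x00" * 16  # fixed salt so the timing run is repeatable
    slow_rate = guesses_per_second(
        lambda p: hashlib.pbkdf2_hmac("sha256", p.encode("utf-8"), fixed_salt, ITERATIONS),
        slow_guesses)
    fast_rate = guesses_per_second(fast_unsalted_hash, fast_guesses)
    return fast_rate / slow_rate


if __name__ == "__main__":
    record = store_password("correct horse battery staple")
    print("stored record :", record)
    print("verify correct:", verify_password("correct horse battery staple", record))
    print("verify wrong  :", verify_password("Summer2019!", record))
    print(f"stretched hashing cuts guessing throughput by roughly {slowdown_factor():,.0f}x")
```

The exact ratio depends on the machine, but it is typically tens of thousands: the salt defeats precomputed tables, and the stretching turns millions of guesses per second into dozens. Note that none of this is under the user's control, which is the point the paragraph above makes.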

There are two things you can do to help overcome this situation.  The first is to use a password manager such as LastPass to create truly random passwords of at least 12 and ideally 20 characters.  Using a long, randomly generated password removes the element of human predictability.  The second tactic you need to employ is two-factor authentication using an authenticator app or token.  That way, if your password is solved and placed for sale on the Dark Web, it will be useless without the six-digit 2FA passcode on your phone or token.

So there is hope, but only if you act.

More information:


About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Owner of the WyzCo Group Inc. In addition to consulting on security products and services, Bob also conducts security audits, compliance audits, vulnerability assessments and penetration tests. Bob also teaches Cybersecurity Awareness Training classes. Bob works as an instructor for CompTIA’s non-profit IT-Ready Program in the Twin Cities. IT-Ready is a tuition-free 8-week program designed to teach students of all ages the fundamentals of IT support to prepare them for an entry-level position in Information Technology Support. Graduates of the classes take the exams to become CompTIA A+ certified. Bob is a frequent speaker at conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. Bob has been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com
