Passwords are not dead – not yet. But they are on life support. They are no longer enough to truly secure anything on their own.
I just read a sobering, eye-opening article on NetMux that discussed easy ways to crack passwords that are longer than 12 characters.
What makes this so disheartening for me is that I have been telling everyone to increase their password length to twelve characters or longer, because brute-force password cracking would take too long to be useful to the cyber-criminal. But humans are predictable and build passwords from patterns that can be guessed far more easily. And it turns out there are tools that take advantage of this predictability with sophisticated dictionary and hybrid cracking techniques, which need much less time than brute force.
These techniques work best against fast, unsalted hashing functions such as MD5 or SHA-1. If your password has been salted and hashed with a deliberately slow, work-factor-extended method such as bcrypt, these tactics will not be nearly so effective. But this is a decision made by the web service that is storing your password, not by you.
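To make the point concrete, here is an added example (my own illustration, not code from the NetMux article) contrasting the two storage styles. It uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for bcrypt, since both are salted and deliberately slow; the iteration count and the sample passwords are assumptions for the demo. Two users with the same password get identical MD5 digests, so one precomputed lookup breaks both, while the salted scheme gives each a different digest and makes every guess cost hundreds of thousands of hash operations instead of one.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Assumed work factor for the demo; production deployments tune this
# to the hardware budget they are willing to spend per login.
PBKDF2_ITERATIONS = 200_000


def fast_unsalted_hash(password: str) -> str:
    """What a weak service stores: raw MD5 of the password, no salt."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def slow_salted_hash(password: str, salt: Optional[bytes] = None,
                     iterations: int = PBKDF2_ITERATIONS) -> Tuple[bytes, bytes]:
    """What a careful service stores: per-user random salt plus a slow KDF output."""
    if salt is None:
        salt = os.urandom(16)          # fresh 128-bit salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_slow_salted(password: str, salt: bytes, expected: bytes,
                       iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = slow_salted_hash(password, salt, iterations)
    return hmac.compare_digest(digest, expected)


def same_password_same_digest(password: str) -> bool:
    """True for MD5: two accounts with one password share a digest (lookup tables work)."""
    return fast_unsalted_hash(password) == fast_unsalted_hash(password)


def same_password_different_digest(password: str) -> bool:
    """True for the salted KDF: identical passwords still yield distinct stored values."""
    _, d1 = slow_salted_hash(password)
    _, d2 = slow_salted_hash(password)
    return d1 != d2


def cost_ratio(password: str = "Summer2024!!", md5_samples: int = 2000) -> float:
    """Rough ratio of the time to check one guess under PBKDF2 versus MD5."""
    start = time.perf_counter()
    for _ in range(md5_samples):
        fast_unsalted_hash(password)
    md5_each = (time.perf_counter() - start) / md5_samples

    salt = os.urandom(16)
    start = time.perf_counter()
    slow_salted_hash(password, salt)
    kdf_each = time.perf_counter() - start
    return kdf_each / md5_each


if __name__ == "__main__":
    # Constructed sample credential for the demo.
    salt, stored = slow_salted_hash("Summer2024!!")
    print("MD5 collides for equal passwords:", same_password_same_digest("Summer2024!!"))
    print("Salted KDF differs for equal passwords:", same_password_different_digest("Summer2024!!"))
    print("Correct password verifies:", verify_slow_salted("Summer2024!!", salt, stored))
    print("Wrong password rejected:", not verify_slow_salted("Summer2024!", salt, stored))
    print("Approx. cost per guess, KDF vs MD5: %.0fx" % cost_ratio())
```

The ratio printed by `cost_ratio` varies by machine, but it is the number that matters: every guess in a dictionary or hybrid run pays that multiplier, which is what turns a weekend of cracking into years when the service has chosen a slow, salted hash.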
There are two things you can do to help overcome this situation. The first is to use a password manager such as LastPass to create truly random passwords of at least 12 to maybe 20 characters. A long, randomly generated password removes the element of human predictability that these tools exploit. The second tactic you need to employ is two-factor authentication using an authenticator app or hardware token. That way, if your password is cracked and offered for sale on the Dark Web, it is useless without the six-digit 2FA passcode on your phone or token.
So there is hope, but only if you act.
- Cracking 12 Character & Above Passwords, Combo & Hybrid Password Attacks
- This is a fairly technical read, but if you are using passwords alone to secure anything, this will cure you of that fantasy.