Passwords Are On Life Support

Passwords are not dead – not yet.  But they are on life support.  They are no longer enough to truly secure anything on their own.

I just read a sobering, eye-popping article on NetMux that discussed easy ways to crack passwords that are longer than 12 characters.

What makes this so disheartening for me is that I have been telling everyone to increase their password length to twelve characters or longer, because brute-force password cracking would just take too long to be useful to the cyber-criminal.  But humans are predictable and build passwords from patterns that can be guessed far more easily.  It turns out there are tools that take advantage of this predictability, using sophisticated dictionary and hybrid password-cracking techniques that finish in much less time than brute force.

These techniques work best against fast, simple hashing functions such as MD5 or SHA-1.  If your password has been salted and hashed with a deliberately slow, iterated algorithm such as bcrypt, these tactics will be far less effective.  But that decision is made by the web service that is storing your password, not by you.
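To make the point concrete, here is an added example (not from the NetMux article or this blog) that shows how much the service's choice of hashing scheme matters. It compares a single unsalted SHA-1 pass with a salted, iterated key-derivation function. PBKDF2-HMAC-SHA256 from Python's standard library stands in for bcrypt here because bcrypt is not in the standard library; the iteration count is an assumed work factor, and the candidate strings are constructed for the timing loop.

```python
"""Added example: fast unsalted hash vs. salted, iterated KDF.

Measures how many candidate passwords one core can check per second
against each scheme. The gap is the defender's margin: a slow, salted
scheme turns a minutes-long dictionary run into years.
"""
import hashlib
import hmac
import os
import time
from typing import Callable, Optional, Tuple

# Assumed work factor (hypothetical value, not from the article); a real
# service tunes this until one verification takes roughly 100 ms.
PBKDF2_ITERATIONS = 100_000


def hash_fast_unsalted(password: str) -> bytes:
    """The weak scheme: one SHA-1 pass, no salt."""
    return hashlib.sha1(password.encode("utf-8")).digest()


def hash_slow_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """The stronger scheme: a random per-user salt plus an iterated KDF."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_slow_salted(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_slow_salted(password, salt)
    return hmac.compare_digest(digest, stored)


def guesses_per_second(hash_fn: Callable[[str], object], seconds: float = 0.3) -> float:
    """Count how many constructed candidates hash_fn processes in `seconds`."""
    count = 0
    deadline = time.perf_counter() + seconds
    while time.perf_counter() < deadline:
        hash_fn(f"candidate{count}")  # constructed candidate, not a real password
        count += 1
    return count / seconds


def speedup_factor(seconds: float = 0.3) -> float:
    """How many times faster an attacker can test guesses against SHA-1 than PBKDF2."""
    salt = os.urandom(16)
    fast = guesses_per_second(hash_fast_unsalted, seconds)
    slow = guesses_per_second(lambda p: hash_slow_salted(p, salt), seconds)
    return fast / slow


if __name__ == "__main__":
    # Same password, two users: the salts make the stored digests differ,
    # which is what defeats precomputed lookup tables.
    salt_a, digest_a = hash_slow_salted("correct horse")
    salt_b, digest_b = hash_slow_salted("correct horse")
    print("digests differ across users:", digest_a != digest_b)
    print("verification works:", verify_slow_salted("correct horse", salt_a, digest_a))
    print(f"SHA-1 is roughly {speedup_factor():,.0f}x faster to attack than PBKDF2")
```

The exact speedup depends on the machine, but the ratio is typically in the thousands or more, which is why the article's dictionary and hybrid attacks are practical against MD5/SHA-1 stores and far less so against bcrypt-style stores.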

There are two things you can do to help overcome this situation.  The first is to use a password manager such as LastPass to create truly random passwords of at least 12 to maybe 20 characters.  A long, randomly generated password removes the element of human predictability.  The second tactic is two-factor authentication using an authenticator app or token.  That way, if your password is cracked and put up for sale on the Dark Web, it is useless without the six-digit 2FA passcode on your phone or token.
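The following added example (mine, not the post's or any password manager's code) puts numbers on the two preceding paragraphs: it generates a random password the way a password manager would, using the operating system's CSPRNG, and compares the keyspace of a truly random 12-character password with that of a 12-character password built from a predictable "word + two digits + symbol" pattern. The pattern sizes (a 100,000-word list, 100 two-digit suffixes, 32 symbols) are assumed for illustration.

```python
"""Added example: random passwords vs. predictable patterns, in bits."""
import math
import secrets
import string

# 94 printable ASCII symbols, the usual password-manager alphabet.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Assumed sizes of a predictable human pattern: <word><2 digits><symbol>.
PATTERN_WORDS = 100_000
PATTERN_DIGIT_SUFFIXES = 100
PATTERN_SYMBOLS = 32


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Draw each character independently from the CSPRNG (secrets module)."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits_random(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def entropy_bits_pattern(words: int = PATTERN_WORDS,
                         digit_suffixes: int = PATTERN_DIGIT_SUFFIXES,
                         symbols: int = PATTERN_SYMBOLS) -> float:
    """Entropy of a password known to follow <word><digits><symbol>.

    Length no longer matters; only the number of choices a human made does,
    which is what a hybrid dictionary attack exploits.
    """
    return math.log2(words * digit_suffixes * symbols)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate at a given guessing rate."""
    seconds = 2 ** bits / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    rate = 1e10  # assumed guesses/second against a fast unsalted hash
    pw = generate_password(20)
    print("generated:", pw)
    print(f"random 12 chars : {entropy_bits_random(12):.1f} bits, "
          f"{years_to_exhaust(entropy_bits_random(12), rate):.2e} years")
    print(f"pattern 12 chars: {entropy_bits_pattern():.1f} bits, "
          f"{years_to_exhaust(entropy_bits_pattern(), rate):.2e} years")
    print(f"random 20 chars : {entropy_bits_random(20):.1f} bits")
```

The output shows why length alone stopped being a safe rule of thumb: a 12-character password that follows a common pattern has under 30 bits of entropy and falls in well under a second at the assumed rate, while a random 12-character password from the same alphabet has about 79 bits, and the manager-generated 20-character one about 131.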

So there is hope, but only if you act.

More information:


About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Practitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speaker at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and at many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.
