Passwords Are On Life Support

Passwords are not dead – not yet.  But they are on life support.  They are no longer enough to truly secure anything on their own.

I just read a sobering, eye-popping article on NetMux that discussed easy ways to crack passwords that are longer than 12 characters.

What makes this so disheartening for me is that I have been telling everyone to increase their password length to twelve characters or longer, because a brute-force search would take far too long to be useful to the cyber-criminal.  That reasoning is sound for a truly random password: every added character multiplies the search space by the size of the alphabet.  But humans are predictable.  We build passwords from a dictionary word, a capital first letter, a year, and a symbol on the end, and a 14-character password made that way is one of a few million likely candidates, not one of 95 to the 14th power.  Tools such as hashcat take advantage of this predictability with dictionary, rule-based and hybrid attacks that enumerate only the likely candidates, so they recover long human-made passwords in a tiny fraction of the time a brute-force search would need.

These techniques work best when the web service stored your password with a fast, general-purpose hash such as MD5 or SHA-1, where an attacker with a few GPUs can test billions of guesses per second.  If the service salted your password and hashed it with a deliberately slow, key-stretching function such as bcrypt, each guess costs thousands of times more work, and the same attack becomes far less practical (it still works; it just takes much longer, which is the whole point).  The salt also stops the attacker from testing one guess against every account in the breach at once.  But this is a decision made by the web service that stores your password, not by you.
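To make the difference concrete, here is a toy version of the rule-based attack in Python. It is an added example written for this page, not code from the NetMux article or from any cracking tool. The wordlist, the mutation rules, the salt and the victim password are all constructed for illustration; PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt as the key-stretched hash, because bcrypt is not in the standard library.

```python
import hashlib
import hmac
import time

# Constructed, deliberately tiny wordlist and mutation rules for this example.
# A real attacker uses a multi-million-entry wordlist and hundreds of rules.
WORDLIST = ["password", "welcome", "summer", "minnesota", "football", "sunshine"]
YEARS = ["2019", "2020", "2021", "2022", "2023"]
SUFFIXES = ["", "!", "!!", "1", "123", "#"]
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
PRINTABLE_ASCII = 95  # alphabet size a brute-force search must cover


def hybrid_candidates(wordlist=WORDLIST):
    """Yield guesses the way a rule-based attack does: a dictionary word plus
    the mutations humans actually apply (capital first letter, leet-speak,
    a year, a trailing symbol). Many results are 12+ characters long, yet the
    whole space here is only len(wordlist) * 4 * 6 * 6 guesses."""
    for word in wordlist:
        bases = (word, word.capitalize(), word.upper(),
                 word.capitalize().translate(LEET))
        for base in bases:
            for year in [""] + YEARS:
                for suffix in SUFFIXES:
                    yield base + year + suffix


def sha1_hash(salt: bytes, password: str) -> str:
    """Fast hash: what a weak service might store (salted SHA-1)."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def pbkdf2_hash(salt: bytes, password: str, iterations: int = 100_000) -> str:
    """Key-stretched hash standing in for bcrypt/scrypt/Argon2. Every guess
    costs `iterations` HMAC computations instead of one hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def crack(target_hex: str, salt: bytes, hash_fn):
    """Run the hybrid attack against one stored hash.
    Returns (password, guesses) on success or (None, guesses) on failure."""
    guesses = 0
    for guesses, candidate in enumerate(hybrid_candidates(), start=1):
        if hmac.compare_digest(hash_fn(salt, candidate), target_hex):
            return candidate, guesses
    return None, guesses


def brute_force_keyspace(length: int, alphabet_size: int = PRINTABLE_ASCII) -> int:
    """Number of guesses an exhaustive search over printable ASCII must cover."""
    return alphabet_size ** length


if __name__ == "__main__":
    # Constructed victim record: a 14-character, "strong looking" password.
    salt = b"\x8f\x13salt"
    victim = "Minnesota2022!"
    for name, fn in (("salted SHA-1", sha1_hash), ("PBKDF2 100k", pbkdf2_hash)):
        start = time.perf_counter()
        found, n = crack(fn(salt, victim), salt, fn)
        secs = time.perf_counter() - start
        print(f"{name:13s}: found {found!r} after {n} guesses in {secs:.3f}s")
    print(f"brute force over {len(victim)} printable chars: "
          f"{brute_force_keyspace(len(victim)):.2e} guesses")
```

Run it and the salted SHA-1 version finds the 14-character password in well under a second, while the PBKDF2 version takes tens of seconds for the same few hundred guesses; the brute-force figure printed last (95 to the 14th power) is why length alone looked like enough. The attacker's cost is the number of likely candidates times the cost of one hash, and only the second factor is under the web service's control.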

There are two things you can do to help overcome this situation.  The first is to use a password manager such as LastPass to create truly random passwords of at least 12 characters, and preferably 16 to 20.  A long, randomly generated password removes the element of human predictability, so the attacker is pushed back to the brute-force search that length was supposed to defeat.  The second tactic is two-factor authentication using an authenticator app or a hardware token (not SMS, which can be intercepted or redirected through a SIM swap).  That way, if your password is cracked and put up for sale on the Dark Web, it is useless without the six-digit code that only your phone or token can produce.

So there is hope, but only if you act.


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, the Secure360 Security Conference in 2016, 2017, 2018, and 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and at many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com
