October is Cybersecurity Awareness Month (CAM). All month long we’ll be presenting tips and tricks, as well as advice on a number of security topics, with the aim of helping inform and educate the public.
We’ll start with some bad news that some of you might not know: passwords are a problem, and it’s hard to make a good one. This leaves many people vulnerable and exposed. So then, what exactly makes a good password?
If there is a rule you should remember when it comes to good passwords, longer is better.
The advice I tend to share with people is to make your passwords so long you can’t remember them.
Sounds backwards, right? Make passwords you can’t remember?
It is, but the point of that rule is twofold: first, to get you thinking about password length and its importance, and second, to get you thinking about password managers. Because if you can’t remember your passwords due to their length and complexity, why not have a program remember them for you?
Password length and complexity
The reason you want long passwords is to prevent guessing and cracking.
Cracking is exactly what it sounds like. After compromising a website where your password is stored, a criminal will attempt to crack the hash representing your password using a set of words (dictionaries) and rules (educated guesses).
The same mindset applies to direct password guessing. If your password is AprilMarry95, and you were married to April in 1995 — details that are public record — your password could be easily guessed or cracked.
Here is an example using real data.
It took less than three minutes per group to crack all the six (6), seven (7), eight (8), nine (9), and ten (10) character passwords among the 100,000 most common passwords. That is more than 80,000 passwords, and they were cracked in less time than it took to write to this point in the blog.
Given most websites require passwords with a minimum length of eight (8) characters, consisting of upper and lowercase letters, numbers and symbols, you’d think cracking or guessing passwords would be difficult.
But it’s not, thanks to password reuse (also called password recycling), and passwords created with common words, phrases and patterns.
The only thing that will protect your accounts on other websites is your use of unique, long passwords without common words or phrases. This way, a compromised password on one website doesn’t lead to all your accounts being compromised.
On that note, if your password contains any of the following words, you need to change it as soon as possible. These are root words found among the 100,000 most common passwords; they’re examples of the easily guessed words people use to build passwords.
- love
- qwerty
- football
- monkey
- dragon
- dad
- warrior
- court
- summer
- fall
- password
- angel
- alex
- chris
- red
- mom
- rocket
- road
- winter
- spring
Keep in mind, the list presented here is a small sample. The full list is hundreds of items long and includes names, states, cities, sports, automotive terms, religious terms, military terms, explicit terms, family terms, emotional terms, band names and even colors.
Essentially, if you can find the word in a dictionary, it likely isn’t going to make a good password.
Try as we might, humans can’t do true random. And the problem is, when we attempt to do random, we tend to stick to those common words and phrases. We’ll even throw in a ‘!’ or ‘@’ along with a number or two for good measure.
While !RubyRed2024 might look like a good password, it isn’t.
True, it has 12 characters, uses upper and lowercase letters, numbers, and even symbols, but here are two reasons why you should never use such a password. First, both Ruby and Red are common words. Second, adding an exclamation mark (!) to the start of a password and the current year to the end of the password are both common patterns and easily guessed.
Using a basic mask pattern of -1 ?u?l !?1?1?1?1?1?1?12024 can crack !RubyRed2024 in 12 seconds under SHA1 hashing, or just over two minutes under SHA3 256 hashing.
What that pattern means, and why two different hashing options were tested — remember, hashing is how passwords are stored on a website — isn’t really important.
However, if the password this pattern is used against was truly random, it wouldn’t crack anything. In fact, attempting to guess a 12-character truly random password can take 54 days or so on SHA1, even longer on SHA3.
But if that password were hashed with bcrypt (lots of websites use this), it could take millions of years to crack (164 million, to be exact).
Enter password managers
The point of all of this password discussion is to drive home two facts.
One, humans cannot do true random. Because of that, if your password has already been leaked or it can be easily guessed, then no amount of hashing will protect it, or the accounts associated with it.
Two, the longer and more unique a password is, the safer and more secure it is, so long as it isn’t reused across multiple websites.
Truly random, long, unique passwords for every website you access are only realistic with a password manager.
So then, what password manager should you be using? That’s the best part: you can use whichever one you’d like.
While they’re not all the same, their core functionality is.
Wired Magazine has a solid review of password managers, including a breakdown of pricing and functionality. PC Mag also has a comprehensive breakdown of several password managers. Both are worth spending some time reading.
The key function you’re wanting out of a password manager is the ability to create passwords that are at least twenty (20) characters long, with all the typical mix of letters, numbers and symbols, as well as the ability to create a unique password for each website.
If the website doesn’t support really long passwords, you can still use the password manager to create truly random passwords, so it isn’t a total setback.
At the end of the day, a password manager means no more password recycling, and no more easily guessed words or phrases. Passwords are truly random.
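To make the cracking discussion and the password-manager advice concrete, here is an added example (not code from the Cisco post): a defender-side check for the weaknesses the post describes, a generator of the kind a password manager uses, and the search-space arithmetic behind “longer is better”. The root-word list is the sample printed above; the `DECORATED_WORD` shape rule and the test strings are my own assumptions.

```python
# Added example, not from the original post: checks for the weaknesses the
# post describes, a CSPRNG generator, and the keyspace math behind the advice.
import math
import re
import secrets
import string

# The sample root words printed in the post; a real screen would use the
# full common-password list, not this excerpt.
COMMON_ROOTS = {
    "love", "qwerty", "football", "monkey", "dragon", "dad", "warrior",
    "court", "summer", "fall", "password", "angel", "alex", "chris", "red",
    "mom", "rocket", "road", "winter", "spring",
}
# Assumed heuristic: optional leading symbols, a run of letters, optional
# digits, optional trailing symbols. Human-made passwords such as !RubyRed2024
# fit this "word with decorations" shape; uniformly random ones almost never do.
DECORATED_WORD = re.compile(r"^[^A-Za-z0-9]*[A-Za-z]+\d{0,4}[^A-Za-z0-9]*$")
YEAR_SUFFIX = re.compile(r"(19|20)\d{2}[^A-Za-z0-9]*$")


def find_weaknesses(password: str, min_length: int = 20) -> list[str]:
    """Reasons the password violates the post's advice; an empty list means none found."""
    problems = []
    lowered = password.lower()
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    problems += [f"contains common root word '{w}'"
                 for w in sorted(COMMON_ROOTS) if w in lowered]
    if DECORATED_WORD.match(password):
        problems.append("is a word with symbols/digits bolted on")
    if YEAR_SUFFIX.search(password):
        problems.append("ends with a year")
    return problems


def generate_password(length: int = 20) -> str:
    """Uniformly random password from the OS CSPRNG, as a password manager produces."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def keyspace(alphabet_size: int, length: int) -> int:
    """Worst-case number of candidates for a password of this shape."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy of a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print(find_weaknesses("!RubyRed2024"))
    # The post's pattern fixes "!" and "2024" and varies only 7 letter positions
    # (52 choices each); a random 12-character password varies all 12 over 94.
    print(keyspace(52, 7), keyspace(94, 12))
    print(f"{entropy_bits(94, 20):.0f} bits for a 20-character generated password")
```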
Now, there’s another layer of protection alongside your password manager, which is multi-factor authentication (MFA). We will explore MFA in another blog soon. For now, if your password manager offers to enable this option of defense (most do), you should take advantage and enable it.
Finally, we have passkeys.
You might’ve heard about them. If there is time this month, we’ll dive deeper into that topic. Long story short, passkeys are the replacement for passwords. Yet, implementing them (software development), and managing them (ecosystem lock-in), can be a bit tricky — something the security and development industries are working on. It’s certain that passkeys will become a common feature in the not-so-distant future as things develop.
In fact, some major websites are already joining up.
Stay Safe!
A perfect explanation. I graduated in Information Security, and I keep reading about password matters and everything related to hardware and software defense. Congratulations! With every article I read, I learn more and more.
What do you think of the new NIST password recommendations?
https://blog.netwrix.com/nist-password-guidelines
Thanks, Steve, this was very helpful.