Table of Contents
Most IT security specialists define passwords as "the keys to our Digital Home": that's a pretty good metaphore, especially considering that our "digital home" is getting bigger as the time passes (and the technology advances). In the latest few decades we learned how to protect our precious devices (computers and, most recently, mobile devices) to prevent unauthorized access to them and their data... But, with the advent of the Internet and Internet of Things, that home became a huge house with an infinite amount of different rooms: from online banking to food delivery services, from cloud-based repositories to remotely accessible Virtual Private Networks, we were literaly stormed by those "keys".
At the same time, since technology runs faster than our ability to assimilate it, most internet users - as well as business companies - still use passwords in a totally insecure way today: to continue with our initial metaphore, nobody would leave the key on the door, or feel comfortable using the same key to open multiple doors, or use a weak lock & key combination, right? However, when using passwords, most of us often do just that.
In the initial part of this post we'll try to summarize the most common mistakes that people do in choosing a password; then we'll briefly review the most common ways used by hackers to stole passwords; last but not least, we'll share some suggestions and best practices to secure our passwords and improve our account's security.
Common Password Mistakes
The typical password mistakes can be split into three main categories: choosing a weak password, using the same password among different web sites, and insecurely storing passwords. In the following sections we'll deal with each one of them.
Choosing a weak Password
A weak password, as the name implies, is a password too easy to guess or to discover using automated hacking techniques (brute-force, rainbow tables, and so on). Those who thinks that this is issue is a thing of the past because nowadays the majority of IT users have been educated enough to avoid choosing trivial passwords should check the SplashData's Most Used (and Worst) Password of 2017 infographics, which could easily change their mind.
Here a list of the top 10:
- 123456 (proudly keeping the first place since 2013)
Luckily enough, such situation has been mitigated by enforcing a password security policy that is already adopted by most websites - and that is mandatory for all online services that deal with money or personal data, at least in most countries. Such policies not only require a minimum length and the presence of different character types (uppercase and lowercase letters, numbers, special characters) to make them harder to guess, but also force the users to periodically change them (often every 90 or 180 days). However, choosing a weak password is still critical for those devices where such policies are not enforced yet - such as most IoT devices.
Using the same Password
In addition to using passwords objectively too weak, users (and company officers) often also make the mistake of using the same password for different web sites or services. The so-called "password reuse" is probably the most serious mistake we can make nowadays: if a hacker manages to hack into a website's servers (this is happened for Yahoo, LinkedIn, Sony, and countless "minor" websites) and steal the users passwords, it will definitely try to use those retrieved passwords to gain access to other services. The only thing we can do to stop such common hacking practice is to ensure that each and every account that we have has its own password.
Such verification process can be automated using dedicated tools, such as Shard - a open-source command line tool that was developed to allow users to test whether a password they use for a site is used to access some of the more popular services, including Facebook. LinkedIn, Reddit, Twitter or Instagram.
Insecurely storing Passwords
The need to use strong passwords and a different password for each website or service inevitably brings another big requirement: the need to have a "secure" mechanism for storing these passwords, since human memory won't definitely be able to keep up. And this is where the most serious security problems often occur, not only for home users yet also for most companies. Who among us has never seen those dreadful MS Excel files (or text files!) containing a huge list of passwords?
And the worst thing is that those unsecure repositories are often shared among different users (family members, co-workers, and so on), meaning that they aren't protected even with the basic user authentication mechanism provided by the OS.
How passwords are hacked
The techniques used by hackers for discovering our passwords are more than one, sometimes really trivial: as we can easily see by looking at the list below, most of them leverage or exploit the bad practices that we've talked about early on.
- Social Engineering: e.g. Phishing, Password Sniffing. In practice, it is we who allow ourselves to be deceived by social engineering techniques and give passwords to those who ask for them through for example messages, emails, fake sites that disguise a well-known site.
- Guessing passwords: Using personal information such as name, date of birth or pet names. When this happens, sometimes the "hacker" happens to be kind of close to the "victim": a friend, neighbor, co-worker or someone that knows enough info to perform such guesses. However, thanks to the modern approach to social networks, everyone might easily know a lot of stuff about anyone else.
- Brute Force Attack: Automatically testing a large number of passwords until the right one is found. There are special programs to do this (a widely used one, John the Ripper, is open source, meaning that anyone can use it). Brute-force attacks are quite expensive to pull off, which requires time and computing power, but can easily achieve the result if the password is weak enough.
- Intercepting a password, for example while it is being transmitted over a network. The bad habit of communicating passwords via email is frequent: there are even sites that, as soon as we register, send us a polite welcome message containing username and password displayed "in clear". Too bad that email is not a safe tool.
- Shoulder surfing: a social engineering variant. It basically means "observing someone from behind" (i.e. "shoulder") while typing the password.
- Using a KeyLogger. Keyloggers are malware programs that record everything typed on the keyboard, then transmit this data to the hacker who installed the keylogger. There are also hardware-based keyloggers that require direct access to the victim's computer.
- Passwords stored in an insecure way, like handwritten on a piece of paper, or saved on a word file (see above).
- By compromising a database containing a large number of user passwords, then using this information to attack other systems where users have reused the same passwords ("credential stuffing").
How to secure our Password
Securing our passwords in order to avoid most - if not all - of the hacking attemps listed above is not impossible and is a goal that can be achieved by anyone. In a nushell, all we need to do is to apply two best practices:
- Write strong and unique Password
- Securely store your Passwords
Both of them are equally important and must be followed for each and every password, without exceptions.
How to write a strong Password
A strong password is characterized by the following elements: length and character types used.
- Regarding the length, it is strongly recommended to use at least 12 characters.
- As for the character types, just let the math guide you: we have 10 numeric types (0-9), 52 letter types (26 lowercase + 26 uppercase), and more or less 33 special character types easy to type because they're directly accessible from a typical keyboard (such as #, &, %, ?, ^, and so on). To summarize all that, in total we have 95 character types available: with that in mind, we can say that a good password should have at least one character coming from each one of these types, because by increasing the types of characters, the number of possible combinations grows exponentially, thus making harder (and time-consuming) to "brute-force" the resulting password.
How to store your Passwords
As we aready said early on, using a different password for each website or service means that we can't rely to our memory to remember them all: at the same time, using insecure data stores such as MS Excel files or text files is definitely not an option.
The best way to tackle (and fix) this problem is to use a Password Manager tool: a dedicated software that acts as a vault where you can securely store all your passwords, as well as your usernames and/or credential info, with the big advantage of having them in a single place. This basically means that you'll only need to remember the password required to access it, which is often very strong and can be further protected by other authentication factors (fingerprint, SMS, OTP, mobile tokens, and so on).
The most advanced Password Managers also provide a good level of integration with the Operating System and browsers, meaning that they can even “automatically” (yet securely) fill in your credentials whenever you log in to a site (or an app) using your desktop or mobile device.
That's it, at least for now: we hope that this post will help most users and companies to increase their online security by securely choosing and storing their password.