The Weakest Link in the Password Hash

Your password is strong – but is everyone else’s?

We spend considerable time trying to make sure our passwords are strong. But we also need to spend time educating our user base on why password strength is important.

It is not uncommon for an attacker to establish a foothold in an environment by first compromising a weak or insecurely stored password. Once any level of authenticated access is established, privilege escalation is usually only a matter of time.

So, while your password might be a 16-character stronghold of letters, numbers and symbols, your administrative assistant might still be using s0ftc@t1 as hers. That is just "softcat1" with common substitutions: a rule-based dictionary attack tries exactly those substitutions and recovers it in seconds, and even a plain brute force of an 8-character password finishes in under 48 hours against a fast unsalted hash. Once we have that weak password, we pivot from there to other accounts.

Important lessons to teach:
  • Using symbols to stand in for letters (@ for a, ! for i, and so on) helps little. Rule-based dictionary attacks start from word lists and apply exactly those substitutions as rules.
  • Longer is better. An 8-character password is trivial for a skilled attacker regardless of its complexity when the hash is fast and unsalted; adding a single character, to 9, pushes an exhaustive search to a couple of months at the same cracking speed. A slow hash such as bcrypt multiplies both figures, but length is still the cheapest defence.
  • Use random letters and numbers rather than words.
  • Mix capitals with lower-case letters, but don't make the first character the capital: cracking rules try that pattern first, because everyone does it.
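
To show what the list above means in practice, here is a small rule-based cracker, added as an example for this page and not code from the original post. It takes a constructed word list, applies the substitution, capital-first and suffix rules the bullets describe, and tries each candidate against SHA-256 hashes of two constructed sample passwords: the assistant's s0ftc@t1 and the random root used later in the post. The word list, the rule set, the hash function and the guess rate used in the length estimate are all assumptions chosen for the demo.

```python
import hashlib
import itertools

# Constructed sample "credential store": SHA-256 of two passwords from the text.
# Real systems should use a slow, salted hash; a fast hash keeps the demo simple.
SAMPLE_PASSWORDS = {"assistant": "s0ftc@t1", "engineer": "yyT73p@55c"}
HASHES = {user: hashlib.sha256(pw.encode()).hexdigest()
          for user, pw in SAMPLE_PASSWORDS.items()}

# A tiny constructed word list; a real attack uses millions of entries.
WORDLIST = ["password", "welcome", "softcat", "dropbox", "summer", "letmein"]

# Rules mirroring the bullets above: leetspeak substitutions, capital first
# letter, and a short suffix (a digit or punctuation) appended to the word.
SUBS = {"a": "@", "i": "!", "o": "0", "s": "5", "e": "3"}
SUFFIXES = ["", "1", "!", "123"]


def leet_variants(word):
    """Yield the word with every subset of its substitutable letters swapped."""
    positions = [i for i, c in enumerate(word) if c in SUBS]
    for r in range(len(positions) + 1):
        for chosen in itertools.combinations(positions, r):
            chars = list(word)
            for i in chosen:
                chars[i] = SUBS[chars[i]]
            yield "".join(chars)


def candidates(wordlist):
    """Generate candidates in the order a rule-based attack would try them."""
    for word in wordlist:
        for base in (word, word.capitalize()):   # capital-first rule
            for variant in leet_variants(base):
                for suffix in SUFFIXES:
                    yield variant + suffix


def candidate_count(wordlist):
    """Size of the whole candidate space for this word list and rule set."""
    return sum(1 for _ in candidates(wordlist))


def crack(hashes, wordlist):
    """Return {user: (password, attempt_number)} for every hash a rule hits."""
    targets = {h: user for user, h in hashes.items()}
    found = {}
    for attempt, candidate in enumerate(candidates(wordlist), start=1):
        digest = hashlib.sha256(candidate.encode()).hexdigest()
        if digest in targets:
            found[targets.pop(digest)] = (candidate, attempt)
            if not targets:
                break
    return found


def brute_force_days(length, charset=95, guesses_per_second=1e11):
    """Days to exhaust every password of the given length at an assumed rate.

    95 printable ASCII characters; 1e11 guesses/s is a constructed figure
    for a GPU rig against a fast unsalted hash, not a measurement.
    """
    return charset ** length / guesses_per_second / 86400


if __name__ == "__main__":
    print("candidates in the rule space:", candidate_count(WORDLIST))
    results = crack(HASHES, WORDLIST)
    for user, (pw, n) in results.items():
        print(f"{user}: {pw!r} recovered on attempt {n}")
    print("not recovered by any rule:", set(HASHES) - set(results))
    print(f"8 chars exhaustive: {brute_force_days(8):.1f} days; "
          f"9 chars: {brute_force_days(9):.0f} days")
```

With this word list the assistant's password is recovered on the 218th guess out of 360, while the random root is never produced by any rule. The two brute-force figures (under a day for 8 characters, about 73 days for 9 at the assumed rate) are the kind of estimate behind the "longer is better" bullet; both scale with the cost of the hash function.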

Consider a root plus tags

One trick is to use a random 10-character root such as: yyT73p@55c

Now remember it (see the next section for tips).

Now make it unique per site by adding a "-", "+" or "_" followed by a short identifier for the system:

yyT73p@55c-dr0p (say, for Dropbox)
yyT73p@55c+f@cE (for Facebook)
yyT73p@55c_BoA (for Bank of America)

Now you have a strong random root, followed by a separator and a short tag that can be a dictionary word with caps and symbols if you wish. The root is the secret; the tag only keeps the passwords distinct.

Using this formulaic approach you take one 10-character root and create a different password per site with an easy-to-remember tag. Your passwords are now 14+ characters long and still memorable. The caveat: the root is only as secret as the weakest site that stores it. If one site leaks your password in plaintext, or stores it with a fast hash that gets cracked, an attacker can read the root off it and guess the tags for your other accounts, which is why the sections below on separate roots and on changing the root matter.

Consider rhyme and pattern

One trick I use for remembering that root is putting it in a rhythm and rhyme pattern that makes sense to me. This was a trick taught to me by a security engineer years ago and it's worked. In the case of yyT73p@55c, every third letter (and the 4th at the end) rhymes, and I have a pace to it.

Different root for types of systems

Now, if you want to go one step further (and limit the damage from mass credential dumps), consider keeping a small handful of root passwords: perhaps one for social, one for finance, and one for work.

That approach still only requires you to remember three base passwords, but a leak from a social site no longer exposes your bank, and you've strengthened your password repertoire considerably.
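
The root-plus-tag scheme above and the per-category roots in this section, worked through as an added example that is not code from the original post. The derivation functions do what the text describes; the second half takes the attacker's side and shows what one leaked plaintext password gives away, and how a separate finance root contains the damage. The second root, the service table and the attacker's tag guesses are constructed for the demo.

```python
import re

SEPARATORS = "-+_"  # the joining characters suggested above


def derive(root, separator, tag):
    """Site password as described above: random root + separator + memorable tag."""
    if separator not in SEPARATORS:
        raise ValueError(f"separator must be one of {SEPARATORS!r}")
    if len(root) < 10:
        raise ValueError("root should be at least 10 characters")
    return root + separator + tag


def build_passwords(roots, services):
    """roots: category -> root string; services: name -> (category, separator, tag)."""
    return {name: derive(roots[category], sep, tag)
            for name, (category, sep, tag) in services.items()}


# --- the attacker's side: what one plaintext leak reveals ---------------------

def split_leaked(password):
    """Split a leaked password at its last separator into (root, sep, tag)."""
    sep_class = re.escape(SEPARATORS)
    m = re.fullmatch(rf"(.+)([{sep_class}])([^{sep_class}]+)", password)
    return m.groups() if m else None


def guesses_from_leak(leaked, tag_guesses):
    """Candidates for other services built from the root read off one leak."""
    parts = split_leaked(leaked)
    if parts is None:
        return []
    root = parts[0]
    return [root + sep + tag for sep in SEPARATORS for tag in tag_guesses]


# Constructed data: the post's social root plus a hypothetical finance root.
ROOTS = {"social": "yyT73p@55c", "finance": "Qm8#rV2zp4"}
SERVICES = {
    "dropbox": ("social", "-", "dr0p"),
    "facebook": ("social", "+", "f@cE"),
    "bank": ("finance", "_", "BoA"),
}


def exposure_after_leak(leaked_service, roots=ROOTS, services=SERVICES):
    """Which services' passwords fall to tag guessing once one leaks in plaintext."""
    passwords = build_passwords(roots, services)
    # The attacker does not know the tags, so guesses obvious ones; here the
    # real tags stand in for that guess list (worst case for the defender).
    tag_guesses = [tag for _, _, tag in services.values()]
    guesses = set(guesses_from_leak(passwords[leaked_service], tag_guesses))
    return {name: pw in guesses for name, pw in passwords.items()}


if __name__ == "__main__":
    for name, pw in build_passwords(ROOTS, SERVICES).items():
        print(f"{name:9s} {pw}")
    print("exposed after dropbox leak:", exposure_after_leak("dropbox"))
```

Run stand-alone it prints the three derived passwords and shows that once the Dropbox password leaks in plaintext, the Facebook password is among a handful of guesses while the bank password, built on a separate root, is not. A cracked hash has the same effect as a plaintext leak: the root is exposed as soon as any one derived password is recovered.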

Change the root

Regardless of the strength of our passwords, it's still good practice to change them periodically, and essential after any suspected compromise or breach of a site that stores one. With the root system all you need to do is change the root: every derived password changes with it, and whatever exposure the old root had is reset in one step.

BONUS ROUND.

If you really care about the security of a specific site (say, your bank), use a unique username there too. It doesn't have to be elaborate: if you tend to use "sally15" as your main username, try your last name, "sanders15", for the bank. Combine it with the root scheme above and that one service gets a username and a password that appear nowhere else, so a credential list harvested from another breach will not match it.

The Struggle is Real

Getting your employees to use strong passwords is an uphill battle, but a critical one. Remember: the attacker is looking for the weakest link. A toe in the door is usually all that's needed before moving laterally through your systems.

By adopting a simple system such as the one suggested here, you increase the chances that your employees keep strong, distinct passwords and strengthen their online security.
