We know your password!

I started doing penetration testing 14 years ago; during that period, one common way of compromising a company was through weak passwords.

What is intriguing is that, 14 years later, this is still a significant factor in why we keep compromising companies.

Bad passwords

What makes a password bad, you ask, and what do we still find people doing when choosing one?

  • Sharing one password between several accounts.
  • Weak passwords:
    • Based on common words
    • A sequence of numbers, such as "12345678"
    • Based on the company name, the year and "!", such as "Acme2019!"
    • Based on the season and the year, such as "Spring2019"
    • The name of someone close to you, such as a child, spouse, dog or cat.
  • Default credentials on products.

Ok, so now that you have listed my password in your examples, what makes up a good password? Company policy says eight characters which need to meet the password complexity rules of upper case, lower case, a number and a special character.

Good passwords

Humans are lazy by nature, hence choosing a password like "Acme2019!" makes perfect sense, since it meets all the requirements of a typical password policy. But for an attacker it is well known, easy to guess and easy to crack. So the key point here is to choose passwords which are hard to crack but easy to remember, and not the other way around.

So, what makes a password hard to crack?

Length, first and foremost, combined with the use of characters from every part of the key space:

  • a-z
  • A-Z
  • 0-9
  • Symbol 14: !@#$%^&*()-_+=
  • Symbol 18: ~`[]{}|\:;"'<>,.?/ 
  • Space

Character set length: 95

How should I construct my password then? Use length, choose something easy to remember, and use characters from all the key spaces listed above.

Example: 

  • Steven_Segal_1s_Hard_to_kill!
    • (29 characters - upper, lower, number, special character)
  • MyDaughter1sCute-
    • (17 characters - upper, lower, number, special character)
  • M0makesGreatFood@home?
    • (22 characters - upper, lower, number, special character)

Ok, I think you get the point: make them longer and make them something you remember.
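As an added example (not code from the original post), here is a small Python check that applies the post's key-space table above and flags the guessable constructions from the "Bad passwords" list; the company name "Acme" and the 80-bit threshold are assumptions made for the example.

```python
import math
import re

# Character classes from the post's key-space table (26 + 26 + 10 + 14 + 18 + 1 = 95).
CLASSES = {
    "lower": set("abcdefghijklmnopqrstuvwxyz"),
    "upper": set("ABCDEFGHIJKLMNOPQRSTUVWXYZ"),
    "digit": set("0123456789"),
    "symbol14": set("!@#$%^&*()-_+="),
    "symbol18": set("~`[]{}|\\:;\"'<>,.?/"),
    "space": set(" "),
}
SEASONS = ("spring", "summer", "autumn", "fall", "winter")

def classes_used(password):
    """Names of the key-space classes the password actually draws from."""
    return [name for name, chars in CLASSES.items() if any(c in chars for c in password)]

def search_space_bits(password):
    """Brute-force search space in bits, log2(alphabet ** length), assuming the attacker
    knows which classes are used. Length dominates: each extra character from the full
    95-character set adds about 6.6 bits."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0

def predictable_patterns(password, company="Acme"):
    """Flag the guessable constructions the post lists. `company` is a constructed placeholder."""
    p = password.lower()
    findings = []
    if re.fullmatch(r"\d+", password) and password in "0123456789" * 2:
        findings.append("digit sequence")
    if re.fullmatch(re.escape(company.lower()) + r"(19|20)\d\d[!@#$%^&*]*", p):
        findings.append("company name + year")
    if re.fullmatch(r"(" + "|".join(SEASONS) + r")(19|20)\d\d[!@#$%^&*]*", p):
        findings.append("season + year")
    return findings

def assess(password, company="Acme"):
    """Combine both checks: a pattern hit makes the real search space tiny whatever the bit count."""
    bits = search_space_bits(password)
    patterns = predictable_patterns(password, company)
    verdict = "weak" if patterns or bits < 80 else "strong"   # 80-bit threshold is an assumption
    return {"length": len(password), "classes": classes_used(password),
            "bits": round(bits, 1), "patterns": patterns, "verdict": verdict}

if __name__ == "__main__":
    for pw in ("Acme2019!", "Spring2019", "12345678", "Steven_Segal_1s_Hard_to_kill!"):
        print(pw, assess(pw))
```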

What about all the services you register for on the Internet? Well, as we already noted, people tend to reuse the same username (their email address) and password for all their online services.

That means that if any one of these services is breached, all of your online accounts are at risk.

You can check right now whether your credentials appear in any of the known breaches of leaked credentials: https://haveibeenpwned.com/

Hence, start using a password manager: store all your credentials for the different services in it, protected by one long and secure master password, and generate a long, random and unique password for each service you register for.

Examples of password managers (not an exhaustive list):

  • 1Password
  • Bitwarden
  • Enpass
  • Keepass
  • Dashlane

To further improve security, always enable multi-factor authentication (MFA) on services that support it. This is easily managed with, for example, the Google Authenticator mobile application. So, to summarise this blog post, ensure you are:

  • Choosing a long, but easily remembered, password with characters from all key spaces.
  • Using a password manager to store credentials for online services.
  • Enabling MFA on all services that offer it.

If you need help with your IT security, don't hesitate to contact me. By illuminating possible issues, you can act and build security to protect against threats.
