News and Articles


"Much of what I did I now regret," -Bill Burr

For more than 16 years now, everyone from small business owners to major corporations and governments has been following a "formula" for creating their passwords. It is likely that you have been following this formula too.

In 2003, Bill Burr was a technology manager at the US National Institute of Standards and Technology. He wrote a guideline for creating secure passwords, recommending a minimum of eight characters made up of a mix of upper- and lower-case letters, numbers and special characters.

Now Bill says he not only regrets his recommendations, but believes that his guidelines have led people to create weak passwords that have actually made it easier for hackers to crack them.

Hackers use a method called a "brute-force attack" to crack passwords: essentially, they harness powerful processors to guess passwords over and over until the passwords are defeated.

This illustration shows the math of how long it takes computers to crack your password; it also reveals the biggest tip we have for creating proper passwords.

Create simple, but long random phrases.

By doing so, you make it immensely harder for hackers to use the brute-force attack method.

Another way to strengthen your passwords is to use 2-factor authentication. Many web services such as Google, banks and shopping sites let you follow your password with a private key sent to you via SMS text, Facebook, Google or LinkedIn.

The burden of creating and managing dozens of different passwords

A closer examination of major breaches reveals a common theme: In every "major headline" breach, the attack vector has been the common password. The reason is simple: The password is by far the weakest link in cybersecurity today.

Indeed, passwords themselves are often the most valuable treasure for attackers, given how many people reuse passwords between accounts. An article last month in Ars Technica drove this point home, detailing how the recent breach of a White House contractor was facilitated by his reusing on his Gmail account the same password that was revealed in the Adobe breach of 2013. Against this backdrop, it's become increasingly apparent that the guidance we give people to change their password after every breach isn't doing anything to actually thwart attackers.

Instead, we need to acknowledge the failure of passwords and make it a national priority to come up with something better – leveraging the next generation of authentication technologies to authenticate identities in a way that is both stronger than passwords and also easier for people to use. It's important that any alternative simplifies authentication. Companies and agencies don't expect their employees to configure firewalls or actively manage encryption on their laptops; security controls have become increasingly automated over the last few years. But amidst these improvements, there's one item that continues to get pushed down to customers and end-users: the burden of creating and managing dozens of different passwords to access all of their accounts.

Study after study has shown that this is not a particularly enjoyable activity for most Americans, nor is it one that they are particularly good at. Passwords such as "123456" and "Password1" are commonly used across sites; one study showed that most Americans would rather perform unpleasant household chores than deal with the burden of creating and then remembering a complex password. And even when so-called "strong" passwords are required, they are still vulnerable to phishing attacks, key-loggers and other compromises.

Source: https://www.cnbc.com/2016/10/06/passwords-are-the-weakest-link-in-cybersecurity-today-michael-chertoff-commentary.html


Choosing a secure and memorable password

The easier a password is for its owner to remember, the easier it generally is for an attacker to guess. However, passwords which are difficult to remember may also reduce the security of a system because (a) users might need to write down or electronically store the password, (b) users will need frequent password resets and (c) users are more likely to re-use the same password. Similarly, the more stringent the requirements for password strength, e.g. "have a mix of uppercase and lowercase letters and digits" or "change it monthly", the greater the degree to which users will subvert the system. Others argue that longer passwords provide more security (e.g., entropy) than shorter passwords with a wide variety of characters.

In The Memorability and Security of Passwords, Jeff Yan et al. examine the effect of advice given to users about a good choice of password. They found that passwords based on thinking of a phrase and taking the first letter of each word are just as memorable as naively selected passwords, and just as hard to crack as randomly generated passwords.

Combining two or more unrelated words and altering some of the letters to special characters or numbers is another good method, but a single dictionary word is not. Having a personally designed algorithm for generating obscure passwords is another good method. However, asking users to remember a password consisting of a "mix of uppercase and lowercase characters" is similar to asking them to remember a sequence of bits: hard to remember, and only a little bit harder to crack (e.g. only 128 times harder to crack for 7-letter passwords, less if the user simply capitalises one of the letters). Asking users to use "both letters and digits" will often lead to easy-to-guess substitutions such as 'E' → '3' and 'I' → '1', substitutions which are well known to attackers. Similarly, typing the password one keyboard row higher is a common trick known to attackers.

Source: https://en.wikipedia.org/wiki/Password#Choosing_a_secure_and_memorable_password
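As an added example (not from any of the articles quoted on this page), the script below puts numbers on the brute-force math the illustration above refers to and on the Wikipedia excerpt's points about mixed case and letter-to-digit substitutions, from the side of someone checking a password policy. The guess rate of 1e10 per second and the short weak-word list are constructed assumptions, not figures from the page.

```python
import math
import re

# Constructed assumption, not a figure from the article: an attacker making
# 1e10 guesses per second (a GPU rig against a fast, unsalted hash).
GUESS_RATE = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# The "letters and digits" substitutions the text says attackers already know.
LEET = str.maketrans("43105$@!", "aeiossai")
# Constructed sample of a cracking dictionary; real lists hold millions of entries.
WEAK_WORDS = {"password", "letmein", "welcome", "qwerty", "123456"}


def charset_size(pw: str) -> int:
    """Alphabet a naive brute-force attacker must cover for this password."""
    classes = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33)]
    return sum(n for pat, n in classes if re.search(pat, pw))

def brute_force_bits(pw: str) -> float:
    """Search space in bits when every position is guessed independently."""
    return len(pw) * math.log2(charset_size(pw))

def passphrase_bits(words: int, dictionary_size: int) -> float:
    """Strength of a random phrase against an attacker who knows the word list."""
    return words * math.log2(dictionary_size)

def years_to_crack(bits: float, rate: float = GUESS_RATE) -> float:
    """Expected years to hit the password after searching half the space."""
    return (2 ** bits / 2) / rate / SECONDS_PER_YEAR

def normalize(pw: str) -> str:
    """Undo what cracking rules undo: drop the trailing digits, reverse leet, lowercase."""
    stripped = re.sub(r"\d+$", "", pw) or pw
    return stripped.translate(LEET).lower()

def is_predictable(pw: str) -> bool:
    """True if the password is a dictionary word dressed up with known substitutions."""
    return pw.lower() in WEAK_WORDS or normalize(pw) in WEAK_WORDS

def case_mix_multiplier(pw: str, single_capital: bool) -> int:
    """Extra work 'mixed case' costs the attacker: 2**n if each letter's case is random,
    only n+1 if the user capitalizes at most one letter (the case the text warns about)."""
    letters = sum(ch.isalpha() for ch in pw)
    return letters + 1 if single_capital else 2 ** letters
```

At the assumed rate a nine-character "complex" password like Tr0ub4d&3 lasts about a year against pure brute force, while a four-word phrase drawn from a 7776-word list falls in days once the attacker knows the scheme; six or more words, or a deliberately slow password hash, is what makes the phrase hold up.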


"The Password is dead"

That "the password is dead" is a recurring idea in computer security. It often accompanies arguments that the replacement of passwords by a more secure means of authentication is both necessary and imminent. This claim has been made by numerous people at least since 2004. Notably, Bill Gates, speaking at the 2004 RSA Conference, predicted the demise of passwords, saying "they just don't meet the challenge for anything you really want to secure." In 2011 IBM predicted that, within five years, "You will never need a password again." Matt Honan, a journalist at Wired who was the victim of a hacking incident, wrote in 2012 "The age of the password has come to an end." Heather Adkins, manager of Information Security at Google, said in 2013 that "passwords are done at Google." Eric Grosse, VP of security engineering at Google, states that "passwords and simple bearer tokens, such as cookies, are no longer sufficient to keep users safe." Christopher Mims, writing in the Wall Street Journal, said the password "is finally dying" and predicted its replacement by device-based authentication. Avivah Litan of Gartner said in 2014 "Passwords were dead a few years ago. Now they are more than dead." The reasons given often include reference to the usability as well as the security problems of passwords.

The claim that "the password is dead" is often used by advocates of alternatives to passwords, such as biometrics, two-factor authentication or single sign-on. Many initiatives have been launched with the explicit goal of eliminating passwords. These include Microsoft's Cardspace, the Higgins project, the Liberty Alliance, NSTIC, the FIDO Alliance and various Identity 2.0 proposals. Jeremy Grant, head of the NSTIC initiative (the US Dept. of Commerce National Strategy for Trusted Identities in Cyberspace), declared "Passwords are a disaster from a security perspective, we want to shoot them dead." The FIDO Alliance promises a "passwordless experience" in its 2015 specification document. In spite of these predictions and efforts to replace them, passwords still appear as the dominant form of authentication on the web. In "The Persistence of Passwords," Cormac Herley and Paul van Oorschot suggest that every effort should be made to end the "spectacularly incorrect assumption" that passwords are dead. They argue that "no other single technology matches their combination of cost, immediacy and convenience" and that "passwords are themselves the best fit for many of the scenarios in which they are currently used."

Source: https://en.wikipedia.org/wiki/Password#.22The_Password_is_dead.22


Easy to remember, hard to guess

A password that is easy to remember is generally also easy for an attacker to guess. Passwords that are difficult to remember will reduce the security of a system because (a) users might need to write down or electronically store the password using an insecure method, (b) users will need frequent password resets and (c) users are more likely to re-use the same password. Similarly, the more stringent the requirements for password strength, e.g. "have a mix of uppercase and lowercase letters and digits" or "change it monthly", the greater the degree to which users will subvert the system.

In "The Memorability and Security of Passwords", Jeff Yan et al. examine the effect of advice given to users about a good choice of password. They found that passwords based on thinking of a phrase and taking the first letter of each word are just as memorable as naively selected passwords, and just as hard to crack as randomly generated passwords. Combining two unrelated words is another good method. Having a personally designed "algorithm" for generating obscure passwords is another good method. More recently, more and more people have been noticing changes in the way that passwords are secured.

However, asking users to remember a password consisting of a "mix of uppercase and lowercase characters" is similar to asking them to remember a sequence of bits: hard to remember, and only a little bit harder to crack (e.g. only 128 times harder to crack for 7-letter passwords, less if the user simply capitalizes one of the letters). Asking users to use "both letters and digits" will often lead to easy-to-guess substitutions such as 'E' → '3' and 'I' → '1', substitutions which are well known to attackers. Similarly, typing the password one keyboard row higher is a common trick known to attackers.

Research detailed in an April 2015 paper by several professors at Carnegie Mellon University shows that people's choices of password structure often follow several known patterns. As a result, passwords may be much more easily cracked than their mathematical probabilities would otherwise indicate. Passwords containing one digit, for example, disproportionately include it at the end of the password.

Source: https://en.wikipedia.org/wiki/Password_cracking