Although SSO, OTP and MFA are starting to become the norm, we are still reliant on passwords to secure our accounts. This is true for both our work and personal life. But how do you make a secure password?
NIST released some guidelines a while back which help lay out the steps you should take in order to create a strong password.
NIST Guidelines: https://pages.nist.gov/800-63-3/sp800-63b.html#memsecret
- An eight character minimum and 64 character maximum length
- The ability to use all special characters but no special requirement to use them
- Restrict sequential and repetitive characters (e.g. 12345 or aaaaaa)
- Restrict context specific passwords (e.g. the name of the site, etc.)
- Restrict commonly used passwords (e.g. p@ssw0rd, etc.)
- Restrict passwords obtained from previous breach corpuses
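As an added example (not code from the original post or from NIST), the list above turned into a policy check in Python. The common-password set and the "breach corpus" are tiny constructed stand-ins for the lists a real deployment would load from disk, and the run length of 4 used for the sequential and repetitive checks is an assumption. Before any word-based test the candidate is lower-cased and common letter-to-symbol swaps are undone, which is why the leet-speak in the page's own "J0hnD@vis3009" does not hide the name it is built from.

```python
import re

# Constructed stand-ins (assumption): a handful of commonly used passwords and
# a tiny "breach corpus". A real check would load the full lists from disk.
COMMON_PASSWORDS = frozenset({"password", "p@ssw0rd", "123456", "qwerty", "letmein", "iloveyou"})
BREACHED = frozenset({"hunter2hunter2", "summer2019!"})

# Single-character substitutions that cracking tools apply as a matter of course,
# so they are undone before any dictionary check.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(pw: str) -> str:
    """Lower-case the password and undo common letter-to-symbol swaps."""
    return pw.lower().translate(LEET_MAP)


def has_repeated_run(pw: str, run: int = 4) -> bool:
    """True if any character appears `run` or more times in a row (e.g. aaaaaa)."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def has_sequential_run(pw: str, run: int = 4) -> bool:
    """True if `run` adjacent characters step by exactly +1 or -1 (e.g. 12345, dcba)."""
    for i in range(len(pw) - run + 1):
        window = pw[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_password(pw: str, context_words=(), breached=BREACHED) -> list:
    """Return the list of NIST rules the candidate breaks; an empty list means it passed."""
    issues = []
    if len(pw) < 8:
        issues.append("shorter than 8 characters")
    if len(pw) > 64:
        issues.append("longer than 64 characters")
    if has_repeated_run(pw):
        issues.append("repetitive characters")
    if has_sequential_run(pw):
        issues.append("sequential characters")
    norm = normalize(pw)
    # Context-specific words (site name, user's own name, ...) are matched
    # against the normalised form so that "J0hn" still counts as "john".
    for word in context_words:
        if word.lower() in norm:
            issues.append("contains context-specific word %r" % word)
    if norm in COMMON_PASSWORDS:
        issues.append("commonly used password")
    if pw in breached or pw.lower() in breached:
        issues.append("found in breach corpus")
    return issues


if __name__ == "__main__":
    for candidate in ("p@ssw0rd", "aaaaaa", "J0hnD@vis3009", "Spiceupyourlife"):
        print("%-16s %s" % (candidate, check_password(candidate, context_words=("John",)) or "ok"))
```

Note that the maximum-length rule is there to stop a server from truncating, not to stop users choosing long passphrases, and that the breach check is deliberately an exact lookup: a policy should reject what has actually leaked, not near-misses.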
These are just guidelines though and still don’t help the everyday user decide what password to use. Hopefully the steps below will help you come up with a secure password.
Before we start, we need to know how these hackers will be attempting to crack your passwords. If we know that, we can better protect ourselves. Kind of like a Blue Team, Red Team approach.
A non-IT user will often assume that there is a person trying to crack their password, and that’s their downfall. This often results in them thinking that “no one will know or guess that my password is J0hnD@vis3009”.
Although there is human interaction, the leg work is often done by computers. Therefore, for most cases, there is no guesswork. It’s just trial and error.
A hacker may be using a custom or common wordlist in order to crack your password. These are available on the internet or pre-downloaded on Kali/Parrot.
For custom wordlists, hackers will use techniques that are covered here: https://ctrlaltdel.blog/2019/05/25/generating-custom-wordlists-for-targeted-attacks/
Applications like John The Ripper, Cain and Abel and THC Hydra can use wordlists such as rockyou.txt, which contains around 14,341,564 unique passwords used across 32,603,388 accounts. Depending on the specs of the machine, they can crawl through hundreds of passwords every minute.
Obviously, things like MFA and account lockout thresholds help to fend off live brute force attempts, but they don’t mitigate them all, and certainly not offline attacks.
We can all buy a safe but if the pin is 1234, what’s the point?
To a machine, you changing an ‘o’ to a 0 is nothing. These applications can test hundreds of variants of dictionary words and numbers in minutes. Once you understand that you are going up against a computer, you can see why you need to create a more secure password.
The password that you use doesn’t need to be JKjncsdn*”3hbrjh43bN”3md.,91834”!32 as you will never remember this. You could in theory use a password manager but what password are you setting for that and where are you storing it?
What you are trying to achieve is a password which you won’t forget but is lengthy and random. Look below and see which one you think is a secure password:
You may be thinking not the top one, because they are dictionary words, but you would be wrong. “Spice up your life” contains 4 known dictionary words, but “Spiceupyourlife” is not a word and will therefore be less likely to be present in a wordlist.
Using https://howsecureismypassword.net/ we can see how long each one would take to crack:
- 8 QUINDECILLION YEARS
- 5 DECILLION YEARS
- 3 SEPTILLION YEARS
Now I don’t get how they get this figure but I’m calling bull. Nonetheless, the top one still takes longer and sort of proves my point. This is because the application doing the hash comparison or brute force attack will have to go through every variant in turn (depending on what tool is used), meaning it will go through every variant of a 4-character password before it tries a 5-character one. If your password is 10 characters long, it will take longer to crack and could therefore deter the hacker from trying, as it would take more effort and time. It’s kind of like the concept of making your house less appealing to burglars than your neighbor’s.
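As an added example (not from the original post or from the site quoted above), here is the arithmetic behind that ordering in Python. It reproduces the estimate strength meters make: take the union of character classes the password draws on, and count every string of every shorter length that an exhaustive search must step through first. The guess rate in the demo is a constructed figure, and the short "Sp1ce!" candidate is constructed too; the other two candidates are the page's own. The caveat a practitioner would add is that the figure assumes each character was picked uniformly at random from the whole class set, so for a phrase built from dictionary words a wordlist attack gets there far sooner and the number is an upper bound, not a promise.

```python
import string

# Character classes a strength meter unions together, with their sizes.
CLASS_SIZES = (
    (str.islower, 26),                         # a-z
    (str.isupper, 26),                         # A-Z
    (str.isdigit, 10),                         # 0-9
    (lambda c: c in string.punctuation, 32),   # the 32 ASCII symbols
)


def charset_size(pw: str) -> int:
    """Size of the union of character classes the password draws on. A lone digit
    drags in all ten digits and a lone symbol all 32 symbols; that only costs the
    attacker anything if the rest of the password is random as well."""
    return sum(size for test, size in CLASS_SIZES if any(test(c) for c in pw))


def candidates_up_to(length: int, k: int) -> int:
    """Number of strings of length 1..length over an alphabet of k symbols, i.e. the
    guesses an exhaustive search spends before it has finished with `length`.
    This is the 'every 4-character variant before any 5-character one' ordering."""
    return sum(k ** n for n in range(1, length + 1))


def exhaustive_work(pw: str) -> int:
    """Worst-case number of guesses to reach pw when lengths are walked in order."""
    return candidates_up_to(len(pw), charset_size(pw))


def years_to_exhaust(pw: str, guesses_per_second: float) -> float:
    """Worst-case time at a given guess rate, in years."""
    return exhaustive_work(pw) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    rate = 1e10  # constructed figure: ten billion guesses per second (assumption)
    for pw in ("Sp1ce!", "J0hnD@vis3009", "Spiceupyourlife"):
        print("%-16s charset=%2d length=%2d  %.3g years"
              % (pw, charset_size(pw), len(pw), years_to_exhaust(pw, rate)))
```

Running it shows the page's point in numbers: the fifteen lower-and-upper-case letters of "Spiceupyourlife" (52^15 and change) outweigh the thirteen mixed characters of "J0hnD@vis3009" (94^13 and change) even before a dictionary attack is considered, and length is what moves the exponent.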
Now that you get this, try and think of one yourself. Think of phrases or the lyrics of a song you like. Even better, think of a plain, obvious sentence and put it together.
Now add a number and a character here and there. Your birthday might be 01/06/1990. Why not use the day and year, missing the month? Why not use your lucky number or numbers in your car registration plate? Although these are linked to you, using only parts of the numbers will help pad your password out a bit more:
Again, adding common characters is obvious, but it does help pad the password out even further and moves your password into the next character set:
Hopefully this helps highlight the need for more secure passwords and helps you create your own.
Remember though, try and avoid using the same password for multiple accounts, and definitely avoid storing them in a txt file or writing them down.