Is There A Way To Avoid Getting Hacked?
We all thought the more characters available to use in a computer password, the better. After all, 6.6 quadrillion eight-character combinations can be fashioned from a pool of 26 uppercase letters, 26 lowercase letters, 10 digits and 33 special characters and punctuation marks.
Requiring at least one character from each class actually shrinks that space a little, a sacrifice that was supposed to push people away from the easiest guesses; but a recent article in The Wall Street Journal reported that those rules have been dropped for being ineffective. What's the problem?
The rule makers didn't anticipate how people would apply the guidelines when they wrote them. “In principle, it should be a random string,” said Cormac Herley, Microsoft Research expert on password security and authentication. “In practice, it’s ‘monkey’.”
Some Users Tried But Took Shortcuts
- If forced to include a number in a password, they tended to tack a “1” onto the end.
- If compelled to use a special character, they were inclined to use substitutions like “$” for “s” or “@” for “a.”
- If obliged to throw in an uppercase letter, they might lead with it, as in a proper noun.
- They were predictable.
- If users actually chose a random password with a mix of characters and case (the longer the better), it would be far more difficult to guess; but most resist, because random strings are hard to remember. Words, on the other hand, are easy.
- Knowing that, some users tried to incorporate special characters in easy-to-remember ways, but cracking tools apply the same substitutions automatically, so for hackers “P@$$w0rd1” is as easy to guess as “password.”
- Others invested noticeably less effort in trying to protect their online accounts.
- Fact: When 32 million passwords were stolen from RockYou in 2009, analysis of the leak showed that more of that website’s users had chosen “123456” than any other password.
- New guidelines issued in June by the National Institute of Standards and Technology (Special Publication 800-63B) suggest that a string of random words (warning: song lyrics aren’t random) will be harder to guess than “princess” and easier to remember than “fKB%397x^tyM0dc.”
“The advantage to a passphrase is it’s longer,” said Matt Bishop, co-director of the Computer Security Laboratory at UC Davis, who advised thinking of a passphrase, then sprinkling it with special characters, as in “correct=horse+battery&staple!”
This is not unguessable, but it increases the number of guesses an attacker is forced to make. To make a passphrase harder still to guess (at some cost in memorability), consider misspelling the words.
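The following Python is an added example, not code from the WSJ article or from the researchers it quotes. It puts numbers on the passphrase argument: it draws words with the OS CSPRNG and joins them with random separators in the style of Bishop's “correct=horse+battery&staple!”, then computes the entropy and the expected offline cracking time of several schemes, including the predictable “dictionary word plus a digit” pattern from the list above. Assumptions not in the article: the 7,776-word Diceware list size, a 100,000-word cracking dictionary for the predictable pattern, the constructed sample word list, and the billion-guesses-per-second offline rate the article cites later.

```python
import math
import secrets

DICEWARE_WORDS = 7776                # size of the standard Diceware list (only the size matters)
PRINTABLE_ASCII = 95                 # 26 + 26 + 10 + 33, as in the article
COMMON_DICTIONARY = 100_000          # assumed size of a cracker's word list
GUESSES_PER_SECOND_OFFLINE = 1e9     # the article's offline cracking rate

# Constructed word list for the demonstration only; use a real list in practice.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "glacier", "pepper",
                "lantern", "orbit", "velvet", "cactus", "meadow", "copper"]
SEPARATORS = "=+&!-_."


def entropy_bits(choices_per_symbol: int, symbols: int) -> float:
    """Entropy of `symbols` positions each drawn uniformly and independently
    from `choices_per_symbol` options: log2(choices ** symbols)."""
    return symbols * math.log2(choices_per_symbol)


def passphrase_entropy_bits(words: int, wordlist_size: int,
                            separator_choices: int = 1) -> float:
    """Entropy of `words` random words joined by `words - 1` random separators.
    With a single fixed separator the separators add nothing (log2(1) == 0)."""
    if words < 1:
        raise ValueError("a passphrase needs at least one word")
    return entropy_bits(wordlist_size, words) + entropy_bits(separator_choices, words - 1)


def generate_passphrase(words, count: int, separators: str = SEPARATORS) -> str:
    """Draw `count` words (with replacement) from the OS CSPRNG and join them
    with randomly chosen separators. The entropy comes from the random draw;
    picking the words yourself, or from a lyric, is what destroys it."""
    if count < 1:
        raise ValueError("a passphrase needs at least one word")
    chosen = [secrets.choice(words) for _ in range(count)]
    out = chosen[0]
    for word in chosen[1:]:
        out += secrets.choice(separators) + word
    return out


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Average brute-force time: an attacker searches half the space on average."""
    return 2.0 ** (bits - 1) / guesses_per_second


def compare_schemes() -> dict:
    """Entropy (bits, rounded) and expected offline crack time (seconds) per scheme."""
    schemes = {
        "8 random printable ASCII chars": entropy_bits(PRINTABLE_ASCII, 8),
        # Leading capital and trailing digit are predictable, so only the word
        # choice and the digit contribute.
        "dictionary word, capitalised, plus a digit":
            entropy_bits(COMMON_DICTIONARY, 1) + entropy_bits(10, 1),
        "4 Diceware words": passphrase_entropy_bits(4, DICEWARE_WORDS),
        "5 Diceware words": passphrase_entropy_bits(5, DICEWARE_WORDS),
        "5 Diceware words, random separators":
            passphrase_entropy_bits(5, DICEWARE_WORDS, len(SEPARATORS)),
    }
    return {name: (round(bits, 1), expected_crack_seconds(bits, GUESSES_PER_SECOND_OFFLINE))
            for name, bits in schemes.items()}


if __name__ == "__main__":
    print(generate_passphrase(SAMPLE_WORDS, 5))
    for name, (bits, seconds) in compare_schemes().items():
        print(f"{name:45s} {bits:5.1f} bits  ~{seconds:.3g} s at 1e9 guesses/s")
```

Four random Diceware words (about 51.7 bits) sit just under an eight-character random string (about 52.6 bits), and a fifth word or random separators pushes well past it; the capitalised-word-plus-digit pattern falls in under a millisecond at the article's offline rate.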
Hackers Have Secret Ways Of Gaining Access To Online Accounts
Malware installed on someone’s computer collects passwords by recording keystrokes, while phishing tricks users into handing over account information. In those cases password strength is irrelevant. Here's where it matters:
- Online, when hackers attempt to log into websites by guessing
- Offline, when they try to decipher lists of stolen account information
Online guessing is very common: across all online services it’s easy to talk about hundreds of millions or billions of guessing attempts a day. But after too many failed attempts on any one account, most service providers block the effort by temporarily locking the account. It's better for hackers (though more difficult) to steal a password file and work on it uninterrupted. Working offline, a hacker with a powerful computer can run a billion guesses per second against a fast hash, which is why the size of the search space matters so much.
- To protect users, websites should never store passwords as plain text. The standard approach stores a one-way hash of each password (a function with no key that could reverse it) together with a salt (a random value stored alongside the hash and mixed into it). Because an attacker with the stolen file is limited only by how fast the hash runs, the hash should also be deliberately slow; purpose-built password hashes such as bcrypt, scrypt and Argon2 are designed for exactly this.
- Salting makes otherwise identical passwords look different once they are hashed, so cracking one common password doesn’t hand hackers every account that reused it, and precomputed tables cannot be applied to the whole file at once. If passwords are stored in plain text, password strength is moot.
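The following Python is an added example, not code from the article or from any site it discusses. It contrasts the two storage schemes in the bullets above and both places where guessing happens: an unsalted fast hash versus a per-user salted scrypt hash, an online login that locks the account after repeated failures, and an offline dictionary attack on a constructed three-account leak in which two users chose “123456”. The policy numbers (five failures, a 15-minute lock, scrypt with N=2**14) and the user names, passwords and word list are assumptions constructed for the demonstration.

```python
import hashlib
import hmac
import os
import time

# Assumed parameters: scrypt with N=2**14, r=8 costs about 16 MiB and tens of
# milliseconds per guess; five failures lock an account for 15 minutes.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
MAX_FAILURES, LOCKOUT_SECONDS = 5, 900


def unsalted_sha256(password: str) -> str:
    """The weak scheme: fast and unsalted, so equal passwords give equal hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_scrypt(password: str, salt: bytes) -> bytes:
    """The recommended scheme: per-user random salt plus a slow, memory-hard hash."""
    return hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                          p=SCRYPT_P, dklen=32)


def make_record(password: str) -> tuple:
    """Fresh 16-byte salt and the verifier derived from it."""
    salt = os.urandom(16)
    return salt, salted_scrypt(password, salt)


class PasswordStore:
    """Salted scrypt verifiers plus a per-account failed-attempt lockout."""

    def __init__(self, clock=time.monotonic):
        self._users = {}         # username -> (salt, verifier)
        self._failures = {}      # username -> consecutive failures
        self._locked_until = {}  # username -> clock time the lock expires
        self._clock = clock      # injectable so the lockout can be demonstrated

    def register(self, username: str, password: str) -> None:
        self._users[username] = make_record(password)

    def login(self, username: str, password: str) -> str:
        """Returns 'ok', 'denied' or 'locked'."""
        now = self._clock()
        if self._locked_until.get(username, 0.0) > now:
            return "locked"
        # Unknown users get a dummy record so the hash cost (timing) is the same.
        salt, verifier = self._users.get(username, (bytes(16), bytes(32)))
        if hmac.compare_digest(salted_scrypt(password, salt), verifier):
            self._failures.pop(username, None)
            return "ok"
        self._failures[username] = self._failures.get(username, 0) + 1
        if self._failures[username] >= MAX_FAILURES:
            self._failures.pop(username)
            self._locked_until[username] = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"


def crack_unsalted(table: dict, wordlist: list) -> tuple:
    """Offline attack on {user: sha256hex}: one hash per candidate word cracks
    every user who chose that word. Returns (found, hashes computed)."""
    lookup = {unsalted_sha256(w): w for w in wordlist}
    return {u: lookup[h] for u, h in table.items() if h in lookup}, len(wordlist)


def crack_salted(table: dict, wordlist: list) -> tuple:
    """Same attack on {user: (salt, verifier)}: the salt forces one slow scrypt
    call per (user, candidate) pair. Returns (found, hashes computed)."""
    found, hashes = {}, 0
    for user, (salt, verifier) in table.items():
        for word in wordlist:
            hashes += 1
            if hmac.compare_digest(salted_scrypt(word, salt), verifier):
                found[user] = word
                break
    return found, hashes


def demo_online_lockout() -> list:
    """Five wrong guesses lock the account; even the right password is refused
    until the lock expires."""
    now = [0.0]                                   # fake clock, advanced by hand
    store = PasswordStore(clock=lambda: now[0])
    store.register("alice", "correct=horse+battery&staple!")
    results = [store.login("alice", g)
               for g in ["password", "123456", "monkey", "princess", "qwerty"]]
    results.append(store.login("alice", "correct=horse+battery&staple!"))
    now[0] += LOCKOUT_SECONDS + 1
    results.append(store.login("alice", "correct=horse+battery&staple!"))
    return results


def demo_offline_attack() -> dict:
    """Constructed leak of three accounts, two of which picked '123456'."""
    users = {"alice": "123456", "bob": "123456",
             "carol": "correct=horse+battery&staple!"}
    wordlist = ["password", "123456", "monkey", "princess", "P@$$w0rd1", "qwerty"]
    weak = {u: unsalted_sha256(p) for u, p in users.items()}
    strong = {u: make_record(p) for u, p in users.items()}
    return {"unsalted": crack_unsalted(weak, wordlist),
            "salted": crack_salted(strong, wordlist),
            "unsalted_duplicates_visible": weak["alice"] == weak["bob"],
            "salted_duplicates_visible": strong["alice"][1] == strong["bob"][1]}
```

Against the unsalted table, six SHA-256 calls expose both users who chose “123456” at once, and the duplicate is visible in the file before any guessing starts. Against the salted table the same six-word list costs ten scrypt calls, each tens of milliseconds instead of nanoseconds, and the two identical passwords look unrelated; online, the lockout turns five wrong guesses into a 15-minute wait, so the attacker's “billions of attempts a day” have to be spread across many accounts rather than aimed at one.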
No one knows what portion of account breaches are caused by password guessing versus phishing or other kinds of attacks, but the message from experts like Dr. Herley and Dr. Bishop is still to aim for password strength. The latest guidelines are meant to make that easier. How will your firm go about following them?
Data Source: WSJ