The Problem with Passwords!!

Passwords have always been a pain to deal with, and it's a pain that has only gotten worse as our lives become increasingly interconnected with various websites and web apps. 

While the current trend among the tech savvy when it comes to online security is MFA (Multi-Factor Authentication) or Passwordless Authentication solutions, there still seems to be a significant portion of the population that struggles to understand the importance of good password hygiene and how best to manage it. 

I'm hoping this post will help some of those who are still using either weak passwords or the same password and username combinations (including basic variations of the same password) across multiple web logins to understand why it's a bad thing and how using a simple password manager can dramatically increase your online security. 

Weak Passwords vs. Strong Passwords 

A password is generally considered weak if it is too short or easily guessable.   

How short is too short? 

Generally any password less than 8 characters long is considered too short. To understand why this is, check out this simple Password Calculator tool at lastbit.com.

It calculates how long it would take a single, average computer to crack a password of a given length and complexity using a Brute-Force Attack.  A Brute-Force Attack is when the computer runs a program that systematically tries every possible combination of characters and digits until it finds the correct combination that equals the password.    

For example, the image above shows the password length of 5 lowercase characters and 1 computer that can process 500,000 passwords per second, which are the default settings of the Password Calculator Tool at lastbit.com.

To explain how this works, we first need to work out how many possible combinations there are, so we take the number of letters in the alphabet (26) and raise it to the power of 5 (the length of the password).

This gives us a total of eleven million, eight hundred and eighty-one thousand, three hundred and seventy-six possible combinations. 

26^5 = 11,881,376

Since the speed of the computer is set to 500,000 passwords per second, we can divide the number of possible combinations, by the number of passwords the computer can process per second to get the total time it would take for the computer to try every possible combination in a Brute-Force Attack.

11,881,376/500,000 = 23.76

That's less than 24 seconds!!

In reality, most computers can actually process millions of passwords per second.

I ran some benchmarks on my laptop and found it can process around 9 million passwords per second, which brings the total time to brute-force the above example down to less than 2 seconds!!

So now let's see what happens when we change the password length to 8 lowercase characters. 

As you can see, just by increasing the password length by 3 extra lowercase characters, the Password Calculator is now indicating it would take up to 5 days to brute-force the password.  

This time I've added only 1 extra lowercase character, bringing the total length to 9 characters, and it will now take up to 5 months to brute-force the password. 

That's because we now have:

Five trillion, four hundred twenty-nine billion, five hundred three million, six hundred seventy-eight thousand, nine hundred and seventy-six possible combinations. 

26^9 = 5,429,503,678,976 

Adding Complexity

Now that we've seen why longer passwords are a good idea, it's time to talk about complexity. 

In our examples so far, we've only been calculating the time it takes to brute-force passwords made up entirely of lowercase characters. But what happens if we now add complexity instead of length to the password, by including the numbers 0-9?

In this example I've left the password length at 9 characters long, but changed the level of complexity by including the use of numbers from 0-9 as part of the password. 

By doing that we increase our base number from 26 up to 36, so now our calculation looks like this:  

36^9 = 101,559,956,668,416 

That's one hundred one trillion, five hundred fifty-nine billion, nine hundred fifty-six million, six hundred sixty-eight thousand, four hundred and sixteen combinations. 

We've gone from 5.4 trillion to 101.5 trillion combinations just by including numeric digits, and we're now up to 7 years to brute-force the password!!   

So let's do one more example using both upper and lowercase characters and the numbers 0-9 in our 9 character password.  

By adding uppercase characters, we've increased our base number to 62, making our new calculation look like this:  

62^9 = 13,537,086,546,263,552

So there's now thirteen quadrillion, five hundred thirty-seven trillion, eighty-six billion, five hundred forty-six million, two hundred sixty-three thousand, five hundred and fifty-two possible combinations to try and brute-force, which could take up to 871 years!!! 

Hopefully this illustrates the importance of password length and complexity in mitigating Brute-Force Attacks.  

But wait, it's not all beer and skittles yet!  We still need to talk about...    

Easily Guessable Passwords 

Now that you know how to defeat a Brute-Force Attack, I should probably mention that it's usually an attacker's last resort.

As you now know, brute-forcing anything other than the simplest of passwords can be somewhat time consuming, so this is where the Dictionary Attack comes in handy!!  

A Dictionary Attack is similar to a Brute-Force Attack, but with one distinct difference. Instead of iterating through every possible combination of characters until it finds the password, a Dictionary Attack simply tries to guess the password by iterating through a list of words that are known to be frequently used as passwords. 

These lists are commonly known as "Word Lists" and are generally curated by attackers using passwords discovered from data breaches and then shared online.

This approach to cracking passwords is incredibly effective as a lot of people still use everyday words or variations of them as their passwords. One of the most popular word lists that's been around for over a decade is "rockyou.txt".

This was the result of a data breach at a company called "Rockyou" in 2009, when an attacker compromised their user account database and gained access to a list of over 32 million usernames and passwords (the passwords were not encrypted and stored as plain text), and then uploaded them to the internet. The current version of "rockyou.txt" contains over 14 million unique passwords that were used across the 32,603,388 Rockyou accounts and is still frequently used in Dictionary Attacks. 

However, "rockyou.txt" is just one of many word lists that attackers have at their disposal. In 2021, a 100GB text file known as "RockYou2021" appeared on the internet containing 8.4 billion passwords that seemed to be compiled from various other word lists and data breaches, so there's a good chance that your easy to remember password will also be easy to guess during a Dictionary Attack!

The best defense against this type of attack is to use passwords that are made up of random letters, numbers and special characters that DO NOT form any known words.  

For example, "9Ukxdi.Gj5jr^kz,Cd" is definitely not any word that I know, so it's highly unlikely to appear in any word lists, which means it wouldn't be susceptible to a Dictionary Attack. It also has sufficient length and complexity so that a Brute-Force Attack would not be a feasible option either.  
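To make the numbers from the Brute-Force and Dictionary Attack sections reproducible, here is an added Python example (not part of the original post, and not the lastbit.com tool) that infers the character classes from a password the way the calculator's complexity setting does, computes base^length and the worst-case brute-force time at the calculator's default 500,000 guesses per second, and checks the password and a few trivial variations of it against a constructed miniature word list standing in for rockyou.txt. The generator at the end shows the kind of random, word-free password a password manager produces.

```python
import secrets
import string

# Character classes the lastbit.com-style calculator reasons about: each class
# present in the password adds its size to the base of base ** length.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)

# Constructed miniature word list standing in for rockyou.txt (sample data, not the real file).
WORDLIST = {"password", "iloveyou", "princess", "rockyou", "sunshine", "qwerty"}

# Reverse common letter substitutions so "P@ssw0rd" is checked as "password".
LEET = str.maketrans("0143$@!", "oiaesai")


def keyspace(password: str) -> int:
    """Combinations a brute-force search must cover: base ** length."""
    base = sum(len(cls) for cls in CLASSES if any(ch in cls for ch in password))
    return base ** len(password)


def brute_force_seconds(password: str, guesses_per_second: int = 500_000) -> float:
    """Worst-case time to try every combination at the given guess rate."""
    return keyspace(password) / guesses_per_second


def human_time(seconds: float) -> str:
    """Render seconds the way the calculator does: years, days, hours, minutes or seconds."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def in_wordlist(password: str, wordlist=WORDLIST) -> bool:
    """Dictionary-attack exposure: the password, or a trivial variation of it, is in the list."""
    lowered = password.lower()
    stripped = lowered.rstrip(string.digits + string.punctuation)  # drop a trailing "123" or "!"
    variants = {lowered, stripped, lowered.translate(LEET), stripped.translate(LEET)}
    return any(v in wordlist for v in variants)


def generate(length: int = 18) -> str:
    """Random password drawn from all four classes, as a password manager's generator would."""
    alphabet = "".join(CLASSES)
    return "".join(secrets.choice(alphabet) for _ in range(length))
```

Raising `guesses_per_second` to 9,000,000 reproduces the laptop figure from the post, and the years shown for the 62-character base differ slightly from the calculator's because the unit boundaries here are whole 365-day years.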

By now you should have a pretty good idea as to what makes a password weak, along with the dangers of using them.

So now we have one more area to cover when it comes to poor password hygiene...   

Why it's Bad to Re-use Passwords  

Why is it a bad idea to re-use the same password across multiple online logins? 

Well when a data breach occurs on any website or web application where user login credentials (username and password) are stolen, the attacker will often perform a Credential Stuffing attack.

This type of attack uses automated tools to try the stolen credentials on a bunch of other sites to see what other accounts they can gain access to. They do this because they know how often people re-use the same username and password combination as their login across multiple sites.

If you think "It won't happen to me, it only happens to people who are careless", then I'd suggest perhaps taking a moment to check out https://haveibeenpwned.com to make sure it hasn't happened to you yet.

No matter how careful you are with your online activities, you have no way of knowing how secure your data is, once it's stored on someone else's web server. That's why it's vital to create a unique password for each different site that you log into!!

So now that you understand why it's important not to re-use the same password for multiple logins, and why weak and easily guessable passwords are also a bad idea, it's time to talk about ways to avoid doing this in the future...    

Password Managers 

A Password Manager is software that's designed to securely store login credentials in an encrypted database, as well as help with generating strong passwords so you don't have to try and think of them yourself. 

The main advantage of using a password manager is that you only need to remember a single password, the master password.

One disadvantage is that the master password is used to decrypt all of the credentials stored in the password manager's database, so make sure you create a strong master password, then write it down and store it somewhere safe!! Because if you forget your master password, you won't be able to access any of the credentials stored in the password manager!!!   

Using a password manager is fairly straightforward:  

  • You use your master password to log in to the password manager. 
  • You click on a button to add a new entry
  • Fill out the fields in the "New Entry" form: Title, Username, URL and any other relevant information. (See image below)
  • The password manager will probably have prefilled the password field with an automatically generated, unique password. (You can either use this password or replace it with your own). 
  • Then click "Ok" to save.   

 

Next time you need to access those credentials, you simply:

  • log in to your password manager with your master password,
  • search for that entry by the title you gave it,
  • then double click on that entry to view all of its info. 

Once you close the password manager, all of your data is encrypted until you log in with your master password again.

Probably the most difficult part is getting into the habit of using it, but once you do, you'll be glad that you did when you next sign up to a site or service and don't have to try and think of a good password to use. 

Choosing a Password Manager 

When it comes to deciding on a password manager to use, there's quite a few to choose from, including both paid and completely free options.

Other than price, one of the biggest differences you'll find between various password managers is where they store your data. You'll need to decide if you want to store all of your passwords either online or locally on your device. 

Online or cloud based password managers such as Bitwarden, store their data online, which can make it easier to sync and access from multiple devices, however, if you have no internet connection then you have no access to your passwords.

You also need to consider how comfortable you are with storing your passwords on someone else's server. Your database will be encrypted, so the likelihood of anyone gaining access to your data is relatively slim. The greater concern is accidental (or even intentional) deletion or corruption of your data. Once again, the likelihood of this occurring is fairly slim and could just as easily happen if it was stored locally on your machine. 

Password managers that store their data locally, like the popular open source password manager Keepass, mean that you have total control over your passwords; however, they can make it difficult (but not impossible) to sync your data across multiple devices.

When deciding on a password manager to use, always be sure to do your homework. Compare their features and prices and look for reviews from other users to make sure the password manager you choose is going to suit your needs.