Passwords are a sensitive topic among IT personnel. They are one of the most important pieces of information for any user, because they give us access to our accounts, files, and devices. Having said that, passwords are in most cases very easy to guess. Hey, “123456”: you're not fooling anyone. In fact, in a recent study performed by Passlo, “123456” was the most used password by the FTSE 100 of the London Stock Exchange in the UK.
And to no surprise, “password” was in second place. Why? Because we’re lazy, and we don’t know better. There is no “password crash course” in our school system, and most of our password knowledge has been learned by following certain rules and guidelines provided by our own devices and services. And of course, most of us don’t even care about the consequences. Why do I have to care about my email password if I don’t have a bank account and I stash my money under the mattress?
A savvy hacker can get into your email account and, based on research of your emails, learn your address, social security number, and even the names of your friends and family. Having all that information is critical: a social engineering attack may leave you without money even if you don’t believe in banking.
So, let’s delve into the consequences of having bad passwords, what exactly a bad password is, and how to defend ourselves against any attacker: man or machine.
Why a secure password is a good idea
Computer devices and systems are fundamentally built with digital doors to access or use them, and passwords are usually the keys to those doors. Of course, nowadays we use a huge amount of computer devices, from PCs, phones, and home appliances, to machines and servers in the workplace. Most of those machines are connected to the internet and to each other, sometimes in ways that are hard to explain in layman's terms.
Passwords are important because they secure these doors that protect key aspects of our lives. Our bank accounts have passwords: if a hacker gets them, our money is in danger, or our credit cards can be used in fraudulent ways. Our email has a password: a malicious actor can wreak havoc as we said earlier, searching for useful information that can be used to commit fraud, to attack another person using social engineering, or even using your social security number to open accounts in your name.
Our computers, especially when we have admin accounts, aren’t safe either. Admin or root access to a machine can be used for a huge number of malicious purposes. A hacker may install whatever he wants on your device, such as malware, and encrypt your files to hold them hostage in a ransomware attack. A hacker can also install a keylogger: an app that records everything you type in, including your ‘other’ passwords and private conversations. As you may have deduced by now, a single key –the ‘unimportant’ password of your computer or mobile phone– may be able to hand the entire keychain to a hacker.
The cherry on top of the security mistake sundae is using the same password for everything –akin to having 25 copies of the same key to open every door in your house.
According to most security researchers, there are two ways to know with certainty when a password is bad: when it’s easy for a computer (or a human) to guess it, and when it’s hard for a person to remember.
Brute force and dictionary attacks
There are a lot of ways for someone to obtain your passwords, such as phishing or social engineering. However, when a hacker doesn’t have much control –or doesn’t know that much about you– he will use tools to decode your password, commonly known as crackers. This is software specially designed to break in using a method called “brute force”: try as many combinations of numbers and letters as possible until you get a match.
A brute force attack can be time consuming for a machine, but yields successful results.
Cracking a password is made easier by one of the first mistakes of any computer user: using a common word in your password. Almost every professional cracking tool makes use of a wordlist or a list of default passwords. This method is called a “dictionary attack”, and it’s very easy to get positive results with it. Remember how common “123456” was? The same can be said about “password1”, “qwerty”, “secret”, “nothing” and “admin”. A lot of combinations of letters and numbers can also be found in this Wikipedia article that collects data from several data breaches.
Common algorithms to encode your password are also dangerous, such as spelling your password backward, using leetspeak or internet slang, and even interleaving words (e.g. “swtaarrs”). Most dictionary attacks have some of these techniques in mind when trying to break into your accounts.
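The transformations described above (common words, leetspeak, reversed spelling, interleaving) are exactly what a cracker's rule set undoes, so a defender can check a candidate password the same way before accepting it. The following is an added example, not code from the original post: a small Python checker that normalizes a password back to the plain words it might have been built from and looks them up in a wordlist. The wordlist and the substitution table are constructed for the example; a real checker would load a file of millions of breached passwords.

```python
import re

# Constructed mini wordlist standing in for the breached-password and
# dictionary lists that cracking tools ship with (assumption for the example).
WORDLIST = {
    "123456", "password", "qwerty", "secret", "nothing", "admin",
    "1q2w3e4r", "liverpool", "star", "stars", "wars", "mochi",
}

# Common leetspeak substitutions, mapped back to the letter they replace.
LEET_TO_LETTER = {
    "4": "a", "@": "a", "3": "e", "1": "i", "!": "i", "0": "o",
    "$": "s", "5": "s", "7": "t",
}


def undo_leet(pw):
    """Map leetspeak characters back to plain letters ('p4$$w0rd' -> 'password')."""
    return "".join(LEET_TO_LETTER.get(ch, ch) for ch in pw)


def strip_decoration(pw):
    """Drop leading/trailing digits and symbols ('password1!' -> 'password')."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", pw)


def deinterleave(pw):
    """Split a string into the two words an interleave would have merged
    ('swtaarrs' -> ('star', 'wars'))."""
    return pw[0::2], pw[1::2]


def base_forms(pw):
    """Every plain-word form a cracker's rule set would derive from this password."""
    lower = pw.lower()
    plain = undo_leet(lower)
    forms = {
        lower,
        plain,
        lower[::-1],            # spelled backward
        plain[::-1],            # leetspeak, then spelled backward
        strip_decoration(lower),
        strip_decoration(plain),
    }
    return {f for f in forms if f}


def weakness(pw, wordlist=WORDLIST):
    """Return a short reason the password is weak, or None if no rule matched."""
    lower = pw.lower()
    if lower in wordlist:
        return "in wordlist"
    if len(pw) < 8:
        return "too short"
    for form in base_forms(pw):
        if form in wordlist:
            return f"wordlist entry after undoing a common transformation: {form}"
    a, b = deinterleave(undo_leet(lower))
    if a in wordlist and b in wordlist:
        return f"interleave of two wordlist entries: {a} + {b}"
    return None


if __name__ == "__main__":
    for candidate in ["123456", "p4ssw0rd", "drowssap", "Password1!",
                      "swtaarrs", "TppcJii#6MS!Gp"]:
        print(f"{candidate!r}: {weakness(candidate)}")
```

Every rule here is cheap for an attacker to apply, which is why a password that only survives one of them ("p4ssw0rd", "drowssap") buys almost nothing; only the last candidate, built from a sentence rather than a word, comes out clean.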
Public and private information
Let’s face it: everyone has had a password with their home address, their birthdate, or the name of a relative. We can’t stress enough how unsafe these passwords are. A person with some knowledge of you may be able to guess your passwords without even trying or using any of the software described above.
Social media can be dangerous too. Sites like Facebook hold and make public information that can help a hacker guess data you may have used in your passwords. For example, if I was born in 1990, there is a chance that any 4-digit PIN that I have could be “1990”, or “0831”, for my month and day of birth.
We should also emphasize that password hygiene calls for secrecy. Don’t disclose your passwords to friends and family. When you’re typing your password, don’t let anyone watch it or record it. If you think your password is compromised, change it immediately.
The other side of the spectrum is a password like this: “zX7dhbo02Tns1iYpaW8”. A beautiful, uncrackable password, but so hard to remember that it is unusable.
Another rule of thumb of security professionals: if your password is so hard to remember that you have to write it on a piece of paper, a post-it note, or a notebook, it’s absolutely worthless. A written password is very easy for someone to steal and misuse. The same goes for passwords saved or stored on other devices. The most common case is the person who stores sensitive passwords for their banking or computer on their mobile device, even as photographs. If someone steals your phone, that person suddenly has the keys to the entire castle.
You might as well let the guy in by yourself.
The only case where a password should be that hard to remember is when you use software like a password manager. You could have very hard passwords for all your accounts without needing to remember them. Otherwise, just stick to our advice on having great passwords.
How to have great passwords (and how to keep them secure)
There is a considerable number of techniques to slow down a password cracking process. In theory, the longer and more nonsensical your password is, the better. But as we said earlier, a hard password can be hard to remember, and therefore useless. Use one or several of these techniques to become a master of passwords.
Use a combination of letters, numbers, and symbols
The most common way to add complexity to a password is by replacing some of the characters with numbers. There is a usual replacement of vowels: the letter “a” is replaced with a 4, “e” with a 3, “i” with a 1, and “o” with a 0. Another recurrent replacement is the letter “S” with the “$” symbol.
This is a very basic technique and your password won’t be very difficult to decipher if you’re consistent, so the trick is to randomize it. Try to use words that have two of the same letter, and only replace the first one with a number or a symbol.
Of course, you don’t always have to replace letters, and instead, you can add numbers and symbols to letters as you see fit. Just don’t make your password impossible to remember in the process.
Try an algorithm or invent your own
You can devise a process to modify a word, a phrase, or a sequence of numbers to craft a very strong password. The trick is to remember the algorithm, so you can retrace the steps and always remember it. That way, the attacker needs to know the specific algorithm or combination you created to crack it.
We advise you not to use the same algorithm for all your passwords, though. Here are some examples:
Interlacing numbers and letters. For example, my pet’s name and her birthdate: “0m8o0c5h1i9”. Just steer away from the obvious ones, like “1q2w3e4r”, number 13 on the list of the most common passwords of 2019.
First letters of a sentence. A good and very mnemonic way to create a password. For example: “The pizza place called Joes is in # 623 Main Street! Good pizza” can be translated to “TppcJii#6MS!Gp”, which is gibberish for a machine but makes a lot of sense when you know the sentence. You only need to remember the original phrase –and your own spelling, grammar and punctuation rules– and you’re good to go.
A secret language or argot. This is a technique that could have its own paragraph but, to be fair, almost all secret languages are algorithmic in nature. For example, in Latin America we have a secret language called jerigonza, where you duplicate every vowel in a syllable adding the letter “p” (e.g. “Vamos” is “Vapamopos”, “Caballo” is “Capabapallopo”, and so on). Using a secret language is useful to avoid getting cracked by dictionary attacks, because your password becomes nonsense to a machine. Here’s a useful list of worldwide secret languages.
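The recipes above (first-occurrence-only substitution from the "letters, numbers, and symbols" section, interlacing, first letters of a sentence, and jerigonza) are all small, repeatable algorithms, which is the whole point: you remember the rule and the seed, not the result. The following is an added example, not code from the original post, that implements each recipe as a Python function and reproduces the post's own outputs; the substitution table is the one the post lists, and the "first letter plus trailing punctuation" rule for sentences is an assumption inferred from the “Street!” → “S!” example.

```python
import itertools
import re

# Letter-to-symbol substitutions listed in the post (a->4, e->3, i->1, o->0, s->$).
SUBSTITUTIONS = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "$"}


def substitute_first_only(word, mapping=SUBSTITUTIONS):
    """Replace only the FIRST occurrence of each substitutable letter, so the
    result is not the uniform leetspeak a cracker's rule set already expects.
    'passwords' -> 'p4$sw0rds'"""
    seen = set()
    out = []
    for ch in word:
        key = ch.lower()
        if key in mapping and key not in seen:
            seen.add(key)
            out.append(mapping[key])
        else:
            out.append(ch)
    return "".join(out)


def interlace(first, second):
    """Alternate characters from two strings, starting with the first one;
    whichever is longer supplies the leftover tail.
    interlace('080519', 'mochi') -> '0m8o0c5h1i9'"""
    pairs = itertools.zip_longest(first, second, fillvalue="")
    return "".join(a + b for a, b in pairs)


def first_letters(sentence):
    """Keep the first character of each word plus any punctuation glued to its
    end (assumed rule, inferred from the post's 'Street!' -> 'S!').
    'The pizza place called Joes is in # 623 Main Street! Good pizza'
      -> 'TppcJii#6MS!Gp'"""
    out = []
    for token in sentence.split():
        head = token[0]
        trailing = re.search(r"[^A-Za-z0-9]+$", token[1:])
        out.append(head + (trailing.group(0) if trailing else ""))
    return "".join(out)


def jerigonza(word):
    """Spanish-language 'jerigonza': every vowel v becomes v + 'p' + v.
    'Vamos' -> 'Vapamopos', 'Caballo' -> 'Capabapallopo'"""
    return "".join(
        ch + "p" + ch.lower() if ch.lower() in "aeiou" else ch for ch in word
    )


if __name__ == "__main__":
    print(interlace("080519", "mochi"))
    print(first_letters("The pizza place called Joes is in # 623 Main Street! Good pizza"))
    print(jerigonza("Caballo"))
    # Recipes compose: a secret-language word with a randomized substitution on top.
    print(substitute_first_only(jerigonza("mochi")))
```

Because each function is deterministic, the same seed always regenerates the same password, and the recipes can be stacked (jerigonza first, then a substitution) when one of them alone would still be a recognizable word.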
Use pop culture that can’t be traced back to you
Most of our passwords tend to be things we like to remember, like important dates or movies and musicians we enjoy, which are easy to guess. What if we go the other way around?
Let's say, for example, you’re a girl who likes soccer and stoner rock, and hates pop music and chick flicks. Anyone who’s trying to guess your password using social engineering –i.e. by studying your behavior on social media– would default to your personal taste in music and films, with attempts like “liverpool” or “kyuss01”, and you can fool them just by using passwords like “MeanGirls” or “ILoveLadyGaga”.
Of course, this technique is still vulnerable to a dictionary attack, because you’re using plain, recognizable words. We encourage you to combine this approach with other recipes, like a strong algorithm.
Use a password manager
One safe alternative is to use software that does all the heavy lifting of remembering passwords that are hard to decipher, while creating new ones if needed. Most password managers are very safe, need very little configuration on your devices, and can generate strong, uncrackable passwords for your accounts.
Cybercriminals are always looking for creative and complex ways to get inside our devices, but amidst that complexity and creativity lies a familiar road: passwords. No matter how secure a device is or how many countermeasures it has, if a hacker gets the keys, it’s game over.
We encourage everyone to protect their devices by being smarter. If you think your password is complex, think again. Change all your passwords periodically, be inconsistent, don’t repeat them between accounts and devices, and always think of new ways to improve your password strategy. After all, your security is at risk.