With the continued exposure of hacking and security breaches in the news, it seems that nobody is protected from being hacked and that even professional hackers are not immune when it comes to using poor passwords. So what makes a good password?
There are numerous guides on how to create a good password. From the method of using familiar phrases that select the first initial and lengthen the phrase with characters and punctuation, to the “correct horse battery staple” method. With the power of hardware continually advancing it is becoming easier for attackers to crack passwords more quickly, even using purely brute force attacks.
Passwords are converted into hashes using a variety of cryptographic functions. The purpose of these functions is to prevent the results of the encryption being converted back into the original plain text word or phrase. In the case of a security compromise each hash would have to be reverted to the plaintext value.
For instance using the MD5 hash function, values “d0cd793c2bc50fd0e4dd2b3b0db1fcb3” and “6a72c76a9261562bc80d10d6051a6374” would have to be converted to “TNSRocks” and “TNSRocks1” respectively.
General purpose hash algorithms like SHA1, SHA3, and MD5 are built for speed. They aim to handle large amounts of data and convert plaintext into hashes with minimal computation times. These properties make them favorable to attackers who are able to try several billions of hashes each second. The faster the hashing algorithm, the more it is viable to this type of attack.
In contrast, the slow hashes, like SHA512, considerably increase the amount of complexity and reduce the number of guesses to a few thousand per second, making them harder to exploit using brute force attacks.
Professional crackers use several methods to defeat encrypted phrases. The basic methods use brute force attacks on smaller strings to try every possible combination of characters from “a” to “z”; generally up to 6 characters or less as the computational time exponentially increases with each additional character and larger sizes can take days, weeks or longer to crack.
Lists of plain text passwords which contain deciphered hashes for commonly used passwords like “123456”, “password”, “qwerty”, “ninja” and “abc123”, or more complex phrases like “1@ml337”, “p@$$w0rd” and “pass!word1” are also used. Combinations with slightly different words combining words or phrases like “hero8dad2015!” or “meanwhileback@theranch!” which are easy to remember but also less challenging to crack are used as well.
Ultimately attackers use more sophisticated tools that give insight to patterns within the hashes. They apply specifically tailored rule sets which utilize knowledge of the requirements used to generate the passwords and use statistically derived patterns using mathematical systems such as Markov chains. Empirical behavior methods are also exploited; knowing that many passwords start with an uppercase character and end with a number or symbol.
So what can we do? Ultimately there is no secure password. The best we can do is make it as difficult as possible for attackers to compromise our passwords for the longest amount of time.
To that end, the answer is to use truly randomized passwords which are of considerable length. Using truly randomized passwords reduces the exploitation from hash dictionaries and increases the time required for a brute force attack to be successful.
An effective truly randomized password needs to:
- have a minimum of 12 characters
- contain upper and lower case letters
- contain symbols and numbers
- have no discernable pattern or meaning
Many password managers are now available and are making this process easier. They facilitate creation of random passwords with a number of selectable criteria; length, upper, lower, numeric and special characters.
The most important criteria with password managers is to have a long truly randomized master password and use uniquely generated passwords for every application.
Do you need help auditing or enforcing secure passwords for your organization? Give TNS a call today.
Categories: Managed Security Services, Managed Service Provider, MSP Blogs
