Kat Jackman

QA.com

Group Communications Manager

Passwords aren’t going anywhere: How to stay safe

With so much in the news about hacking disasters, it's time we all got clued up on what is and what isn't a safe online password.

I had a chat with one of QA's cyber security trainers to find out what he knows. In a nutshell, passwords are not going away just yet, so it's best to try and take guidance on how to try and stop those robots from hacking into the accounts of your workforce.

Last month QA conducted some research and found that nearly 60% of large organisations felt their workforce did not have the right skills to protect themselves from a cyber-attack. Over the next 12 months, organisations are going to focus their investment on end-user and employee awareness and training. Those who are not technical can be easy targets for cyber-attacks such as phishing emails. It is all too easy to be fooled into handing over your log-in details voluntarily when you think you are being contacted by a known supplier or contact, when it is in fact a fake email from a criminal intended to extract valuable data from you and your organisation.

Does the length of a password affect its strength?

A short password is easy to crack. A long one is hard to remember. If you make a long password you can remember – a word and date, for example – it's easy to crack again. Even then, if you invest the effort to come up with – and remember – an amazing password… what about the 99 other places you need passwords? Reuse that good password and you’re back to square one next time Yahoo! gets their database stolen. Or LinkedIn. Or Adobe.

What are the common mistakes when choosing a password?

The point of passwords is to authenticate us: to prove we are who we claim to be. But we are bad at them. We've yet to get details of the Yahoo! hack, but the Adobe hack revealed awful passwords – nearly 2 million of ‘123456’. These are obviously bad. To avoid this, many systems force us to use ‘complex’ passwords. But these can be a fool’s paradise – often ending up as a simple stem word – say, ‘station’ – with a few symbols and numbers at the end: St@tion6!

This would pass complexity checks, but would be cracked in no time: password crackers are onto this. They can run through massive wordlists, try every letter substitution and thousands of number combinations in a few milliseconds. With decent hardware, in an offline attack, it’s possible to run hundreds of millions of guesses per second. Even ‘complex’ passwords are now hackable.

Is an unusual combination of words a good approach?

An approach that had some success was choosing simple words and sticking them together – as popularised by XKCD. For example, making a password of ‘DeskPineappleBicycleBend’. This is better than the example above, but crackers are starting to work on these too. Six or more random words is now recommended, which brings back the ‘how do I remember it’ problem.
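Both weaknesses described above (a stem word dressed up with substitutions and a suffix, and a short run of dictionary words glued together) can be caught before a password is accepted. The following checker is an added example, not code from QA or the article; its wordlist is a constructed handful of words standing in for the large dictionaries a real checker would use, and the 12-character minimum is an assumed threshold, not a figure from the article.

```python
import re

# Constructed mini wordlist for the example; a real policy checker would
# load the same large dictionaries password crackers use.
COMMON_WORDS = {
    "station", "password", "desk", "pineapple", "bicycle", "bend",
    "letmein", "monkey", "dragon", "summer", "welcome",
}

# Common symbol/digit-for-letter substitutions that complexity rules invite.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t", "+": "t"})

def normalize(password):
    """Undo the usual mangling: drop trailing digits/symbols, lower-case,
    reverse leet substitutions. 'St@tion6!' becomes 'station'."""
    core = re.sub(r"[\d\W_]+$", "", password)
    return core.lower().translate(LEET)

def split_words(s):
    """Split s into wordlist words (each at least 3 letters), longest
    match first. Returns the list of words, or None if no split exists."""
    if s == "":
        return []
    for end in range(len(s), 2, -1):
        head = s[:end]
        if head in COMMON_WORDS:
            tail = split_words(s[end:])
            if tail is not None:
                return [head] + tail
    return None

def check_password(password, min_words=6, min_length=12):
    """Return (accepted, reason). Dictionary patterns are tested before
    length, so a short mangled word is rejected for the right reason."""
    stem = normalize(password)
    if stem == "":
        return False, "nothing left once digits and symbols are removed"
    if stem in COMMON_WORDS:
        return False, f"dictionary word '{stem}' with substitutions/suffix"
    words = split_words(stem)
    if words is not None and len(words) < min_words:
        return False, f"only {len(words)} dictionary words: {'+'.join(words)}"
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"  # assumed threshold
    return True, "no dictionary pattern detected"

if __name__ == "__main__":
    for candidate in ["St@tion6!", "DeskPineappleBicycleBend", "ooh!sU,yMAMA2&ydd!"]:
        print(candidate, "->", check_password(candidate))
```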

So, what is the formula for a safer password?

An approach suggested by Bruce Schneier is to choose a phrase that has meaning and use that to form your password. Let’s say you’re a fan of 2000s pop duo Daphne and Celeste. Their top hit memorably instructed: “Ooh stick you, your mamma too, and your daddy.”

Easy to remember. Just taking the first letters of each word, you could get a password along the lines of: osyymtayd – not great, but with a little imagination, this could easily become: ooh!sU,yMAMA2&ydd!

Something like this can be genuinely tricky to crack. It’s not close to any dictionary words, not trivial to guess, and at 18 characters is long enough that brute force (trying every combination) should take at least a few decades. Great. Except that coming up with one of these for each thing you use – and remembering which is which – is going to be tricky again. Making strong passwords is easy – making strong passwords you can remember is hard.

How can passwords be stored safely?

Many serious security people now talk about password managers. A password manager is a secure vault where all passwords can be safely saved, encrypted using a ‘master key’. Provided that master key is strong, then the passwords should be safe. Yes, there are risks, but vaults work well enough for banks.

Probably the most well-known password manager is LastPass – a popular cloud-based service. For those who can’t quite trust the cloud with all the keys to the kingdom, KeePass is a popular choice. PasswordSafe also has a strong reputation.

Modern password managers can store all your passwords, either in a file or in the cloud. Some have found ingenious ways of avoiding storage altogether. Most will automatically generate random, hard-to-crack passwords for you to use. So now you can use strong, genuinely secure passwords everywhere – without limiting yourself to just the things your poor old brain can remember!

Weak passwords are bad. Password reuse is worse. Writing them on a Post-it note stuck to your screen is probably the worst. A good password manager lets you use a different, strong password for every site, without ever writing them down for anyone to find, and without running into the human memory problem.

Instead, you can pour all your efforts into your one strong master password. Use your imagination. Pour your heart into this one. It just might be the last one you ever need.

Anything else to add?

Security is never ‘fixed’. Nothing is perfect. There are still risks and always will be. But a good password manager with a strong master password and steps to ensure that isn’t compromised – this seems to be about as good as it gets for now.

Ah, roll on reliable, usable biometrics!

For official cyber security training for your entire workforce, head over to our website for information about end-user cyber security training with QA.

www.qa.com/cyber 
