Staying cyber safe online has quickly evolved to being a top priority in our everyday lives. One of the most effective ways that just about anyone can implement is using your own mind. And what I mean by that is educating yourself on what attackers will be looking for when trying to crack your passwords. Being knowledgeable with the latest methods will keep you one step ahead. In part 1, I shared how password creation plays a role in preventing security breaches and provided you with further insight, all from the perspective of an attacker. Now that you are equipped with this knowledge, let’s talk about what you can actually do about.
Pulling Passwords Out of the Hat
First, generate a random string of characters. Password crackers don’t typically operate with a completely random string of characters. For instance, the password “9V3amEyd3Gk*” is unlikely to be cracked using standard methods.
However, no one is going to remember that password. And since we should never reuse a password, we definitely won’t remember 50 different kinds of passwords like that. This is why password managers are recommended. This allows you to generate random passwords that would take potentially millions of years to crack, and you don’t need to remember them. However, speaking from experience, many of our older generations aren’t as comfortable using password managers. Whether that’s because they’re wary of the passwords being stored in the cloud, which they don’t trust, or that they aren’t as comfortable using computers in general, and as simple as it may seem to some people, it may seem daunting to others. This can often result in passwords being written down in books or on sticky notes or even in documents on the computer itself! This should go without saying, but that is not recommended.
If you find yourself in this situation, you might wonder how you can create a strong password that can be remembered. If we look back at entropy, we found that increasing the number of combinations results in a more difficult-to-crack password. If we can’t use randomization, what is our next option? Making longer passwords. Adding special characters or numbers may result in 15-20 additional options for each character. But each character in length adds at least 26 options, and if you also use capitalization, that doubles. This is where we transition from thinking of a “password” to a “passphrase”, something I wish we’d start using to shift the mindset away from short one word passwords to longer and more dynamic passphrases.
How and Why Passphrases Work
With passphrases, you’re able to dramatically increase the entropy of a password. Let’s say you’re a Star Wars fan, and you know that to create a good password it should contain all the things we talked about. So you make your password “S74rW@r5F4N77”. Using password checkers across the internet I get a range of estimates from 22 years to 2 million years to crack that password, sounds great right? There are a few caveats to this. Firstly, these calculators aren’t factoring in the fact that it’s using actual words, and it isn’t factoring in research on the target. If I captured the hash of someone, and I checked their social media to find out they’re a big Star Wars fan, I would create a word list that includes different Star Wars terms. Through standard rule sets, I would end up cracking this password much faster if I do proper research on my target. Even if I didn’t, my standard word list contains “starwarsfan” in its list, which means ultimately I would end up cracking this password, and it would likely only take a day or two.
So what should our Star Wars fan do? Use a passphrase. Use a quote, a motto, something relatively unique and obscure that they will remember because it has some meaning to them. For instance, using ”Iamyourfather” is too common a phrase, and would also be ultimately discovered. Using a quote from your favourite character and then adding our usual adjustments to it may result in something virtually uncrackable. For instance, perhaps your favourite character is Han Solo. At one point he says the phrase “Let’s keep a little optimism here.” Using “Letskeepalittleoptimismhere” as our basis, those same password strength testers from before range from 228 years to functionally the end of the universe. Because we’ve added length, and we’ve used a phrase that is not commonly used or recognized, this password may be as good as a password that is just a random string. If we wanted to further increase it’s capability to not be cracked, we could include the usual special characters, numbers, and capitalization, but unlike other passwords where it has to be almost every letter is changed, you could do something as simple as adding normal special characters that would fit the sentence, and maybe turn keep into k33p to vastly increase the time it would take to crack this password.
Now that we’ve got a passphrase that we know is strong, we can’t use it for every password. This is where I depart from standard recommendations. It’s recommended to never use patterns, because it can functionally be the same as using the same password if the pattern is determined. However, using multiple different ways to make your passwords unique can result in a pattern you recognize, and a pattern an attacker can’t see.
For example, say you’re using our passphrase to sign up for an account on Amazon. You could then use a pattern with the website name itself to fabricate a password. For instance, you can take vowels or consonants and put them into the password, such as “Passwordmzn.” This isn’t bad, and unless an attacker really looks at the password and where it’s from, it may not be discovered, but some websites or applications will be very obvious that this is what’s being done. Another may be that you use the context of the website name to be a clue to the remainder of the digits. Say you’ve got 4 siblings, Jack, Fred, Sarah, and Mary. You could look at Amazon, and see that the first letter that matches the first letter of one of your sibling is M. From there you could then attach her birth year, or full date, or something related to her that you know and remember. For example, it would end up being “PassphrazeMZN1983” This results in a unique password, using a long passphrase that’s meaningful to you and uses a contextual clue that only means something to you.
It’s recommended that you think of your own contextual clue, and you can even have multiple that you apply to each password, further increasing length and adding the number of seemingly random characters to the end of the password, so that should it ever be leaked in plaintext, a malicious actor won’t necessarily be able to use it on other pages.
A final option some people could take advantage of is making their password in a different language. Here in Canada almost all passwords will be in either English or French. If you use a password in an unexpected language, this will also dramatically increase potential cracking time. Even more so if you use an unused language like Latin, or a language with different characters like Korean.
Using these recommendations, you can expand on the above ideas to make your passwords something you always remember, and nearly impossible to crack. Perhaps you have a list of phrases, one you use for commerce sites, one you use for hobby applications, one you use for banking, and one you use for email. This allows you to separate out your different accounts even further, so that in the unlikely event that all our previous steps taken result in both the password being discovered and the pattern being discerned, it results in only that “category” of applications needing to be changed. Lastly, it is always recommended to use Multi-factor authentication, or MFA. This is where you get a notification on another device (typically a cell phone) asking if the person logging in is you. This allows you to control logins and if the password is compromised, you may still block the login.
The Bottom Line
To sum up, use a password manager if you’re comfortable doing so. If you’re not, use passphrases instead of passwords. Choose a passphrase that is meaningful to you, but not something that’s in popular culture, and then spruce it up with your own creativity. As I said from the beginning, I try to think like an attacker. This would definitely ruin my day as an attacker trying to crack passwords.
Author Spotlight: Dan Berry, Offensive Security Consultant
Dan Berry has been the offensive security specialist at IT Weapons for over a year, and is an expert in providing advice from the perspective of an attacker. Dan has been refining ITW’s offensive security offerings to be more efficient and provide a better value to clients, while constantly looking to innovate and provide more complete and valuable information about their security posture.