Passwords protect all of your online life and using weak or duplicated passwords can leave you facing huge risks when it comes to security. 2 factor authentication and password managers provide easy ways to greatly increase your security online.
Weak Passwords
One of the biggest problems with passwords is that we humans need to be able to remember them. To make passwords easier to remember, especially given how many the average user now has, we make them simpler. As passwords become simpler it becomes exponentially easier for a computer to crack them. This is mainly because there are fewer possibilities to guess in a brute force attack, where a PC simply tries as many combinations as it can until it guesses the right one. It also means that even if an attacker only manages to get hold of an encrypted or hashed version of your password, it greatly reduces the amount of time needed to crack the hash using tools like Rainbow Tables. This isn't just related to the length of your password (the longer it is the better) but also to what your password is composed of. Using words that can be found in the dictionary is generally a bad move when it comes to making a password, even though it makes it easy for us to remember.
This great website can show you just how strong your password is and you can also see just how easy it is to make your password incredibly strong. Whilst no password strength meter can ever be totally accurate, they are a great guide. If you double the strength of your password, you make it twice as hard for an attacker to crack it. Whether that takes it from 10 days to 20 days or 100 days to 200 days all depends on the attacker and their capabilities, but the fact remains it will be twice as hard for them.
Try out a few passwords on the site and see how they stack up. It goes without saying you should never use one of your actual passwords because you should never trust any site unless you have to. Just try some out and see how strong they are.
scotthelme - 9 hours to crack
ScottHelme - 1 year to crack
ScottHelme1234 - 98 million years to crack
[email protected] - 157 billion years to crack
The estimates here are based on the hardware capabilities of your average desktop PC and are for a brute force attack where an attacker would try guessing all possible passwords until they found the right one. If an attacker had access to some considerably more powerful hardware, which is very easy to come across with services like Amazon's EC2, and they were to use more sophisticated attack vectors, these times could be slashed to fractions of what they are. The idea is simply to show you how easy it can be to increase the strength of your password.
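The arithmetic behind estimates like these, as an added example that is not code from the strength-meter site: each character class in use widens the alphabet, and each extra character multiplies the search space by the alphabet size. The rate of 4 billion guesses per second is an assumption (the page does not state one); at that rate the first three passwords listed above come out in line with the quoted figures. It models exhaustive search only, so dictionary words fall faster than it suggests.

```python
import string

GUESSES_PER_SECOND = 4_000_000_000  # assumption, not stated on the page
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Character classes an exhaustive search must cover once one member appears.
# Characters outside these four ASCII classes are ignored by this model.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def alphabet_size(password: str) -> int:
    """Size of the smallest alphabet covering every class the password uses."""
    return sum(len(c) for c in CLASSES if any(ch in c for ch in password))


def keyspace(password: str) -> int:
    """Number of candidates of the same length over that alphabet."""
    return alphabet_size(password) ** len(password)


def seconds_to_exhaust(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return keyspace(password) / rate


def describe(password: str) -> str:
    """One-line summary: alphabet size and worst-case search time."""
    secs = seconds_to_exhaust(password)
    years = secs / SECONDS_PER_YEAR
    span = f"{years:,.0f} years" if years >= 1 else f"{secs / 3600:.1f} hours"
    return f"{password!r}: alphabet {alphabet_size(password)}, {span}"


if __name__ == "__main__":
    for pw in ("scotthelme", "ScottHelme", "ScottHelme1234"):
        print(describe(pw))
    # Ten times the hardware only divides the time by ten...
    print(seconds_to_exhaust("ScottHelme", GUESSES_PER_SECOND * 10) / 3600, "hours")
    # ...while one extra character multiplies it by the alphabet size.
    print(keyspace("ScottHelmeX") // keyspace("ScottHelme"))
```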
Even if an attacker only managed to get hold of the hashed version of your password, that is the version that is securely stored in a database, it can still be incredibly easy to break a weak password. Sites like CrackStation can demonstrate just how easy this is and you may even find this shocking. Head to their website and paste these password hashes into the field, fill out the Captcha and click the Crack Hashes button.
Congratulations, you just cracked some passwords! Admittedly these are only MD5 hashes, and they aren't salted, but CrackStation can run the same attack against any unsalted password hash for many much stronger hashing algorithms. The simple fact is that so many websites still operate such poor security that an attacker will always target the low hanging fruit. If they do manage to grab your password from a website with poor security they're going to be hoping you've used the same password somewhere else, which takes me nicely to my next point.
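Why unsalted hashes fall to a lookup, and what a site should store instead, as an added example (not code from CrackStation or from this blog). The wordlist, user names, passwords and iteration count are constructed for illustration, and PBKDF2 is used here as one example of a salted, deliberately slow key-derivation function.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny wordlist standing in for a precomputed
# table, and two users who happened to pick the same weak password.
WORDLIST = ["123456", "password", "letmein", "qwerty"]
USERS = {"alice": "letmein", "bob": "letmein", "carol": "Vq7#tR2m!zLp0xWd9sKe"}
ITERATIONS = 200_000  # assumed work factor for this example


def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup(words):
    """Hash every word once; the table then answers any number of lookups."""
    return {md5_hex(w): w for w in words}


def store_unsalted(users):
    """Weak storage: one fast, unsalted hash per user."""
    return {name: md5_hex(pw) for name, pw in users.items()}


def store_salted(users):
    """Stronger storage: random per-user salt plus a slow key derivation."""
    records = {}
    for name, pw in users.items():
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)
        records[name] = (salt, digest)
    return records


def verify_salted(record, password: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def recovered_by_lookup(stored, table):
    """Which stored hashes appear in the precomputed table?"""
    return {name: table[h] for name, h in stored.items() if h in table}


if __name__ == "__main__":
    table = build_lookup(WORDLIST)
    print(recovered_by_lookup(store_unsalted(USERS), table))  # alice and bob
    salted = store_salted(USERS)
    print(salted["alice"][1] != salted["bob"][1])  # same password, different records
```

The long random password survives the lookup even in the unsalted store, which is the point of the sections that follow: the site's storage is outside your control, but the strength and uniqueness of your password are not.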
Password Reuse
Another major concern when it comes to online security is the reuse of passwords. Because passwords can be difficult to remember, and because there are so many to remember, people often use the same password on multiple sites. This represents an incredibly huge risk because if an attacker did manage to gain access to your password, the first thing they would generally do is visit a lot of common websites and try to log in with your email and the password they have obtained. If you do use the same password on multiple sites, and one was breached revealing your password to an attacker, just have a think where else they could go and log in using that password. You might not be concerned that your account on Facebook is compromised but could they now go and log in to your emails, eBay, PayPal, Amazon? The real kicker here is your email account. If an attacker targets a site and obtains your password, and they can then log in to your email account, they can reset your password for pretty much any website where you have an account by using the password reset feature. That could be a disaster. The obvious and only way to prevent this from happening is to not use the same password again on any website.
2 Factor Authentication
2 factor authentication is a feature that adds an additional layer of security to the login process, requiring more than just a username and password from the user. Many big sites including Facebook, Google, Twitter and Hotmail now have the option to use 2 factor authentication. When you log in using your username and password you are then required to enter a unique code, almost like a PIN number. This code is either sent to you in a text message when you try to log in or there are apps like the Google Authenticator that will generate one for you when you open it. You link your phone number or the app to the service when you enable 2 factor authentication and from that point on you must use it every time you log in. This means if an attacker managed to obtain your password, once they try to log in they would also need access to your phone, preventing them from accessing your account.
To enable 2 factor authentication for Twitter simply navigate to your account settings from your PC and locate the 'Login Verification' section:
For Facebook, again from your PC, open Account Settings from the Settings menu in the top right and enable Login Approvals under the Security section:
To enable 2 factor authentication for your Google account, click on your profile picture in the top right and select Account. From there select Security and then enable 2-step verification:
Last but not least, Hotmail (Outlook/Microsoft account). Again click your profile image in the top right and click Account Settings. Select Security Info and you can set up two-step verification for your account.
Whilst it does add a slight amount of inconvenience to the login process it makes it incredibly difficult for an attacker to break into your account. Whilst they can steal your password from anywhere in the world, gaining access to your phone is a whole other ball game. That and if they did get access to your phone you have a pin/password on that too, right?... You should also disable the message preview on the lock screen or status bar. On most phones when you receive a message you can still read some/most of it from the lock screen in the form of a notification. Now you're going to be receiving security codes via SMS it's worth enabling the privacy feature to prevent people from reading them as they arrive!
For Android you can normally open your SMS app and hit the menu button to look for your settings. You then want to disable the preview of a message on the lock screen or status bar.
For iOS devices go to Settings -> Notifications -> Messages and disable 'Show Preview'.
As an additional help in situations where you don't have signal or can't receive a text message you can use the Google Authenticator app. This app is not just for Google accounts and can tie in to different accounts like your Hotmail/Outlook to generate login verification codes. When you open the app you are presented with a security code to use when prompted during login. The code can only be used once and has a short validity period.
Just download the app and then during the 2 factor authentication setup process, if they support authenticator apps, you will be presented with a QR code that you can scan with the app!
Password Manager
Another great way of protecting your passwords is to use a password management program. I have been using Password Safe for a while now and have to say I'm very impressed. Originally created by Bruce Schneier, who literally wrote the book on cryptography, it offers great security for all of your online passwords.
The basic idea is that the password safe stores all of your passwords for everything. To gain access to the safe requires your master password. This has to be a very strong and long password but it is the only one you need to remember. Once you insert your master password you can simply right click and copy your other online passwords and paste them in to the login fields for each site. The major advantage here is that because you don't have to remember each and every password, they can be very complex and very long but crucially, they can all be unique. This greatly increases your security as it makes it much harder for an attacker to crack your password due to the added complexity. Even if they do crack it or otherwise gain access to it, it will only work on the one website where it was used and nowhere else because it is unique!
Password Safe also has an associated iOS and Android app so you can export a copy of the password safe and then import it on your mobile device. This means you can have access to all of your accounts anywhere you go and still maintain excellent password security. For that ultimate peace of mind you can upload your password safe to a cloud storage site like DropBox or Google Drive and have access to it anywhere you might need it or in a disaster scenario like a major data loss.
To create your own password safe first download and install Password Safe. Once you're ready launch Password Safe and click New:
Select a location and name for your Password Safe file and click Save:
Now for the most crucial part of the process, the combination to your safe. This needs to be very long, contain upper and lower case letters, numbers and symbols. This is the only password you will need to remember from this point so don't worry, just make it strong!
Now your safe has been created the first thing you should do is alter the default password policy to make the password generator create even stronger passwords, because stronger is better, right?! Click Manage, then Password Policies, select the Default Policy and hit Edit. Increase the password length to 20:
Now that the password generator is set up to create some really strong passwords you can go ahead and create your first entry. Fill out the Title, which is generally the site where you will use this password, your Username for that site and then hit Generate followed by OK:
Now that your new Facebook password has been generated you need to go and log in to Facebook and change your existing password to your new strong password. Simply right click the Facebook entry and "Copy Password to Clipboard" so you can paste it in when you change the password. This is also the same method that you will use to log in, simply copy and paste the password so you don't ever need to remember it!
If you have a lot of online accounts and passwords to manage like I do then you can use the groups feature and break your accounts down into email, social media, banking or however you see fit. This prevents you having to scroll through a huge list of passwords!
Now all you need to do is create a new password entry for each site you use and change the password to the one managed by Password Safe. This really doesn't add too much inconvenience to the login process of sites once it's set up. After you've entered the master password for Password Safe, logging in to a site is simply a matter of copying and pasting your password. Once all sites have a strong, unique password you can rest assured that your risk of being compromised has been greatly reduced. Coupled with 2 factor authentication and avoiding the issue of Why You Shouldn't Store Passwords In Your Browser that I covered in a previous blog, your online security is now much, much better.