CREATE A REALLY STRONG PASSWORD: A PEN TESTER’S PERSPECTIVE.
Attackers have figured out how to crack even what you and I think are the toughest passwords. HALOCK pen testers almost always find passwords as a weak spot in every investigation. With so much at stake, it’s a wonder why password safety still isn’t being taken seriously.
In a recent study at Concordia University in Montreal, researchers found that password strength meters are neither accurate nor consistent. Instead of relying on a password checker, follow this list of Do's and Don'ts and your passwords should be stronger.
- Don’t use dictionary words, or common proper nouns (cities, states, etc.) in your passwords.
- Don’t use common defaults (cisco, apple, password, etc.).
- Don’t reuse similar or sequential passwords when it’s time to change. If your last password was compromised (Password1), an attacker has a pretty good idea what you changed it to. Don’t use Password2, Password3, et al.
- Don’t use personal details or other information an attacker could infer by checking your social media page before targeting you. Maiden names, your dog’s name, favorite food, etc. would be examples of passwords that should be avoided.
- Don’t use a character pattern-based password. Anything pattern-based is a common target for brute force attacks. For example, A123!A123!A123!A123!A123! might seem secure, but the pattern can carry through to the hash. Once the first five positions (A123!) are cracked, the rest is already known and merely repeated.
- Don’t use simple character substitution. It might be easy to remember “I always use a zero where the password has the letter ‘O’, as in Passw0rd.” It’s easy to remember, but every password cracking or brute force tool builds these substitutions into its rules as well.
- Do use mixed case passwords. PASSword does not equal password or passWORD.
- Do add numbers (0-9) and special characters (!@#$%^&*) to your passwords for good measure.
- Do use different passwords on different websites and applications. Even the strongest password, if obtained, is a weak spot if you use the same password everywhere (websites, etc.). If any are compromised, they are all effectively compromised at that point.
- Do use long passwords. The longer the password is, the harder it is for a hacker’s tools to guess it. Privileged account passwords should be even longer.
- Do use passphrases. A generally viable approach to remembering passwords is to use a passphrase: “Today, I’m writing an article about selecting good passwords!” could be committed to memory as 2dayI’mWaAaSgP! This passphrase will be easy for you to remember, is long, contains letters, numbers and punctuation, and will be difficult for anyone to guess.
- Do use a random password vault. These generally come with random password generators and can securely store hundreds of passwords without you needing to know or remember what they are.
- Don’t rely solely on passwords for critical systems. Use a second factor of authentication such as RSA tools or Google Authenticator.
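As an added example (not from the original article or HALOCK), the checker below applies the Don’ts above mechanically before accepting a new password: it undoes simple character substitution before the dictionary check, detects repeating units like A123!, and flags Password2 chosen after Password1. The word list and the 12-character minimum are constructed assumptions, not values from the article.

```python
import re

# Constructed stand-in for a real wordlist plus common defaults (cisco, apple, password...).
COMMON_WORDS = {"password", "chicago", "apple", "cisco", "welcome", "summer"}
# Reverse the usual substitutions so Passw0rd / P@ssw0rd are checked as "password".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(pw):
    """Lowercase, drop trailing digits/punctuation (Chicago2024!), undo leet, keep letters only."""
    base = re.sub(r"[^a-z]+$", "", pw.lower())
    return re.sub(r"[^a-z]", "", base.translate(LEET))


def smallest_repeat_unit(pw):
    """Length of the shortest chunk whose repetition forms pw ('A123!' * 5 -> 5); len(pw) if none."""
    for n in range(1, len(pw) // 2 + 1):
        if len(pw) % n == 0 and pw[:n] * (len(pw) // n) == pw:
            return n
    return len(pw)


def is_sequential_change(new, old):
    """True when only a trailing number differs, e.g. Password2 after Password1."""
    m_new = re.fullmatch(r"(.*?)(\d+)", new)
    m_old = re.fullmatch(r"(.*?)(\d+)", old)
    return bool(m_new and m_old and m_new.group(1) == m_old.group(1))


def check_password(pw, previous=None, min_len=12):
    """Return the list of violated rules; an empty list means the password passes every check."""
    problems = []
    if len(pw) < min_len:  # 12 is an assumed threshold; the article only says "long"
        problems.append("too short")
    if normalize(pw) in COMMON_WORDS:
        problems.append("dictionary word or common default (after undoing substitutions)")
    if smallest_repeat_unit(pw) < len(pw):
        problems.append("repeated character pattern")
    if previous and is_sequential_change(pw, previous):
        problems.append("sequential change from previous password")
    classes = [re.search(p, pw) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")]
    if sum(1 for c in classes if c) < 3:
        problems.append("needs mixed case plus digits or symbols")
    return problems


if __name__ == "__main__":
    for candidate in ("Passw0rd", "A123!A123!A123!A123!A123!", "2dayI'mWaAaSgP!"):
        print(candidate, "->", check_password(candidate) or "OK")
```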
Do you have any other tips to share? Feel free to tell us in the comments!
Also, be sure to download a security awareness poster that will remind you to change your password.
Time to check your security controls? Schedule a penetration test.
HALOCK is headquartered in Schaumburg, IL, in the Chicago area and advises clients on information security strategies, risk assessments, penetration testing, security management and architecture reviews, and compliance throughout the US.