
Security Spotlight: Are you opening the door to a cyber-attack?

June 24, 2015
By Scott Rokita

Passwords are one of our most basic lines of defense against a cyber-attack. Unfortunately, most of us do not give them the thought and attention they deserve. These days, a user name and password is required for just about everything we do online, and every site wants you to use one that is somehow unique. Although this can translate into inconvenience later, when we forget which password we used, there are good reasons why this is so important.

There are several different types of attacks used by computer hackers. Two of the most common are brute force and dictionary attacks.

Brute force attacks – “The systematic, exhaustive testing of all possible methods that can be used to break a security system. For example, in cryptanalysis, trying all possible keys in the keyspace to decrypt a ciphertext.” [1]

Dictionary attacks – “A type of brute force method for uncovering passwords and decryption keys. It sorts common words by frequency of use and starts with the most likely possibilities; for example, names of people, sports teams, pets and cars. For greater security, users should not use passwords that could be found in an ordinary dictionary. While a dictionary attack can be done manually by an individual, it is easily done via software and a database with millions of words.” [2]

Both attacks are similar, although there are defining differences. A brute force attack systematically tries every possible combination of the characters allowed in a password. A simple example is a 3-digit, numbers-only password: the list of candidates tried would be 000, 001, 002, 003, 004 … 997, 998 and 999. This attack takes a lot of processing power, but that is far less of an obstacle than it once was.

A dictionary attack draws from a prepared list of passwords instead of trying every possible combination in succession. This generally reduces the number of passwords tried against the target system by a large margin. However, one list found online (available for a suggested donation of $5) includes almost 1.5 billion passwords and contains

“… every wordlist, dictionary, and password database leak that I could find on the internet (and I spent a LOT of time looking). It also contains every word in the Wikipedia databases (pages-articles, retrieved 2010, all languages) as well as lots of books from Project Gutenberg. It also includes the passwords from some low-profile database breaches that were being sold in the underground years ago.” [3]

If you are using any one of the words or phrases on this list as your password, you are making things way too easy for hackers.

If you’re like me, you are annoyed that you have to use a different password for each of your accounts (hundreds of them, so it seems). But we all know that if you use the same password for some or all of these accounts and one is compromised, it could be a disaster. If your Facebook password is the same as your bank password, you are entrusting the security of your banking information to Facebook, and taking an unnecessary risk.

Here are 25 of the most frequently used passwords (which means the worst!) from 2014 according to ITProPortal: [4]

1. 123456
2. password
3. 12345
4. 12345678
5. qwerty
6. 1234567890
7. 1234
8. baseball
9. dragon
10. football
11. 1234567
12. monkey
13. letmein
14. abc123
15. 111111
16. mustang
17. access
18. shadow
19. master
20. michael
21. superman
22. 696969
23. 123123
24. batman
25. trustno1

If you recognize one of the above as one you are currently using, change it now! But what to change it to?

A strong password is a long one: as long as you can tolerate or remember. The longer the password the better, with a best practice recommendation of 22 characters. Passwords should also be a mix of letters (lower and upper case), numbers, and symbols.
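As an added example (not part of the article), the keyspace arithmetic behind the 3-digit brute-force illustration above, together with a policy check that applies the advice in this post: reject anything on the 25-worst list, anything too short, and anything drawn from too few character classes. The guess rate passed to `seconds_to_exhaust`, the 8-character default (taken from the USA Today rule quoted below) and the use of Python's 32-symbol `string.punctuation` as the symbol class are assumptions.

```python
import string

# Blocklist built from the 25 most common passwords of 2014 listed in the article.
COMMON_PASSWORDS = {
    "123456", "password", "12345", "12345678", "qwerty", "1234567890",
    "1234", "baseball", "dragon", "football", "1234567", "monkey",
    "letmein", "abc123", "111111", "mustang", "access", "shadow",
    "master", "michael", "superman", "696969", "123123", "batman", "trustno1",
}

# Character classes and their alphabets; string.punctuation has 32 ASCII symbols.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}

def keyspace(alphabet_size, length):
    """Candidates a brute-force search must cover for one fixed length
    (10 digits, length 3 -> 1000: the 000..999 list from the article)."""
    return alphabet_size ** length

def seconds_to_exhaust(alphabet_size, length, guesses_per_second):
    """Worst-case time to try the whole keyspace at an assumed guess rate
    (the rate is a parameter you supply, not a measured figure)."""
    return keyspace(alphabet_size, length) / guesses_per_second

def classes_used(password):
    """Names of the character classes that actually appear in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}

def effective_alphabet(password):
    """Size of the smallest standard alphabet covering the password; this is the
    base an exhaustive search would have to enumerate for each position."""
    return sum(len(CLASSES[name]) for name in classes_used(password))

def check_password(password, min_length=8):
    """Reasons a password fails the article's advice; an empty list means it passes."""
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the most-common-passwords list")
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(classes_used(password)) < 3:
        problems.append("uses fewer than three character classes")
    return problems
```

Raising `min_length` to 22 turns the check into the best-practice policy the paragraph above recommends.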

USA Today published an article on May 15, 2015 that may give you some ideas for creating your own strong passwords:

“1. It has to contain a random collection of letters (uppercase and lowercase), numbers and symbols

2. It has to be at least 8 characters or longer

3. You must use a unique password for every different account

That's a tall order. While something like "Tl|_|,BwwB2R" is really strong, it isn't easy to remember. Or is it? Let me show you how I came up with it.

Start by thinking up a random sentence. You can use a catch phrase, quote or even a song lyric. I chose a lyric from one of my favorite Bruce Springsteen songs: "Tramps like us, baby we were born to run."

I took the first character from each word to get "tlu,bwwbtr". Not bad, but it could be better. So, I added some symbols in place of similar letters. U becomes |_|, the "to" from the original lyric becomes 2. Then, I capitalized a few of the letters to make a strong password that I can easily remember: "Tl|_|,BwwB2R".” [6]

Good luck! And remember, your network is only as secure as your weakest link. 

References:

[1], [2] Definitions retrieved from the PC Magazine Encyclopedia. http://www.pcmag.com/encyclopedia/

[3] CrackStation, the web site where one such list is found. https://crackstation.net/buy-crackstation-wordlist-password-cracking-dictionary.htm

[4] ITProPortal, source of the most-used passwords list. http://www.itproportal.com/2015/01/21/the-top-25-common-worst-passwords/

[5] Krebs on Security, Password Do’s and Don’ts. http://krebsonsecurity.com/password-dos-and-donts/

[6] Komando, K. (May 15, 2015). How to create a strong password. USA Today. http://www.usatoday.com/story/tech/columnist/komando/2015/05/15/strong-passwords/27240877/