Password “brett1” would take 54 milliseconds’ to crack, “brett123” a minute and “brett2016” only 42 minutes.
Password scams are real, here is a real life example…
Every IT technician gets the call at some time…
A good friend of 10 years called me after his wife had been victim to a telephone scam. A Telstra user, she received a call from "Telstra" to say their PC was infected - a pretty standard scam for those of us involved with digital security.
The result was that the scammer had locked the PC using Window’s own SYSKEY security program.
My friend dropped off his PC and install disks, the scammers had cleared his restore points, so there was no way of restoring the PC back to its original state before the social engineering attack.
I found a program designed to crack passwords - a legitimate program designed to help people who had forgotten their passwords or had been scammed.
The password utility was free up to 5 or 6 characters in length. A few seconds later, the password 4123 was cracked. Actually, it was probably less than 2 seconds.
I immediately thought of how easy some of the passwords I’d seen used in the workplace could be cracked by even the most unskilled hacker with this program.
Passwords are one of the biggest problems in digital security at the moment. Several companies are making moves to reduce or eliminate them, but until other methods are simple, reliable and easy enough for widespread implementation we are stuck with the old passwords.
In the past few years I've seen some terribly concerning passwords - a three letter word (all lower case), simple names, Password1 etc. Some of the worst offenders have been company directors, financial managers, and therefore putting their entire business at risk.
Whenever somebody wants access to your bank account, personal information, identity etc... they will start with your less secure accounts. The jackpot for them is the account that your other accounts use for verification, such as an email account…
Here are some tips on how you can pick the most secure password:
- Passwords in 2016 really should be 16 characters in length or more, with triple complexity - that's three of the four following - lower and upper case letters, numbers or punctuation.
- Avoid repetition, dictionary words, phone numbers, any part of the corresponding username/account name, or simple number/letter sequences.
Brute force attacks start with "rainbow tables" - passwords organised by popularity from lists stolen from other sources. Often these passwords include "Password1", "qwerty", "asdfjkl;", "Sarah", "abc123" and even common phrases such as "let me in".
The trick is to find methods that provide enough complexity to make your password too hard to bother for a brute-force attack, without making it too hard to live with.
One suggested method is using the first letter from a favourite phrase.
An example of this I saw several years ago was the line from Gone with the Wind - "Frankly my dear I don't give a damn" was turned into the password “Fmdidgad”. “How secure is my password” site at http://howsecureismypassword.net gives it 22 minutes to survive a brute force attack.
By adding numbers and characters – “Fmdidgad12#%” will take 34 thousand years!
CNET suggest the same method is very effective when more complex and longer. A password of 15 characters can take 16 billion years to crack. However, the Holy Grail in passwords is to find something simple to remember, something you can increment a few times before starting a new password model, and of course something terribly difficult to guess/brute force.
Here are a few suggestions-
- Break the password into two or three segments- The most random segment could be shared by all employees in a department, or small business. If each user in a business has a password that starts with "#$8! " and then is followed by a password of another 6 characters, it becomes hard to crack. "big1dog" is evaluated as a two second crack, but "$#8! big1dog" is rated at 11000 years of brute force.
Employees can keep the second segment of the password secret, providing local security.
- Include a letter or number- A good password could be incremented by a letter or number, so the above password could be incremented to "$#8! big1dogA" and "$#8! big1dogB". Don't do this too often or you risk an old password being discovered and the new one being deduced through the simple pattern used.
- Utilise Password programs- Password programs such as KeePass are another method, allowing a completely random string to be saved, and allowing a user to require only a single difficult password to remember.
For more help on password security, visit the following websites or have a chat to us today!