09 Mar
Passwords are dead. When will we learn?
Three days ago, Citrix announced that it had been breached. By every report, the attackers got in through weak passwords, via a “password spraying” attack, though this has not been officially confirmed. Who was responsible, and how long the attackers were in the network, are also currently up for debate, with different security organizations naming different hacking groups and different time frames.
What is not under debate at the moment is that weak passwords were at play, and some reported that the attackers were able to get around Citrix’s two-factor authentication (“2FA”), almost certainly because that 2FA was SMS (text message) based.
What frustrates me to no end is that people are still using weak passwords, recycling those weak passwords, and not using 2FA. What is also frustrating is that so many web applications, websites, mobile apps, and internal applications require your password to be “complex” but only have an 8-character minimum.
Let’s take a look at “complexity”. How secure would you think this password is: “!L0veDogs$”? (The quotes and the question mark are not part of the password.) It has all the makings of a great password, right? Letters, numbers, uppercase, special characters, and it is 10 characters long. However, when I put that password into a site that tests password strength, it reported that this password can be cracked in 4 weeks. Simply making it one character longer would raise that to six years. One more character after that, 12 total, and we’re looking at 400 years to crack.
What about passphrases? Passphrases are perhaps the best, and easiest, way to create a password. When setting up an account at Neiman Marcus, you might use the passphrase “I am very fashionable” (quotes not included in the passphrase). Any ideas on how long that would take to crack? 596 quintillion years. That is no joke! No complexity in that passphrase, but it is 22 characters long. Length trumps complexity, “all day and all night long!”
Back to the issue: countless web apps, websites, mobile apps, internal applications, and everywhere else you use a password are still caught up in the complexity world, and they limit the number of characters you can use! So many have it wrong, and they seriously need to change their authentication requirements!
When choosing a password, make it a passphrase (as long as the app/site will let you). Use a minimum of 12 characters, but more is better. Use a unique and easy-to-remember passphrase on every app/site you have an account on. Never use the same passphrase twice. Enable two-factor authentication through a phone-based app, such as Google Authenticator or Microsoft Authenticator. Also, use a password manager such as LastPass. If a website doesn’t allow passwords longer than 10 characters, or requires complexity and has no two-factor authentication method, skip it. Go create an account with their competitor.
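The arithmetic behind “length trumps complexity” and the length-first policy above, as an added example (this is not code from the post or from NINJIO): a brute-force search-space estimate for the two passwords discussed, a word-level estimate that shows the caveat for passphrases built from common words, and a policy check that enforces a 12-character minimum without a low cap or complexity rules. The guess rate (1e10/s) and the dictionary size (20,000 words) are assumptions for illustration and will not reproduce the strength-testing site’s figures.

```python
import math
import string

# Character classes the attacker is assumed to know are present in the
# password; the space character is counted with the symbols.
_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
            string.digits, string.punctuation + " ")


def keyspace_bits(password: str) -> float:
    """Bits of brute-force search space: length * log2(alphabet size),
    where the alphabet is the union of character classes actually used."""
    if not password:
        return 0.0
    alphabet = sum(len(c) for c in _CLASSES if any(ch in c for ch in password))
    return len(password) * math.log2(alphabet)


def wordlist_bits(passphrase: str, dictionary_size: int = 20_000) -> float:
    """Caveat: a passphrase made of common words faces a word-level guesser
    that needs only dictionary_size ** words tries (assumed 20,000 words)."""
    return len(passphrase.split()) * math.log2(dictionary_size)


def years_to_crack(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected years to cover half the search space at an assumed rate.
    1e10 guesses/s is an illustrative GPU-scale figure, not a measurement."""
    expected_guesses = 2 ** (bits - 1)
    return expected_guesses / guesses_per_second / (365 * 24 * 3600)


def check_policy(password: str, min_length: int = 12, max_length: int = 128) -> list[str]:
    """Length-first policy from the post: at least 12 characters, a high
    (not low) cap, and no character-class complexity requirement."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(password) > max_length:
        problems.append(f"longer than {max_length} characters")
    return problems


if __name__ == "__main__":
    for pw in ("!L0veDogs$", "I am very fashionable"):
        bits = keyspace_bits(pw)
        print(f"{pw!r}: {len(pw)} chars, {bits:.1f} bits brute-force, "
              f"~{years_to_crack(bits):.3g} years; policy: {check_policy(pw) or 'ok'}")
    print(f"word-level estimate for the passphrase: "
          f"{wordlist_bits('I am very fashionable'):.1f} bits")
```

The word-level figure is why a passphrase should be long and personal rather than a stock phrase: the brute-force number flatters it, the dictionary number does not.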
Integrating these changes will keep you infinitely more secure, and in today’s day and age, we at NINJIO preach “Secure Living”.