Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

Passwords: Tips For Better Security

You can make your passwords more secure if you follow a few simple rules: Don't reuse passwords, make them long and random, and don't be afraid to write them down, say security experts.

Strategic Security Survey: Global Threat, LocalPain
Strategic Security Survey: Global Threat, Local Pain
(click image for larger view and for full slideshow)
How safe are your passwords?

The LulzSec hacking group may have ceased its 50-day hacking spree, meaning that users of InfraGard, the U.S. Senate, and Sony websites, among others, can sleep more soundly at night. But people shouldn't let the apparent cessation of the latest laugh-seeking hacking campaign lull them into a false sense of security.

There's a growing body of evidence--based on numerous LulzSec exploits, last year's hack of Gawker, even a 10-year-old study of the password-picking habits of Unix users--that people prefer short, non-random, and therefore unsafe passwords. They also tend to reuse those same passwords across multiple sites. The underlying rationale is clear: it makes passwords easier to use.

Unfortunately, it also makes for poor security. For example, look at one of LulzSec's attacks against the Atlanta branch of FBI affiliate InfraGard, in which the hackers stole members' username and password combinations. Those credentials then allowed LulzSec to gain access to Atlanta InfraGard member Karim Hijazi's business and personal Gmail accounts. Hijazi is a somewhat controversial security consultant who is CEO and president of botnet monitoring startup firm Unveillance. But even he reused his passwords.

Password reuse, however, isn't the only issue. Another threat is that attackers will gain access to a website's password database and steal a copy. At that point, even if the database is encrypted, attackers can hammer away at it offline, using a tool such as Password Recovery Toolkit from AccessData to crack it in relatively little time. Processing power is no object. Indeed, researchers at Georgia Tech have tapped the graphics cards built into PCs to crack even hashed passwords with fewer than 12 characters, in short order.

Not coincidentally, the Georgia Tech researchers recommend using passwords that are at least 12 characters long, and which mix letters, numbers, and symbols. But who's going to remember a unique, randomized (aka highly entropic) 12-character password for every semi-critical website they use?

Thankfully, options abound for creating long and strong passwords. For example, people can use pass phrases--sentences, really--instead of passwords. Another option, meanwhile, is to build passwords using some kind of predetermined logic. The password "mniE," for example, would be short for "my name is Earl." (Ideally, of course, the password would be much longer.) Proponents of this approach often recommend using a variation that builds in the name of the website, so that one password can be altered to address various other websites. For Amazon.com, for example, the variation could be "mAMAniE."

Despite the potential security improvement, according to Jesper M. Johansson, formerly the security program manager at Microsoft, and now the principal security architect at Amazon.com, it's unclear if many people bother to use pass phrases. Furthermore, based on some rough estimates, he said that it's likely that a person would need to use a six-word pass phrase--which is starting to get clunky--to attain the same level of entropy as a nine-character password. Finally, reusing parts of passwords across different websites means that attackers who steal username and password combinations might be able to reverse-engineer the logic.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-8818
PUBLISHED: 2020-02-25
An issue was discovered in the CardGate Payments plugin through 2.0.30 for Magento 2. Lack of origin authentication in the IPN callback processing function in Controller/Payment/Callback.php allows an attacker to remotely replace critical plugin settings (merchant ID, secret key, etc.) and therefore...
CVE-2020-8819
PUBLISHED: 2020-02-25
An issue was discovered in the CardGate Payments plugin through 3.1.15 for WooCommerce. Lack of origin authentication in the IPN callback processing function in cardgate/cardgate.php allows an attacker to remotely replace critical plugin settings (merchant ID, secret key, etc.) and therefore bypass ...
CVE-2020-9385
PUBLISHED: 2020-02-25
A NULL Pointer Dereference exists in libzint in Zint 2.7.1 because multiple + characters are mishandled in add_on in upcean.c, when called from eanx in upcean.c during EAN barcode generation.
CVE-2020-9382
PUBLISHED: 2020-02-24
An issue was discovered in the Widgets extension through 1.4.0 for MediaWiki. Improper title sanitization allowed for the execution of any wiki page as a widget (as defined by this extension) via MediaWiki's } parser function.
CVE-2020-1938
PUBLISHED: 2020-02-24
When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that ...