Passwords – they can easily add up!
Having to create and remember passwords for this and that, while staying safe and secure, can be quite the task. We all know it’s more convenient to use the same password for multiple services but that comes with a HUGE security concern —compromise of one leads to exploitation of all!
What can be done to circumvent this for corporations, or even users outside of a work environment?
For corporations, there are a few ways to work around the issue.
Single-Sign On (SSO) is a great example of limiting the number of authentication requests for users who are trying to access multiple resources from various locations. Simply authenticating a single password (most often when logging into a corporate computer) allows access to all resources in that user’s security group. Ensuring a strong initial password is highly recommended to make it safer for users who only use a single password when accessing needed resources to perform work duties.
To strengthen this even more, experts always recommend using Multi-Factor Authentication (MFA) to ensure the user logging in is indeed a valid user. This second method of authentication can often be a physical piece of equipment – a security token or a smart card. The second authentication piece automatically generates a password/PIN to be entered, which means users don’t need to remember yet another password on top of the already secure initial login.
In a non-corporate environment, users can still follow these guidelines, but it may seem a bit extreme. It all depends on your take on this and how secure you want to be. Some services do allow users to configure MFA or one-time-password tokens that can be tied to (most often) a user’s cell phone. You can, however, resort to setting a new and different password for each service. This will add to the burden of memorizing more passwords (that’s what you’re doing, right, and not writing down passwords?), but it does increase security. Alternatively, use a password manager service such as Keeper or LastPass to take care of the memorization and complexity requirements for you where MFA is unavailable.
Regarding larger corporations and domains, there is the option of implementing a Public Key Infrastructure (PKI) for some services. This requires a Certificate Authority (CA) on the network that signs leaf certificates validating users. Users would obtain the CA’s public key, which was signed by its private key, and use their own public key to validate themselves. This comes after they create their own certificate using their private key and having the CA sign that request, thus validating that they are who they say they are on the network. Note that there are public CAs that are well-known on the Internet, which differs from a corporate CA that may or may not be publicly recognized.
Considering the above, just what does a strong password consist of and what should be avoided at all costs?
- ‘password’ as a password
- other standard dictionary words
- simple variations of standard dictionary words
- prepend / append numbers to simple words
- personally attached information; birthdates, anniversaries, family or friends
- numbers instead of letters for simple words; i.e., 3 instead of e
Modern day resources can allow for an easier time in brute forcing passwords using programs that fill in the information in various ways.
Here’s a brief example of how easy it can be to crack basic passwords. Let’s use “mypassword” as a password for a service, the MD5 hash of which is “34819d7beeabb9260a5c854bc85b3e44”. Computer systems usually store passwords as a hash to avoid storing them in plaintext. Even then, not all hashing algorithms are the same. By simply doing a Google search for that hash value, decryption tools have already reversed the hash and output “mypassword” as the initial string. Arbitrarily using “)&*Gyiol80”, the hashed result is “1eb893fa4fd86c65a0ac248979fe0515”. Searching for this did not yield a result — well not as of yet, at least! Refer to the references below for more details on testing yourself.
On the flip side, good passwords consist of a lengthy variation including mixed-case alphabetic characters, numbers, as well as special characters. At least eight characters is recommended but, as they say, the more the merrier! Passwords that are easy to remember but difficult to guess are prime examples, as are passwords that can be typed without the need to look at your keyboard. You never know when someone may be peeping over your shoulder.— Emil Hozan
PASSWORD MANAGEMENT, February 2008 [PDF file] https://www.infosec.gov.hk/english/technical/files/password.pdf
Author, Dave Asprey (December 2, 2011). The Cheapest Way to Use the Cloud to Crack MD5 Using Google Instead of AWS. Retrieved from https://blog.trendmicro.com/the-cheapest-way-to-use-the-cloud-to-crack-md5-using-google-instead-of-aws/
MD-5 Hash Generator, online tool. https://www.md5hashgenerator.com/
MD-5 Decryption, online tool. http://www.md5decrypt.org/
Anca Gagea says
Awesome post! Very informative! Well written!