We talked about how biometrics can be used for multifactor authentication in order to verify someone’s identity. Biometric authentication refers to something you are (as…
In this digital day and age, most of us know what a password is. If you’ve found this article or any other like it, you likely have a social media account, an email, or somewhere you store pictures and documents. These all require passwords. Most of these platforms have requirements for what the passwords should look like. The requirements could be a specific password length, the presence of different numbers or symbols in the password, or even that the password cannot be something easy to guess. This is done to prevent people from accessing your information.
Have you ever stopped to wonder why different platforms have different requirements? Or why they force you to have certain characters or password lengths in the first place?
In this article, we’ll talk about what makes a password strong, and why sometimes passwords just aren’t enough to fend off attackers. To start, we first need to discuss some potential techniques that attackers may use to figure out what your password is.
To better understand how to keep strong passwords, we need to understand the various techniques through which malicious hackers can use to get access to your passwords:
If a criminal can physically touch a computer, they could do a lot of damage. They could even get information from the surroundings of that computer. Several forms of physical access include:
This is the simplest but the most time-consuming technique that hackers use for obtaining passwords. This is mostly used when every other password cracking technique fails. Here the password cracking programs try to use every possible combination of words, numbers, letters, and special characters (like @!@#$%^&*) to crack the password. This technique may not be very practical if the password contains different types of characters (e.g. lowercase letters, UPPERCASE LETTERS, Numbers from 0-9, Special Characters like @!@#$%^&*, etc), or if it’s relatively long. Nowadays, the only time brute force attacks may work is when the attacker is using a rule-based attack, where the attacker can predefine some rules to the program, such as the length of the password, the number of upper case/lower case characters, the number or type of special characters, etc...but even then, the sheer volume of attempts typically makes brute force attacks impractical, especially if they have to be performed over a network (such as on a website) since that will also add latency.
In a dictionary attack, which is a type of brute force attack, the attacker uses a dictionary of commonly used passwords and runs them through a password cracking tool. This is much better since it tests for only a list of the most commonly used passwords. Here’s a quick mental exercise for you: how do you think attackers find out the most commonly used passwords by people? By the way, here’s an example of a dictionary list of the most common passwords.
Let’s assume you have an account with company X which stores their passwords in a hash format.
If you’re not familiar with hashing, here’s a quick explanation: nowadays, most applications don’t store user passwords as a plaintext (human-readable format) in their databases, what they do is take the human-readable plaintext passwords and hash them with an algorithm. According to NIST, hashing is the process of using a mathematical algorithm against data to produce a numeric value that is representative of that data. (NIST Glossary)
Whenever you log in with a human-readable plaintext username and password, their system uses an algorithm to convert your plaintext password into its hashed equivalent and tries to match it with the pre-existing hashed password on their database. If they match, then you are logged in. Now let’s say that somehow company X’s password database gets leaked. The first thing hackers will do is run the leaked hashes through a rainbow table. A rainbow table is a table containing a list of passwords and their corresponding hashed form of the password.
Because many people use the same password for different sites, if the attacker somehow gets your credential from company X, they can use that to try and log in to your other accounts (banking, social media, email, etc…). If they are using the same credential, then they will be able to get access to those other systems. This is called a credential stuffing attack.
We just went through a list of a few password attacks to demonstrate that there are many avenues through which an attacker can figure out what your password is. For some of those attacks, it doesn’t really matter how “strong” your password is (ie: with shoulder surfing), while for others, it can make a big difference (ie: with brute force attacks).
Since this article is focusing on password strength, the question becomes: what’s the best way to choose a strong password?
When it comes to password strength, people typically talk about two main factors:
Password length is the most important factor in determining password strength, and we’ll explain in more detail why in just a moment.
Length especially matters when the attacker is running various types of brute force attacks. If your password is 8 or fewer characters, it can be brute-forced relatively easily, especially by powerful machines. The best password recommendation is to use memorable sentences because they will 1) be much longer that way, and 2) be much easier for you to remember.
Passwords with higher complexity (the amount of varying information in it, like uppercase, lower case, symbols) are relatively safer, but only when combined with password length. Password length is far more important than password complexity, and in fact, complexity usually just makes passwords harder for people to remember, so it is not recommended unless you’re using a password manager (and that is recommended).
XKCD’s site created an image that answers the question of which is best between length and complexity, and we think it’s one of the best ways to visualize it:
From the image above you can clearly see that using a short password and replacing some letters with a special character increased complexity, but it’s harder to remember.
Instead, using four common long words decreased the complexity of the password, but made it significantly harder for an attacker to crack because of its length. Even though it is using common words, which are susceptible to dictionary attacks, it would still take a very long time to crack the password due to its length, which is why length is so much more important in generating strong passwords.
Lucky for us, some smart people came up with the idea of password managers. One of the main challenges of coming up with strong passwords is that we’re afraid we’ll forget them. So we end up shortening them or using everyday objects or people that we’re close to. Or we write them down on sticky pads next to our monitors. All of these things introduce major weaknesses to our passwords.
Instead, password managers:
The way that they generate strong passwords is by following these rules:
Apart from those, they also help with following these rules:
Here a point needs to be made that you won’t be able to remember such “strong passwords” for different websites and that’s where password managers can help you. Read more about password managers here.
Everything that we’ve discussed up until this point has been regarding making passwords stronger…but even if we have the strongest password in the world, our accounts can still end up compromised, and for many reasons. Some of which are completely out of our control.
Maybe the organization storing your passwords didn’t store hashed versions of passwords and instead stored the plaintext version, and a malicious actor got their hands on this database.
Maybe you’re using public WiFi that doesn’t properly encrypt communications with a platform you visited and logged into.
Or, maybe you fell for a phishing attack and typed in your password on a fake login form.
Whatever the reason, the strongest password in the world won’t help you against those attacks.
That’s why the Internet is (slowly) moving towards either passwordless authentication or some form of Multi-Factor Authentication (also known as MFA).
Multi-Factor authentication is “an authentication system that requires more than one distinct authentication factor for successful authentication. [It] can be performed using a multifactor authenticator or by a combination of authenticators that provide different factors.” (NIST Glossary)
An easy way to remember what multi-factor authentication entails is by remembering what the authentication likely needs of you: something you know, something you are, something you have.
Two-Factor Authentication uses one or more of these to ensure that a password is not the only way to access an account. Typically, this form of authentication uses Something You Know and Something You Have (password and an access code from a text or an app) or Something You Know and Something You Are (password and fingerprint or facial recognition scanner). Rarely are all three used for the same account, unless you are dealing with highly sensitive systems or information.
To help keep track of best practices when it comes to generating, using, and even storing passwords as both users and as developers, we've created three different cheat sheets that follow the NIST Password Guidelines:
In this article, we talked about passwords. We discussed what a good password looks like, offered some tips to make them stronger, and left you with some tools to protect your account. Hopefully, these tools will prevent an account of yours from being accessed without your permission. We can’t win every battle we choose, but we can make the opponent regret picking us by making it much harder on them!
There was a problem reporting this post.
Please confirm you want to block this member.
You will no longer be able to:
Please allow a few minutes for this process to complete.