7 Tips To Toughen Passwords

  /     /     /  
Publicated : 22/11/2024   Category : security


7 Tips To Toughen Passwords


As this weeks LinkedIn and eHarmony--and likely, Last.fm--breaches demonstrate, many website users continue to pick atrocious, easily cracked passwords. Are your passwords safe?



Its been a bad week for passwords.
So far, 6.5 million users of
LinkedIn
and 1.5 million
eHarmony
subscribers had their password hashes uploaded to a hacking forum on the InsidePro website, although security experts suspect that many more accounts may have been compromised.
Meanwhile, streaming music service Last.fm Thursday confirmed that its currently investigating the leak of some Last.fm user passwords. While it didnt detail how many of its 40 million users might be affected,
security experts think
about 17.3 million MD5 unsalted hashes were stolen, that 16.4 million have already been cracked, and that the breach may date from 2010 or 2011.
[ Mobile device security is proving a bigger challenge than many IT shops expected.
Can IT Be Trusted With Personal Devices?
]
Needless to say, all three sites have recommended that every one of their users change their password on the site--just in case. But whats the best type of password to pick? Here are 7 best practices:
1. Pay Attention
The single biggest password security problem is
apathy
. While the LinkedIn and eHarmony password hash databases uploaded to the InsidePro password-hacking forum werent respectively labeled as such, many security researchers quickly identified the likely social networks involved, owing to the sheer number of passwords that were literally linkedin, eharmony, harmony, or some variation thereof.
Whats the problem? Simply that those passwords--amongst
many of the other choices
--are extremely easy to crack. In the case of the 6.5 million leaked LinkedIn passwords, for example, 1,354,946 were recovered within a few hours time with HashCat / Jtr and publicly found wordlists on a customer grade laptop,
according to
security researcher
Stefan Venken
.
2. Use Unique Passwords
When it comes to creating passwords, remember to use separate and unique passwords for each site. Password reuse is your enemy, said Roger Thompson, chief emerging threats researcher at ICSA Labs, via email. Thats because when criminals obtain passwords, they often trade them with other people via underground bulletin boards, after which theyll test whether user credentials--username, password--for one site will work on another. Last year, for example,
Sony had to lock
about 93,000 user accounts after attackers used credentials stolen from other sites to attempt to log in to peoples PlayStation Network, Sony Online Entertainment, and Sony Entertainment Network accounts.
3. Explore Life Beyond Letters
For
stronger passwords
, use non alpha characters such as ?!$% in the password, Thompson also recommended. He also said that common passphrases, such as I like BBQ should be avoided, since theyre easy to crack. But complex passphrases--for example, a bunch of random words strung together--do make for good passwords, he said.
4. Use Uncommon Patterns
Also try to not pick easily recognizable patterns. Users should not rely on common patterns in an effort to improve password security, said Seth Hanford, the operations team lead for IntelliShield, which is part of Cisco, in a
blog post
. For example, recent research has suggested that sets like possible day / month combinations (4 digits starting with 19 or 20, or combinations which can be interpreted as day/month values like 0501) are particularly weak.
5. Lose The Biographical Details
Avoid using public details about yourself to
build a password
. Dont use things that can be discovered about you, such as your hometown, or the name of your pet or spouse, said Thompson. Unfortunately, the same should go for password-reset questions, as presidential candidate
Mitt Romney learned earlier this week
when someone accessed his Hotmail and Dropbox accounts after resetting his password to one of their own choosing. They were able to do that by guessing his favorite pet password-reset challenge question, meaning the pet name used was evidently a matter of public record.
6. Love Longer Passwords
Use long passwords, as modern graphics cards make
childs play of short passwords
. How fast can hackers crack passwords? The answer [is] 2 billion [combinations] per second using the Radeon HD 7970 (the latest top-of-the-line graphics processor), said Robert Graham, CEO of Errata Security, in a
blog post
. Since a five-letter password has 10 billion possible combinations, that means it can be cracked in five seconds. Compare that to six characters (500 seconds), seven letters (13 hours), and eight characters (57 days). Meanwhile, if its nine letters, its too difficult to crack with brute force, he said, although there other ways to go about cracking passwords, or example by using
rainbow tables
.
For comparisons sake, Venkens analysis of the breached LinkedIn passwords found that eight-character passwords were most common (33%), followed by six characters (21%), seven characters (16%), nine characters (15%), 10 characters (9%), and 11 characters (4%). Security experts have noted that since LinkedIns user base is largely professional, and thus used to following IT password rules, they likely picked stronger--including longer--passwords than the average website user.
7. Use Password Managers
Perhaps the single best technique for creating secure passwords is to choose random, long strings (>12 characters) managed by a secure password manager, said Hanford. Added bonus: Password managers typically include built-in strong and random password generators, thus eliminating the guesswork. Even better, many will synchronize your password lists across every PC, smartphone, or tablet that you own.
Which password manager should you use?
LifeHacker
offers one roundup. But beware: A
study of iOS password managers
, released earlier this year by researchers at Black Hat Europe, found that out of 13 studied applications, only one correctly implemented strong crypto. In the wake of that research, however, many of the developers named in the report said theyd be fixing how their applications use crypto.
Employees and their browsers might be the weak link in your security plan. The new, all-digital
Endpoint Insecurity
Dark Reading supplement shows how to strengthen them. (Free registration required.)

Last News

▸ Researchers create BlackForest to gather, link threat data. ◂
Discovered: 23/12/2024
Category: security

▸ Travel agency fined £150,000 for breaking Data Protection Act. ◂
Discovered: 23/12/2024
Category: security

▸ 7 arrested, 3 more charged in StubHub cyber fraud ring. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
7 Tips To Toughen Passwords