Pwn Palace

Passwords... A necessary evil!

12345… You feel safe knowing that you have a password set to protect your documents. A week later, you log into your machine only to find that something is a little off. All of your photos and documents are gone. You haven’t been on your computer since your password change. So what happened?

Passwords are an often inconvenient necessity when it comes to safeguarding your data. Corporate policies require periodic password changes, and more often than not these changes come at intervals that most users see as “too often”. But is it really too soon to change your password? The weakest link in any security chain is the employee. Hackers understand this, and employees are usually the first target when someone with malicious intent decides to breach the security of a facility.

Confidentiality degradation

In July of 2015, the website AshleyMadison.com was hacked. During this breach, over 60GB of data was compromised and subsequently released. This data dump included various details of the website’s users: messages, credit card transactions and card numbers, user addresses and more. The passwords, fortunately, were only dumped in hashed form. This means that neither the hackers nor the average Joes scouring through the data could tell what the users’ real passwords were, right?

To an extent, this particular piece of data was safe. However, it was only as safe as the strength of the password itself. Popular hacking distributions such as Kali Linux or BackBox include software used to crack hashed passwords. These tools hash popular passwords and common dictionary words and compare the results against the leaked hashes. If a match is found, the hash is known to belong to that particular password, which is then displayed to the attacker. This can take minutes, days, months or years, depending on the strength of the password. How are password strengths determined?
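The comparison described above is a table lookup: hash every candidate once, then look each leaked hash up in the table. The following Python is an added example (not code from the original post) showing that lookup from the defender’s side, as the audit an incident responder runs over their own user table after a breach to find the accounts that must be reset first, and showing why a per-user salt defeats a precomputed table. Unsalted SHA-256 is used only as a stand-in for a fast hash; the page does not say what algorithm the breached site used, and the common-password list is a constructed five-entry stand-in for the large wordlists cracking tools ship with.

```python
import hashlib
import os
from typing import Dict, List

# Constructed, deliberately tiny stand-in for the common-password wordlists
# that cracking tools ship with.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "beaches", "letmein"]


def sha256_hex(password: str) -> str:
    """Unsalted SHA-256 of the password. Assumption for illustration only:
    it stands in for whatever fast, unsalted hash a careless site stores."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Hash every candidate exactly once. A cracker builds this same table and
# then compares each leaked hash against it, so matching is a dict lookup
# rather than any work per user.
COMMON_HASHES: Dict[str, str] = {sha256_hex(p): p for p in COMMON_PASSWORDS}


def audit_leaked_hashes(leaked: List[str]) -> Dict[str, str]:
    """Map each leaked hash that matches a common password to that password.

    A defender runs this over its own dumped user table to learn which
    accounts had dictionary passwords and need a forced reset immediately.
    """
    return {h: COMMON_HASHES[h] for h in leaked if h in COMMON_HASHES}


def new_salt() -> bytes:
    """Random 16-byte per-user salt."""
    return os.urandom(16)


def salted_sha256_hex(password: str, salt: bytes) -> str:
    """Same hash with a per-user salt prepended. The same password now
    hashes differently for every user, so a precomputed table of common
    hashes matches nothing; each account has to be guessed separately."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed "leaked" table: two users, one with a dictionary password.
    leaked = [sha256_hex("beaches"), sha256_hex("B3@ch3$2015!")]
    print("accounts to reset first:", audit_leaked_hashes(leaked))
    salted = salted_sha256_hex("beaches", new_salt())
    print("salted hash in common table:", salted in COMMON_HASHES)
```

A salt only removes the precomputation shortcut; since SHA-256 is fast, each user’s hash can still be guessed individually, which is why password storage should use a deliberately slow, salted hash such as bcrypt, scrypt or Argon2 rather than the stand-in shown here.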

Password Complexity

We all live in a digital age now, where technology is commonplace. Your children are learning technologies that may not have even existed until you reached your teenage years! With the sudden influx of newer technologies, including cell phones, watches, refrigerators and even your home alarm system, the world is now moving towards a concept known as IoT, or the Internet of Things. This means that eventually, every device in the world could potentially be reachable through the World Wide Web. This opens up a host of new dangers that we have never had to face, and new challenges that must be met. So how do you protect that data?

Let’s reiterate that a device’s security is only as strong as the password its user sets. It is very tempting to use personal information or simple words as your password. However, using anything that could be found in a standard dictionary can prove disastrous, as such passwords can be cracked in minutes. To make an attacker’s job more difficult, use long, mixed and complex passwords. Let’s look at an example.

James Tinder creates an account for an online dating site. Before filling out his profile, he must create a password. James thinks about how much fun he had on his vacation, and decides to use “beaches” as his password. Feeling secure in knowing that his account is now protected, he doesn’t give it much more thought and continues with his account creation.

According to the website howsecureismypassword.net, his password can be cracked instantly. Should an attack occur on that site and the hashes be dumped, James would be in a little trouble… So how can he fix it? Simply replacing letters with numbers and adding a few special characters can go a long way. How long would it take to crack “B3@ch3$2015!”?

By increasing the length of the password, as well as the variety of characters, James went from “instantly” to “344,000 years”! Now THAT’S a huge difference. Keep in mind that the website isn’t 100% accurate and merely gives you an idea of the strength of your password. There are programs and tools that will mangle passwords and replace characters with common values. Even so, it will still take a considerable amount of time and resources. The hacker is more likely to move on to the next target rather than waste all of his time on your password.
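The jump from “instantly” to centuries comes from the size of the search space, charset size raised to the password length. The Python below is an added example (not code from the original post or from howsecureismypassword.net) that carries that calculation through for the two passwords in the text and then implements the mangling caveat from the paragraph above: a rule-based tool tries “beaches” with common substitutions and a year on the end, so a site’s own policy check should undo those substitutions before the dictionary lookup. The guess rate of 10 billion per second is an assumption standing in for a fast GPU against a fast hash, so the years it produces will not match the website’s figure; the substitution table is a small constructed subset of what real rule sets contain.

```python
import string
from typing import Dict, Iterable

# Character classes an exhaustive search must cover once the password uses
# any character from the class (sizes: 26, 26, 10, 32).
CLASSES: Dict[str, str] = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": string.punctuation,
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_size(password: str) -> int:
    """Size of the union of character classes the password draws from."""
    size = sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))
    if size == 0:
        raise ValueError("password contains no characters from the known classes")
    return size


def keyspace(password: str) -> int:
    """Candidates an exhaustive search must cover: charset ** length."""
    return charset_size(password) ** len(password)


def seconds_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case brute-force time at an ASSUMED guess rate (not the page's
    figure; 1e10/s is a stand-in for a fast GPU against a fast hash)."""
    return keyspace(password) / guesses_per_second


def years(seconds: float) -> float:
    return seconds / SECONDS_PER_YEAR


# Constructed subset of the substitutions rule-based ("mangling") tools try.
SUBSTITUTIONS = str.maketrans({"@": "a", "3": "e", "$": "s", "4": "a", "7": "t"})


def normalize(password: str) -> str:
    """Undo common substitutions and drop digits and symbols so the password
    can be compared with plain dictionary words: 'B3@ch3$2015!' -> 'beaches'."""
    undone = password.lower().translate(SUBSTITUTIONS)
    return "".join(c for c in undone if c.isalpha())


def is_mangled_dictionary_word(password: str, dictionary: Iterable[str]) -> bool:
    """Policy check: flag a password that is just a dictionary word with
    substitutions and a suffix, whatever the raw keyspace says about it."""
    return normalize(password) in set(dictionary)


if __name__ == "__main__":
    rate = 1e10  # assumed guesses per second, see above
    for pw in ("beaches", "B3@ch3$2015!"):
        print(f"{pw!r}: charset {charset_size(pw)}, keyspace {keyspace(pw):.3g}, "
              f"{years(seconds_to_exhaust(pw, rate)):.3g} years to exhaust")
    # Constructed mini-dictionary; a real check loads a full wordlist.
    print("mangled dictionary word:",
          is_mangled_dictionary_word("B3@ch3$2015!", ["beaches", "password"]))
```

The two halves give opposite readings of the same password: the keyspace figure treats every one of the 94^12 strings as equally likely, while the normalization shows that a tool working from a wordlist plus rules reaches “B3@ch3$2015!” after far fewer guesses, which is why length and unpredictability matter more than substitutions alone.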

Conclusion

As we have stated before, passwords are a necessary evil. Breaches occur frequently, so the chances of your account being compromised are not as low as you might think. There are precautions that you can take to better protect your sensitive information. You can create a longer password using a mix of letters, numbers and special characters. You can also check your chosen password using online tools to get an idea of how well it will stand up against attacks. Lastly, you can use a password manager such as LastPass to store your passwords. The options are almost limitless, but one thing is certain: doing nothing at all could have disastrous, and sometimes life-altering, consequences.

-Kyle Gonzalez, FEMAC Director of Data Security