World Password Day: From 1234567 to 4Se¢&uri%tY2

Today’s digital society leaves us almost no choice: Passwords are still one of the most important access tools when it comes to IT. But there are ways to make the use of passwords secure without any of the usual frustrations. We just have to use them.

  #Cloud Security   #Cyber Defense Center   #Security Awareness   #Security Risk Assessment   #Security Strategy Architecture   #SIEM  
Marc Rudin
+41 58 510 18 07
marc.rudin@umb.ch

If they are too long and too complicated, we can't remember them. If they are too short, they are not secure. If we use a special password for every IT service, our password list becomes so long that we have to write them down somewhere. This, in turn, is of course a security sin. So, what is to be done?

 

Password uncertainty and no end

Careless use of passwords is widespread. There are studies that show that 60 percent of passwords in companies do not meet the minimum requirements. It is therefore not surprising that more than 80 percent of cybersecurity breaches were made possible by inadequate password security[i]. Every year, lists of the most commonly used passwords are published, and again this year they look pretty much the same as in previous years[ii]:

 

  1. 123456
  2. 123456789
  3. qwerty
  4. password
  5. 12345
  6. qwerty123
  7. 1q2w3e
  8. 12345678
  9. 111111
  10. 1234567890

 

We know today that 10,000 of the most common passwords would open more than 90 percent of all accounts existing on the Internet - because most users use the same password over and over again, often for years. Cybercriminals know this as well, of course, and this is the reason why there is now actually a worldwide «Password Day»[iii], which takes place on May 5 this year.

 

Size does matter

Password hackers have made immense progress in recent years - thanks in part to ever-advancing computing power and increasingly affordable cloud technology. A Hive Systems study found that any eight-digit password can now be cracked in less than an hour[iv]. Even more alarming: Passwords containing fewer than seven characters can now be cracked almost instantly; in 2020, it still took eight hours to crack a complex password consisting of eight characters. But here's the good news: a password of 12 characters created with a reputable password manager would take up to 3,000 years to crack with raw computing power, according to the study.

 

Security is essential, and a password manager is the most secure

Passwords should therefore be at least 12 characters long. It makes them more secure if they contain capital letters, numbers and special characters and no personal information (names, dates of birth). Never use a password more than once (see above).

These are exactly the rules that make password management complicated. That's why it's recommended to use a password manager that stores your passwords and helps to create new and secure ones. This way, you only need to remember the password for the password manager. Many good password managers even offer their services for free[v].

Either way, always set up two-factor authentication whenever possible. Criminals who have stolen your password will not be able to access your account without the second factor, such as a hardware or software token or an SMS text message[vi].

 

Cybersecurity for a digital world

At UMB, we view cybersecurity as an integral discipline across the IT landscape and understand the challenges of a rapidly changing world. Cybersecurity is not viewed in isolation here at UMB, but as part of IT, workplace and digitalization concepts, which also include access controls and passwords. Only balanced organizational and technical measures will effectively protect your company. To do this, new security dimensions must be introduced that complement classic prevention (network and perimeter protection). On the one hand, this includes the ability to detect an attacker at an early stage. On the other hand, it must be possible to initiate the right countermeasures quickly. Please contact us if you are interested in this topic.

 

[i] 81% Of Company Data Breaches Due To Poor Passwords

[ii] Here's 2022's worst passwords — don't use any of these

[iii] World Password Day (May 5th, 2022)

[iv] https://www.hivesystems.io/password-table

[v] Best Password Manager to Use for 2022

[vi] SecurID Identity and Access Management

How hackers crack passwords

The passwords you use on websites are stored in servers as hashes instead of in plain text like “password” so that if someone views them, in theory they won’t know the actual password.
You can’t do the reverse. A hash digest like 5f4dcc3b5aa765d61d8327deb882cf99 can’t be reverse computed to produce the word “password” that was used to make it. This one-way approach for hashing functions is by design. So how do hackers who steal hashes from websites ultimately end up with a list of real-life passwords?

Hackers solve this problem by cracking the passwords instead. In this context, cracking means making a list of all combinations of characters on your keyboard and then hashing them. By finding matches between this list and the hashes from the stolen passwords, hackers can figure out your true password - letting them log into your favorite websites. And if you use the same password on multiple sites, you’re in for a bad time.        Source: Hive Systems