
by Daniel Dennis

BKD LLP is an IMA Member

In 2019, legacy systems still require passwords despite the many articles describing ways to eliminate them from everyday use. Creating secure passwords, and remembering them, can be frustrating.

If an attacker obtains your password's hash (the fixed-length output of a one-way hash function applied to your password; it cannot be reversed, but the attacker can hash guesses and compare them) and your password is weak, it is at real risk of being recovered. The equipment needed to start cracking passwords is easy to come by: any off-the-shelf computer with a reasonable graphics card can do it, and the more powerful the computer, the less time the crack takes. This is where two characteristics, length and complexity, become key.

If your password is too short, a brute-force attack, which simply tries every combination of characters, can crack it in hours or days. If your password is built on a base word found in an English dictionary, the time required drops further. Cleverly swapping $ for S or @ for A makes no difference: password-cracking software applies exactly those substitutions as rules. Length protects against brute-force attacks by multiplying the number of guesses an attacker must make; complexity, in the sense of not being a recognisable word with predictable substitutions, protects against dictionary attacks. The problem is striking a secure balance: reasonably long and complex, but not so hard to remember that you have to write it down.

BKD Cyber cracks thousands of passwords each year. Many follow a basic formula: a child’s name followed by a number (often a two- or four-digit number representing the birth year) with a symbol tacked on that changes every time they’re forced to change the password. If your password’s hash is compromised and an attacker is attempting to crack it, a password like this is almost as ineffective as “Password1”!

With the industry making a push to get away from the usual rules for length and complexity, it’s important to point out some of the common trends in passwords that we consider weak because they’re cracked with little effort—and often within just a few hours:

  • The current month or season with the year at the end
  • Any holiday with the year tacked on
  • The city or street where you are located
  • Your company name
  • Your department or job title
  • Your child or pet’s name with a number, especially a birth year
  • The name of any popular song, nursery rhyme or biblical passage (including abbreviations)
  • The word “password” in any form, regardless of how many characters and/or numbers you substitute
  • Vulgarity or racial slurs
  • Sentences like “i hate passwords”
  • The name of any Windows service or common network protocol
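To make the point concrete, here is an added example (not from the original article or from BKD's own tooling) of the dictionary-plus-rules approach a cracker takes against the patterns above. It is a small Python script: the base wordlist, the rules (case changes, the $-for-S style substitutions, appended digits, years and symbols) and the target hashes are all constructed here for illustration, and it hashes with unsalted SHA-256 rather than any particular system's password format. The brute_force_seconds helper takes the guess rate as an assumption you supply for your own hash type and hardware.

```python
import hashlib

# Constructed mini wordlist covering the base-word categories the article lists:
# a child's name, a season, a holiday, a company name, a greeting, a city, "password".
BASE_WORDS = ["password", "summer", "emma", "christmas", "acme", "welcome", "springfield"]
YEARS = [str(y) for y in range(1970, 2021)]
# Suffix rules: nothing, a single digit, a four-digit year, or a two-digit year...
SUFFIX_DIGITS = [""] + [str(d) for d in range(10)] + YEARS + [y[2:] for y in YEARS]
# ...each optionally followed by the symbol people tack on at forced rotation time.
SYMBOLS = ["", "!", "@", "#", "$"]
# The "clever" substitutions the article mentions; crackers apply them as a rule.
LEET = str.maketrans({"a": "@", "s": "$", "o": "0", "e": "3", "i": "1"})


def mangle(word):
    """Return every candidate a hashcat-style rule file would derive from one base word:
    case variants, leet substitutions, then the digit/year and symbol suffixes above."""
    forms = {word.lower(), word.capitalize(), word.upper()}
    forms |= {f.translate(LEET) for f in list(forms)}   # "Password" -> "P@$$w0rd"
    return {f + d + s for f in forms for d in SUFFIX_DIGITS for s in SYMBOLS}


def sha256_hex(text):
    """Unsalted SHA-256 hex digest; stands in for whatever hash format the target uses."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def crack(target_hashes, wordlist=BASE_WORDS):
    """Dictionary-plus-rules attack against a set of hex digests.
    Returns {hash: plaintext} for every hash recovered; uncracked hashes are absent."""
    remaining = set(target_hashes)
    found = {}
    for word in wordlist:
        for candidate in mangle(word):
            digest = sha256_hex(candidate)
            if digest in remaining:
                found[digest] = candidate
                remaining.discard(digest)
                if not remaining:
                    return found
    return found


def brute_force_seconds(length, charset_size, guesses_per_second):
    """Worst-case seconds to exhaust charset_size**length guesses at the given rate.
    guesses_per_second is an assumption: measure it for the hash type and hardware at hand."""
    return charset_size ** length / guesses_per_second


if __name__ == "__main__":
    # Constructed targets: four "formula" passwords plus one not built on a base word.
    plaintexts = ["Emma2011!", "Summer2019", "P@$$w0rd1", "Christmas19", "kRj7#pQ2vLm9"]
    targets = {sha256_hex(p): p for p in plaintexts}
    found = crack(set(targets))
    for digest, plaintext in targets.items():
        status = f"cracked as {found[digest]}" if digest in found else "not recovered"
        print(f"{plaintext:>14}: {status}")

    # Length beats character-set complexity: an 8-character password drawn from all
    # 95 printable ASCII characters is a far smaller keyspace than 16 lowercase letters.
    rate = 1e9  # assumed guesses per second for illustration only
    print(f"8 chars, 95-symbol alphabet: {brute_force_seconds(8, 95, rate):.3g} s worst case")
    print(f"16 chars, 26-symbol alphabet: {brute_force_seconds(16, 26, rate):.3g} s worst case")
```

Run it and the four formula passwords fall out of roughly twenty thousand guesses, while the string with no base word survives the same rules. Against a real hash (NTLM, bcrypt, and so on) only sha256_hex changes; the rule logic is what does the work, and the two keyspace lines show why a longer, simpler string costs an attacker more than a shorter "complex" one.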

A good approach to creating a secure password is to take a phrase you will remember and reduce it to pieces that look random. For example, “This is my password” becomes “TimP.” On its own that is far too short, so extend the phrase (or keep more of each word) until the result meets the length guidelines; a longer result built the same way is still easy to recall. Also steer away from common phrases or quotes and popular passages from books and movies. These are already stored in wordlists and are detected almost immediately.
