
CyberLabs #2 – Password security, the reason why you should create strong passwords

Michał Błaszczak, 5 October 2022


Passwords nowadays

Passwords are something we use every day. They are crucial to us, because they have become the key to sensitive data that we do not share on a daily basis. That is why cybercriminals care so much about them (they often obtain passwords through phishing or by breaking into a particular system, the well-known password leak). In the first case the password, however complicated, is handed to the attacker in the open; in a data leak our password is hashed and the cybercriminal must recover it (and whether he succeeds is up to us).


One password, one system

This headline should be a rule that each of us applies when registering a new account in another system. It is also worth considering at this point whether our existing accounts were created according to it; if not, it is worth changing them. The principle matters because you often hear that in some attack the criminal obtained a login and password with which he could later log into many systems. This lack of cyber hygiene is what lets a cybercriminal quickly take over many of the accounts we use.


Leaks vs. password security

When a database containing our passwords leaks, we very often see a message telling us to change them immediately. This is of course a reasonable reaction, but it is worth knowing that passwords in databases are not stored in the open (at least they should not be; the form in which they are stored depends on the application developers). In the database the information is stored as a hash.

In short, it works as follows: the user provides an account password during registration; after the form is submitted, a hashing algorithm turns the password into a string of characters called a hash (for a given password and a given algorithm, such as md5, the hash is always the same).

The whole process is a one-way street, meaning it cannot be reversed (you cannot easily turn the hash back into the password hidden underneath it). For us this is important: during a leak the attacker does not get our password directly, only a hash that has to be cracked or “recovered.” Whether the attacker can recover our password in a reasonable time is therefore crucial, since it decides whether the cybercriminal gains access to our account.

Recovery time is mainly influenced by the complexity of the password (how long it is, whether it includes every kind of character, whether it is a “generated” password or rather, e.g., our name plus date of birth): the longer and more complex the password, the harder it is to recover. In addition, password security is affected by the hashing algorithm chosen by the developers.
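As an added illustration (not code from the original article): the fast, unsalted md5 hash the text names next to a salted, deliberately slow PBKDF2 hash, which is the kind of developer choice the last sentence refers to. The sample password and the helper names are constructed for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample password for the demonstration, not a real credential.
SAMPLE_PASSWORD = "StrongPassword"
ITERATIONS = 600_000  # work factor: raise it as hardware gets faster


def md5_hash(password: str) -> str:
    """Fast, unsalted hash of the kind the article mentions (md5).
    The same password always yields the same hex digest, and a single
    guess costs almost nothing, which is what makes leaked md5 hashes
    cheap to attack with dictionaries and brute force."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> tuple:
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256).
    A random 16-byte salt means two users with the same password get
    different hashes (one precomputed table cannot serve every user),
    and the iteration count makes every guess the attacker tries expensive."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_pbkdf2(password: str, salt: bytes, expected: bytes,
                  iterations: int = ITERATIONS) -> bool:
    """Re-derive the hash with the stored salt and compare it in constant time."""
    _, digest = pbkdf2_hash(password, salt, iterations)
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    print("md5   :", md5_hash(SAMPLE_PASSWORD), "(identical on every run)")
    salt, stored = pbkdf2_hash(SAMPLE_PASSWORD)
    print("pbkdf2:", stored.hex(), "(differs on every run because of the salt)")
    print("login ok:", verify_pbkdf2(SAMPLE_PASSWORD, salt, stored))
```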

How does a password leak occur?

There are many ways a leak can occur. Looking at the leaks of the past few months, we can see recurring patterns. Many times it all starts with phishing and impersonation of an employee, through which the attacker gains access to the company’s internal network. Other leaks start with forgotten systems that were supposed to be available only for a while and that, after several years, have many vulnerabilities. Still other leaks start with passwords or API keys that are available in public repositories. For this reason you should not wait for an attack, but start much earlier with regular audits of your systems. Remember too that an attack often starts with the “manipulation” of an employee, so also conduct proper training or controlled phishing exercises, which will significantly sensitize employees.


How does password recovery work?

As I mentioned, the time needed to recover a password from its hash is strongly influenced by the complexity of the password. To understand why this matters, you need to know what methods cybercriminals use to recover a password from a leaked hash. First, though, it should be said that password recovery consists of generating a huge number of hashes from candidate strings and comparing them with the original hash (the one we want to crack). If the hashes are the same, we have found the password we are looking for.

Password recovery methods

    • Dictionary attack – in this case the attacker relies on a so-called dictionary, which contains, for example, popular passwords (from other leaks), names, common words, etc. When recovering a hash with this method, a single word is taken from such a dictionary, a hash is generated from that word and compared with the hash we want to recover. The attack succeeds if our password is a common string such as Password. Of course, the attacker can also build a password from several dictionaries: if one dictionary contains the word “Strong” and another “Password”, the cybercriminal will also check the hash for the password “StrongPassword”.
    • Brute force – using this method the criminal checks every possible combination. Before launching the attack, he can define how long the generated passwords should be, whether they need to consist of uppercase and lowercase letters, or perhaps also include digits. With this method the criminal can use so-called masks, which define what type of character should be checked in a particular position; e.g. he may assume that lots of people use 8-character passwords that start with a capital letter, end with two digits and are lowercase in between. With this approach he significantly reduces the number of combinations to test. Using this method the attacker is able to recover any password; the only problem is the time the computer needs to check all the combinations for the given assumptions, and whether that time is acceptable.

Dictionary attack vs. brute force

The above methods can be combined so that the cybercriminal recovers passwords from hashes obtained through, e.g., a leak more effectively. Reading about password recovery methods, we can draw a fairly simple conclusion.

Our passwords cannot consist of simple words, as it will be possible to recover such a password using dictionary methods.

What’s more, as long as we use predictable passwords, in which a particular type of character sits in a specific place (e.g. the password mentioned above, with a capital letter at the beginning and digits at the end), the attacker will be able to crack it in a reasonable time as well, since such a character layout is predictable and commonly used.

How to create secure passwords?

First, we need to make sure that our password is long enough (a minimum of 15 characters), and second, that it contains every kind of character in random places. An example is a password generated by one of the generators available on the Internet:

6nA27x7#2W8!k&g

Such a password will of course not be found in any dictionary, and the attacker will not be able to predict where specific kinds of characters sit. Even if the cybercriminal learns that our password has 15 characters, he is left with checking all possible combinations of all potential characters (about 90) in each of the 15 positions. That gives a huge number of combinations, which a cybercriminal will not be able to check in a reasonable amount of time.
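A worked version of the counting argument from the brute-force bullet and the paragraph above, added here as an example (not from the original article): the masked 8-character shape against a 15-character password drawn from the full printable alphabet. The guess rate is an assumed illustrative figure and the helper names are assumptions.

```python
import math
import string

LOWER, UPPER, DIGITS, PUNCT = (string.ascii_lowercase, string.ascii_uppercase,
                                string.digits, string.punctuation)
ALL_CHARS = LOWER + UPPER + DIGITS + PUNCT  # 94 characters (the article rounds to ~90)

# Assumed guess rate for a fast unsalted hash on a well-equipped cracking rig.
# Illustrative only, not a measurement; real figures vary widely.
ASSUMED_GUESSES_PER_SECOND = 10_000_000_000

# The predictable 8-character shape described in the article:
# one capital letter, five lowercase letters, two digits.
PREDICTABLE_MASK = [UPPER] + [LOWER] * 5 + [DIGITS] * 2


def mask_keyspace(mask) -> int:
    """Candidates to test when the attacker knows which class sits in which position."""
    return math.prod(len(cls) for cls in mask)


def full_keyspace(length: int, alphabet: str = ALL_CHARS) -> int:
    """Candidates to test when every position may hold any character of the alphabet."""
    return len(alphabet) ** length


def years_to_exhaust(keyspace: int, rate: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the assumed guess rate."""
    return keyspace / rate / (365 * 24 * 3600)


def classes_used(password: str) -> set:
    """Character classes present in a password. A password that uses all four
    leaves the attacker no better assumption than the full alphabet everywhere."""
    return {name for name, cls in (("lower", LOWER), ("upper", UPPER),
                                   ("digit", DIGITS), ("punct", PUNCT))
            if any(c in cls for c in password)}


if __name__ == "__main__":
    masked = mask_keyspace(PREDICTABLE_MASK)
    random15 = full_keyspace(15)
    print(f"masked 8-char shape : {masked:.3e} candidates, "
          f"{years_to_exhaust(masked) * 365 * 24 * 3600:.1f} s")
    print(f"random 15-char      : {random15:.3e} candidates, "
          f"{years_to_exhaust(random15):.3e} years")
    print("classes in the article's example:", sorted(classes_used("6nA27x7#2W8!k&g")))
```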

Password Managers

The previous section showed that the safest approach is to use long (min. 15 characters) passwords consisting of all kinds of characters in random places. The only “downside” of such passwords is the difficulty of remembering them. Moreover, if we follow the rule “one password, one system”, we end up with numerous passwords that are not easy to remember. This is where password managers, special safes for our passwords, come to help. An example of such a manager is KeePassXC, which creates a “safe” kept locally on our computer. Access to this safe is protected by a password (the only one we need to remember), so it’s worth making it strong enough. Such a password manager can also be secured with a hardware key, which we’ll discuss later in the article. With this solution we can keep our passwords protected (and since we have a place to store them, we may as well generate passwords longer than 15 characters, which only benefits our security).


KeePassXC is an open source manager available for various systems that we can integrate with the browser.

Certainly, KeePassXC is not the only one of its kind; we can find other applications on the Internet. Some managers additionally offer browser plug-ins so that we don’t have to type passwords each time, others come with a mobile application. It all depends on our needs, and we will certainly find a solution that satisfies us.

Two-factor authentication

Two-factor authentication (2FA) is an additional security feature used when logging into an account. A login and password are still required, but on an account with 2FA enabled you also need to provide an additional “ingredient”, such as a code from a dedicated app.


Two-factor authentication (2FA) can help protect your online accounts, even if your password is stolen.

Types of 2FA

When deciding on two-factor authentication, we need to think about which additional authentication method to choose. The number of available methods varies from application to application, but we will usually have a choice:

    • SMS code – if we choose this option, when logging into our account we receive an additional one-time code sent to the phone number provided during setup.
    • In-app code – this method is very similar to the SMS code, but here the code is generated in a dedicated application that we install on our mobile device beforehand and “link” to our account. Generated codes are valid for 60 seconds, after which a new code is created.
    • HW key (dongle) – this is the most secure method of two-factor authentication. While codes from the two previous methods can be obtained through phishing, with this method we must physically plug the dongle into the USB port when logging into our account. Without this step we won’t be able to log into the account!
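As an added example of how the in-app code works (not code from the original article): a minimal time-based one-time password implementation following RFC 6238, the scheme common authenticator apps use. The secret is the RFC’s published test secret, not a real one; the code validity period is a parameter and defaults here to the RFC’s 30 seconds.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo secret, base32-encoded as it appears in the QR code shown
# when the app is "linked" to the account. This is the RFC 6238 test secret
# ("12345678901234567890"), not a real one.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then
    'dynamic truncation' to a 31-bit integer reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: float, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the counter is the number of `period`-second windows since
    the Unix epoch. App and server share only the secret; they produce the same
    code because they compute the same counter for the same time window."""
    secret = base64.b32decode(secret_b32.upper())
    return hotp(secret, int(at_time // period), digits)


def verify_totp(secret_b32: str, submitted: str, now: float,
                period: int = 30, skew: int = 1) -> bool:
    """Server-side check: accept the code for the current window and for `skew`
    windows on either side (clock drift), comparing in constant time."""
    secret = base64.b32decode(secret_b32.upper())
    counter = int(now // period)
    return any(hmac.compare_digest(hotp(secret, counter + d), submitted)
               for d in range(-skew, skew + 1))


if __name__ == "__main__":
    import time
    now = time.time()
    code = totp(DEMO_SECRET_B32, now)
    print("current code:", code, "accepted:", verify_totp(DEMO_SECRET_B32, code, now))
```

A code is only as secret as the shared key and the current window, which is why a code typed into a phishing page is immediately usable by the attacker, as the tips below warn.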

Is it worth using 2FA?

Definitely yes! Two-factor authentication significantly improves the security of your accounts. If a leak of a database containing your passwords occurs, two-factor authentication effectively makes it harder for an attacker to access your account. On top of that, if we use strong generated passwords, our accounts can be really well protected.

Password security: a handful of good tips:

    • Apply the rule “one password, one system.” This way, even if an attacker gets hold of our password (whether through phishing or by recovering it from a hash), he will only be able to use it for one system, which significantly reduces the attack surface.
    • Use two-factor authentication at least for the accounts that matter most to us (ideally we use 2FA on every account). If a situation like the one above occurs, i.e. our logins and passwords are taken over, the attacker still won’t be able to log into the account. Remember that 2FA codes can be captured during a phishing attack, so be careful where you enter them!
    • To create passwords, use so-called password generators, which produce appropriately long and complex passwords for us. This helps resist attempts to break or recover them.
    • Don’t store your passwords in text files or on sticky notes. For storing passwords, use dedicated managers such as KeePassXC.
    • We may not even be aware of some leaks, so from time to time we should check, e.g., https://haveibeenpwned.com/ to see whether our e-mail address appears in any leak. If it does, we will be told the name of the website from which our data leaked and what kind of data was involved.

Stay secure! 👾
