Some things about passwords in 2021

2021-02-17 19:11:25

TL;DR

So, many sites ask you to write these things:

But why? Why should you use a longer password? I'll give you some examples.

For example, how long will it take to crack a password named... "password"? Pretty fast. Looking at the common password list, it seems a lot of people are using easy-to-guess passwords. How about a random 8-letter password, like "ijnokmpl" (and if it's hashed with SHA2-256, a one-way hashing algorithm that turns your password into a digest so that nobody can read it directly)?

Using Hashcat, it didn't take too long. Brute-forcing those random characters took my 3080 (hash specs are here) 2 minutes and 10 seconds. Okay, let's update the password: let's add a 1 to the end of it ("ijnokmpl1"). How long will that take? Will we be more secure?

It would take approximately 11 hours to crack your password. That's a lot better. Adding any new symbol of a different type than the previous characters helps. But... what if we knew that users put 8 letters first and then, as a "small social engineering trick", append whatever the next requirement in the password policy asks for (for example, "you need one digit in your password")? This is also a big problem when creating a password: most people look at the password requirements and treat them as a "todo" list, "checking" each requirement from top to bottom until they are all done. And frequently, the extra characters are put at the end of the "original" password.

Even if I knew only some characters (like the first 4), didn't know the rest, but knew the length... it would take a hacker less than 20 seconds to guess your password.

And if a hacker didn't know the length but knew some symbols in the password, it would still take him less than a minute to guess your password, if he ever got hold of your hashed password.
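To make the scenarios above concrete, here is an added example (not code from the original post, and not a Hashcat benchmark) that counts how many candidates an attacker has to hash for each guessing strategy: a fully random 8-letter password, the "8 letters plus a digit at the end" checklist shape, a password whose first 4 characters are already known (as with the reused "ihatetrains" / "ihatetrains2021" pair discussed further down), and the case where the length is unknown. Charset sizes follow Hashcat's mask tokens (`?l`, `?u`, `?d`, `?s`, `?a`); the hash rate `ASSUMED_HASH_RATE` is a constructed assumption chosen so that the first scenario lands near the post's 2 minutes 10 seconds, and it is not a measured figure for any card.

```python
# Added example: rough work-factor estimates for the guessing scenarios in the post.
# Charset sizes follow hashcat's mask conventions (?l ?u ?d ?s ?a); the hash rate
# is a constructed assumption, not a measured benchmark figure.

CHARSETS = {
    "?l": 26,   # a-z
    "?u": 26,   # A-Z
    "?d": 10,   # 0-9
    "?s": 33,   # printable ASCII punctuation and space
    "?a": 95,   # all printable ASCII
}

ASSUMED_HASH_RATE = 1.6e9  # SHA-256 candidates per second (constructed assumption)


def keyspace(mask: str) -> int:
    """Number of candidates a mask such as '?l?l?l?l?l?l?l?l?d' describes.

    A literal character in the mask (a position the attacker already knows)
    contributes a factor of 1; mask tokens contribute their charset size.
    """
    total = 1
    i = 0
    while i < len(mask):
        token = mask[i:i + 2]
        if mask[i] == "?" and token in CHARSETS:
            total *= CHARSETS[token]
            i += 2
        else:
            i += 1  # known literal character, factor of 1
    return total


def brute_force_keyspace(alphabet_size: int, min_len: int, max_len: int) -> int:
    """Candidates when the attacker knows the alphabet but not the exact length."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def seconds_to_crack(candidates: int, rate: float = ASSUMED_HASH_RATE) -> float:
    """Worst-case time to exhaust the keyspace against one unsalted fast hash."""
    return candidates / rate


def human(seconds: float) -> str:
    """Render seconds as the largest convenient unit, one decimal place."""
    for unit, size in (("y", 365 * 86400), ("d", 86400), ("h", 3600), ("m", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f}{unit}"
    return f"{seconds:.1f}s"


def scenarios() -> dict:
    """The post's situations expressed as keyspaces (attacker knowledge varies)."""
    return {
        # truly random 8 lowercase letters; attacker knows only the alphabet
        "random8_lower": keyspace("?l?l?l?l?l?l?l?l"),
        # 9 characters from letters+digits, attacker assumes nothing about positions
        "random9_lower_digit_blind": 36 ** 9,
        # attacker knows the checklist habit: 8 letters, then one digit at the end
        "policy8_lower_plus_digit": keyspace("?l?l?l?l?l?l?l?l?d"),
        # first 4 characters known from a leak or reuse, rest follows the same habit
        "known4_then_4_lower_digit": keyspace("ijno?l?l?l?l?d"),
        # first 4 known, remaining length unknown (4 to 8 more chars, letters+digits)
        "known4_len_unknown": brute_force_keyspace(36, 4, 8),
    }


if __name__ == "__main__":
    for name, n in scenarios().items():
        print(f"{name:28s} {n:>22,d} candidates  ~{human(seconds_to_crack(n))}")
```

The point the table makes is the one the post makes: the digit at the end only helps while the attacker has to treat it as one of 36^9 blind possibilities; as soon as the checklist shape or a few leading characters are known, the keyspace collapses by several orders of magnitude. Salted and deliberately slow password hashes (bcrypt, scrypt, Argon2) change `rate`, not the shape of the problem.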

So, you might see a problem: if you create a password exactly the way the website asks you to (1 capital letter, 1 number, in that order), your password might be compromised in seconds. This is also a good reason why you should not re-use a password on multiple sites (for example, using the password "ihatetrains" on one website while using "ihatetrains2021" on another). If one of those passwords got compromised, it would be a lot easier to guess your password on other sites, like Gmail, YouTube and other accounts.

Also, fun fact: from Troy Hunt's post it's clearly visible that most websites ask for at least 8 symbols (or... even fewer), but, as seen above, that's not enough. And then there is the position that "passwords, getting longer, are harder to remember". Well, that's true. If you're using 20+ web services which require passwords, it would be hard to remember all of them if they were 12+ characters long, alphanumeric, and contained random symbols.

For additional info, it also isn't advised to save passwords in your browser or on your computer, because, if you haven't password-protected access to your stored passwords (Firefox example), an attacker could get access to your email and passwords pretty easily. Even worse, if he has remote access to your computer, he could download your browser passwords and decrypt them. Continuing the "even worse" train, it's hard to even know whether one of your passwords has already been compromised, because some organisations don't want to notify their users that they were breached. If you want to know whether your email/password has ever been breached, please check Troy Hunt's website, haveibeenpwned.com. This website might help you understand whether one of your accounts has already been breached, and I would advise checking it at least once a month.

In my opinion, passwords also must be generated using a password manager. Also, there are a lot of them around now, like

Personally, I would advise using a password manager which stores your password "vault" (like KeePass) on your local computer, where nobody else has access to the file, rather than on somebody else's server. Because you're using a password manager, you're creating a "single point of failure" (SPOF): if somebody has access to your password manager, he has access to all your accounts. It would be advisable to put two-factor authentication (like Google two-factor) on your password manager and on the web resources themselves.

Also, I would advise generating truly random passwords which are longer than the character count the website requires, because that way a hacker doesn't even know how long your password is, or what characters it contains.
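As an added example of the advice above (not code from the original post or from any password manager), this generates a password with the standard library's CSPRNG-backed `secrets` module, a few characters longer than the site's minimum, and keeps drawing until the site's policy is satisfied instead of tacking the required digit or symbol onto the end. It also includes a small heuristic, `is_checklist_shaped`, that flags the "letters first, then the requirements" shape the post describes; the policy values and the `margin` of 4 extra characters are constructed for illustration.

```python
# Added example: generate a uniformly random password that exceeds a site's
# minimum length, and detect the "todo-list" password shape the post warns about.
# Policy values and the length margin are constructed for illustration.
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 printable chars


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Guessing entropy of a password drawn uniformly from alphabet_size^length."""
    return length * math.log2(alphabet_size)


def meets_policy(password: str, min_len: int = 8) -> bool:
    """A typical site policy: minimum length, one upper-case, one digit, one symbol."""
    return (
        len(password) >= min_len
        and any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in string.punctuation for c in password)
    )


def generate_password(site_min_len: int = 8, margin: int = 4, alphabet: str = ALPHABET) -> str:
    """Draw a password longer than the site minimum, uniformly from the alphabet.

    Rejection sampling (redraw until the policy passes) keeps every surviving
    password equally likely. Appending '1' or '!' to satisfy the checklist would
    instead produce exactly the structure a mask attack exploits.
    """
    length = site_min_len + margin
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate, site_min_len):
            return candidate


def is_checklist_shaped(password: str) -> bool:
    """Heuristic: a run of letters followed only by non-letters (digit/symbol tail)."""
    i = 0
    while i < len(password) and password[i].isalpha():
        i += 1
    return 0 < i < len(password) and not any(c.isalpha() for c in password[i:])


if __name__ == "__main__":
    pw = generate_password(site_min_len=8, margin=4)
    print(pw, f"{entropy_bits(len(pw), len(ALPHABET)):.1f} bits")
    for sample in ("ijnokmpl", "ijnokmpl1", "Ihatetrains2021!", pw):
        print(f"{sample!r:20s} checklist-shaped: {is_checklist_shaped(sample)}")
```

Note the difference between `random` and `secrets`: only the latter is suitable for passwords, since `random` is seeded predictably and designed for simulations, not secrets. A 12-character password over 94 symbols carries about 78 bits of guessing entropy, against roughly 38 bits for the 8-lowercase example earlier in the post.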
