To create effective passwords, let’s begin by making sure we’re all on the same page about what is a password.
Passwords are a form of identification that people use to prove their identity when logging in to a system. Passwords are “something you know” and therefore must be memorized or stored securely. If you forget a password or it is easily accessible by others, then that password is no longer useful or effective.
Consider an illustration:
Alice is creating a new account for a website. In order to create an account, this website requires that she enter an email address and a password. Her email and password are the credentials that will be associated with Alice’s account. Once her account is activated, Alice is required to go through the website’s login process by providing valid credentials to gain access. The process of authentication is meant to prevent unauthorized access to an account.
When Alice created her account’s login and password credentials, she had to consider what a secure password would be for her website. Like many websites, this one has a policy that requires her password to be at least eight characters long, uses at least one uppercase letter, one lowercase letter, and a number. This policy is meant to increase the size of the search space for that password; that is, the total number of possible passwords.
Most people, like Alice, come up with their own passwords. The problem is that people can be predictable.
Consider four-digit PINs. People might choose a combination of numbers that have meaning to them, such as a year (e.g., 1975, 2001, 2019) or a date (e.g., 1225, 0704). Perhaps they want to do something quick, easy or memorable, like choosing a pattern of numbers (1111, 1212, 1234, etc.). Research shows that people don’t choose passwords and PIN numbers at random. In fact, from a set of 3.4 million four-digit PIN numbers, one researcher found that over 10 percent of them were “1234”. From a set of 10,000 possible combinations, just 20 of them accounted for over 26 percent of all the chosen PIN numbers. Looking at passwords, instead of PINs, indicates that there are still a lot of patterns that might be useful in making an educated guess at someone’s password.
All of these educated guesses and data about previously used passwords can be stored in a password dictionary. This is basically a file that can be used as a reference when guessing a password. When someone uses a dictionary to guess a password, it is often referred to as a dictionary attack. A dictionary attack is the combination of a set of rules for making more educated guesses with the relentlessness of a brute-force search.
There are dictionaries publicly available for download in any language of your choice (often including fictional languages) of first names, last names, cities, birth years, colors, foods, and so on. Software built to use these dictionaries when guessing passwords can combine these together in various ways and transform them using customized patterns.
For example, people might think that the notoriously bad password of “password” can be made more secure by typing it as “Pa55w0rD”, but that is not true. Character substitution is a common transformation that some software can do when it guesses passwords. Software can replace one or more instances of the letter ‘s’, for example, with the number 5 or changing a letter to be upper or lowercase. Each transformation still requires the submission of a guess, but they are still educated guesses based on, in this case, lists of the worst and most commonly used passwords.
On a smartphone, you might look at the pattern of fingerprints on the screen to guess which numbers are used. While not guaranteed to be correct, this pattern might change how you approach that search space by starting with a specific combination of numbers. This technique is called a smudge attack. These attacks can help you justify either keeping your screen really clean or not cleaning it at all! On physical devices, like the keypads you might find on garage door openers, car doors or ATMs, this vulnerability might present itself as staining or wear rather than smudges.
Social Engineering Attacks
Of course, the best way to reduce the search space is to know the answer! This is where social engineering comes in to play, or where hackers will try to find a personal weakness. There are various forms of social engineering attacks when it comes to technology, including phishing (email), smishing (SMS or text messaging), and vishing (voicemail). The main objective of these social engineering techniques is to gather information.
For example, phishing occurs simply by sending an email to one or more people asking for their information. Often the email is made to appear as though it is coming from a reputable source. Typically, there is some claim of an urgent problem that the recipient would be affected by if they don’t respond.
How can you use this information?
Create an effective password that is memorable, but complex. Generally, longer passwords are stronger passwords, but this only holds true if the password isn’t easily guessed from a dictionary attack. Don’t use the same password across multiple websites. If you have an account on a website that is hacked, that information will certainly be used to try and breach other websites that you might visit. And finally, beware of phishing (email) schemes.
All of these tips will help your create an effective password that keeps you and your information more safe and secure online.