Password Security. What everyone with an online account needs.

I’d like to share techniques for password security and hardening your presence online. If you have a well-hardened online presence, then would-be attackers will simply move on to an easier target. Just think, we currently have thousands of passwords in our database, which is so secure we dare people to try and retrieve one. How do we keep it all secure and hackproof? Ah, just read below.  

As a former AASP (Apple Authorized Service Provider) employee, I have seen first-hand how the good ‘ol sticky note method can spiral out of control. Keeping passwords written down on physical media increases the risk of losing them, which makes for a worse user experience. Like anything else in life managing your credentials for online services is all about risk management. We want to decrease two risks: 

  • The risk of losing or forgetting passwords 
  • The risk of your credentials getting compromised 

The solution to this problem is simply using a password manager, or more accurately a credential manager. I recommend one where you have full control over how it stores your credentials. The open-source KeePass provides this service. It is an ultra-lean program that stores your credential database encrypted and local to your PC. It also has various ports of the software that allow you to open these databases on mobile devices. 

Having KeePass means you only need to remember two passwords, the one that gets you into your computer, then the one that gets you into your KeePass. The rest of your passwords are arbitrary and having different, long, complex passwords for all the services you use is no longer a daunting challenge.  

This is how we keep track of thousands of different complex passwords without wasting time trying to memorize them. But – this raises a few questions: 

  • Why use so many different passwords in the first place?  
  • Why does a password need to be complex and lack dictionary words, substitution, and common key stroke patterns?  
  • Services or websites usually just lock out after three failed attempts anyways, right? 

The answer to these questions is that hackers are not just plugging in random usernames and passwords into PNC’s site trying to get lucky. Instead what they do is attempt to gain access to less secure databases of emails to password hashes. The database that a lower tier forum or a small business’s website might hold. If they can get access to this database, they can then start working on decrypting the password hashes they find. 

Password security start here. Whenever you create an account online, your password is never stored. Instead, an encrypted tunnel is built between your PC and the webserver. Your password is sent in plain text inside this encrypted tunnel, therefore encrypting the password, to the server where it is hashed using some common hashing algorithm, plus any extra tricks the web engineer might have added. This hash and the rest of your account information is stored inside a database for future reference. The string used to create the hash is discarded. Whenever you sign into the service your password is hashed again, if the hashes match you are authenticated. 

When hackers gain access to this database of hashes, they now have unlimited attempts to guess strings that might resolve the hash given many hashing algorithms. If the account is from a less secure service, they may not have too complex of a hashing algorithm, and if your password isn’t too complex either the hash will be decrypted within seconds.  

Our first step of thwarting their plans is to use more complex passwords. The only thing deterring us from using more is if you ever were presented with a situation where you had to type in that password because copy-paste was not an option. KeePass will also generate random passwords for you of any desired complexity including any sort of characters you want. You could create a passcode including capitals, lowercase, special characters, and a number. Or any combination of these things. We also like to introduce using Cisco Duo as a multi-factor authentication method.  

Our second step is to use a different password for every service you use. This is the magic bullet that stops the typical credential failure mode of finding a username and password hosted by a less secure service, then using those in something like a bank account. By using different passwords this problem is solved. The password manager enables us to use as many different passwords as we want without having the strain of remembering them. 

The third step, and this one does not focus on passwords, is to have multiple emails. I suggest just two personal ones. One for critical services like banking, online taxes, investment, etc, and another you use for social media accounts, streaming, and forums. This will help you further thwart hackers by making even your username elusive. If you are careful this important email inbox will only contain important emails as well, which helps keep you organized. Any good mail client can hold multiple mailboxes.  

That’s how we keep our accounts on lockdown and how we recommend others to do the same.  I’ve linked below the KeePass download landing page as well as an online utility where you can test how secure your passwords are. It is a webpage with an algorithm that runs locally inside your browser, not sending your password over the internet, and can give you an idea of how long it might take to crack your password given the hash it creates. If your password can be cracked with hashes.com it is not strong enough. There are tools that can be run locally on a computer, using a powerful GPU allowing for parallelization of guessing attempts.  

If you would like more information and assistance in keeping your team and employees safe, feel free to reach out to us anytime. Click here.

Here is a link where you can download KeePass:
https://keepass.info/download.html
A link where you can test your passwords for complexity:
https://www.my1login.com/resources/password-strength-test/
Crack Hashes:
https://hashes.com/en/decrypt/hash

Don’t Stop Here

More To Explore