By Harrison Stites. In the last issue of SECURED, Chris Shull, Chief Information Security Officer, wrote about the importance of passwords. Specifically, Chris emphasized using unique and long passwords for each login to prevent hackers from accessing your accounts. However, for most users, remembering long, unique passwords is not feasible. Today, we will describe the tactics hackers use to compromise your passwords so that you can better defend yourself and your accounts from these attacks.
The two most common password attacks are “brute force” and “dictionary” attacks, both of which use automation to guess your password. Against these attacks, a long password that includes special characters, numbers, and capitalization exponentially increases the safety of your password. If you use a randomly generated eight-letter password of all lowercase letters, there are 208,827,064,576 (26^8) possible combinations. However, if your password also includes numbers, the number of possible combinations goes up to 2,821,109,900,000 (36^8). Every extra character multiplies the number of possible combinations by the size of the character set once more, which is why long passwords are essential to keeping your accounts secure. The same goes for adding capitalization, numbers, and special characters, all of which enlarge the character set and make your password harder to crack without insider knowledge.
Dictionary attacks are similar to brute force attacks but also use a massive database of common passwords or words to narrow down the potential combinations. For example, if your password contains the word “dog” along with a string of numbers, a dictionary attack whose word list includes “dog” and “d0g” would crack your password much faster than a traditional brute force attack. Passwords that contain full words are especially vulnerable to these types of attacks. Additionally, if even part of a password is repeated across accounts, it is much more vulnerable to both brute force and dictionary attacks.
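To make the keyspace arithmetic in the previous two paragraphs concrete, here is a small Python example added for this article (it is not code from the original newsletter). It reproduces the 26^8 and 36^8 figures, shows the per-character multiplier, and contrasts a word-plus-digits password against the brute-force count for the same length; the special-character count (33) and the guess rate are assumptions for illustration.

```python
# Sizes of the character classes discussed in the article.
# The 33 specials is an assumption (printable ASCII punctuation incl. space).
CHARSET_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": 33}


def brute_force_keyspace(length: int, classes: tuple) -> int:
    """Candidates an exhaustive search must cover: (alphabet size) ** length."""
    alphabet = sum(CHARSET_SIZES[c] for c in classes)
    return alphabet ** length


def extra_char_multiplier(length: int, classes: tuple) -> int:
    """How much one more character grows the keyspace (equals the alphabet size)."""
    return brute_force_keyspace(length + 1, classes) // brute_force_keyspace(length, classes)


def dictionary_keyspace(wordlist_size: int, digit_suffix_len: int) -> int:
    """Candidates for a 'word + N digits' password when the word is in the
    attacker's list: every list entry combined with every digit suffix."""
    return wordlist_size * 10 ** digit_suffix_len


def seconds_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given (assumed) guess rate."""
    return keyspace / guesses_per_second


def weakness_factor(length: int, classes: tuple, wordlist_size: int, digits: int) -> float:
    """How many times smaller the dictionary search is than brute force for a
    password of the same length built as word + digits (e.g. 'dog1234')."""
    return brute_force_keyspace(length, classes) / dictionary_keyspace(wordlist_size, digits)


if __name__ == "__main__":
    rate = 1e9  # assumed: one billion guesses per second (offline cracking rig)
    for classes in [("lower",), ("lower", "digit"), ("lower", "upper", "digit", "special")]:
        ks = brute_force_keyspace(8, classes)
        print(f"8 chars from {'+'.join(classes):<26} {ks:>22,} "
              f"~{seconds_to_exhaust(ks, rate) / 86400:.1f} days")
    # 'dog1234': 7 chars of lower+digit, but really 1 word from a 100k list + 4 digits.
    print(f"word+digits is {weakness_factor(7, ('lower', 'digit'), 100_000, 4):,.0f}x "
          f"easier than brute force")
```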
Another way that hackers gain access to your password is through public and unsecured Wi-Fi networks. Hackers can act as a “middleman” between your device and the network, gaining access to any passwords or sensitive information you send. Be careful logging into accounts while on public Wi-Fi, and consider using a VPN or personal hotspot as an alternative. Hackers also use phishing attacks to gain access to accounts and passwords.
Using complicated, long, and unique passwords for every account is important for security, but it is difficult to remember all of that information. One strategy for remembering your passwords is to create long and seemingly meaningless passphrases. For example, “the duck ran from the one dog while eating 5 purple carrots” can be shortened into a password that looks like “Tdr/n4rom1d00gWe5Pur%Ca&”, which is much more complex but can still be remembered. When creating these passphrases, vivid imagery is key to making them memorable. For example, “the green fox arm-wrestled the giraffe on a blue house” is a vivid image that you can picture in your mind and are therefore more likely to remember.
Password managers offer a solution to the password problem by allowing you to use long unique passwords without having to remember more than one master password. However, the security of browser-based password managers is dubious. If you log into a shared device or someone accesses your personal device, your passwords can become compromised. A much safer option is an app- or web-based password manager, which has better security and comes with a variety of features. Visit the WashU OnTheHub page to find a password manager that meets your needs. The store has several password management options at various price points.
Regardless of the password strategy you choose, maintaining strong, unique passwords is crucial, especially for essential accounts such as bank and school logins. Keep your data safe by using the tactics discussed here, and reach out to our office at infosec@wustl.edu if you have questions or additional password management tips. Thank you for your ongoing efforts to protect yourself and our institution from cybercrime.