The problem with passwords that humans come up with is that people want passwords they can easily remember, so that they don't have to memorize 100 of them. I get it. It is practically impossible (unless you have a photographic memory) to remember 100 passwords that change at various intervals across all of the websites and applications you have accounts on. So you have your five favorite passwords and you use variations of them each time. Maybe you add a 1, then a 2, then a 3 as the last (or first) character each time you are prompted to change your password?
If I'm a hacker, all I have to do is think like someone who uses patterns for their passwords. I know that people swap an exclamation point for the letter i (e.g., IdontL!kepwds). I also know that people like to append their birth year or birth date (e.g., Broncos1976!). And I know a variety of other characteristics of commonly used passwords.
I can create (or just download) a file of all the words in the dictionary plus the common variations of each word (e.g., Broncos1976!, Broncos!976, Broncos1976…). Then I go hunting for an insecure website by searching hacker forums. I identify a site that does not rate-limit or lock out failed logins, which lets me test all of my candidate passwords against a list of known email addresses (many sites use email addresses as user names). Once I find a match and can log in as someone else, I can either exploit whatever that account gives me access to or try the same credentials, and variations of them, on other websites. Since most people use similar passwords everywhere, a hacker can take an individual's password from one published breach and try it against various banking websites to get at that person's bank accounts.
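Here is what that dictionary-plus-variations attack looks like in code. This is an added example, not part of the original post: it applies the mangling rules described above (capitalization, a leet swap, an appended year, an appended symbol) to a short constructed wordlist, "cracks" a constructed breach dump of unsalted SHA-256 hashes (a stand-in for any fast hash), and then retries the recovered passwords and a few variations against a second constructed site, which is the credential-stuffing step. The wordlist, email addresses, hash stores and rule set are all assumptions made for the example.

```python
import hashlib

# Constructed base wordlist; a real attack uses a full dictionary plus
# a list of the most common passwords.
BASE_WORDS = ["broncos", "password", "denver", "summer", "welcome"]

# The mangling rules the paragraph describes: leet-swap one letter,
# append a year, append a symbol. Rule sets are an assumption here.
LEET = {"i": "!", "a": "@", "e": "3", "o": "0", "s": "$"}
YEARS = [str(y) for y in range(1950, 2011)]
SYMBOLS = ["", "!", "1", "123", "#"]


def leet_variants(word):
    """Yield the word unchanged, then with each single leet substitution."""
    yield word
    for i, ch in enumerate(word):
        if ch.lower() in LEET:
            yield word[:i] + LEET[ch.lower()] + word[i + 1:]


def candidates(words):
    """Yield password candidates: case variants x leet x year x symbol."""
    seen = set()
    for word in words:
        for base in (word, word.capitalize(), word.upper()):
            for leet in leet_variants(base):
                for year in [""] + YEARS:
                    for sym in SYMBOLS:
                        cand = leet + year + sym
                        if cand not in seen:
                            seen.add(cand)
                            yield cand


def sha256_hex(s):
    """Unsalted SHA-256, standing in for whatever fast hash the site used."""
    return hashlib.sha256(s.encode()).hexdigest()


# Constructed "breach dump" from site A: email -> unsalted hash.
LEAKED = {
    "alice@example.com": sha256_hex("Broncos1976!"),
    "bob@example.com": sha256_hex("P@ssword123"),
    "carol@example.com": sha256_hex("xK9#vq2$Lm7!bTz"),  # manager-generated
}

# Constructed hash store of a second site (the "bank"): alice reused
# her password with a different trailing symbol.
BANK = {
    "alice@example.com": sha256_hex("Broncos1976#"),
    "carol@example.com": sha256_hex("Qp4@wz8!Rn3$hGy"),
}


def crack(leaked, words=BASE_WORDS, limit=2_000_000):
    """Return {email: (password, attempts)} for every hash recovered."""
    targets = {h: email for email, h in leaked.items()}
    found = {}
    for n, cand in enumerate(candidates(words), start=1):
        if sha256_hex(cand) in targets:
            found[targets[sha256_hex(cand)]] = (cand, n)
            if len(found) == len(targets):
                break
        if n >= limit:
            break
    return found


def stuff(other_site, cracked):
    """Credential stuffing: retry each recovered password, plus trailing
    symbol variations, against another site's hash store."""
    hits = {}
    for email, (pw, _) in cracked.items():
        if email not in other_site:
            continue
        stripped = pw.rstrip("!#123")
        for variant in [pw] + [stripped + s for s in SYMBOLS]:
            if sha256_hex(variant) == other_site[email]:
                hits[email] = variant
                break
    return hits


if __name__ == "__main__":
    recovered = crack(LEAKED)
    print(recovered)          # alice and bob fall; carol's random password does not
    print(stuff(BANK, recovered))
```

Alice and Bob are recovered within a few thousand guesses because their passwords are exactly what the rules produce; Carol's password never appears in the candidate stream, which is the whole argument of the paragraph above. Note that the stuffing step never touches a live site: it compares against a local hash store, so it runs offline.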
Sound scary? It should. Consider that as computing power increases, the human ability to pick passwords does not keep pace. For a few hundred dollars, a hacker can rent enough GPU time from Amazon to brute force an eight-character password of letters and symbols in less than 24 hours, provided the site stored it with a fast, unsalted hash such as MD5 or SHA-1 (a deliberately slow hash such as bcrypt stretches the same attack to years). That easily compromises most people's passwords, since a brute force attack simply checks every combination of characters and digits. There are downloadable lists of the 10,000 most common passwords that hackers use as a starting point. Realize that they only need to go for the low hanging fruit. They won't waste their time on the harder, more complex passwords because they can find so many weak ones with little effort. It turns out that entropy (randomness) is what makes a password hard to crack. The problem is that entropy is also what makes a password hard to remember.
One answer: use a password manager (e.g., 1Password, LastPass, Keeper Password) to store all of your passwords, and use its built-in random password generator to create long, high-entropy passwords. Sync your workstation and mobile devices with the tool, and the individual passwords stop mattering to you because the tool remembers them.
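To put numbers on the two preceding paragraphs, here is an added example (not from the original post) that works the entropy arithmetic for the password styles discussed: a pattern-based password that an attacker who knows the pattern only has to enumerate, an eight-character brute force, and a password produced the way a manager produces it, from the operating system's cryptographic random number generator. The guess rates (1e11 guesses per second for a fast unsalted hash on rented GPUs, 1e5 per second for bcrypt) and the sizes of the common-word and year lists are assumptions chosen to be in the right ballpark, not measurements.

```python
import math
import secrets
import string

# Assumed guess rates, not measurements.
FAST_HASH_RATE = 1e11   # MD5/SHA-1/NTLM on a rented GPU box
BCRYPT_RATE = 1e5       # bcrypt at a typical work factor on the same box


def brute_force_bits(length, alphabet_size):
    """Entropy of a uniformly random password of `length` characters."""
    return length * math.log2(alphabet_size)


def pattern_bits(words=10_000, cases=3, years=100, symbols=10):
    """Entropy of word + year + symbol (with a few capitalization
    variants) when the attacker already knows the pattern: the
    keyspace is the product of the list sizes, not the length."""
    return math.log2(words * cases * years * symbols)


def passphrase_bits(word_count, dictionary=7776):
    """Entropy of a diceware-style passphrase drawn from a 7776-word list."""
    return word_count * math.log2(dictionary)


def crack_seconds(bits, guesses_per_second):
    """Expected time to find the password: half the keyspace on average."""
    return (2 ** bits) / 2 / guesses_per_second


# 94 printable ASCII characters excluding space.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate(length=20, alphabet=ALPHABET):
    """What a password manager's generator does: uniform choice from the
    alphabet using the OS CSPRNG (never random.choice for this)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def estimate_bits(password, alphabet=ALPHABET):
    """Valid only for passwords generated uniformly from `alphabet`;
    human-chosen passwords of the same length have far less entropy."""
    return brute_force_bits(len(password), len(alphabet))


def report():
    """Return {label: (bits, seconds vs fast hash, seconds vs bcrypt)}."""
    rows = {
        "word+year+symbol pattern": pattern_bits(),
        "8 chars, 94-char alphabet": brute_force_bits(8, 94),
        "4-word passphrase": passphrase_bits(4),
        "6-word passphrase": passphrase_bits(6),
        "20 chars from a manager": estimate_bits(generate(20)),
    }
    return {k: (b, crack_seconds(b, FAST_HASH_RATE), crack_seconds(b, BCRYPT_RATE))
            for k, b in rows.items()}


if __name__ == "__main__":
    for label, (bits, fast, slow) in report().items():
        print(f"{label:28s} {bits:6.1f} bits  fast hash: {fast / 3600:12.1f} h"
              f"  bcrypt: {slow / 3600 / 24 / 365:12.1f} y")
```

The pattern password comes out under 25 bits even though it is twelve characters long, which is why a rules-based attack finds it in seconds; the eight-character brute force sits near 52 bits, within a day against a fast hash but centuries against bcrypt; and a 20-character manager-generated password is above 128 bits, beyond brute force against any hash. The hash the site chose matters as much as the password, but the user only controls the latter.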
Another answer: turn on Multi-Factor Authentication (MFA) wherever it is offered. MFA uses at least two of the following categories: knowledge (something you know), possession (something you have) and inherence (something you are). A common form of MFA pairs a password with a soft token that generates a one-time code (e.g., Google Authenticator). MFA is stronger than any single password because it requires the user to know something (e.g., a password) in addition to having something (e.g., a soft token) or being something (e.g., a fingerprint or retinal scan).
Rob started with Linford & Co., LLP in 2011 and leads the HITRUST practice as well as performs SOC examinations and HIPAA assessments. He has spoken at Data Center World on compliance-related topics and has completed over 200 SOC examinations. He started his career as an IT auditor in 2003 with PwC in the Systems and Process Assurance group, and has worked in a variety of industries in internal audit as well as for the City and County of Denver.