Back to Basics: Password Security

One could easily argue that passwords are quickly becoming obsolete; however, we still use them to access our apps, emails, online stores, you name it. Since they are still around, we might as well make the most of them to improve our system security. Password security is arguably a good place to start with good cybersecurity practice.

Most people use a word in their passwords in various forms:

  • A word — Security
  • A word followed by some numbers/symbols — Security.
  • A word with ‘leet speak’ applied — S3cu41ty
  • Multiple words stuck together — howsecureisthis

Password-cracking attacks

Password Security Infographic courtesy of the National Cyber Security Centre

This is where the hacker uses phrases that are commonly associated with you, such as birthdays (yours or those of family and friends), siblings’ and friends’ names, your maiden name, where you live or have lived, your pet’s name, and so on.

This is where a computer uses a word list, usually drawn from the English dictionary, to try to find a password that works.

If the average English-speaking adult knows somewhere between 12,000 and 30,000 words, imagine how easy it is for a computer to run through every one of those words, and in a minimal amount of time.

Rendezvous sounds like a workable password, but it’s not.

This is more or less an advanced dictionary attack, known as a hybrid attack, where the computer adds some numbers and special characters to the words in the list.

Evidently, ‘#qwerty123’ is an easy password to crack.

A brute force attack involves automated guessing of a very large number of passwords until it finds a match. Unlike the dictionary and hybrid attacks, it therefore makes no assumptions about what the password looks like.

How to improve your password security

Longer passwords with a combination of upper and lower case letters, numbers and special characters are better, because a tool that tries every combination in sequence has far more combinations to run through.
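As an added example (not code from the article), a small Python checker that models the attacks described above: it undoes leet speak, strips the numbers and symbols a hybrid attack bolts on, splits run-together words against a word list, and, for whatever survives, estimates the brute-force search space. The word list and the 1e10 guesses-per-second rate are constructed assumptions.

```python
import re
from functools import lru_cache

# Constructed mini word list standing in for the English dictionary a word-list attack uses.
WORDLIST = frozenset({"security", "rendezvous", "qwerty", "password", "how",
                      "secure", "is", "this", "welcome", "letmein"})
# Reverse common leet-speak substitutions so "S3cur1ty" is compared as "security".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

def normalize(password: str) -> str:
    """Drop spaces, strip the leading/trailing digits and symbols a hybrid attack
    bolts on, then undo leet speak. Returns lowercase letters (or '')."""
    low = re.sub(r"\s+", "", password.lower())
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", low).translate(LEET)

def splits_into_words(text: str) -> bool:
    """True if text is one word or several words stuck together ('howsecureisthis')."""
    @lru_cache(maxsize=None)
    def ok(i: int) -> bool:
        if i == len(text):
            return True
        return any(text[i:j] in WORDLIST and ok(j)
                   for j in range(i + 1, len(text) + 1))
    return bool(text) and ok(0)

def guessable_by_dictionary(password: str) -> bool:
    """Models the dictionary and hybrid attacks described in the article."""
    return splits_into_words(normalize(password))

def brute_force_keyspace(password: str) -> int:
    """Guesses a brute-force tool needs in the worst case: (classes used) ** length."""
    size = 0
    if re.search(r"[a-z]", password): size += 26
    if re.search(r"[A-Z]", password): size += 26
    if re.search(r"[0-9]", password): size += 10
    if re.search(r"[^a-zA-Z0-9]", password): size += 33  # printable ASCII symbols
    return size ** len(password)

def years_to_exhaust(password: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case brute-force time at an assumed guess rate (1e10/s is a constructed figure)."""
    return brute_force_keyspace(password) / guesses_per_second / (365 * 24 * 3600)

def assess(password: str) -> str:
    if guessable_by_dictionary(password):
        return "weak: dictionary/hybrid attack"
    if years_to_exhaust(password) < 1:
        return "weak: brute force"
    return "ok"
```

With this model, ‘Security.’, ‘#qwerty123’ and ‘howsecureisthis’ all fall to the dictionary/hybrid check before brute-force time is even considered.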

Pro tip: Use a phrase in your mother tongue and with spaces in between.

Easier said than done, right?

It’s easy to use one password whenever we sign up for anything, because remembering all the different passwords is a hassle. This is where a password manager comes in handy.

Password managers such as LastPass and Sticky Password can be used to create randomly generated passwords for all of your accounts, which one can access using a master password. You’re probably thinking ‘I’ll need a password to access my passwords?’ Yes, yes. On the upside though, if you create a strong master password then you only have one password to remember: the master password.

Think of MFA (multi-factor authentication) as a natural extension of solid password control. It’s effective in heading off attacks, especially brute force attacks. When MFA is enabled, even if an attacker successfully steals your password, they won’t be able to access your account.

While there’s no guarantee that these techniques will prevent an attacker from learning your password, they will make the cracking process harder for as long as apps and websites alike continue to ask for a username and password as login credentials.

Article by Rachel Achieng’.

A community of Women in Cybersecurity from various backgrounds and counties across Kenya.