Secure passwords

The easy way to better security

G DATA Guidebook

Many users are unaware of how far-reaching the consequences are when a single password is spied on or successfully guessed. Think of confidential business documents or additional passwords for other services that have been sent to you via email. Such information, which an attacker can get hold of by looking through your private documents, opens doors and gateways to misuse. Of course, it can be tedious to make every password as secure as possible and to remember a separate one for each place you use it. We will show you how to set up secure, easy-to-remember passwords with the right strategy.

Who am I? The subject of authentication

People speak of authentication when they need to be sure that somebody really is who they claim to be. This is a major challenge in the online world, and the use of passwords has been a common way of achieving this for a long time. But all this is of little benefit if “weak” (easy to guess) passwords are used. Many attackers are aware of this, as are the malicious programs they have developed and use. They keep trying out passwords until they finally guess the correct one (so-called “brute force” attacks).

How long does it take an attacker to hack a password?

Many users employ passwords that relate to personal information, such as their birthday, to make them easier to remember. Attackers know this as well. They can also work out other popular memory aids such as the names of pets or partners without too much effort.

If an attacker uses a powerful computer that can test 1,000,000 passwords a second, working out an 8-character password consisting of capitals, lower-case letters, numbers and special characters can take up to 29 years (as of 2016). Under the same circumstances, a 5-character password is guaranteed to be hacked within 26 minutes!

Frequently used passwords

Hard to believe, but true. Among the most frequently used passwords are:

  • 123456
  • password
  • passw0rt
  • qwerty
  • login

A few hints and tips for creating strong passwords

Generating a good password is a science in itself. Countless security factors and possibilities have a bearing on this subject. Here we give you a few simple principles.

  • The length of a password is a critical factor. Generally speaking, long passwords are more secure than short ones. HOWEVER: A long password consisting of just one or a few letters/numbers/special characters is of no use. If a 10-character password is required, “AAAAAAAAAA” won’t help. Also avoid sequences of numbers or whole keyboard rows such as QWERTYUIOP.
  • It is not just about length but complexity. A successful combination of lower and upper case letters along with numbers and, if possible, special characters, increases security. BUT: The more specific the password guidelines are, the more likely an attacker is able to hack the password using automated systems. If the guideline states: “Use an 8-character password with at least one number, one upper case letter, one lower case letter and one special character”, the attackers already know the nature of 4 of the 8 characters.
  • For a secure password, you could string together the first character of each word, the numbers and the punctuation marks from the following sentence: “Today on July 10th, I set up a secure password with at least 18 characters”. This gives the following password: “ToJ10,Isuaspwal18c”. To make such a password even easier to remember, you can also generate one with personal recognition value, e.g. from abbreviations regarding your favourite song: “The sound of silence by Simon & Garfunkel from 1966 is my favourite song” then gives “Tsos_bS&G_f1966imfs”. At least dictionary attacks won’t help attackers with such free-form sentences.
  • So-called “Leetspeak” can also be used, where characters are replaced with numbers and special characters that look similar: The sound of silence = 7h3_50und_0f_51l3nc3. Variants of this method might be to use phonetic spelling or backwards writing, for example, and much more. As you may already have guessed, there is also a “BUT” in this case: Attackers are aware of Leetspeak etc. as well. When they launch their automatic attacks, they use entire dictionaries in Leetspeak and fire the terms at the login form (a type of dictionary attack). Leetspeak and the like can still be one factor in your password, of course.
  • Generally speaking, the following applies: Do not use words as they appear in the dictionary. Attackers also have electronic dictionaries for terms of endearment, passwords, names etc. and simply run these against the login form. Popular phrases in different languages are also listed in such dictionaries. A combination of apparently random words increases security, as it increases the length and, in the majority of cases, the complexity as well. Such a combination of words is also called a passphrase.
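The two arithmetic points above, that the time for a brute-force search grows with alphabet size and length, and that a mandatory “one of each class” rule shrinks the set an attacker has to search, can be checked with a few lines. The following is an added example written for this guide, not G DATA code. It assumes the 94-symbol printable ASCII alphabet (26 + 26 + 10 + 32) and the page's rate of 1,000,000 guesses per second; because the page does not say which alphabet size it used, the figures it prints will not reproduce the page's 29 years and 26 minutes exactly, but they show the same shape.

```python
import string
from itertools import combinations

# The four character classes the guidebook names, sized for printable ASCII
# (an assumption made for this example).
CLASS_SIZES = {
    "lower": len(string.ascii_lowercase),   # 26
    "upper": len(string.ascii_uppercase),   # 26
    "digit": len(string.digits),            # 10
    "special": len(string.punctuation),     # 32
}

def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length

def worst_case_seconds(alphabet_size, length, guesses_per_second):
    """Time needed to try every password of that length at a fixed rate."""
    return keyspace(alphabet_size, length) / guesses_per_second

def compliant_keyspace(class_sizes, length):
    """Passwords of `length` characters containing at least one character
    from every class, counted by inclusion-exclusion: all strings over the
    full alphabet, minus those missing one class, plus those missing two,
    and so on."""
    sizes = list(class_sizes)
    total = sum(sizes)
    count = 0
    for k in range(len(sizes) + 1):
        for omitted in combinations(range(len(sizes)), k):
            remaining = total - sum(sizes[i] for i in omitted)
            count += (-1) ** k * remaining ** length
    return count

def human(seconds):
    """Render a duration in the largest unit that fits."""
    units = (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60))
    for unit, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"

if __name__ == "__main__":
    rate = 1_000_000                      # guesses per second, as on the page
    alphabet = sum(CLASS_SIZES.values())  # 94 symbols
    for length in (5, 8, 12):
        t = worst_case_seconds(alphabet, length, rate)
        print(f"{length} characters over {alphabet} symbols: up to {human(t)}")
    full = keyspace(alphabet, 8)
    ruled = compliant_keyspace(CLASS_SIZES.values(), 8)
    print(f"8-character passwords satisfying 'one of each class': "
          f"{ruled / full:.0%} of all 8-character passwords")
```

Running it shows that the “one of each class” rule leaves an attacker a little under half of the 8-character keyspace to search, which is the quantitative form of the “BUT” in the complexity tip; it also shows how much more a few extra characters buy than extra rules do.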
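The sentence-abbreviation and Leetspeak tips above can be written down as small functions, which also lets you confirm the passwords the guide derives. This is an added example for this guide, not G DATA code. The abbreviation rule is reconstructed from the first example (leading digits of a word are kept whole, every other word contributes its first character, trailing punctuation is kept); the underscores in the second example, “Tsos_bS&G_f1966imfs”, were inserted by hand and the function does not add them. The Leetspeak table contains only the substitutions the page's own example uses.

```python
import re
import string

# Sample input: the two sentences quoted in the guide.
SENTENCE_1 = "Today on July 10th, I set up a secure password with at least 18 characters"
SENTENCE_2 = "The sound of silence by Simon & Garfunkel from 1966 is my favourite song"

def word_token(word):
    """The piece of one word that goes into the password.

    Rule reconstructed from the guide's example (an assumption of this
    example): a word starting with digits contributes all its leading
    digits ("10th" -> "10", "1966" -> "1966"); any other word contributes
    its first character; trailing punctuation such as "," is kept; a word
    that is only punctuation ("&") is kept as it is.
    """
    core = word.rstrip(string.punctuation)
    trailing = word[len(core):]
    if not core:
        return trailing
    digits = re.match(r"\d+", core)
    return (digits.group(0) if digits else core[0]) + trailing

def sentence_to_password(sentence):
    """Join the token of every whitespace-separated word."""
    return "".join(word_token(w) for w in sentence.split())

# Substitutions used in the guide's Leetspeak example; a space becomes "_".
LEET = str.maketrans({"e": "3", "i": "1", "o": "0", "s": "5", "t": "7", " ": "_"})

def leetspeak(text):
    """Apply the substitutions to the lower-cased phrase."""
    return text.lower().translate(LEET)

def character_classes(password):
    """Which of the four classes named in the guide the password uses."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")
    return classes

if __name__ == "__main__":
    for sentence in (SENTENCE_1, SENTENCE_2):
        pw = sentence_to_password(sentence)
        print(f"{sentence!r}\n  -> {pw} ({len(pw)} characters, "
              f"classes: {sorted(character_classes(pw))})")
    print(leetspeak("The sound of silence"))
```

The first sentence yields exactly the 18-character “ToJ10,Isuaspwal18c” from the guide, drawing on all four character classes; the Leetspeak call reproduces “7h3_50und_0f_51l3nc3”. Keep in mind the guide's own caveat: a Leetspeak transform of a single dictionary word stays within what attacker dictionaries already cover, so use it on a free-form sentence, not on a word.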

Store passwords or not?

Many applications offer to store the password for reasons of convenience. Avoid doing this where possible. It is not always guaranteed that the password is stored in a secure, encrypted form. Many programs store passwords on the system in plain text, unencrypted, making it easy for attackers to read them. Find out how the software you are using handles this before trusting it with the storage of your access data. As a rule, good password managers meet these minimum requirements.

What you still need to look out for

Use a separate password for each service and do not use duplicate access details. This will prevent anyone from getting into your services all too easily if they have worked out a password. Furthermore, the chosen password should be known to you alone and not be passed on to friends, work colleagues or relatives, nor written down.

So is my password 100 percent secure yet?

If you understand and apply the above tips, you will meet the requirements for strong passwords. But the security of this access data is not only dependent upon that.

  • Malware: The password may now be impossible to guess by a person or to hack by an automated process in any finite amount of time. However, cyber criminals also use malware that has been especially designed to spy on passwords. This includes spyware in general, password stealers and keyloggers specifically, as well as banking Trojans. The latter often have the capability of reading and recording victims’ access data as well. Hence protecting the computer and mobile devices with a comprehensive security solution is crucial.
  • Database hacking: When you generate access data for a service, you place this data in the hands of the service operators. You have to trust them to store the data securely. However, in the past databases have frequently been hacked, and personal data and logins obtained in plain text or with inadequate encryption. Probably one of the best-known cases in recent history was the attack on the adultery website Ashley Madison, where complete datasets on millions of users were published.
  • You should check whether your data has been found in a cyber attack and published on the web. The Hasso Plattner Institute offers a trustworthy service for this.

Summarised briefly, a good password should...

  • be long enough and consist of more than one word!
  • have a certain level of complexity!
  • only be known to you!
  • be easy to remember despite the complexity!
  • be stored in a suitable password manager – if at all!
  • be protected against malware by a comprehensive security solution!

Nerdbox

Tip for professionals: Besides the use of a strong password, we also recommend using multi-factor authentication at every available opportunity. We have put together more information on this in an article in the G DATA SecurityBlog: “Multi-factor authentication. How many factors do you actually need?”