The password, not the username, is the most important part of an online account, and it is relatively easy to explain why. A username is usually displayed somewhere on the site the account belongs to. A Facebook wall post, a reply in an online forum or the byline of an article all show the username in one form or another. And even if the username is not displayed openly, it can often be guessed easily, or the site simply uses the user's email address in its place.
An account password, on the other hand, is not visible anywhere. Attackers who have the right password can usually get into an account easily; attackers who only have the user's email address or username on the site cannot.
Now that we have established that passwords are the most important part of a user’s online presence we need to find out how to make them as secure as possible.
To begin, we need to analyse how attackers obtain login information, that is the username and password. There are several options, including:
- Brute Force
- Dictionary Attacks
- Social Engineering
- Exploiting the web server or scripts of the service.
Brute force describes a relatively simple concept. A program tries all possible character combinations until it finds the correct password. That works for short passwords but is nearly impossible for longer ones. The time it takes depends on several factors, including a website's defense mechanisms (blocking IPs after x failed attempts, adding captchas, or locking accounts for x minutes before a new password can be tried) but also the computer system or network of computers used to brute force the password.
Back in 2006 John P. calculated that it would take an average computer 2.1 centuries to brute force an eight character password using upper and lower case letters, numbers and special characters. Supercomputers, on the other hand, could reduce that number by a large factor but would still need days, weeks or years to crack the password.
Brute force attacks have little chance of succeeding if the password is as long as possible.
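To make the length argument concrete, the following added example (not code from the article) computes the size of the search space for several character sets and the average time an exhaustive search would need at a given guess rate. The two guess rates are assumptions chosen for illustration: an online attack slowed to five attempts per fifteen minutes by the lockout mechanism the article mentions, and an offline attack against a stolen password hash at one billion guesses per second.

```python
import math
import string

# Character sets from the article's example (upper and lower case, digits,
# special characters) plus a few weaker ones for comparison.
CHARSETS = {
    "digits only": string.digits,
    "lower case": string.ascii_lowercase,
    "upper + lower case": string.ascii_letters,
    "letters + digits": string.ascii_letters + string.digits,
    "letters + digits + special": string.ascii_letters + string.digits + string.punctuation,
}

# Assumed guess rates; illustrative values, not measurements.
# An online attack against a site that locks an account after repeated failures
# is limited to a handful of attempts per minute. An offline attack against a
# stolen password hash is limited only by the attacker's hardware.
ONLINE_WITH_LOCKOUT = 5 / (15 * 60)   # 5 attempts per 15 minutes (assumed policy)
OFFLINE_ASSUMED = 1e9                  # one billion guesses per second (assumed)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of 1 to `length` characters over the alphabet."""
    return sum(alphabet_size ** n for n in range(1, length + 1))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a password drawn uniformly at random from the alphabet."""
    return length * math.log2(alphabet_size)


def expected_seconds(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Average time to find a password by exhaustive search at the given rate.

    On average the correct candidate is found halfway through the key space.
    """
    return keyspace(alphabet_size, length) / 2 / guesses_per_second


def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    units = (("years", 365 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.3g} {name}"
    return f"{seconds:.3g} seconds"


def crack_time_table(length: int, guesses_per_second: float) -> dict:
    """Map each character set name to (entropy bits, expected crack time in seconds)."""
    return {
        name: (entropy_bits(len(alphabet), length),
               expected_seconds(len(alphabet), length, guesses_per_second))
        for name, alphabet in CHARSETS.items()
    }


if __name__ == "__main__":
    for length in (8, 12, 16):
        print(f"\nPassword length {length}:")
        for name, (bits, offline) in crack_time_table(length, OFFLINE_ASSUMED).items():
            online = expected_seconds(len(CHARSETS[name]), length, ONLINE_WITH_LOCKOUT)
            print(f"  {name:28s} {bits:5.1f} bits  offline ~{humanize(offline):>14s}"
                  f"  online with lockout ~{humanize(online)}")
```

Running the script shows the two effects the article describes: every extra character multiplies the search space by the alphabet size, so length matters more than any single special character, and a lockout policy turns even an eight character password into a multi-year online attack while an offline attack on a stolen hash is only slowed by real entropy.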
Most computer users pick passwords that they can remember easily: the name of their pet, their favorite movie, ice cream or flower, parents' names, hobbies or birthdays. These accounts are the easiest to hack, and dictionary attacks provide the right tools for the job.
A dictionary does not necessarily have to contain all the words found in a standard dictionary. Some attackers prepare special dictionaries for each attack, for instance flower names if the site under attack is a flower community.
The attack is limited to the words in the dictionary used for it. This can be combined with a few rules, such as testing each word on its own and then in combination with extra characters, for instance a number appended at the end of each word.
Dictionary attacks are useless if the password does not contain a real word.
Social engineering is a technique that tries to get the password directly from the account owner. Attackers could fake an email from the registered site asking for the password directly or asking the user to follow the link to complete a quick survey (which happens to load a fake website that looks like the real one). Chats or phone calls are other popular means to social engineer a user.
The solution is simple. Legitimate sites will never ask for the account password. Users who never part with their password are safe from social engineering.
There is nothing a user can do about site exploits. If the site uses weak scripts or has poor security, an attacker can exploit this in many ways.
Both standard brute force attacks and dictionary attacks will yield no results if the account owner follows these password guidelines:
- Never select a dictionary word, name or anything related to one as an account password.
- The password should contain a mixture of all allowed characters, that is upper and lower case letters, numbers and special characters.
- The password should not be too short; advanced users select a password length close to the maximum allowed.
- A password manager like LastPass is the ideal tool to generate and store passwords.
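The following added example (not code from the article or from any password manager) turns the guidelines above and the dictionary-attack discussion into a check a site or a user could run. It undoes the mangling rules the article mentions (a number appended to a word, common letter-for-symbol substitutions) before comparing against a word list, counts the character classes, enforces a minimum length, and generates a password from the `secrets` module the way a password manager would. The word list is a constructed stand-in; a real deployment would load a large list that includes the site's own topic vocabulary, such as flower names for a flower community.

```python
import secrets
import string

# Constructed sample word list standing in for an attacker's dictionary; a real
# check would load a large list (common passwords, names, the site's own topic
# vocabulary such as flower names for a flower community).
WORDLIST = {"rose", "tulip", "orchid", "daisy", "password", "summer", "buddy"}

# Substitutions commonly applied to dictionary words as mangling rules.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})
STRIP = string.digits + string.punctuation


def base_words(candidate: str) -> set:
    """Undo the usual mangling rules (appended digits or symbols, leet spelling)
    and return the plain words the candidate may have been built from."""
    lowered = candidate.lower()
    stripped = lowered.strip(STRIP)
    return {
        stripped,
        stripped.translate(LEET),
        lowered.translate(LEET).strip(STRIP),
    }


def is_dictionary_based(candidate: str, wordlist=WORDLIST) -> bool:
    """True if the candidate is a dictionary word or a mangled form of one."""
    return any(word in wordlist for word in base_words(candidate))


def character_classes(candidate: str) -> int:
    """Count how many of the four classes (lower, upper, digit, special) are present."""
    present = 0
    for test in (str.islower, str.isupper, str.isdigit):
        if any(test(c) for c in candidate):
            present += 1
    if any(c in string.punctuation for c in candidate):
        present += 1
    return present


def check_password(candidate: str, min_length: int = 12, wordlist=WORDLIST) -> list:
    """Apply the guidelines; return the list of violations (empty list = passes)."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if character_classes(candidate) < 4:
        problems.append("does not mix upper case, lower case, digits and special characters")
    if is_dictionary_based(candidate, wordlist):
        problems.append("built from a dictionary word")
    return problems


def generate_password(length: int = 20, wordlist=WORDLIST) -> str:
    """Generate a random password over the full printable alphabet that passes the check.

    Uses the `secrets` module (a cryptographically secure RNG), as a password
    manager does; `random` would not be appropriate here.
    """
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate, min_length=length, wordlist=wordlist):
            return candidate


if __name__ == "__main__":
    for sample in ("Tulip2019!", "p@ssw0rd", "Summer", generate_password(16)):
        verdict = check_password(sample) or ["ok"]
        print(f"{sample!r}: {'; '.join(verdict)}")
```

The normalisation step is the part worth copying: a policy that only checks length and character classes accepts "Tulip2019!" even though it is exactly the kind of word-plus-number candidate a targeted dictionary with a few rules will try first.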
Interested users can experiment with different password strengths at the Password Strength Checker website.
Have anything to add? Let us know in the comments.