🔐Securing your account: Part 1: password hygiene

In the first part of “Securing your Account,” let’s talk about password hygiene.

Let’s be honest, passwords aren’t the most exciting topic – but they’re a big deal.  Think of all the sensitive info you’ve got online: bank accounts, medical records, social media, maybe even your family’s photos.  Weak passwords are like leaving your front door unlocked with a big “WELCOME!” sign.  So, let’s dig into why strong passwords are essential, how hackers crack them, and which tools can help you protect your accounts. 

Let’s start with the fundamental question: why do we need strong passwords?

You might wonder, “Why would anyone want to hack me?”  Well, here’s the truth: hackers don’t necessarily target individuals; they target weak security.  They have tools that run through common passwords and patterns at lightning speed (although how far they get depends on the capabilities, skill set and intentions of the individual hacker or group), looking for easy wins.  If your password is simple or reused across sites, they can get in quickly.  Once they’re in one account, it’s much easier to access others, especially if your passwords are the same across multiple sites.

For example:

“password123” – A very common password that can be cracked or guessed instantly.

“iloveyou” – Sweet, but very common, and hackers know it.

“qwerty” – Super convenient, but hackers know that trick too.

Weak passwords like these are easily cracked or even guessed with basic software or “brute-force” attacks, where hackers try as many combinations as possible until they hit the jackpot.  So let’s look at what makes a password strong enough to stand up to these kinds of attacks.

What Makes a Strong Password?

There are a few basic rules to follow when creating a strong password:

Length: Aim for at least 12 characters, although 16+ is better.

Complexity: Use a mix of uppercase and lowercase letters, numbers, and symbols.

Uniqueness: NEVER reuse passwords across multiple sites.

Avoid Predictability: NEVER use personal info (birthdates, names, favorite foods), obvious sequences, or patterns like “123456” or “abcdef.”

Here’s a quick comparison of a weak vs. strong password to give you an idea:

Weak: “Emma2023” – It’s personal, predictable, and too short.

Medium: “T!g3r$Play@Night!” – This one’s long and has a mix of uppercase, lowercase, numbers and special characters, so it’s somewhat harder to crack.  But it’s still built from real words, with e replaced by 3 and S by $, and these substitution tricks are well known to hackers.

Strong: “T9&x@P3!rX#Gq2$L” – 16 characters long; includes uppercase and lowercase letters, numbers and special characters; and avoids dictionary words or predictable patterns. Hard to crack, very strong.

 
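To make the rules above concrete, here is an added example (not from the original post) of a small checker that applies them: minimum length, character-class mix, a constructed list of common passwords that is matched even after undoing the well-known l33t substitutions (3 for e, $ for s, and so on), keyboard and alphabet sequences, and any personal details you pass in. The common-password set and the substitution table are constructed for the example; a real check would use a large breach wordlist.

```python
import re

# Constructed sample of very common passwords; a real check would use a large breach wordlist
COMMON_PASSWORDS = {"password", "iloveyou", "qwerty", "123456", "letmein", "sunshine"}

# Substitutions that rule-based cracking undoes, so "P@ssw0rd" is checked as "password"
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})

SEQUENCES = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
             "abcdefghijklmnopqrstuvwxyz"]

def has_sequence(pw, min_len=4):
    """True if pw contains a keyboard-row or alphabet run of min_len characters, in either direction."""
    low = pw.lower()
    for i in range(len(low) - min_len + 1):
        chunk = low[i:i + min_len]
        if any(chunk in seq or chunk[::-1] in seq for seq in SEQUENCES):
            return True
    return False

def looks_common(pw):
    """True if pw is a common password once case, trailing digits/symbols and l33t spelling are removed."""
    low = pw.lower()
    stripped = re.sub(r"[\d\W_]+$", "", low)      # "password123!" -> "password"
    candidates = {low, stripped, low.translate(LEET_MAP), stripped.translate(LEET_MAP)}
    return bool(candidates & COMMON_PASSWORDS)

def check_password(pw, personal_info=()):
    """Return the list of rules pw violates; an empty list means it passes all of them."""
    problems = []
    if len(pw) < 12:
        problems.append("too short: use at least 12 characters (16+ is better)")
    classes = [r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"]
    if sum(1 for c in classes if re.search(c, pw)) < 3:
        problems.append("low complexity: mix upper, lower, digits and symbols")
    if looks_common(pw):
        problems.append("matches a common password, even after undoing l33t substitutions")
    if has_sequence(pw):
        problems.append("contains a keyboard or alphabet sequence")
    for item in personal_info:
        if item and item.lower() in pw.lower():
            problems.append(f"contains personal info: {item}")
    return problems

if __name__ == "__main__":
    for pw in ["Emma2023", "T!g3r$Play@Night!", "T9&x@P3!rX#Gq2$L"]:
        print(pw, "->", check_password(pw, personal_info=("Emma",)) or "OK")
```

Note that a checker like this catches only the predictable patterns it knows about; "T!g3r$Play@Night!" passes every rule here yet is still word-based, which is why the random example is the safer choice.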

Now, creating these unique, complex passwords is one thing – remembering them all is another! That’s where password managers come in.


Free Tools to Help You Create and Manage Strong Passwords

Using a password manager saves you from having to remember dozens of unique passwords, all while keeping them secure. Here are some great free tools to get you started:


Bitwarden

Bitwarden is a popular, open-source password manager that securely generates and stores complex passwords.  Your vault is encrypted, and because the code is open source it has been reviewed by the community, so it’s highly secure.

Features: Encrypted vault, password generator, auto-fill, multi-device support.


LastPass (Free Version)

LastPass offers a free version that can generate and store passwords.  It’s easy to use and syncs across devices, though the free plan only syncs on one device type (either mobile or desktop).

Features: Encrypted storage, secure notes, password generator, multi-factor authentication.


KeePass

KeePass is a bit more manual but incredibly secure. It’s open-source and stores passwords on your device, keeping everything offline if you prefer.

Features: Strong encryption, offline access, customizable options.


NordPass (Free Version)

NordPass is easy to use and offers free password storage and generation.  It can sync across devices, making it convenient for multi-device use.

Features: Automatic sync on mobile and desktop, secure notes, password generator.

What Tools Hackers Use to Crack Passwords – and How Long It Can Take

Here’s where it gets real.  Hackers employ many tools that can guess passwords at unbelievable speeds.  Once you understand these tools and their capabilities, you’ll see why strong, random passwords are your best defense.


Here are a few of the most used password-cracking tools:

John the Ripper: An open-source tool that can crack passwords using wordlists and brute-force techniques. It’s powerful and supports various password hashing algorithms.

Hashcat: Known as one of the fastest password crackers, Hashcat can perform brute-force attacks at lightning speed with GPU acceleration.

Aircrack-ng: Typically used for Wi-Fi password cracking. It captures data packets and attempts to crack passwords with dictionary or brute-force attacks.

Cain and Abel: A Windows-based tool that cracks various types of passwords, including Windows LM hashes.

Note: All of these tools come pre-installed in the Kali Linux distro.  For educational purposes only!


Now, let’s look at how long it would take these tools to crack different types of passwords.

Password Cracking Time

The example table below gives rough estimates of how long it takes to crack different kinds of passwords.

| Password Type | Example | Approximate Time to Crack | Explanation |
|---|---|---|---|
| Simple password (6 characters) | 123456 | < 1 second | Very short, common pattern, easy to guess. |
| Single dictionary word | sunshine | < 1 second | Single words are easy for dictionary attacks. |
| Simple phrase (8 characters) | password1 | ~1 second | Common phrase with a number, easily cracked. |
| Moderate (8 characters, mixed) | Passw0rd! | Minutes to hours | Slight complexity but still short. |
| Random (12 characters, mixed) | @3Gz#9Ls*2Nq | Days to years | Stronger with high complexity and length. |
| Passphrase (16+ characters) | ApplesAreRed#123! | Years to centuries | Long, complex, and less predictable. |
| Random (20 characters, high complexity) | T!2cR7#n&$x3P@5q9D | Centuries (with strong hashing and salting) | Nearly impossible to crack with brute force. |

Key Takeaways:

o Short, predictable passwords are cracked almost instantly, while long, random passwords are virtually unbreakable in a reasonable time frame.

o Tools like Hashcat and John the Ripper can perform billions of guesses per second with GPU acceleration, which makes brute-force attacks faster than ever.

o Use length and complexity: Aim for at least 12-16 characters with a mix of letters, numbers, and symbols.

o Avoid common patterns: Avoid anything that can be guessed easily (birthdates, names, predictable sequences).

o Use a password manager: Generate and store complex passwords without the need to remember each one.

o Enable multi-factor authentication (MFA): MFA adds a layer of security. Even if your password is cracked, hackers still need a second code (like one sent to your phone) to get in.

o Regularly update critical passwords: For sensitive accounts like banking and email, it’s a good idea to update your passwords periodically.
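The “time to crack” figures in the table come from the size of the search space divided by the attacker’s guess rate. Here is an added example (not from the original post) that works that arithmetic through for the table’s passwords, assuming a constructed rate of 10 billion guesses per second. It models only exhaustive brute force, so it gives a ceiling: wordlist and rule-based attacks, which the table’s first rows and the “Passw0rd!” row reflect, crack predictable passwords far faster than this, and the real rate also depends heavily on how the site hashes passwords.

```python
# Constructed assumption: 10 billion guesses/s, a ballpark for a GPU rig against a fast hash
DEFAULT_RATE = 10**10

UNITS = [("centuries", 100 * 365.25 * 86400), ("years", 365.25 * 86400),
         ("days", 86400), ("hours", 3600), ("minutes", 60), ("seconds", 1)]

def infer_charset(pw):
    """Size of the smallest standard character set the password draws from."""
    if pw.isdigit():
        return 10
    if pw.isalpha():
        return 26 if pw.islower() or pw.isupper() else 52
    if pw.isalnum():
        return 62
    return 95           # printable ASCII: letters, digits and symbols

def keyspace(charset_size, length):
    """Candidates an exhaustive search must cover (charset_size ** length)."""
    return charset_size ** length

def seconds_to_crack(charset_size, length, rate=DEFAULT_RATE):
    """Worst-case time to try the whole keyspace; the expected time is about half of this."""
    return keyspace(charset_size, length) / rate

def human_time(seconds):
    """Render seconds in the coarsest fitting unit, mirroring the table above."""
    for name, size in UNITS:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return "< 1 second"

def estimate(pw, rate=DEFAULT_RATE):
    """Brute-force ceiling for pw at the given rate. Does not model wordlist or rule attacks,
    which crack dictionary-based passwords like 'sunshine' or 'Passw0rd!' far faster."""
    size = infer_charset(pw)
    return size, human_time(seconds_to_crack(size, len(pw), rate))

if __name__ == "__main__":
    for pw in ["123456", "sunshine", "Passw0rd!", "@3Gz#9Ls*2Nq", "T9&x@P3!rX#Gq2$L"]:
        size, t = estimate(pw)
        print(f"{pw:18} charset={size:3} length={len(pw):2} brute-force ceiling: {t}")
```

Run it and compare: adding four random printable characters multiplies the search space by 95 to the fourth (over 80 million), which is why the table jumps from “days to years” to “centuries” between its last rows.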


Wrapping Up

Passwords might not be exciting, but securing your online life is worth it.  Imagine the hassle of dealing with a hacked account – it’s way easier to spend a little time setting up strong passwords now.  Tools like Bitwarden, LastPass, and KeePass make it easy to generate and store complex passwords, so you can have peace of mind.


Next time you’re tempted to use “password123,” remember: a little complexity goes a long way in keeping you safe.  Cheers to better passwords and safer browsing!
