ThreatPost is carrying an article highlighting the weakness of common words as passwords. I won’t duplicate the article here but I just want to discuss some simple points regarding HOW NOT to do it and HOW to do it.
Some of the pathetic passwords (as in: please stop doing this, thanks!)
If you have any of these as your passwords please learn more about passwords and specifically how their security is completely contingent on their remaining a secret.
How to secure your passwords against hacking
- DON’T USE COMMON WORDS, PERIOD! Hackers have dictionaries of these; they hash every entry and compare the results against your stolen hash, and a match reveals your password. With an unsalted, fast hash this takes minutes at most.
- DON’T JUST APPEND A ’1′ OR ’123′ OR SOMETHING EQUALLY PREDICTABLE ONTO A COMMON WORD, THINKING IT MAKES IT UNCOMMON. You’re not a genius, thousands of people before you have used the EXACT same password thinking they too were clever, and cracking tools apply exactly these suffixes as rules to every dictionary word. You are a hacker’s best source of entertainment.
- DON’T REUSE THE SAME PASSWORD ACROSS 2 OR MORE SITES/SERVICES. If and when one site leaks your password, the damage spreads to every other site where you reused it. If I hack your Gmail account password I’m going to assume you used this password for your Facebook account, your Flickr account, etc.
- NEVER, UNDER ANY CIRCUMSTANCES EMAIL YOUR PASSWORDS! Once emailed, they are no longer secure and potentially belong to everybody.
- USE A RANDOM PASSWORD GENERATOR! Hackers thrive on patterns, so stop giving them any. A password from a good generator has no patterns to exploit (a poor generator may still leak some). Don’t just stare at your keyboard and make one up yourself, use an app like (shameless plug) KEYBOX to do it for you and help you remember them.
The take-aways from this article
- You don’t need to be a highly experienced hacker or cryptanalyst to break hashed passwords. Just use an application like hashcat.
- Even the hash algorithms in the SHA family can succumb to recovery if common words are used as passwords. They are not broken; they are general-purpose hashes built for speed, so a cracker can test enormous numbers of guesses per second against a stolen hash. Time to support the BCrypt algorithm, which is salted and deliberately slow so every guess costs the attacker real work.
- It’s survival of the fittest out there. Those of you who are aware of the dangers and decide to protect yourselves will fall victim less often. Those of you who keep using ‘password’ as your password are convincing the rest of us that the equivalent of a driver’s license for computers is warranted.
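To make the two points above concrete (a dictionary attack with predictable suffixes beats a fast unsalted hash instantly, while a slow salted hash makes every guess expensive and a random password is never in the dictionary), here is an added example, not code from the ThreatPost article or from KEYBOX. It uses a tiny constructed wordlist in place of a real cracker’s dictionary, and stands in the standard library’s PBKDF2 for bcrypt, since both share the property the article recommends: salted and deliberately slow.

```python
import hashlib
import hmac
import os
import secrets
import string
from typing import Optional, Tuple

# Constructed wordlist standing in for a cracker's dictionary (assumption:
# a handful of entries; real wordlists hold millions).
WORDLIST = ["password", "letmein", "qwerty", "dragon", "monkey"]
# Predictable suffixes a cracking rule appends to every dictionary word.
SUFFIXES = ["", "1", "123", "!", "2012"]


def candidates():
    """Yield every dictionary word with every predictable suffix (a cracking rule)."""
    for word in WORDLIST:
        for suffix in SUFFIXES:
            yield word + suffix


def sha256_hex(password: str) -> str:
    """Unsalted fast hash, the kind a leaked database should never contain."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack_sha256(target_hex: str) -> Optional[str]:
    """Dictionary attack on an unsalted SHA-256 hash: hash each candidate, compare."""
    for cand in candidates():
        if hmac.compare_digest(sha256_hex(cand), target_hex):
            return cand
    return None


def slow_hash(password: str, salt: bytes, iterations: int) -> bytes:
    """Salted, deliberately slow password hash (PBKDF2-HMAC-SHA256 as a
    stand-in for bcrypt; the salt must be stored beside the hash)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def crack_slow_hash(salt: bytes, target: bytes, iterations: int) -> Tuple[Optional[str], int]:
    """Same dictionary attack against the slow hash. Returns the recovered
    password (or None) and the number of underlying hash computations spent:
    each guess costs `iterations` hashes, and the per-user salt means no
    precomputed table can be reused across accounts."""
    tried = 0
    for cand in candidates():
        tried += 1
        if hmac.compare_digest(slow_hash(cand, salt, iterations), target):
            return cand, tried * iterations
    return None, tried * iterations


def random_password(length: int = 16) -> str:
    """What the article asks for: a generator-made password with no pattern."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Common word plus predictable suffix: falls to the dictionary immediately.
    print("SHA-256 of 'monkey123' cracked as:", crack_sha256(sha256_hex("monkey123")))

    # Same weak password behind a salted slow hash: still cracked, but at a
    # cost of tens of thousands of hash computations instead of a couple dozen.
    salt = os.urandom(16)
    iterations = 1_000
    found, cost = crack_slow_hash(salt, slow_hash("monkey123", salt, iterations), iterations)
    print(f"slow hash cracked as {found} after {cost} hash computations")

    # Generator-made password: the dictionary never contains it.
    strong = random_password()
    print("random password cracked as:", crack_sha256(sha256_hex(strong)))
```

The iteration count is kept tiny so the demo runs instantly; real deployments use work factors thousands of times higher, which is precisely the cost that turns a minutes-long dictionary run into an impractical one. Note that the slow hash does nothing for a weak password except raise the price of guessing it; only a password that is not in any dictionary removes it from the attack entirely.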
Security can be an easy thing if you care enough to invest in it, and the benefits are immediate and lasting, so get to it if you haven’t already.