So you think your password is strong

spO0q 🐒 - Apr 19 '22 - - Dev Community

Let's talk about weak passwords.

Obvious weaknesses

The following passwords must be avoided:

taylor21
qwerty
abcdefgh
iloveyou7
123456
123456789
buddy123
Enter fullscreen mode Exit fullscreen mode

Many similar passwords are available in public Brute-force wordlists such as Rockyou.

E = log2(Rᴸ)

The formula does not really matter. Focus on the length and the randomness.

Of course, it's best if you can mix uppercases and lowercases with special chars and numbers, but the longer, the better. This is precisely what the fomula highlights.

8 chars, even with a complex combination, can still be discovered way much faster than a long series of 22 lowercase letters.

The necessary time to guess the password by Brute-force will be exponentially bigger with long passwords, like minutes vs. years.

Some counterintuitive examples

You can find the following passwords in the rockyou.txt list:

!@#$%^
P@ssw0rd
Enter fullscreen mode Exit fullscreen mode

@ for a and 0 for o are often used in the hope of obfuscating chars but Brute-Force software include them.

Nice try!

People who are not cybersecurity-aware yet may have interesting but unsafe approaches. For example, they might use a weak password deliberately and think hackers won't try such trivial combinations.

It does not work like that. Hackers use dictionaries and wordlists that include the most basic passwords.

Even good security policies can be misleading

Many websites and apps have broken passwords policies. Some of them push their users to very predicatable strategies, for example, by forbidding special chars or limiting the total length to 8.

However, even seemingly strong policies can lead to unexpected outcomes:

At least 1 lowercase
At least 1 uppercase
At least 1 number
At least 1 special chars
At least 8 chars

While the above rules look legitimate, users can still set passwords that are easy to guess.

For example, my name is Julien. I can enter Julien$7, which complies with the policies but is terrible in terms of security.

The hacker only needs a short list that include my firstname and free tools such as John the Ripper will do the rest.

7 solutions that work

  • set long passwords (more than 16* chars if possible)
  • don't reuse passwords (1 login, 1 password)
  • don't save passwords in the browser or ensure it's encrypted with something like a master password
  • change passwords regularly
  • use passwords managers
  • use haveibeenpwned to determine whether your password has been leaked or not
  • enable 2FA/MFA whenever you can

* 16 because most security policies set the minimum length to 8 chars. I'm not saying it's the magic number for bullet proof passwords. If you can set longer passwords like 22, 23, 24 chars, it's great.

The extremely rare cases where a weak password can be good

Image description

Source: Memcenter

Some organizations use weak passwords and vulnerable applications to track and hunt cybercriminals.

This approach is called Honeypot. The idea is to lure hackers into thinking they’re infiltrating a system when in reality, they’re being trapped by the cybersecurity team.

Image
How to create a slick CSS animation from The Fall Guy

webdev, css, animation
Image
Day 3 of NodeJS||Important Modules

webdev, beginners, tutorial, node
Image
How do Altcoins work?

cryptocurrency, asic, bitcoin, crypto
Image
Practical IoT Solution Using Azure IoT Hub

microsoft, iot, cloudcomputing, azure
Image
Global Outage of Microsoft Services

news, bluescreenerror, bsod, globalmicrosoftoutag
Image
Why should you have a Staging environment?

cicd, release, deploy
Image
Veterinary Pharmacovigilance
Image
Code Commit - Um "Git" privado na AWS.

aws, devops, codecommit, cloudcomputing
Image
How to train your cat to code: bizarre learning approaches

programming, learning
Image
Day 4: Modules and pip in python

python, react, programming, 100daysofcode
Image
How to earn income on BitPower
Image
Investigating the Impact of Chiropractic Care on Senior Patients' Mental Health and Emotional Well-Being with Tom Herchakowski
Image
Organic Fertilizers: The Eco-Friendly Choice for Sustainable Agriculture

organicfarming, organicfertilizer, agriculture, sustainablefarming
Image
Cookie Consent SEO:
Image
👽 NOTEPAD vs ME 🤠

webdev, javascript, beginners, programming
Image
Microwave Oven vs. OTG Oven- Why are They Used?
Image
Strategies for Healthcare Providers to Encourage
Image
Emergency Plumbing
Image
Are you looking for the best web development company in Calicut?

webdevelopmentcompany, website, webdev
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Terabox Video Player