Password Security & Strength | LastPass

Password Security

IT departments across the world have always pointed to the number one weakness of a computer network or infrastructure: it is, and always will be, the end user. And the number one weakness among users in an organization is weak, poor password choices. I can already guess that you, the reader, on whatever type of login you use (websites, banking, business, etc.), have used a password containing one of the following:

  • Name
  • Birthdate (Month, Day, and/or Year)
  • Nickname
  • Some type of food (Maybe your favorite)
  • Hobby
  • Pets Names
  • Address
  • Phone

That list is just to name a few, but maybe you are smart and reversed the characters or numbers in your password. Well guess what: if I guessed you did this, don’t you think the brute-force attacker or password cracker can also? It is important for the Law Enforcement community to choose strong passwords, as we have access to a lot of information and databases which are sensitive in nature and need to be protected. I would hate to be the person who had a weak password which allowed some type of law enforcement system to become compromised or led to an information leak.

A good website to test your password is How Secure Is My Password. You simply enter your password, or an example of the password scheme you use, and the site tells you how long it would take a computer or password cracker to guess it. In the screenshot below, I simply used a name and a year of birth (letters and numbers), and as you can see it would take a computer only 1 minute to break in.

Password Security Checker

* Note: You might be thinking the website is collecting the password you enter when you check how secure it is. This is not the case: the checker runs entirely browser / client side in JavaScript / jQuery, and your password is not collected or sent anywhere. The How Secure Is My Password website also uses HTTPS (a secure certificate), so your traffic is encrypted.

So now we know passwords provide the first line of defense against unauthorized access to your computer, website, email, and many other electronic services. The stronger your password, the more protected you will be from hackers and malicious software, so make sure you have strong passwords for all of your accounts.

Password Strength

Even though most websites and security systems force the choice of a good password, many times the minimum is simply not good enough. Below is a general guideline for creating strong passwords. Your password should:

  • Be at least ten characters long. The more characters you add, the harder your password will be to crack. Password length is the single most important password security feature.
  • Not contain your user name, real name, company name, or any identifiable information about you. Do not use your kids’ names, pet names, grandparents, or anything of that nature.
  • Not contain a complete word. Password crackers use what is called a “Dictionary Attack”, so if you are using common words in your password, it will be simple to crack.
  • Be significantly different from previous passwords.
  • Contain characters from each of the following four categories:
    • Uppercase letters – A, B, C
    • Lowercase letters – a, b, c
    • Numbers – 0, 1, 2, 3, 4, 5, 6, 7, 8, 9
    • Symbols found on the keyboard (all keyboard characters not defined as letters or numerals) and spaces – ` ~ ! @ # $ % ^ & * ( ) _ - + = { } [ ] \ | : ; " ' < > , . ? /

A password might meet all the criteria above and still be a weak password. For example, Hello2U! meets all the criteria for a strong password listed above, but is still weak because it contains a complete word. H3ll0 2 U! is a stronger alternative because it replaces some of the letters in the complete word with numbers and also includes spaces.
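As an added example (not part of the original post), here is a small Python checker that applies the guideline above and then gives a keyspace-based time estimate in the spirit of the How Secure Is My Password tool. The word list, the personal-information tokens for a fictitious user “jsmith”, and the guess rate of 10 billion per second are all constructed for illustration; the estimate models only an exhaustive search, not the dictionary and pattern tricks real crackers try first, so it is an upper bound, which is exactly why the policy checks matter more than the big number.

```python
import re
import string

# Constructed stand-in for a cracker's dictionary (assumption; real lists hold millions of entries).
DICTIONARY = {"hello", "password", "welcome", "dragon", "summer", "badminton", "december"}

# Constructed personal details for a fictitious user "jsmith" that the checker should reject.
PERSONAL_INFO = {"jsmith", "john", "smith", "acme", "rex", "2004"}

# The four character categories named in the guideline above.
CATEGORIES = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "digits": set(string.digits),
    "symbols": set(string.punctuation + " "),  # keyboard symbols plus the space
}

def used_categories(password):
    """Return the names of the categories that actually appear in the password."""
    return [name for name, chars in CATEGORIES.items() if any(c in chars for c in password)]

def check_policy(password, personal=PERSONAL_INFO, dictionary=DICTIONARY, min_len=10):
    """Apply the guideline and return a list of failures; an empty list means it passes."""
    failures = []
    if len(password) < min_len:
        failures.append(f"shorter than {min_len} characters")
    lowered = password.lower()
    for token in sorted(personal):
        if token.lower() in lowered:
            failures.append(f"contains personal information '{token}'")
    # Every run of letters is looked up as a whole word, so 'Hello2U!' trips on 'hello'
    # while 'H3ll0 2 U!' does not: its letter runs are just 'h', 'll' and 'u'.
    for word in re.findall(r"[a-z]+", lowered):
        if word in dictionary:
            failures.append(f"contains dictionary word '{word}'")
    missing = [name for name in CATEGORIES if name not in used_categories(password)]
    if missing:
        failures.append("missing categories: " + ", ".join(missing))
    return failures

def keyspace(password):
    """Number of candidates an exhaustive search must cover: pool size ** length,
    where the pool is the union of the categories the password actually uses."""
    pool = sum(len(CATEGORIES[name]) for name in used_categories(password))
    return pool ** len(password)

def brute_force_seconds(password, guesses_per_second=10**10):
    """Worst-case time to exhaust the keyspace at an assumed guess rate
    (10 billion/s is a constructed figure for a GPU rig, not a measurement)."""
    return keyspace(password) / guesses_per_second

def describe_seconds(seconds):
    """Render a duration in the largest unit that fits, as the strength checkers do."""
    for name, size in [("years", 365 * 24 * 3600), ("days", 86400),
                       ("hours", 3600), ("minutes", 60), ("seconds", 1)]:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return "under a second"

if __name__ == "__main__":
    for candidate in ["john2004", "Hello2U!", "H3ll0 2 U!", "ILuv2PlayB@dm1nt()n"]:
        result = check_policy(candidate) or ["passes"]
        print(f"{candidate!r}: {'; '.join(result)}; exhaustive search "
              f"{describe_seconds(brute_force_seconds(candidate))}")
```

Run as a script, it walks the four constructed candidates: the name-plus-birth-year password fails on length, personal information and two missing categories, Hello2U! trips the dictionary check, and the two leetspeak variants pass. Note how the estimate only counts categories that are really present: a long all-lowercase password has a pool of 26, which is why length alone is not the whole story.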

Password Strength Tips

Help yourself remember your strong password by following these tips:

  • Create an acronym from an easy-to-remember piece of information. For example, pick a phrase that is meaningful to you, such as “My son’s birthday is 12 December, 2004.” Using that phrase as your guide, you might use Msbi12/Dec,4 as your password. Put this into the How Secure Is My Password website and it says it would take a computer 63 thousand years to crack your password.
  • Substitute numbers, symbols, and misspellings for letters or words in an easy-to-remember phrase. For example, “My son’s birthday is 12 December, 2004” could become Mi$un’s Brthd8iz 12124 (it’s OK to use spaces in your password).
  • Relate your password to a favorite hobby or sport. For example, “I love to play badminton” could become ILuv2PlayB@dm1nt()n. If you used this in the How Secure Is My Password website, it would take a computer 138 duodecillion years to crack your password.

More About Password Security

Don’t Double Dip

So you have followed every suggestion and have a good password. Of course, since it is a good password, it took you some time to memorize it, but you got it down. So you are now using it on multiple accounts. This is bad. This is really bad: if one of those accounts, or the website or business behind it, has been compromised, the attacker could potentially have your password. Because most usernames are email addresses, the cracker / hacker now has your password to all of those accounts. The biggest problem is that when company servers or computers are compromised and your account information and password have been exposed, it usually takes the company several months to announce it, leaving you clueless that your password was compromised. Try to use a unique password on everything. You can even include the name of the site / computer in the password to make it longer and even more challenging. Better yet, just use a password manager like LastPass or Roboform, to name a few.

Don’t Change So Often

What!!?!@?!@ Most IT departments set schemes that have users change passwords every 30, 60, or even 90 days. Though a good idea initially, most users will just add numbers to the end of their passwords, making them weaker. Longer time frames between password changes encourage users to use stronger passwords and avoid these simple-to-crack schemes.

Password Managers

There are definitely a multitude of password managers out there which are really useful, especially ones which are in the cloud and can be used across multiple devices. You might be thinking: passwords in the cloud? Most password managers encrypt your passwords before they reach the cloud, using an encryption key derived on your device from your master password. So, as with the topic of this post, a very strong master password for your password manager is key (no pun intended). Even if the business or database of the password manager is compromised, the only way to get at your passwords is to brute force your master password. Understand, though, that the compromised data is now local on the hacker’s / cracker’s system, so brute forcing your master password / encryption key is fast and much easier! Make sure you are using a very, very strong master password (I know I have said this).
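The offline brute-force point can be made concrete. The following added example is mine, not LastPass’s or any other vendor’s code: it derives a vault key from a master password with PBKDF2-HMAC-SHA256, which is an assumption standing in for whatever key derivation a given manager actually uses, and then shows how the KDF’s iteration count and the master password’s keyspace together set the attacker’s cost once the encrypted vault sits on their own machine. The attacker speed-up factor of 1,000 is a constructed assumption, not a benchmark.

```python
import hashlib
import hmac
import os
import time

SECONDS_PER_YEAR = 365 * 24 * 3600

def derive_vault_key(master_password, salt, iterations=600_000):
    """Derive a 256-bit vault key with PBKDF2-HMAC-SHA256 (assumed KDF, see lead-in).
    The salt is stored beside the vault; it is not secret, but it stops an attacker
    reusing one table of derived keys against many users' vaults."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)

def verify_master_password(candidate, salt, iterations, expected_key):
    """Constant-time comparison of a freshly derived key against the stored one."""
    return hmac.compare_digest(derive_vault_key(candidate, salt, iterations), expected_key)

def seconds_per_guess(iterations, samples=3):
    """Measure the cost of one derivation on this machine. Every guess an attacker
    makes against the stolen vault has to pay this price; that is the whole point of a slow KDF."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for _ in range(samples):
        derive_vault_key("timing-probe", salt, iterations)
    return (time.perf_counter() - start) / samples

def offline_search_years(pool_size, length, per_guess_seconds, attacker_speedup=1_000):
    """Years to exhaust pool_size ** length master passwords when one guess costs
    per_guess_seconds on this CPU and the attacker's hardware is attacker_speedup
    times faster (constructed factor for illustration, not a measurement)."""
    guesses = pool_size ** length
    return guesses * per_guess_seconds / attacker_speedup / SECONDS_PER_YEAR

if __name__ == "__main__":
    salt = os.urandom(16)
    stored = derive_vault_key("Msbi12/Dec,4", salt)
    print("correct master password accepted:",
          verify_master_password("Msbi12/Dec,4", salt, 600_000, stored))
    print("wrong master password rejected:",
          not verify_master_password("Msbi12/Dec,5", salt, 600_000, stored))
    # Same attacker, same hardware: only the KDF cost and the master password change.
    for iterations in (1_000, 600_000):
        cost = seconds_per_guess(iterations)
        print(f"\n{iterations:>9,} iterations: {cost * 1000:.2f} ms per guess on this machine")
        for label, pool, length in (("8 lowercase letters", 26, 8),
                                    ("12 chars, all 4 categories", 95, 12)):
            print(f"  {label:<28} {offline_search_years(pool, length, cost):,.2e} years")
```

The two knobs are visible in the output: raising the iteration count multiplies every guess’s cost, and widening the master password’s pool and length multiplies the number of guesses, so a short all-lowercase master password stays cheap to exhaust no matter how well the vault itself is encrypted.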

LastPass

I have used the LastPass password manager for several years now. It is easy, and supports all major web browsers including Chrome, Firefox, Safari, Opera, and Edge. LastPass also supports all mobile devices including iOS, Android, and Windows Mobile. LastPass is free for one device, so many people just use the free version on their mobile device (since it is always with them) to store their passwords. Their paid version is about ten bucks a year and allows you to sync your passwords across all devices. LastPass also features a Password Generator to create uncrackable passwords and passphrases. LastPass also supports the use of Two Factor Authentication.
