I attended the Swedish annual ITSMF Expo conference in September 2022, and one seminar was about password security. The seminar was held by David Jacoby, a well-known Swedish white-hat hacker. He recently participated in a Swedish TV series (“Hackad”) where he and his team were challenged to find ways to break in and find vulnerabilities in various systems. If you wonder what on earth the picture of the horse above has to do with password security, then read on!
He started by sharing how well-organised the hackers are. Some parts of the hacking have become an industry, and the hackers have an entire value chain. The ones stealing passwords and credit cards are not necessarily the same as those who realise their value. A stolen credit card number with details may be worth $2 on the secondary market. The Russian mafia systematically uses these cards to get relatively small amounts from each card.
The danger of all internet-connected devices
Nowadays, we fill our homes with all kinds of devices connected to the Internet. In addition, we rarely upgrade the firmware on those devices.
In many cases, firmware updates are not even released. A hacked internet-connected device can be used when paying with a stolen credit card so that the bank or payment gateway does not suspect a fraudulent transaction. The advantage of this arrangement is that the hackers can realise a higher amount than if they tried from elsewhere. In many countries, banks use OTP codes via SMS, but even that is not required for all smaller international transactions.
When discussing devices, USB memories must be mentioned. If you have not done it already, ensure your Anti-Virus software does not allow any USB memories or external disks other than those you have certified for your backup use. And Macintosh owners, don’t assume you are safe. Many Macintosh owners believe they are safe, but that is false safety. Macintosh is also vulnerable to hacking!
Ransomware, another major threat, is no longer only about encrypting data but about threatening to release the data, which often has a much higher value for the affected companies, since they typically have backups. Everyone has something to hide, and keeping it hidden is worth the money for hackers. This is now a proper industry! The easiest way to keep them out is to improve our password security. David Jacoby gave some excellent tips on how to improve password security, which I wanted to share.
How poor is your password security?
According to one source, the ten most commonly used passwords are Password (believe it or not), 123456, 123456789, 12345678, 1234567, Password1, 12345, 1234567890, 1234, Qwerty123. Other common passwords are dictionary words followed by a digit or a year and a character, such as Birmingham1997! Many people who realise this is too easy to hack use their pet names, maiden names, animal names, emotions, and food items. But basically, all of these are easy to guess or to hack.
In addition, if you use the same password for multiple services, it means that if one of those services has a data leak, the entire black-hat hacking community would have access to your password and would try it out on all other services. The same applies if you use Facebook, Twitter, Google, or similar to log in to other services.
Cryptic passwords
Most of us believe that a password such as h#tRe7JwQ2pO is safe because it is complex and doesn’t mean anything. And well, it is reasonably safe. It would take 34 thousand years for a computer to hack it. This password has what is called high entropy. It has a lot of information compared to a dictionary word. What is concerning is that it is also tough to remember. It becomes a nightmare if you need to remember one such complex password for every single service you log in to. Therefore, we typically write it down and store it in a word document or a vault. But then, the safety of our passwords depends on this storage place’s security. An article describing the NIST password guidelines and best practices lists many good things to ensure that safety is maintained.
How to improve password security while still remembering them
However, David Jacoby gave us much more practical advice than relying on vaults and complex cryptic passwords. He suggested that we use what humans are good at to beat hackers. Rather than using a vault, we can learn to construct passwords that are easy to remember. First, come up with a few words that are not connected. Let’s say Grass, Horse, Birds, and Sun. Now, while these words are unrelated, it is not hard to visualise them together. Look at the picture above. We have the Grass, Horse, and Birds, and I just noted that I missed the Sun! But you would not be able to see the rest if the sun was not up. So that’s ok!
Now you have the first part of all your passwords – GrassHorseBirdsSun.
It is long, and since the words are not connected, it is also safe, even if it is not very complicated for humans to remember. While it is composed of four different unconnected words, the entropy in proportion to the number of characters is undoubtedly lower than the cryptic password mentioned earlier. With the present processing speed, it will take a computer approximately six trillion years to break it. Apart from that, it is easier to remember, and it is also much easier to type. Just ensure that you don’t use words that are easily connected to yourself. Hackers are excellent at doing their homework. With the development of Artificial Intelligence, we can assume that soon it will be easier to guess what kind of words you like.
How to manage password security for different services?
That solves half our problem. Here comes the rest of the solution to make passwords easy to remember:
Since it is difficult to remember a unique password for every kind of service, the following is a trick to be able to use unique passwords for each service but with a minimum amount of memorising. The trick is to use the same long password which you can remember and then add a keyword for each service:
Here are some examples:

| Password | Service |
| --- | --- |
| GrassHorseBirdsSun@myface | |
| GrassHorseBirdsSun@mylinkedind | |
| GrassHorseBirdsSun@companymails | Company mailbox |
| GrassHorseBirdsSun@msteams | Microsoft Teams |
Some mailboxes may also demand a digit; then you add that but use the same, so you remember it. Note that I did not use the name of the service itself. I modified it slightly not to make it too obvious.
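To put numbers on the entropy comparison made earlier (cryptic 12-character password versus the four-word passphrase) and on the per-service keyword scheme above, here is an added example, not from David Jacoby's talk, that estimates bits of entropy and expected cracking time under two attacker models: a brute-force attacker who tries every string over the character set, and a dictionary-aware attacker who knows the password is a few words from a word list. The 10,000-word list and the 1e10 guesses-per-second cracking rate are constructed assumptions.

```python
import math

# Added example (not from the talk): rough entropy estimates for a password
# under two attacker models, so "years to crack" figures can be compared.
# Constructed assumption: an offline cracker trying 1e10 guesses per second.
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def charset_size(password):
    """Size of the union of standard character classes the password uses."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation and symbols
    return size

def bruteforce_bits(password):
    """Entropy if the attacker must try every string over the character set."""
    return len(password) * math.log2(charset_size(password))

def wordlist_bits(num_words, wordlist_size, suffix_bits=0.0):
    """Entropy if the attacker knows the password is num_words words drawn from
    a list of wordlist_size entries, plus a suffix whose secrecy is suffix_bits
    (0 when the suffix can be derived, e.g. from the service name)."""
    return num_words * math.log2(wordlist_size) + suffix_bits

def years_to_crack(bits, guesses_per_second=GUESSES_PER_SECOND):
    """Expected time: on average half the keyspace must be searched."""
    return 2 ** (bits - 1) / guesses_per_second / SECONDS_PER_YEAR

def strength_report(password, num_words=None, wordlist_size=None):
    """Bits and expected years under each model; the word-list model applies
    only when the password is built from num_words dictionary words."""
    bits = bruteforce_bits(password)
    report = {"bruteforce_bits": round(bits, 1),
              "bruteforce_years": years_to_crack(bits)}
    if num_words and wordlist_size:
        wbits = wordlist_bits(num_words, wordlist_size)
        report["wordlist_bits"] = round(wbits, 1)
        report["wordlist_years"] = years_to_crack(wbits)
    return report

if __name__ == "__main__":
    # The article's own examples; a 10,000-word list is assumed for the passphrase.
    for pw, n in (("h#tRe7JwQ2pO", None), ("GrassHorseBirdsSun", 4),
                  ("GrassHorseBirdsSun@myface", 4)):
        print(pw, strength_report(pw, n, 10_000))
```

Under the brute-force model the passphrase scores higher than the cryptic password, but against a word-list attacker it drops to roughly four words' worth of entropy, and a per-service keyword that is derived from the service name adds length without adding secret entropy. This is why unrelated words from a large vocabulary, and more of them, matter more than raw character count.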
You may still want to store your passwords in a vault, but you will rarely need to look them up, because you can remember them easily.
What about services we rarely use?
You can create a temporary password for services you rarely use, and as long as you give your email address, you can happily forget it after you use it. Next time you need the service, you can use “Forgot my password” instead to reuse the account. It doesn’t make sense to remember all passwords. However, even then, don’t use trivial passwords. If you use this method, there is, of course, one password you still have to remember: your mailbox password!
Multifactor Authentication
Multifactor Authentication protected by biometric identification is the gold standard, and especially when these are based on an app (and not SMS), they are considered very safe. But there are challenges there as well. Would any of your family members have access to your mobile phone? In such cases, it is not considered safe. But even for this, there is often a need for a password, and the idea shared here may help you to remember them by heart more easily.
How to remember numbers?
There are good techniques to memorise numbers if you need to. Convert each digit to a letter of the alphabet (1 to A, 2 to B, etc.) and then think of a word that starts with that letter and is easy to visualise. Let’s say you have a code 4276 you want to remember. Picture Dolphins shaped like Bananas with Grapes and a Flamingo in the background:

| Digit | Letter | Word |
| --- | --- | --- |
| 4 | D | Dolphin |
| 2 | B | Banana |
| 7 | G | Grapes |
| 6 | F | Flamingo |
Conclusions
Hackers are getting better and better at hacking, and thanks to the raw computer power they have at their disposal, we are living in an age where security is no longer optional. This article has covered a few tips on how to use the ways in which our human brain is still better than computers. The most important tip is to construct passwords by combining unrelated words instead of cryptic characters, giving passwords that are easy to remember but hard to crack.
Now, to make this even better for you, you should not use the kind of words I have suggested. You need to be innovative and build on these ideas. I have developed my twist to what I have shared, and what I have shared here is just the principle of how you also can improve your passwords. These methods can reduce the risk of being hacked, even by David Jacoby and his team!