Improving password security


I attended the Swedish annual ITSMF Expo conference in September 2022, and one seminar was about password security. The seminar was held by David Jacoby, a famous Swedish White-Hat hacker. He recently participated in a Swedish TV series (“Hackad”), where he and his team were challenged to find ways to break into and identify vulnerabilities in various systems. If you wonder what on earth the picture of the horse above has to do with password security, then read on!

He started by sharing how well-organised the hackers are. Some aspects of hacking have evolved into an industry, and hackers have established an entire value chain. The ones stealing passwords and credit cards are not necessarily the same as those who realise their value. A stolen credit card number with details may be worth $2 on the secondary market. The Russian mafia systematically uses these cards to get relatively small amounts from each card.

The danger of all internet-connected devices

Nowadays, we fill our homes with all kinds of devices connected to the Internet, and we rarely upgrade their firmware.

In many cases, firmware updates are not even released. A hacked internet-connected device can be used as the origin of fraudulent credit card transactions so that the bank or payment gateway does not flag them as suspicious. The advantage of this arrangement for the hackers is that they can realise a higher amount than if they tried from elsewhere. In many countries, banks use one-time password (OTP) codes via SMS. However, that is not required for all smaller international transactions.

When discussing devices, USB memories must be mentioned. If you have not done so already, ensure that your Anti-Virus software does not allow any USB drives or external disks other than those you have certified for backup use. And Macintosh owners, don’t assume you are safe: that is a false sense of security, because Macintosh is also vulnerable to hacking!

Ransomware, another major threat, is no longer just about encrypting data but also about threatening to release it, which is often a much bigger problem for the affected companies, since they typically have backups. Everyone has something to hide, and hackers know that keeping it hidden is worth money. This is now a proper industry! The easiest way to keep them out is to improve our password security. David Jacoby gave some excellent tips on how to improve password security, which I wanted to share.

How poor is your password security?

According to one source, the ten most commonly used passwords are “Password” (believe it or not), 123456, 123456789, 12345678, 1234567, Password1, 12345, 1234567890, 1234, Qwerty123. Other common passwords include dictionary words followed by a digit or a year and a character, such as “Birmingham1997!”. Many people who realise this is too easy to hack use their pet names, maiden names, animal names, emotions, and food items. However, essentially all of these are easily guessed or hacked.

In addition, if you use the same password for multiple services, it means that if that service has a data leak, the entire hacking community would have access to your password and attempt to use it on all other services. The same applies if you use Facebook, Twitter, Google, or similar to log in to other services.

Cryptic passwords

Most of us believe that a password such as h#tRe7JwQ2pO is safe because it is complex and doesn’t mean anything to anyone. And it is reasonably secure: it would take 34 thousand years for a computer to hack it. This password has what is called high entropy; it carries a lot of information compared to a dictionary word. What is concerning is that it is also challenging to remember. It becomes a nightmare if you need to remember one such complex password for every single service you log in to. Therefore, we typically write it down and store it in a Word document or a vault. However, the safety of our passwords then depends on the security of this storage location. An article describing the NIST password guidelines and best practices lists many good things to do to maintain safety.

How to improve password security while still remembering them

However, David Jacoby gave us much more practical advice than relying on vaults and complex cryptic passwords. He suggested that we use what humans are good at to beat hackers. Rather than using a vault, we can learn to construct passwords that are easy to remember. First, come up with a few words that are not connected. Let’s say Grass, Horse, Birds, and Sun. While these words are unrelated, it is not hard to visualise them together. Look at the picture above. We have the Grass, Horse, and Birds, and I just noted that I missed the sun! But you would not be able to see the rest if the sun were not up. So that’s ok!

Now you have the first part of all your passwords – GrassHorseBirdsSun.

It is long, and since the words are not connected, it is also safe, even though it is easy for humans to remember. Although it comprises four different unconnected words, the entropy, in proportion to the number of characters, is undoubtedly lower than that of the cryptic password mentioned earlier. With the present processing speed, it will still take a computer approximately six trillion years to break it. Apart from that, it is easier to remember, and it is also much easier to type. Just ensure you don’t use words that are easily connected to yourself. Hackers are skilled at conducting thorough research. With the development of Artificial Intelligence, we can assume that it will soon be easier to guess what kind of words you like.
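To make the comparison between the cryptic password and the four-word passphrase concrete, here is a small Python script I have added to this article (it is not David Jacoby's code nor from the article's source). It does two things: it flags the weak patterns from the section above (a password on the common-password list, or a dictionary word followed by digits and a symbol like “Birmingham1997!”), and it estimates entropy two ways: as if the attacker treats the passphrase as a random string, and as if the attacker knows it is built from words on a known list. The ten common passwords are those listed above; the tiny dictionary, the guess rate of ten billion guesses per second and the 7,776-word Diceware list size are my assumptions for illustration, so the year figures differ from the ones quoted in the article.

```python
import math
import re
import string

# Constructed sample data: the ten passwords the article lists, lower-cased,
# plus a tiny stand-in for a word dictionary. A real checker would load a
# breached-password list and a full wordlist instead.
COMMON_PASSWORDS = {
    "password", "123456", "123456789", "12345678", "1234567",
    "password1", "12345", "1234567890", "1234", "qwerty123",
}
SMALL_DICTIONARY = {"birmingham", "welcome", "summer", "london", "dragon"}

# Assumed attacker capability: 10 billion guesses per second (an assumption
# for illustration; the article's own year figures use an unstated rate).
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600
DICEWARE_LIST_SIZE = 7776  # size of the standard Diceware wordlist (6^5)


def weakness_reasons(pw: str) -> list:
    """Flag the patterns the article calls easily guessed."""
    reasons = []
    if pw.lower() in COMMON_PASSWORDS:
        reasons.append("in common-password list")
    # a dictionary word, optionally followed by up to four digits (a year) and one symbol
    m = re.fullmatch(r"([A-Za-z]+)(\d{0,4})([^A-Za-z0-9]?)", pw)
    if m and m.group(1).lower() in SMALL_DICTIONARY:
        reasons.append("dictionary word plus optional digits/symbol")
    return reasons


def char_pool_size(pw: str) -> int:
    """Alphabet size an attacker must cover if the password is a random string."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)  # the 32 ASCII symbols
    return pool


def random_string_bits(pw: str) -> float:
    """Entropy if every character were chosen uniformly from its pool."""
    return len(pw) * math.log2(char_pool_size(pw))


def passphrase_bits(num_words: int, wordlist_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy when the attacker knows the scheme: N words drawn from a known list."""
    return num_words * math.log2(wordlist_size)


def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the assumed guess rate."""
    return 2 ** bits / rate / SECONDS_PER_YEAR


def compare(cryptic: str, words: list) -> dict:
    """Put a cryptic password and a word-based passphrase side by side."""
    phrase = "".join(words)
    return {
        "cryptic_bits": random_string_bits(cryptic),
        "phrase_bits_as_string": random_string_bits(phrase),  # attacker ignorant of the scheme
        "phrase_bits_as_words": passphrase_bits(len(words)),  # attacker knows the scheme
        "phrase_length": len(phrase),
    }


if __name__ == "__main__":
    for pw in ["Password1", "Birmingham1997!", "h#tRe7JwQ2pO", "GrassHorseBirdsSun"]:
        bits = random_string_bits(pw)
        print(f"{pw:22} {bits:6.1f} bits  ~{years_to_exhaust(bits):.3g} years  {weakness_reasons(pw)}")
    print(compare("h#tRe7JwQ2pO", ["Grass", "Horse", "Birds", "Sun"]))
```

The two entropy views are the point: treated as an 18-character random string, GrassHorseBirdsSun scores far above the 12-character cryptic password, but an attacker who knows it is four common words from a known list has only about 52 bits to search, which is below the cryptic password's roughly 79. That is exactly why the article insists on unrelated, unusual words: the further your words are from any wordlist a hacker would try, the closer the real cost is to the first view.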

How do you manage password security for different services?

That solves half our problem. Here comes the rest of the solution to make passwords easy to remember:

Since it is difficult to remember a unique password for every type of service, the following is a trick to use unique passwords for each service with a minimum amount of memorisation. The trick is to use the same long password that you can remember and then add a keyword for each service:

Here are some examples:

Password                          Service
GrassHorseBirdsSun@myface         Facebook
GrassHorseBirdsSun@mylinkedind    LinkedIn
GrassHorseBirdsSun@companymails   Company mailbox
GrassHorseBirdsSun@msteams        Microsoft Teams

Some mailboxes may also demand a digit; if so, add one, but use the same digit everywhere so you remember it. Note that I did not use the service’s name itself. I modified it slightly so that it is not too obvious.

You may still want to store your passwords in a vault, but you may never need to look them up, and you can easily remember them.

What about services we rarely use?

You can create a temporary password for services you rarely use, and as long as you give your email address, you can happily forget it after you use it. Next time you use it, you can use “Forgot my password” instead to reuse the account. It doesn’t make sense to remember all passwords. However, avoid using trivial passwords. If you use this method, you will still need to remember one password. Your mailbox password!

Multifactor Authentication

Multifactor Authentication protected by biometric identification is the gold standard, and it is generally considered very safe when these methods are based on an app (and not SMS). But there are challenges there as well. Would any of your family members have access to your mobile phone? In such cases, it is not considered safe. However, even for this, there is often a need for a password, and the idea shared here may help you remember them more easily by heart.

How to remember numbers?


There are effective techniques to memorise numbers if you need to recall them. Convert each digit to the corresponding letter of the alphabet (1 to A, 2 to B, etc.), and then think of a word that starts with that letter and is easy to visualise. Let’s say you have a code, 4276, that you want to remember. The picture to the right is of Dolphins shaped like Bananas with Grapes and a Flamingo in the background.

Digit   Letter   Animal
4       D        Dolphin
2       B        Banana
7       G        Grapes
6       F        Flamingo

Conclusions

Hackers are continually improving their hacking techniques, and thanks to the vast amount of raw computer power at their disposal, we are living in an era where security is no longer optional. This article offers a few tips on how the human brain remains superior to computers in specific ways. The most important tip is to construct passwords by combining unrelated words, which are easy to remember but hard to crack, instead of using cryptic characters.

To make this even better for you, please refrain from using the kind of words I have suggested. You need to be innovative and build on these ideas. I have developed my own twist on what I’ve shared, and what I’ve shared here is just the principle of how you can also improve your passwords. These methods can reduce the risk of being hacked, even by David Jacoby and his team!
