CLOUDY podcast | #2 123456 or password as password is a sad truth

The second episode of the CLOUDY podcast is dedicated to the topic of cyber-security. What does a secure password look like, why is multi-factor authentication necessary, and what to do if I can't remember my passwords? Andrej Kratochvíl and Michal Srnec, CISO of Aliter Technologies, talked about all this and provided tips on how to create a strong password.

I've learned that up to 85% of people have one password for multiple services, for example for email or Facebook. And over 75% of people have weak passwords. What does it mean that I have a weak password?

Maybe first, as to why people have one and the same password with only slight variations: it should be remembered that it is not entirely natural for us humans to remember sequences of characters, and what's more, these sequences should have good entropy, i.e. they should be random. Nowadays it is common for young people to have twenty or thirty accounts on social networks, banking apps, etc. And having 30 sequences of characters stored in your head like that is not a completely trivial matter. So we can't blame users for simplifying things.

Is it true that people still use passwords like 123456?

That's the sad truth. Every year a list of the most common passwords comes out, and regularly 123456 leads the way, with password coming in second, I think, and so on. Attackers abuse such a list of the 10,000 most used passwords, and those top rungs hardly change. This is step zero for them: download this list and compare the passwords.

Do they do it by hand or is there a tool for that?

They certainly don't do it by hand. There are automated tools for that. There are actually two methods. The most common one is that I take the passwords and try them one by one in a particular service, but that's the less sophisticated method.

The more sophisticated one is that I download that database of passwords and I try them one by one offline on some powerful machine, possibly in the cloud.

How can a hacker get the password? I heard a long time ago that it is possible to do it from the imprints on the letters or numbers on the keyboard, and I have even read that AI can do it by the sound of the keys.

If you take the microphones that are already in webcams or in those high-quality laptops today, they are very sensitive, and from how fast and how those keyboards actually sound, I can train an AI model to do that. Afterwards it will very likely be able to tell, just from the sound, what password the user actually typed.

That's already a sophisticated method. After all, even those attackers want to get as much benefit as possible for a minimum of effort. It's a question of motivation. It's much easier to try to crack those weak passwords than to hack someone's computer and microphone and have a trained AI model.

When creating a password now, the site often says that the password is weak. So what does it really mean that the password is weak?

The answer to this question of what is a strong and a weak password is paradoxically quite simple. We have that entropy in a password, which we can measure quite well, and we can work out how quickly a password would be broken by brute force.

If I want the password to be unbreakable, or rather very hard to break (because breaking a password is always just a matter of time and effort), then we know that it has to have at least twelve or more characters with good entropy, some combination of upper and lowercase letters, and so on.

A 12-character password with upper and lower case letters, numbers and special characters is a fairly complex password. But if I put 6 "A's" in a row, one "B", and an at sign (@) at the end, it will also be an easy password to guess.

It is the element of that entropy that is very important, i.e. how randomly those characters are generated there.

Are there trends in passwords too, some way in which this is developing?

On the one hand, there's a list of passwords that stays the same year after year; then there are the specifics of that year: what song is a hit, who won which cup, and so on, which users incorporate into the creation of the password.

It's not so much the character set that's used that matters, but the length of the password. I prefer to have a longer password, e.g. sixteen characters, and drop the special characters. It can be a sentence or two unrelated words where I alternate between upper and lower case.

Is it safe to store passwords in the browser? How do I remember them when I have more than one?

It's certainly safer than having them in some text file where they are unencrypted, or having one password everywhere. But I wouldn't put my bank account password in there.

There are so-called password managers that remember these passwords for us. They also work online, e.g. I have some browser plugin or a desktop app, or I can have them on my mobile phone. No need to worry here because the database is encrypted with our "master" password. It's like a vault to which I have the master key and I only need one strong password or biometrics.

What about multifactor authentication?

It's another additional element to security. Usually three factors are used. Either I use something I am, something I know or something I have.

Something I am is classic biometrics: face, fingerprint, etc. Something I have can be a hardware token; it used to be GRID cards. And something I know is a password. You need to use two of those three factors, that is, for example, a password and biometrics.

What you have to keep in mind is that those elements have to be independent. I can't have both a password and a hardware token remembered in a password manager.

This article was based on a podcast. You can listen (in Slovak) to the full podcast on SPOTIFY or watch it on YouTube.
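The three points the interview makes about weak passwords (the common-password list attackers try first, the entropy of the character set, and the "AAAAAAB@"-style repetition that fools a simple class count) can be combined into one defender-side policy check. The code below is an added example, not from the podcast or Aliter Technologies; the list contents, the guessing rate, the policy thresholds and the run-length heuristic are assumptions, marked as such in the comments.

```python
import math

# Constructed stand-in for the "most used passwords" list the interview mentions;
# a real checker loads the full top-10,000 list from a file.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "12345678", "111111"}
# Assumed offline guessing rate (guesses/second) for one powerful machine.
GUESS_RATE = 1e10
# Assumed policy thresholds, following the interview's "twelve or more characters".
MIN_LENGTH, MIN_BITS = 12, 60
# Character classes and the alphabet size each one adds (33 = ASCII punctuation).
CLASSES = ((str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
           (lambda c: not c.isalnum(), 33))

def charset_size(pw):
    """Alphabet size an attacker must cover, from the classes present in pw."""
    return sum(n for test, n in CLASSES if any(test(c) for c in pw))

def naive_bits(pw):
    """Entropy if every position were an independent uniform pick from the charset."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0

def run_aware_bits(pw):
    """Simplified repeat heuristic (an assumption, not a full zxcvbn-style model):
    a run of identical characters costs one character plus log2(run length) bits,
    so 'AAAAAAB@' is far cheaper to guess than its 8-character, 2-class appearance
    suggests. Equals naive_bits() when no character repeats consecutively."""
    if not pw:
        return 0.0
    per_char, bits, i = math.log2(charset_size(pw)), 0.0, 0
    while i < len(pw):
        j = i
        while j < len(pw) and pw[j] == pw[i]:
            j += 1
        bits += per_char + math.log2(j - i)
        i = j
    return bits

def assess(pw):
    """Run the checks a defender-side policy would apply to a candidate password."""
    if pw.lower() in COMMON_PASSWORDS:  # step zero for an attacker, so step zero here
        return {"verdict": "common", "bits": 0.0, "crack_seconds": 0.0}
    bits = min(naive_bits(pw), run_aware_bits(pw))
    crack_seconds = 2 ** bits / GUESS_RATE  # worst case: the whole space is tried
    verdict = "strong" if len(pw) >= MIN_LENGTH and bits >= MIN_BITS else "weak"
    return {"verdict": verdict, "bits": round(bits, 1), "crack_seconds": crack_seconds}

if __name__ == "__main__":
    for pw in ["123456", "AAAAAAB@", "Xk7#pQ2$vL9m", "qWmzLpRtBvKsDhXn"]:
        print(f"{pw:18} {assess(pw)}")
```

The last two sample passwords show the interview's point about length: 16 mixed-case letters with no special characters score higher than 12 characters drawn from all four classes.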