Your New Password Is Too Weak Please Try Again Craigslist

How to create and remember strong passwords

A 6 letter password can be guessed by a computer in 1 second (if it's a word from the dictionary). A nine letter lowercase word (like 'spaghetti') takes just under 32 minutes. And when I say guessed, I don't mean a small chance. I mean 100% certainty that your password can be cracked, using what's known as a 'Dictionary Attack'.

This is just one of the many techniques a hacker has at his disposal to gain unauthorized access to your account. And what if you use the same password on multiple accounts? What if the hacker gains access to your primary e-mail account, and from there can reset the password to any of your other accounts?

The damage would be massive, and perhaps irreparable.

We're talking possible loss of money, permanent loss of account access, identity theft, public defamation, exposure of sensitive personal or financial information. Trust me, it would be bad.

Now that I have your attention, let me show you how insecure your passwords really are (and the absolute best practices for protecting the security of online and offline accounts).

In this article, you'll learn:

  1. 4 quick tips for stronger passwords (but you'll learn a lot more if you read the whole article)
  2. How passwords are cracked (an introduction)
  3. Dictionary Attacks
  4. Rainbow Tables
  5. Password Security
    1. Anatomy of a strong password
    2. Password Best Practices (unique passwords, two factor authentication, etc)
    3. How to remember/store your strong passwords
  6. Password Vaults (cloud and self-hosted options)
  7. 2-Factor Authentication (you need this. Today.)
  8. Summary and Additional Resources

4 Rules for Strong Passwords

Here are my quick and dirty top tips for maximizing your password and account security in the shortest amount of time. These tips are a good starting point, but if you have the time you'll learn a lot more by reading the entire article.

#1 – Use Strong Passwords

This seems like a no-brainer, but most people don't know what 'strong' means. Here's a cheatsheet:

  1. Strong – Use minimum three out of four (uppercase, lowercase, numbers, symbols)
  2. Long – 11+ characters minimum. 16 or longer if you ignore rule #1
  3. Random – It is way easier to break a password containing real words ('Donkey1975')

#2 – Use multiple unique passwords

If a site has a data breach and your login/password is stolen (I guarantee this has already happened at least once) how many other sites will the hacker be able to access with your credentials? Ideally you want that number to be – Zero.

In reality, most people would have to answer somewhere between "A few" and "Almost all of them…"

Never ever EVER reuse passwords for extremely important websites such as:

  1. Bank accounts
  2. 401k/Stock accounts
  3. E-mail

#3 – Use a Password Vault (to remember your passwords)

The problem with strong passwords is it's impossible to remember them all. Fortunately, there are multiple 'Password Vault' and cloud password solutions that can generate and remember all of your strong passwords for every website. All you need to do is remember one single 'Master Password'.

My personal recommendations:

  • Lastpass – Cloud solution, accessible everywhere. Browser extension and mobile support.
  • Keepass – Self hosted, encrypted password locker. Stored on your own device.

#4 – Enable two factor authentication

Two-factor authentication adds a 2nd layer of security to the login process. A password alone is not enough. You need both the password and access to the authentication device (which is usually your mobile phone, which receives verification requests via text or push notifications).

It's not nearly as much of a hassle as it sounds like, and many 2FA systems only have to verify you once, unless you try to log in later from an unknown device.

The two most important accounts for 2FA:

  1. Your Password Vault (otherwise if someone steals your master password, they can access any account).
  2. Your Email (A hacker with access to your email can easily reset passwords to other accounts).

Lastpass has multiple (free) options to add 2 factor authentication to your account. As far as e-mail providers go, most have been slow to adopt 2FA technology. The notable exception is Google, which has had 2 factor authentication on Gmail for years.

How Passwords are Cracked

This section will give you a solid introduction into the various ways your password can be compromised (threat vectors). We'll also discuss the methods used by websites to securely (or sometimes insecurely) store your login credentials.

You'll also learn how hackers can reverse engineer encrypted password databases (and how to protect yourself).

There are 2 main ways your password can be cracked:

  1. Password guessing/brute force attacks
  2. Reverse engineering passwords stolen from hacked sites.

Password Guessing attacks

These attacks work (both online and offline) by trying multiple different passwords for the same username in rapid succession. A fast computer can try thousands (or even millions) of combinations per second. Guessing attacks work much faster in offline scenarios (cracking an OS or file password).

Guessing attacks against websites will be slower, because the web server will limit how quickly a user can try a new password combination.

Common guessing attacks:

  1. Brute force – Trying every possible character combination
  2. Dictionary Attack – Guess the most common words/passwords

Brute Force Attacks

This is the simplest form of password guessing attack. The hacker uses software to try every possible combination of characters in each password length, until the correct one is found.

Since the password requirements of specific websites are publicly known (such as 'must contain at least 1 number') the rules of the brute force attack can be tailored to the websites' minimum password requirements.

There are multiple sites that can estimate the amount of time it would take to crack different passwords with 100% certainty by brute force. You can even see the time differential for a personal PC vs. a botnet or supercomputer.

Sites to gauge your password strength:

  • Kaspersky secure password check
  • Password Meter
  • How long to hack my password

Do you think 12 lowercase characters constitutes a strong password? Think again. Here are the brute force results for the password 'vpnuniversity' using the Kaspersky password tool:

Brute force password cracked (Kaspersky secure password tool)
Password 'vpnuniversity' cracked in 25 minutes by a 2012 Macbook laptop

That's right. A teenage hacker with a 4 year old Macbook can crack a 12 character lowercase password in less time than it takes to watch an episode of 'Seinfeld'. And a botnet could do it in a single second.

Later in this article (in the password security section) we'll compare this result to a randomly generated 12 character password containing all 4 character types. Hint: It's much MUCH stronger.

Dictionary Attack

A Dictionary attack is a brute-forcing shortcut that is able to guess passwords much more efficiently by making a specific assumption about your password. Specifically, that your password contains identifiable words and/or common password phrases.

By limiting the password attack to only password combinations including known words (or other common non-word passwords like '123123') an attacker can make a brute-force attack much more efficient. The reason? Only a tiny fraction (less than 0.1%) of all random character combinations will actually contain known words of 4 characters or more.

Advantages: Assuming you use a password that is vulnerable to a dictionary attack, your password could be cracked in less than 1/1000 of the time it would take for a computer to try random character combinations until a match was found. As a result, the vast majority of online guessing attacks are dictionary attacks.

Disadvantages: It is impossible for a dictionary attack to correctly guess a password consisting of purely random characters, numbers and symbols. If the password doesn't contain a word, a match will never be found, even if the attack runs for an infinite time period.

Data Hacks, Password Encryption & Decryption

While password guessing attacks target only one user at a time, data breaches can expose the login credentials for thousands or even millions of users at a time. There have been multiple MASSIVE data breaches in the past 4 years, including Target, Ashley Madison, and Adobe.

This section will look at the techniques websites do (or don't) use to securely store your passwords, as well as the most common techniques (like Rainbow Tables) hackers use to reverse engineer encrypted password databases.

How websites store passwords

Most websites that store user data take precautions to store passwords in encrypted form. If properly implemented, even if the user database is stolen during a hack, it will be difficult or impossible to decrypt the passwords into plaintext.

Websites store passwords using a technique called 'Hashing'.

What is Hashing?

At its simplest form, a Cryptographic Hash Function or 'Hash' algorithm is a set of mathematical rules that transforms any text snippet into a string of random characters of a fixed length (no matter how long the inputted text, the outputted hash will always be the same number of characters).

The mathematics behind hashing is extremely complex, and there are multiple hashing algorithms to choose from, but they all share one thing in common, which is at the core of why hashes are a good way to store passwords…

A Cryptographic Hash Function is a one-way function. Which means, it's easy to compute the hash of a text snippet, but mathematically very difficult (essentially impossible) to convert a hash back into the original text.

There are also 3 important properties of CHFs:

  1. A given text string like 'password' will always result in the same hash output
  2. Changing 1 character of the input ('passwordy') will dramatically alter the hash output
  3. It is very unlikely for two different input text strings to generate the same hash output.

There are many free sites where you can calculate hashes yourself to see how the process works. Here are a couple:

  • http://www.sha1-online.com – uses the SHA1 hash function.
  • MD5 Generator – Uses the MD5 hashing function (no longer considered secure)

For example, performing the SHA1 hash algorithm on the word 'password' results in this:

SHA-1 hash example
SHA-1 hash of the word 'password'

How websites use hashing for password encryption

When you create a username/password combo on a website, the website doesn't actually store your password in its database. Instead, they store the Hash of your password. When you try to log in, the site will calculate the hash of the text you enter in the 'password' field, and compare that result to the hash stored in the database. If they match, your login will be successful.

So in reality, the website doesn't actually know what your password is (which is why you can usually only reset your password, you can't actually retrieve it if you forget).

The advantage of this is obvious: If the site's user database is stolen, the hackers won't actually have your password, they'll only know the hash of the password, which isn't sufficient to log into your account.

Wait, why can't the hacker just login using the hash they stole?

Because when they try to login, the website will calculate the hash of whatever is input in the 'password' field. If the hacker just tries to use the hash they stole as the password, the website will actually calculate the hash of the hash which won't match the login credentials in the database, and their login will be denied.

For example: we already calculated the hash of the word 'password', but what if you calculate the hash of the hash? You get this…

Hash of a Hash example
Hash of the hash of 'password'

So while they've stolen the encrypted hash of your password, they still don't know what your password actually is. But Mr. Hacker still has a trick up his sleeve. It's called a Rainbow Table and he might be able to decrypt your password anyway…

Rainbow Tables

By definition, a Hash function is mathematically impossible to invert (you can't calculate the original text based on the outputted hash) so hackers decided to come at the problem from a different direction. The solution? Rainbow tables.

This novel approach is really more like a brute force method. The hacker wants to decrypt a database of hashed passwords, so he actually uses software to calculate the hash of millions (or even billions) of password combinations. These calculated hashes are stored in a database configuration known as a 'Rainbow Table'.

Once he has a rainbow table, the hacker can simply compare his database of stolen hashes to his rainbow table of calculated hashes. Every time the software finds a match, the hacker can easily deduce the password, because the rainbow table maps each plaintext password to its hash.

How feasible is a Rainbow Table Attack?

Very, as the Ashley Madison breach proved. Using rainbow tables, the hackers were able to decrypt more than 11 million of the 30 million passwords stolen in the breach, because some of the early users' accounts were hashed with the insecure algorithm MD5.

Getting access to rainbow tables is surprisingly easy. Believe it or not, you can generate rainbow tables yourself on a home computer using free software like Rainbow Crack. There are also databases available for purchase, or even for free on torrent sites and hacking forums. There are even free websites that check hashes against tables of precalculated values.

Not surprisingly, hashes of common one-word passwords can be decrypted nearly instantly using a free online database (which is much smaller than a real rainbow table).

Were you thinking of making your password your favorite (American) football team? Think again…

Hash reverse password lookup
Short 1 word passwords are easily reversed

Rainbow Table Weaknesses and Defense

Rainbow tables have one major weakness: there's a limit to how much data they can store before they become slow, unwieldy or too large to store. A portable rainbow table can only store hashes for all password combinations up to 12 characters in length before it starts to become increasingly unfeasible from a time and cost perspective (that level of processing power isn't free).

These limits can be stretched a bit if the rainbow table doesn't include all random character combinations, but instead focuses on known word combinations (like a dictionary attack).

There are two primary techniques to take advantage of this limitation and keep your passwords secure:

  1. Salting (implemented by the website when hashing your password)
  2. Stronger passwords (this one's on you bro.)

Password Salting

Salting is by far the #1 defense against rainbow tables, and proper use of password salting can make the attack almost completely impractical, because it forces the hacker to generate a unique (and large) rainbow table for each individual password they want to crack.

In simple terms, a Salt is a string of random characters that is added to the end of your password before it is hashed for storage in the site's database. The database stores both the hash and the salt value, so that it can correctly calculate the hash each time you log in.

Because each user account uses a different salt value when their password is created, any rainbow table created using a known salt (stolen from the database) will only work for reverse-engineering the password of that one user (assuming the salt makes the password+salt length far too long to be stored in a rainbow table).

In order for the same rainbow table to be used to decrypt all hashes in the database, it would have to be large enough to contain all input combinations of the password length + the salt length. By making the salt large enough (even 16 characters would be enough) calculating the hash of all possible combinations would be beyond infeasible.

Using a different salt value for each user also means that even if two users have the same password, the hash stored in the database will be different for each (because the unique salt is appended to the password before hashing, thus changing the output).

Ashley Madison didn't properly salt their passwords, which is why it was so easy to decrypt the MD5 hashes stolen in the breach.
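
The login check from 'How websites use hashing' and the per-user salt described above, as an added example that is not part of the original article. It uses SHA-1 with the salt appended, as the article describes, over a small constructed wordlist, and goes one step further by also storing a password with a per-user salt and a deliberately slow key-derivation function (PBKDF2); all function names and sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed wordlist standing in for a table of precomputed hashes.
COMMON_PASSWORDS = ["password", "123123", "spaghetti", "Donkey1975"]


def sha1_hex(text: str) -> str:
    """Fast hash, used here only because the article's examples use SHA-1."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def build_lookup(words):
    """Precomputed hash -> plaintext map (a plain lookup table, the simplified
    picture of a rainbow table that the article gives)."""
    return {sha1_hex(w): w for w in words}


def register_unsalted(password: str) -> dict:
    """What a site that skips salting stores."""
    return {"hash": sha1_hex(password)}


def register_salted(password: str) -> dict:
    """Per-user random salt (16 hex characters), appended before hashing."""
    salt = secrets.token_hex(8)
    return {"salt": salt, "hash": sha1_hex(password + salt)}


def login(record: dict, attempt: str) -> bool:
    """Hash what was typed (plus the stored salt, if any) and compare."""
    candidate = sha1_hex(attempt + record.get("salt", ""))
    return hmac.compare_digest(candidate, record["hash"])


def register_kdf(password: str, iterations: int = 600_000) -> dict:
    """Beyond the article: per-user salt plus a slow KDF, so each guess against
    a stolen record costs many hash computations instead of one."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def login_kdf(record: dict, attempt: str) -> bool:
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["hash"])


def demo() -> dict:
    table = build_lookup(COMMON_PASSWORDS)
    unsalted = register_unsalted("password")
    alice = register_salted("password")
    bob = register_salted("password")  # same password, different salt
    return {
        # The unsalted hash is already in the precomputed table.
        "unsalted_found_in_table": table.get(unsalted["hash"]),
        # The salted hash of the same password is not.
        "salted_found_in_table": table.get(alice["hash"]),
        # Two users with the same password get different stored hashes.
        "same_password_same_hash": alice["hash"] == bob["hash"],
        # The real password still logs in, because the salt is stored.
        "login_with_password": login(alice, "password"),
        # Submitting the stolen hash as the password hashes it again and fails.
        "login_with_stolen_hash": login(alice, alice["hash"]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```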

Long Passwords

Most companies will follow proper security procedures and use a large salt before hashing your password for storage. But some don't, either through laziness or ignorance. This is just another reason you should take it upon yourself to make your password as strong as possible.

By making your password 16+ characters, using all 4 character types, you can make a rainbow table attack impractical even against unsalted hashes.

The hackers will be content to reverse the 90% of weak passwords by users that don't know any better, and your data should hopefully remain safe and secure.

Strong Passwords (Everything you need to know)

If you follow these recommended best practices for password selection and storage, you will dramatically reduce your risk exposure in the event of a data breach. Nobody can guarantee absolute security (certainly I can't) but these principles are a massive step in the right direction.

What constitutes a strong password?

A good password should ideally be as long as possible, as random (or at least seemingly random) as possible, and contain as many character types as possible:

The 4 character types are:

  • capital letters
  • lowercase letters
  • numbers
  • symbols

To illustrate how important it is to add as many of these 4 character types as possible when you create a password, let's consider the difficulty of breaking your password via brute force:

There are 26 lowercase letters (in the English alphabet) so an 8 character all-lowercase password has 26^8 unique combinations.

If you add capital letters, numbers 0-9, and 10 symbols (the 10 available by pressing SHIFT + [a number 0-9]) you get 72 unique character choices. In an 8 character password, this yields 72^8 unique combinations.

Do you want to guess how many more possible combinations there are when you use 72 characters for your password?

Let's do the math:

26^8 = 208,827,064,576

72^8 = 722,204,136,308,736

72^8 / 26^8 = 3458 (rounded to the nearest integer).

In other words, if it took 1 day to crack the first password, it would take nearly 10 years to crack the second.

When you go to 12 characters, the difference is even more dramatic:

72^12 / 26^12 = 203,381 times as strong.

The rules for a good password:

  • Strong (multiple character types)
  • Long (11 character minimum, 13+ is better)
  • Random (Avoid using common words vulnerable to dictionary attacks).
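
The three rules and the keyspace arithmetic above, turned into a checker and a generator; this is an added example, not code from the original article. The 72-character alphabet follows the article's count (US keyboard layout assumed for the 10 symbols), the thresholds come from the article's quick-tips cheatsheet, and the wordlist is a small constructed sample.

```python
import secrets
import string

# The article's 72-character model: 26 lower + 26 upper + 10 digits + the 10
# symbols on SHIFT+digit (US keyboard layout assumed).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()",
}

# Constructed sample wordlist; a real check would load a full dictionary.
SAMPLE_WORDS = ["donkey", "spaghetti", "password", "university"]


def classes_used(password: str) -> set:
    """Names of the character types that appear in the password."""
    return {name for name, chars in CLASSES.items()
            if any(c in chars for c in password)}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of possible passwords of this length over this alphabet."""
    return alphabet_size ** length


def strength_ratio(length: int) -> float:
    """How many times more combinations all 72 characters give than 26 lowercase letters."""
    return keyspace(72, length) / keyspace(26, length)


def check(password: str, words=SAMPLE_WORDS) -> list:
    """Return the rules the password breaks; an empty list means it passes.

    short: fewer than 11 characters
    types: fewer than 3 of the 4 character types, and not 16+ characters
    word:  contains a dictionary word of 4 or more letters
    """
    problems = []
    if len(password) < 11:
        problems.append("short")
    if len(classes_used(password)) < 3 and len(password) < 16:
        problems.append("types")
    lowered = password.lower()
    if any(len(w) >= 4 and w in lowered for w in words):
        problems.append("word")
    return problems


def generate(length: int = 16) -> str:
    """Random password with at least one character of every type, drawn from
    the operating system's CSPRNG via the secrets module."""
    if length < len(CLASSES):
        raise ValueError("length must be at least 4 to fit every character type")
    pool = "".join(CLASSES.values())
    chars = [secrets.choice(group) for group in CLASSES.values()]
    chars += [secrets.choice(pool) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)  # hide where the forced picks landed
    return "".join(chars)


if __name__ == "__main__":
    for pw in ("Donkey1975", "vpnuniversity", generate()):
        print(pw, check(pw))
    print(round(strength_ratio(8)), round(strength_ratio(12)))
```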

Password Best Practices (Will minimize your exposure after a data breach).

Follow these simple rules to minimize the damage (if any) that could result if hackers stole a database containing one of your passwords.

Rule #1 – Use Unique Passwords (Especially for important accounts).

Most people use the same password over and over for different accounts. The problem with this is obvious. If a hacker steals your password, he can now access any account that uses that login/password combination.

If you use a unique password for every account, the theft of one password doesn't make any of your other accounts vulnerable. Password vaults like Lastpass have a built in random password generator that can help you pick a unique strong password for every site.

There's no reason someone should be able to access your bank account just because they hacked your Twitter account (and if you believe celebrities, Twitter gets hacked all the time). Use unique passwords.

Rule #2 – Enable 2-factor authentication for your important accounts

If you aren't using 2FA yet, you should be. It makes it very difficult for someone else to take control of your account, even if they have the correct login/password combination. It's easy to implement, available on many sites, and usually free.

What is Two-Factor Authentication

2FA (sometimes also called 2-factor verification) is a security measure that requires users to complete 2 separate steps before accessing an account. The most common 2FA combination is:

  1. Something you know (login/password combination)
  2. Something you have (Smartphone, security token, flash drive, etc…)

After you type in your login/password, you use your physical verification device to complete the login. Often this will be in the form of a text message or push notification being sent to your smartphone, which contains a unique (and temporary) verification code.

Even if a hacker does manage to decrypt your password, it's highly unlikely that he'll be able to get his hands on your authentication device (unless he's really motivated).

Where to use 2FA?

While many websites do offer two-factor authentication, the majority don't. It also adds a small amount of time to the login process, so it's usually only worthwhile for the most important websites.

There are 3 main categories of sites for which we STRONGLY recommend enabling 2FA:

  1. Your primary e-mail account
  2. Your password cloud vault (if you use one)
  3. Bank/Brokerage accounts

Why these account types?

Bank/Brokerage/Retirement accounts – These accounts are obvious choices for 2FA, because an account breach would be devastating. The majority of your net worth (outside your house if you own one) is basically just digits in a computer database. If a hacker gained access to your account, he could transfer your life savings to another account, and you'd be, as we say, Shit Outta Luck.

Email/Password vault accounts – In many ways, these accounts are actually the most important, because they're gateway accounts. If a hacker can access your email, he can reset your passwords for any website that uses that e-mail address. A password vault is even more dangerous, and if compromised, the hacker could literally download all your login combinations in plain text. Yikes.

There's a bit of bad news, however. Very few Email providers have deemed 2FA worth the effort. Fortunately, Google continues to be on the cutting edge of personal security. Enabling two-factor authentication for Gmail is quick and easy.

Why you need a password manager

The problem with strong, unique passwords is that they're impossible to remember. Literally.

That's why millions (maybe billions) of users have turned to password management services like Lastpass, Keepass, Dashlane, and 1Password. All you need to remember is 1 single 'Master Password' and the password manager does all the heavy lifting and storage of your online credentials.

Most of these services are 'cloud-based', meaning your password vault is available from any location with an internet connection. Your passwords will be stored in an encrypted database, using the same technology as professional hard drive encryption (which should still protect your data even if the database is hacked).

There are 2 types of password managers:

  1. Self-hosted (offline) solutions.
  2. Cloud (online) solutions

Both cloud and self-hosted password managers accomplish the same thing (storing and remembering all your passwords in encrypted form) but each has its own pros and cons.

Self Hosted vs. Cloud-based password managers

The majority of password management services are now cloud-based because the cloud allows users to sync their passwords across all devices and access their passwords from any device with an internet connection. While this convenience is a huge benefit, there are also two caveats:

  1. You have to trust your password management company not to lose (or even steal) your passwords.
  2. You have to trust their ability to encrypt and protect your passwords from theft by others.

Bottom Line: As long as you're sticking to the most trusted names in password management, your data should be secure and you can trust that your passwords are being protected using industry-standard best practices like:

  • Zero-knowledge encryption (Only you have the encryption key)
  • HTTPS encrypted data transfer of passwords to/from your vault
  • Salting of hashed passwords (so they're difficult to reverse engineer even if your vault is breached).

Our 3 favorite password managers

Our 3 favorite password managers (not in order) are:

  • Lastpass (cloud only)
  • Dashlane (cloud and local sync)
  • Keepass (local vault with sync option)

Each has its own advantages, and which one you should choose will depend on your budget, privacy preferences, and whether you prioritize convenience more than security.

Lastpass (Cloud | Freemium)

Lastpass is a cloud-only password manager that makes your login details easily accessible from any device.

They operate on a freemium pricing model, where the PC browser extensions are free but you have to pay to access your Lastpass vault from your mobile device.

Lastpass firefox
Lastpass firefox extension

How Lastpass Works

You use Lastpass by installing their extension for your favorite web browser (all major browsers are supported). You sign into your Lastpass account with a single 'Master Password' which then gives you access to your full Lastpass 'vault'.

Lastpass will automatically pre-populate login/password fields for saved sites (or even autologin if you prefer).

All your usernames/passwords are encrypted locally using AES 256-bit encryption before they are sent to the Lastpass cloud. Lastpass doesn't even know your Master Password (they just store a salted hash of it for login verification). It's a true zero-knowledge password manager.

Is LastPass secure?

Very. Your entire database is stored in encrypted form, so even if data is stolen from their cloud servers, it's extremely unlikely hackers could break the encryption protecting your passwords.

Lastpass was actually hacked in 2015 but the intruders weren't able to compromise user accounts thanks to the multiple redundant security measures Lastpass implements.

Two-Factor Authentication

Make your Lastpass vault even more secure by enabling 2-factor authentication (they offer multiple options, many of which are free). This makes it nearly impossible for a hacker to access your account, even if they have your master password.

Pricing

Lastpass is a 'Freemium' service. Basically it's totally free to use Lastpass in your favorite web browser but you have to upgrade to sync passwords to your smartphone or other mobile device. Premium is only $12 annually.

Dashlane (Local + Cloud Sync | Freemium)

Dashlane is another Freemium password manager like Lastpass. They have even more features but the free version only works on a single device. To get the most out of Dashlane, you'll need to upgrade to their premium plan which costs $39.99/year.

Dashlane password manager
Dashlane syncs your strong passwords on all devices

How Dashlane Works

At its core, Dashlane is very similar to Lastpass. Your password database is encrypted locally using a master password that only you know. You can easily access your passwords with the Dashlane browser extension (all major browsers) or the Dashlane app on your smartphone/tablet.

Features

  • 256-bit AES Encryption (Zero-Knowledge)
  • Securely sync your passwords to the cloud
  • Access your passwords from any device
  • Change all your passwords in 1 click (over 250 sites supported).
  • 'Strong' password generator
  • Securely store your credit card information
  • 2-factor authentication (optional)

By far the most unique feature is the 1-click password change, which can instantly change all of your passwords at over 250 of the world's most popular websites like Evernote, Amazon, Spotify and more…

Pricing

Dashlane is free on any 1 device or you can upgrade for $39.99/year to support multiple devices.

Keepass (Local Database w/ sync option | Free)

Keepass is a completely free password manager that stores your logins/passwords in an encrypted database on your own device. There are 3rd-party projects that add support for mobile devices as well.

Keepass
Keepass local password database

How it works

Usernames/Passwords are all stored in a local database (on your own machine) which can be encrypted with your choice of cipher algorithm including: AES, Blowfish, or Twofish.

The database is encrypted using a 'master password' with the option to add a 'key file' if you prefer. Keyfiles are a form of two-factor verification which allows you to use any file on your computer as a secondary 'key' required in addition to the password.

You can drag and drop login/passwords from Keepass to your web browser, or use one of the many free extensions to auto-fill password fields directly from Keepass.

Mobile Support

Keepass was originally developed only for Mac and Windows machines, but it has also been ported to iOS and Android by 3rd-party developers. You can use one of the following apps to sync your Keepass vault to your mobile device:

  • KeepassDroid (Android)
  • Keepass2Android (Android)
  • MiniKeePass (iOS)

Wrapup

Now that you know why your 6-9 character lowercase passwords are so unsafe, make sure to take the steps to do something about it. The only person looking out for your online security is you.

It's inevitable that hackers will steal a database containing your login/details (in all likelihood, it's already happened whether you realize it or not).

By using strong, unique passwords you can minimize the chance of a hacker reverse-engineering your password (assuming the site followed proper 'hashing' practices). And by never using the same password twice, you don't have to worry about a stolen password being used to log into multiple sites.

Store all your strong passwords in a password manager (like Lastpass) and upgrade your security with 2-factor authentication.

Hackers mostly go after the low-hanging fruit (meaning people with short, easy passwords). By following these simple rules, you'll make yourself a much less attractive target. Get to it.

whitneypubset.blogspot.com

Source: https://www.vpnuniversity.com/learn/strong-passwords
