“The faster I type my password, the more secret-agenty I feel”

March 27, 2013

Jacqui Henderson

Our new password cracking service…

Securus Global recently implemented a new offline password cracking service that allows us to identify which user accounts have easily ‘crackable’ or guessed passwords. Identifying these accounts is key to an organization’s security, as accounts with weak passwords are an easy way for an attacker to gain a foothold into an organisation’s network. This capability has long been available to malicious hackers, and is now available to our customers as well.

Popular weak passwords:

For an attacker, one of the most trivial ways to get into user accounts is to attempt to log in with known usernames, using easily-guessed passwords, either manually or using an automated “brute-force” password guessing tool. User accounts with weak passwords make this process significantly easier for an attacker.

Here are the top 25 worst passwords of 2012 (from Tech Time*)

1. password                       2. 123456                       3. 12345678
4. abc123                           5. qwerty                        6. monkey
7. letmein                           8. dragon                       9. 111111
10. baseball                       11. iloveyou                   12. trustno1
13. 1234567                       14. sunshine                 15. master
16. 123123                         17. welcome                  18. shadow
19. ashley                           20. football                    21. jesus
22. michael                         23. ninja                        24. mustang
25. password1

Now, if any of your passwords resemble the ones above, there’s no need to panic, however you certainly shouldn’t be feeling calm at this point either – for anyone trying to break into your system, these passwords (and permutations of them) are often some of the first that they will try.

Similarly, obvious base words such a family or pets name, birthday or favourite sporting teams, are also considered weak password choices. With so much personal information being published on social media sites nowadays, it is becoming far easier for hackers to guess your passwords using publically available information.

Here are some tips on what you should do to make the process of guessing your password more challenging.

Password Recommendations:

  • A password doesn’t just have to be a word; Instead try;
    • Using a series of words – a passphrase (recommended)
    • Drawing ASCII art with your password (e.g. “**o/o/**”)
    • Embracing punctuation and symbols, as well as numbers and characters
    • Ensuring your password is at least 8 characters long (the longer the better)
    • Don’t use the same password for every online application
    • Change your passwords regularly
    • Be creative. For example;
      • Spell common words backwards; e.g. buddy2007 becomes 7002yddub
      • Take each of the first letters from a sentence. E.g. ‘I drive a 1963 green mustang! Becomes IDA63GM!
      • Remove vowels from words. E.g. ‘French Fries’ becomes ‘FrnchFrs’
      • Use two-step verification where it is supported, where you’ll receive a text message containing a code that you will have to enter in order to log in.

Note that the more complex your passwords are, the more difficult it becomes for a hacker to solve. By incorporating some of the above tips and tricks you will help reduce your chances of having your password compromised. After all, if someone is going to hack into your account, the least you can do is make them work for it.

How to remember your password:

  • You should never write your passwords down, however you can leave clues as to what they might be, such as in your notes section of your phone or notebook.
  • Alternatively, you can put all your passwords on an excel spreadsheet which itself is password protected and then carry the spreadsheet with you on a portable USB.**

In general, a good rule of thumb to ensure password security is to treat your password like your toothbrush- don’t let anybody else use it, and get a new one every 3 to 4 months.

* http://techland.time.com/2012/10/25/these-are-the-25-worst-passwords-of-2012/#ixzz2NCfwNTay

** http://community.securusglobal.com/2013/03/05/online-frauds-and-scams-how-safe-are-you-online/

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *