Docs Information Security

Become a Password Pro

Taube, Dan Published on Apr 08, 2020 

A few changes can add a lot of protection

Account compromise is one of the top risks to users and organizations. It can cause data exposure, account lockout, and disruption of daily activities. With a few simple changes, you can reduce the chances of it happening to you.

Cyber attackers and threat actors are relentless. They are a persistent threat that can quickly adapt to technical protections. With a few changes to how you handle your passwords, you can greatly reduce their ability to cause harm.

The following guidance was summarized in our Staying Secure While Off Campus post. Here we dive in on a few of the most important suggestions.

When a data breach happens, attackers can gain access to usernames and passwords. Once they have this data, assuming that it is encrypted and unreadable, they will attempt to "crack" the password. If they are successful, they will then attempt to use that information to log in to other popular services. If the same username and password were used, they will likely gain access to those services with little effort.

What is password cracking?

In general, password cracking is the process by which an attacker can determine what your password is. There are several simple techniques that can be used to achieve this goal. Depending on how simple your password is, this can be accomplished in a short amount of time. They just need to obtain a copy of your encrypted password to try and crack it.

By using a different password for each service, you can protect yourself against this type of attack.

The following image is from xkcd.com, a popular webcomic that covers a wide range of topics including technology. It highlights one of the greatest failures to occur within the information security industry. It also offers an example of an easier approach that is in fact more secure.

xkcd webcomic 936

Simply put, complex passwords are not necessarily secure passwords.

Length is Key

As mentioned in the previous section, passwords can be cracked. It does require some entry-level knowledge and freely available software, but it can be done fairly easily. The only real protection against password cracking is to increase the length of your password. However, that does not mean it needs to be more difficult to remember or use.

Use a Sentence Instead

As demonstrated in the webcomic above, a random assortment of words can result in a passphrase (correct horse battery staple) that would take multiple lifetimes to crack. For a seemingly complex password (Tr0ub4dor&3), it would take only a matter of days. With continued advancements in computing power, password length will be the only real defense against password cracking attempts.

Password Policies

Even with a more secure passphrase, you will still need to meet password policy requirements. The University default standard requires at least one uppercase letter and one number.

Examples

Never use examples

Never use these examples or others you find as your actual password. Password cracking software will attempt to crack your password with "correct horse battery staple" just as much as it would try "password".

The following are a few examples of randomly generated passphrases that are more secure than a more complex, but shorter password:

  • blast delay exterior riverbank
  • sanitary cheddar deception baggie
  • nectar context tattoo phoniness
  • broom rinsing monk strongman

Longer Complex Passwords

While longer, randomly generated passwords are just as secure, they are rarely memorable. Further, they are often a pain to enter by hand.

For example, Lf9Z$Iibs79m&n is secure, but it would likely be a regular frustration for a user typing it in.
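As an added worked example (not part of the original post), the following Python script puts numbers on the comparisons above: it computes the entropy of a four-word passphrase, of Tr0ub4dor&3, and of the page's Lf9Z$Iibs79m&n, estimates the worst-case time to exhaust each at a throttled 1,000 guesses per second (the rate xkcd 936 assumes), generates passphrases with a CSPRNG like the randomly generated examples listed above, and checks the University policy quoted earlier. The sample word list, the guess rate, and the 28-bit figure for Tr0ub4dor&3 are assumptions taken from the comic for illustration, not measurements.

```python
import math
import re
import secrets

# Constructed sample word list for the demo; a real generator would draw from a
# large list such as the 7,776-word EFF diceware list.
SAMPLE_WORDS = [
    "blast", "delay", "exterior", "riverbank", "sanitary", "cheddar",
    "deception", "baggie", "nectar", "context", "tattoo", "phoniness",
    "broom", "rinsing", "monk", "strongman",
]

# Assumed rate for illustration: a throttled online login, as used in xkcd 936.
ONLINE_GUESSES_PER_SEC = 1000
SECONDS_PER_YEAR = 31_557_600


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of `length` independent, uniformly random picks from `pool_size` options."""
    return length * math.log2(pool_size)


def worst_case_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Time to exhaust a search space of 2**bits guesses at a fixed guess rate."""
    return 2.0 ** bits / guesses_per_second


def meets_policy(password: str) -> bool:
    """The page's stated University default: at least one uppercase letter and one digit."""
    return re.search(r"[A-Z]", password) is not None and re.search(r"[0-9]", password) is not None


def generate_passphrase(words, count: int = 4, satisfy_policy: bool = False) -> str:
    """Pick `count` words with the CSPRNG-backed `secrets` module (never `random`).
    With satisfy_policy, capitalize the first word and append one random digit so the
    result passes meets_policy() while the words remain the real source of strength."""
    phrase = " ".join(secrets.choice(words) for _ in range(count))
    if satisfy_policy:
        phrase = phrase[0].upper() + phrase[1:] + str(secrets.randbelow(10))
    return phrase


def main() -> None:
    cases = [
        ("passphrase", entropy_bits(2048, 4)),   # four words from a 2048-word list: 44 bits
        ("Tr0ub4dor&3", 28.0),                   # dictionary word + predictable tweaks: xkcd's estimate
        ("Lf9Z$Iibs79m&n", entropy_bits(94, 14)),  # 14 random chars from ~94 printable symbols
    ]
    for label, bits in cases:
        years = worst_case_crack_seconds(bits, ONLINE_GUESSES_PER_SEC) / SECONDS_PER_YEAR
        print(f"{label:15} {bits:5.1f} bits  ~{years:,.1f} years at {ONLINE_GUESSES_PER_SEC} guesses/s")
    print(generate_passphrase(SAMPLE_WORDS), "|", generate_passphrase(SAMPLE_WORDS, satisfy_policy=True))


if __name__ == "__main__":
    main()
```

The 44-bit passphrase works out to roughly 557 years and the 28-bit password to about 3 days at that rate; an offline attack on a leaked hash runs many orders of magnitude faster, which is why length, not clever substitutions, is what buys time.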

A secure password is only good if it is kept private. Keep reading to learn about phishing emails and how they can be so effective.

Phishing emails continue to be the preferred attack method for threat actors. They are low cost and can be mostly automated. The only real defense against them is awareness and diligence.

IT Help has a great set of articles linked in their Overview of Phishing.

A brief history of phishing

Early phishing emails used generic language and were mostly text. On occasion, that text would include the name of the organization to increase trust. Users were simply asked to reply to the sender with their username and password.

As technical teams became more aware of the issue, they were able to respond and take action rather quickly. Technology was eventually developed that could detect such messages and block them before they reached anyone. However, this just began a type of cat-and-mouse game between IT and the phishers. That "game" continues today and can be rather advanced.

A few examples of phishing emails

In addition to learning How to Recognize Phishing Emails, seeing actual examples can help users better recognize when they receive one. The following are real phishing emails received by the Information Security Office in the past year.

Example 1

In this example, the attackers are leveraging a common experience where you are asked to log into another service to access a message. This is normally seen with financial institutions such as your bank. In this case, the Read Message link takes users to a hacked website that has a username and password field.

Example 2

In this example, the attackers take a simpler approach. They attempt to create concern in the recipient by claiming their email address has expired. The link in the message takes users to a hacked website asking for their username and password.

Example 3

In this example, the attackers combined both of the above attacks. They first create concern and urgency by indicating there are messages being held pending release. Then they provide an instruction that the messages must be released to the inbox by clicking a link. Again, the link takes users to a hacked website that looks similar to login pages you might normally see.

Send to abuse@ilstu.edu for confirmation

We know that some of these messages can be very convincing. If something seems suspicious or you just want an extra eye, you can email abuse@ilstu.edu and we will evaluate the message.