February 1st is Change your Password Day

Access Granted. Welcome.

Today I want to go into a somehow foreign topic to this blog; Password Security. As everybody that read the title now knows, today is Change your Password Day and you would probably think I knew about this, well I didn't, first day I've ever heard of it. But no worries, as it looks like, the Change your Password Day is in its 4th year going and is aimed at all those lazy sons of biscuit eaters that use the same two passwords on every possible website, and I am guilty of that as well. Let us have a look into what everybody should do right now to secure their online accounts.


First of all, if your password gets stolen with a pair of tweezers then that's your own darn fault, and second, as I said, today is the first time I hear about this being an official thing, and there's even a World Password Day in May every year. But who cares? You have used the same password for your e-mail account for the last 8 years and nothing happened right? You are just asking for the tweezers army to get you, while you sleep, defenseless against a .5s long dictionary attack that will get your password in less than a heart beat because you used Summer15 as your damn password.

I don't think I need to tell you how important strong passwords are, I mean computers and the internet aren't that new anymore. Everyone uses it, and everyone has an account somewhere. What I want is to show you how easy it is to screw you over by finding out only one of your passwords, tweezers style. So, I want to have access to your data or accounts, what's the first thing I need? Your E-Mail password. I can be sure that 95% of your online accounts run on one or two of your e-mail addresses, so if I can gain access to them, I can log in to every other account, work through the "password lost" process, change the passwords and even take ownership of your Youtube account, Facebook, order on Amazon because you saved your payment information, etc. etc. And that only because your e-mail is secured with the password "Summer15".

I know I know, you have heard this a thousand times already and I am not telling you anything new and blah blah but, I bet you still use the same passwords everywhere. I mean this is like backing up your data, at first you never care, why should you, the PC works perfectly, until it happens. You only lose your data once, it happened to me as well, lost a year worth of programming work and I nearly died when I noticed. Don't wait until it's too late, hah! New slogan.

Now, let me show you how easy it is to find out your password. First, the classic brute-force attack. It works by calculating every possible combination that could make up a password and testing it to see if it is the correct combo. As the password’s length increases, the amount of time, on average, to find the correct password increases exponentially. This means short passwords can usually be discovered quite quickly, but longer passwords may take decades. Should you use a whole sentence then, since longer passwords seem harder to discover? Well, no, because here comes the dictionary attack. A dictionary attack is based on trying all the strings in a pre-arranged listing, typically derived from a list of words such as in a dictionary (hence the phrase dictionary attack). In contrast to a brute force attack, where a large proportion of the key space is searched systematically, a dictionary attack tries only those possibilities which are deemed most likely to succeed. These two attacks can absolutely wreck your Summer in no time.

Damn I love these stock photos, I also put on gloves for that extra stealth while typing in my basement. Okay now the next danger are Key Loggers. Once one of these key loggers gets installed on your computer, every stroke of your keyboard gets registered and saved in a text file, someone interested in that data just has to filter through the files until he finds the point where you typed in your password. These are the three easiest ways to get to your password as long as there's no encryption involved. I won't go over all the existing methods in full detail because what I want to show is how easy it is to "guess" your password, but even with a strong password you can still be victim of phishing, eavesdropping or malware that searches your computer for stored credentials.

Change all your passwords

"But I have like a 100 different accounts, how am I supposed to memorize all the passwords?". That's the same lazy ass question you hear every time when mentioning this topic. I was one of them, I had one password in three different variants and a stronger password I had been using for everything over the last eight years. Even my two e-mail addresses were protected by a 8 number digit and one letter. An absolute no-no.

The first thing I tried was to come up with a system, how could I create a very strong and page specific password and be able to remember the password a year later without having to write it down. For a strong password we are going to need AT LEAST eight digits long and be formed out of upper and lower case letters, numbers and special characters. With the system I had in mind, lets create a password for this site, Blogger.

The first thing is, I'm going to use the websites name in my password, that's how I make a unique code for each account. You can use your imagination here, but in this case I am going to change every letter in the word Blogger for the next letter in the dictionary:


Now this isn't very safe yet, nobody won't ever guess it but it's still peanuts for a brute force attack. In that first version I've already added a second upper case letter to the password. Now we need some numbers, and for that you have to think of one, this will be the secret key to remember your password. For the sake of the example I'm going to use the year of my birth, 1989, but we all know that you really shouldn't use that in passwords. Now, I'm not going to use this number, but you now can do something like, multiply it by the number of letters the website has in it's name, in this case 7, giving you the number 13923. Now you can decide how you want to implement them, you are creating a system here so there's no right or wrong here. I'm going to always put the two first digits in front of the letters, the rest after. So now we have this:


Okay okay, it's not looking that bad, but we still need some symbols. I'm going with a hash tag in front of the first letter and an exclamation mark at the end:


So, there it is, we just forged a system for creating an easy and pretty safe password for every site, considering that a brute force attack program would have to try 257 septillion (257000000000000000000000000 or 257 1024) combinations before cracking that password.

If you now think this system is over-complicated, please read it again. The only thing you need is to memorize two rules and your secret number, without it you can't replicate any of your passwords and it's safe as long as you don't tell it to anybody. This is how a bunch of passwords would look like using the system explained above:

    • Google:       11#HpphmF934!
    • Twitter:        13#BnbapO923!
    • Facebook:   15#GbdfcppL912!

Of course you could add more rules to increase the difficulty, for example if the number of letters in the websites name is even, you divide instead of multiplying your secret number but that's up to you.

"But I don't like to think..."


Ok, so for those of you that don't want to think about passwords all day but still care enough to know how important they are, this may help you. While searching the internet for information about this password day, I stumbled upon this Lastpass tool. This is a password vault service that has you covered on all your devices, since it comes as a browser extension as well as an app for android and apple. Your master password is locally encrypted and never sent to the Lastpass servers, 3D authentication is also available and strongly recommended. I have personally never used this Service, but from what I have read the last ten minutes it sounds very promising. You can go ahead and check it for yourself using this LINK.

My solution to this whole security issue is called Keepass, a small program that encrypts your credentials database with SHA-256 you only need one master password. Once you created that database you can store and manage all your credentials with a file so small it could fit on a floppy disk. Personally I don't really need my passwords when I'm away from my PC, but you can carry your Database around on a USB Stick on your key chain or whatever, and without previous installation access your credentials on every Windows PC. Click this LINK for a list of all its features.

"My passwords are safe the way they are now"

That's your choice, and I'm sure that you're responsible enough no to leave this to chance. With this short article I wanted to bring you a little bit closer to what can happen to your password, and possible ways to avoid a worst case scenario. If you already knew about all this, be safe and stay frosty around the interwebs, and if all of this is completely new to you, please take a few more minutes and check out the two password managers I just talked about and maybe google this topic for a bit. Don't wait until it's too late ;-)




Popular posts from this blog

Strategy [Rocket League]

Project 90 [FN P90]