Reinforcing the Fundamentals

Password Policies

1. Password Length: The longer the password, the harder it is to crack. Aim for at least 12 characters. Every extra character makes the attacker’s job harder, extending the time needed for brute force attacks from days to centuries.
2. Password Complexity: Complexity matters. A strong password combines uppercase and lowercase letters, numbers, and symbols. Avoid predictable patterns like “Summer2023!” because attackers know them too well.
3. Password Expiry: Regular password updates reduce the window of opportunity for attackers. Stale passwords are like an open door to your systems. While frequent changes can be inconvenient, they limit the damage from leaked or compromised credentials.

Password Storage

1. Hash: Passwords must never be stored in plaintext. Hashing transforms passwords into a fixed-length string of characters, rendering them unreadable. If the database is breached, hashed passwords are significantly harder for attackers to exploit.
2. Salt: Salting adds a unique value to each password before hashing. This ensures that even if two users have the same password, their hashed values differ, protecting against precomputed attacks like rainbow tables.
3. Slow: Use hashing algorithms like bcrypt to slow down brute-force attempts. Slow hashing buys critical time against cracking efforts.

Password Selection

Words for Length

• Combine unrelated words to create a passphrase. For example, "SunflowerFjordMangosteen" is memorable and far stronger than "123456."
• Use words from different languages, such as “GirasolFlodMangosteen,” to add an extra layer of complexity.
• Include uncommon words like "Quokka" or "Fjord" that are less likely to appear in common dictionaries used by attackers.

First Character for Randomness

Derive passwords from the first letters of a meaningful phrase. For example, the phrase “I would love to share my thoughts with you” becomes “Iwltsmtwy.”

Emerging Password Challenges

Cloud

1. Easy Cracking: The cloud has democratized access to high-performance computing. Attackers can deploy powerful servers on-demand, significantly reducing the effort and expertise required to crack passwords.
2. Cheap Cracking: A single p3.16xlarge instance, costing just $5/hour, comes equipped with 8 Tesla V100 GPUs capable of performing immense computational tasks. For attackers, cracking passwords has become a budget-friendly operation.
3. Powerful Cracking: Consider the raw power of cloud instances: one p3.16xlarge server delivers 450 GH/s for MD5 cracking. Scale that to 280 servers, and you’re looking at 126 TH/s—enough to try 10 quintillion passwords daily.

Blockchain

1. Dedicated Hashing Hardware: ASICs, originally built for Bitcoin mining, have found a new purpose in password cracking. These devices are optimized for hashing algorithms like SHA256, making them faster than traditional CPUs or GPUs.
2. Affordable Hashing Power: Renting SHA256 hashing power costs as little as $50 for enough computational power to test 90 quintillion password combinations in just 15 seconds.
3. Exponential Growth in Resources: The Bitcoin network currently delivers over 100,000 PH/s in hashing power, and platforms like NiceHash contribute an additional 100 PH/s.

Innovative Password Solutions

Password Manager: Uniqueness and Randomness

Uniqueness

• Even the strongest passwords can fall victim to phishing, keyloggers, or cross-site scripting. Once compromised, reused passwords create a domino effect across all accounts.
• Password managers generate unique passwords for every account, breaking this chain of vulnerability. They also store these passwords securely, so you don’t have to remember them.

Randomness

• Humans are predictable. Passwords like “P@ssword123!” or “January2024!” are far too common. Attackers know the patterns we rely on.
• Password managers generate truly random strings, such as “8@fT$1r2%zL!3Q.” High entropy makes these passwords virtually impossible to guess, even with advanced cracking techniques.

Passwordless with SSO, MFA, or Federation

• Simplifying Security: Reducing password dependency reduces risk. Passwordless solutions, such as biometric authentication or hardware tokens, eliminate the need for traditional credentials.
• Strengthening Access: Multi-Factor Authentication (MFA) adds a second layer of security, requiring users to verify their identity with something they know (a password) and something they have (a code or biometric).

• Centralized Management: Single Sign-On (SSO) and Identity Federation simplify access across systems with a single set of credentials. Integrating these solutions with password managers provides convenience without compromising security.

Call to Action

The password landscape is evolving, and so are the threats. Weaknesses in selection, storage, or policy create easy targets for attackers leveraging cloud and blockchain technologies. But with tools like password managers, SSO, and MFA, you can stay ahead of the curve.

Are your defenses ready? Start rethinking how you secure and manage passwords today.