Cyber Security Newsletter - April 2024: Will Your Password Crack Under Pressure?
Every day, the Laurier community uses a wide variety of online services, most of which require accounts with a separate username and password for each. Cybercriminals are aware of this and dedicate their time to discovering and "cracking" passwords in an attempt to gain access to your personal, professional, and financial data. Continuous advances in computing power mean that password cracking is becoming cheaper and easier for threat actors.
HOW ARE PASSWORDS CRACKED?
Passwords are most commonly stored by cloud services/websites as "hashes": one-way fingerprints of a password. If you know a password you can compute its hash, but a hash cannot be turned back into the password. (Well-run sites also mix in a random "salt" and use a deliberately slow hashing function, which makes cracking far more expensive than the plain MD5 case assumed in the chart below.)
When you enter a password in a login form, the website hashes what you typed and compares the result against the hash it previously stored for you. If the two hashes match, you're granted access to your account. Passwords can also be stolen outright via phishing or malware, but cybercriminals commonly obtain lists of hashes by breaching websites and then attempt to "crack" them offline: they hash enormous numbers of candidate passwords automatically and look for any that match a stolen hash.
SO... HOW EASY IS IT FOR A CYBERCRIMINAL TO CRACK AN ACCOUNT PASSWORD?
The chart below lists some typical password lengths and character mixes (e.g. "all lowercase" vs. "uppercase, lowercase, number") and the time it would take a threat actor to try every possible password of that kind:
Source: hivesystems.com ("Are Your Passwords In The Green"), 2023. Assumes MD5 password hashing and a cracking rig of 12 Nvidia RTX 4090 GPUs.
WORDLISTS
While a password can be cracked by trying every possible combination of characters ("brute force"), attackers usually start with wordlists: lists of millions of passwords exposed in earlier breaches, plus common choices such as "qwerty", "123456", or "Spring2024". Cracking tools also apply "rules" to every entry (capitalizing the first letter, swapping "a" for "@", appending "!" or a year), so "P@ssword1" falls almost as quickly as "password". This makes it even more important to avoid passwords built from common words, names, dates, or places, however they are decorated.
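The offline attack described in the two sections above, as an added example that is not part of the newsletter: a constructed set of stolen MD5 hashes is attacked first with a small wordlist plus mutation rules, then by brute force over short lowercase strings, and the keyspace arithmetic behind the chart is applied to the one password that survives. The accounts, passwords, wordlist and the assumed GPU cracking rate are all constructed for illustration.

```python
import hashlib
import itertools
import string

# Constructed example data: the plaintexts exist only so this script can build
# the stolen hash list. A real attacker sees only the hashes.
_CONSTRUCTED_PLAINTEXTS = {
    "alice": "Spring2024!",                       # common word + year + symbol
    "bob": "qwerty",                              # straight from any wordlist
    "carol": "bike",                              # short, all lowercase
    "dave": "P@ssword1",                          # "complex" but rule-derived
    "erin": "maple trees drop keys in october",   # 32-char passphrase, in no list
}

def md5_hex(password: str) -> str:
    """Unsalted MD5, the weak storage scheme the chart above assumes."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# What a breach hands the attacker: hash -> account, no plaintext.
STOLEN_HASHES = {md5_hex(pw): user for user, pw in _CONSTRUCTED_PLAINTEXTS.items()}

# Constructed mini wordlist standing in for multi-million-entry leaked lists.
WORDLIST = ["123456", "password", "qwerty", "welcome", "spring2024", "laurier", "hockey"]

def candidates(word: str):
    """Rule-based variants of one wordlist entry: case changes, letter-to-symbol
    substitutions and common suffixes, the same tricks real cracking rules apply."""
    for w in {word.lower(), word.capitalize(), word.upper()}:
        leets = {w, w.replace("a", "@"), w.replace("o", "0"),
                 w.replace("a", "@").replace("o", "0")}
        for v in leets:
            for suffix in ("", "!", "1", "2024", "!1"):
                yield v + suffix

def crack_with_wordlist(stolen: dict, wordlist) -> dict:
    """Hash every candidate and look it up in the stolen set. Returns user -> password."""
    found = {}
    for word in wordlist:
        for cand in candidates(word):
            user = stolen.get(md5_hex(cand))
            if user is not None and user not in found:
                found[user] = cand
    return found

def crack_by_brute_force(stolen: dict, alphabet: str, max_len: int) -> dict:
    """Try every string up to max_len over the alphabet: fine for short lowercase
    passwords, hopeless for long ones (see seconds_to_exhaust)."""
    found = {}
    for length in range(1, max_len + 1):
        for tup in itertools.product(alphabet, repeat=length):
            guess = "".join(tup)
            user = stolen.get(md5_hex(guess))
            if user is not None:
                found[user] = guess
                if len(found) == len(stolen):
                    return found
    return found

def seconds_to_exhaust(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Worst-case time to try every string of the given length over the alphabet."""
    return alphabet_size ** length / guesses_per_second

# Assumed rate for a 12 x RTX 4090 rig against MD5, in the region of published
# hashcat benchmarks (roughly 1.6e11 MD5/s per card). An assumption, not a figure
# taken from the newsletter or its source.
ASSUMED_GPU_RATE = 12 * 1.6e11

if __name__ == "__main__":
    cracked = crack_with_wordlist(STOLEN_HASHES, WORDLIST)
    cracked.update(crack_by_brute_force(STOLEN_HASHES, string.ascii_lowercase, 4))
    for user in _CONSTRUCTED_PLAINTEXTS:
        print(f"{user:6} {'CRACKED: ' + cracked[user] if user in cracked else 'not cracked'}")
    # Why erin survives: 32 characters over lowercase + space is a 27**32 keyspace.
    print(f"all 4-char lowercase strings: {seconds_to_exhaust(4, 26, ASSUMED_GPU_RATE):.1e} s")
    print(f"all 32-char lowercase+space : {seconds_to_exhaust(32, 27, ASSUMED_GPU_RATE):.1e} s")
```

Four of the five constructed accounts fall to the wordlist and a four-letter brute force; the only survivor is the long passphrase, because it appears in no list and its keyspace cannot be exhausted at any realistic rate. Real tools (hashcat, John the Ripper) do exactly this, only with far larger wordlists, thousands of rules and GPU-speed hashing.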
HOW DO I STRENGTHEN MY PASSWORD AND ACCOUNT SECURITY?
Though opinions vary on how strong a password should be, Microsoft recommends 14 characters of all types (uppercase/lowercase/number/punctuation). Other institutions recommend passphrases (full sentences that may include numbers and punctuation), as they can be easier to remember and type while still being longer than a traditional password.
However, not every website accepts passwords of adequate length, let alone an entire passphrase, and very few of us want to memorize a different 15-character password for every one of our accounts. So how do we keep these accounts safe? By using:
- Multi-Factor Authentication (MFA) – Many financial services like online banking now make MFA mandatory so that a guessed or stolen password alone is not enough to get into an account. If your bank or credit card company doesn't require it, enable it yourself and choose a suitable method (an authenticator app or hardware security key is preferable; text-message codes are weaker but still far better than no MFA at all).
- Password Managers – Password managers securely store the passwords for your accounts and make it easy to use a strong, unique password for every one of them. You only have to remember one strong "master" password that unlocks the manager; the manager then generates and fills long, random passwords such as "iE2Js+?1p!" (or longer) for your other accounts, so none of them needs to be memorable or reused.
- "Suspicious Login" Notifications – Laurier automatically sends you an email notification when a suspicious login is detected, but other sites may require you to enable this option manually. Make sure this option is turned on, and keep an eye out for these messages, but refrain from clicking links in the messages unless you're 100% certain of the source (as phishing attempts can also sometimes imitate them).
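How a password manager's generator works, and how the strength recommendations above compare, as an added example that is not from the newsletter or any particular manager: random passwords and passphrases are drawn from the operating system's cryptographic random source, and their strength is expressed in bits of entropy (the attacker needs about 2 to the power of that many guesses). The 16-word list is constructed for illustration; the entropy figures assume the words or characters are chosen uniformly at random, which is what makes a generated passphrase strong and a sentence you made up yourself weaker than its length suggests.

```python
import math
import secrets
import string

# Constructed 16-word list standing in for a diceware-style list; real lists have
# thousands of entries, and entropy_bits shows why that size matters.
WORDS = ["maple", "river", "candle", "orbit", "pencil", "hawk", "winter", "lantern",
         "granite", "velvet", "saddle", "meadow", "copper", "thistle", "harbor", "quartz"]

ALL_TYPES = string.ascii_letters + string.digits + string.punctuation  # 94 characters

def generate_password(length: int = 20, alphabet: str = ALL_TYPES) -> str:
    """Uniform choice from the OS CSPRNG via the secrets module; random.choice
    is seeded predictably and must not be used for passwords."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def generate_passphrase(n_words: int = 5, words=WORDS, sep: str = " ") -> str:
    """Passphrase of n_words independently chosen words (one diceware-style sample)."""
    return sep.join(secrets.choice(words) for _ in range(n_words))

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` independent uniform picks from alphabet_size
    options: roughly 2**bits guesses are needed to be sure of finding it."""
    return length * math.log2(alphabet_size)

def strength_table() -> dict:
    """Entropy of the schemes discussed above, in bits (bigger is better)."""
    return {
        "8 chars, lowercase only": entropy_bits(26, 8),
        "10 chars, all types": entropy_bits(94, 10),
        "14 chars, all types (Microsoft)": entropy_bits(94, 14),
        "5 words from this 16-word list": entropy_bits(len(WORDS), 5),
        "5 words from a 7776-word list": entropy_bits(7776, 5),
        "20 chars, all types (manager-generated)": entropy_bits(94, 20),
    }

if __name__ == "__main__":
    print("random password  :", generate_password())
    print("random passphrase:", generate_passphrase())
    for scheme, bits in strength_table().items():
        print(f"{bits:6.1f} bits  {scheme}")
```

The table makes the trade-off concrete: a 14-character password of all types and a five-word passphrase from a 7776-word list are in the same league (about 92 and 65 bits), while five words from a tiny list, or eight lowercase letters, are not. A manager removes the memorability constraint entirely, so letting it generate 20 or more random characters is the easy win.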
BONUS TIP: HOW TO CHECK FOR PHISHING LINKS IN MICROSOFT OUTLOOK ON YOUR MOBILE DEVICE
While phishing messages are tricky enough on their own, checking where a link in an email really leads is even harder on a mobile device like a phone or tablet. You can't hover a mouse cursor over the link, and the smaller screen leaves less room for on-screen content, so many mobile mail apps don't show the link's destination at all by default.
However, in the Android and iOS versions of Microsoft Outlook, you can instead check the address associated with a link by *tapping and holding* the link (be careful not to tap and let go immediately, as this will open the page to which the link points). If you're still in doubt, forward the message to reportspam@wlu.ca to ensure it's safe to proceed.
What sort of security topics would you like to read about in future newsletters? Send your suggestions to cyberhawk@wlu.ca.