Every day, the Laurier community uses a wide variety of online services, most of which require accounts with a separate username and password for each. Cybercriminals are aware of this and dedicate their time to discovering and "cracking" passwords in an attempt to gain access to your personal, professional, and financial data. Continuous advances in computing power mean that password cracking is becoming cheaper and easier for threat actors.
Passwords are most commonly stored by cloud services and websites as "hashes": one-way transformations of a password. If you know a password, you can compute its hash, but you cannot recover the password from the hash.
When you enter a password in a login form, the website hashes what you typed and compares the result with the hash it previously stored for you. If the two hashes match, you're granted access to your account. Though passwords can also be stolen via phishing attempts or by installing malware, cybercriminals commonly obtain lists of hashes by breaching websites and then attempt to "crack" the hashes by automatically testing long lists of password candidates against them.
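The login check described above, as an added example that is not part of the original newsletter: it contrasts a plain, fast MD5 hash (the storage scheme the cracking chart below assumes) with a per-user salted, deliberately slow PBKDF2 hash, and shows why two users who share a password are far more exposed under the first scheme. The usernames and password are constructed sample data, and the iteration count is an assumption, not a figure from the page.

```python
import hashlib
import os
import secrets

# Constructed sample credential for the demonstration; not a real account.
SAMPLE_PASSWORD = "Spring2024"


def md5_hash(password: str) -> str:
    """Unsalted, fast hash. Every user with the same password gets the same hash,
    so a single cracked hash from a breach unlocks all of those accounts."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def make_record(password: str, iterations: int = 600_000) -> dict:
    """Create the stored record for one user: a random 16-byte salt plus a slow
    PBKDF2-HMAC-SHA256 hash. The iteration count is an assumed, illustrative value."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_password(record: dict, attempt: str) -> bool:
    """The login check: re-hash the attempt with the stored salt and iteration count,
    then compare in constant time so the comparison leaks no timing information."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256",
        attempt.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return secrets.compare_digest(candidate.hex(), record["hash"])


def demo() -> dict:
    """Two constructed users who chose the same password, stored both ways."""
    alice_md5, bob_md5 = md5_hash(SAMPLE_PASSWORD), md5_hash(SAMPLE_PASSWORD)
    alice_rec, bob_rec = make_record(SAMPLE_PASSWORD), make_record(SAMPLE_PASSWORD)
    return {
        "md5_identical": alice_md5 == bob_md5,          # True: one crack fits both
        "pbkdf2_identical": alice_rec["hash"] == bob_rec["hash"],  # False: salts differ
        "correct_login": verify_password(alice_rec, SAMPLE_PASSWORD),
        "wrong_login": verify_password(alice_rec, "spring2024"),
    }


if __name__ == "__main__":
    print(demo())
```

The slow hash does not make a weak password strong; it only raises the attacker's cost per guess, which is why the length and complexity advice below still matters.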
Here's a chart with some typical password lengths and complexities (e.g. "all lowercase" vs. "uppercase, lowercase, number") and the amount of time it would take a threat actor to compute the correct password:
Source: hivesystems.com ("Are Your Passwords In The Green"), 2023. Assumes MD5 password hashing and 12 Nvidia RTX 4090 GPUs for cracking.
While a password can be cracked by brute force, trying every possible combination of characters, attackers can also speed up their attempts by using wordlists filled with common passwords such as "qwerty", "123456", or "Spring2024". This makes it even more important to avoid simple passwords such as those built from common names, dates, or places.
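A small strength estimator, added here as an example and not taken from the newsletter or from Hive Systems, that reproduces the logic behind the chart above and the wordlist point: a password found on a common-password list falls immediately, and otherwise the worst-case time is the size of the character set raised to the password's length, divided by the attacker's guess rate. The rate constant, the tiny common-password list and the passphrase dictionary size are all assumptions for illustration; the page itself does not give the GPU throughput.

```python
import math
import string

# Constructed stand-in for a real cracking wordlist, using the page's own examples.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "spring2024", "letmein", "welcome1"}

# Assumed attacker throughput in guesses per second for a fast, unsalted hash such as
# MD5 on a dozen high-end GPUs. This figure is an assumption, not one from the page.
ASSUMED_RATE = 2e12


def charset_size(password: str) -> int:
    """Size of the smallest standard character class set that covers the password."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable punctuation characters
    return size


def keyspace(password: str) -> int:
    """Number of candidates a brute-force search must cover in the worst case."""
    return charset_size(password) ** len(password)


def seconds_to_crack(password: str, rate: float = ASSUMED_RATE) -> float:
    """Worst-case brute-force time; zero if a wordlist would find it outright."""
    if password.lower() in COMMON_PASSWORDS:
        return 0.0
    return keyspace(password) / rate


def passphrase_seconds(n_words: int, dictionary_size: int = 7776,
                       rate: float = ASSUMED_RATE) -> float:
    """Worst-case time for a passphrase of n_words words, assuming the attacker knows
    the word list (7776 words is the size of the Diceware list, used as an assumption)."""
    return dictionary_size ** n_words / rate


def humanize(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for name, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    for pw in ("Spring2024", "abcdefgh", "Abcdefg1", "Tr0ub4dor&3xy", "Ab1!Ab1!Ab1!Ab"):
        print(f"{pw:16} {humanize(seconds_to_crack(pw))}")
    print(f"{'5-word passphrase':16} {humanize(passphrase_seconds(5))}")
```

The estimate is deliberately pessimistic for the defender: it assumes the stored hash is fast and unsalted, as in the chart, and that the attacker must exhaust the whole keyspace. A slow, salted hash divides the rate by orders of magnitude, but a wordlist hit still costs the attacker almost nothing, which is why "Spring2024" scores zero regardless of its mix of character classes.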
Though opinions vary on how strong a password should be, Microsoft recommends 14 characters of all types (uppercase/lowercase/number/punctuation). Other institutions recommend passphrases (full sentences that may include numbers and punctuation), as they can be easier to remember and type while still being longer than a traditional password.
However, not all websites support acceptable levels of password strength, let alone supporting entire passphrases, and very few of us will want to memorize a 15-character password for each of our 10 accounts. So how do we keep these accounts safe? By using:
While phishing messages are tricky enough on their own, checking the validity of links in email messages can be an even more difficult task on a mobile device like a phone or tablet. It's not possible to hover a mouse cursor over a link, and the smaller screens of these devices leave less room for on-screen content, so many mobile mail apps don't show a link's destination at all times.
However, in the Android and iOS versions of Microsoft Outlook, you can instead check the address associated with a link by *tapping and holding* the link (be careful not to tap and let go immediately, as this will open the page to which the link points). If you're still in doubt, forward the message to reportspam@wlu.ca to ensure it's safe to proceed.
What sort of security topics would you like to read about in future newsletters? Send your suggestions to cyberhawk@wlu.ca.