Secure password


A password proves our identity in the online environment. It is therefore one of the most important elements of our cybersecurity, which is why we need to create unique, strong passwords, not lose them, and handle them in a way that keeps them truly safe. Once anyone else obtains our passwords, they gain access to everything behind our accounts: in effect, they become us. In this module, we will learn the basic principle of password security, how passwords are cracked, and how to create a proper, strong password.

How to create a good password

The art of creating secure (strong) passwords does not lie in using dozens of special characters and symbols that make our heads and tongues spin. The revolution in password creation is the so-called passphrase. What is it? A passphrase is a combination of words that are memorable to us, for example "ShoeDancesPolka" or "CorrectFrogsDoNotExercise"; cracking such a passphrase by brute force would take up to several million years.

A passphrase can be built from a line of a poem, a scene from the way to work, or a childhood memory: anything that we will remember well, that is long enough, and that nobody would associate with us. Three to four words are enough, but overall the passphrase should be longer than 12 characters. To strengthen it further, insert filler characters (spaces, digits, punctuation, symbols) at random places, for example "picking.violets.B00M.with.dynamite".

Password crackability

Simply put, there are two main ways to crack a password: social engineering, where we somehow reveal the password to the attacker ourselves, and brute-force attacks. Below we discuss each method, the role of password complexity in it, and how to defend against it.

Cracking by social engineering

This is a form of manipulation that the attacker uses against us. A commonly used social engineering technique is sending a fake email with a link to a fraudulent login page. If we do not detect the fraud in time and fill in the login form, our password is in the attacker's hands. When a password is obtained by social engineering, its strength does not matter: it can have a trillion characters or be a textbook passphrase, but if we type it in ourselves, voluntarily, that strength is worthless. Finally, note that this way of obtaining a password can take just a few minutes and is limited only by our ability to recognize the attacker's fraudulent techniques.

Brute-force attacks

These attacks are not about manipulating the user. If someone wants to try to brute force your password, they do not even need to know who you are. A good example is when someone does not want to pay for the internet and tries to crack our Wi-Fi password.

How does the attack itself proceed? There are several variants. For our purposes, the important point is that practically all of them work by automatically generating and trying combinations of characters, position by position. For this purpose there are so-called bots, programs that can try several thousand passwords in a few seconds.

Let's imagine this attack in a specific case. User Bořivoj has set a PIN code, 2233, to unlock his mobile phone. For a brute-force attack, a small purpose-built device can be connected to his phone, and it does its job very well: it fills in the PIN positions systematically according to its creator's instructions, starting with 1111, continuing with 2222, and after some time reaching 1122. How long will it take to reach Bořek's (that is, Bořivoj's) PIN code? The only thing that slows this brute-force attack down is that phones lock PIN entry for a while after several unsuccessful attempts (for example, for 90 seconds). Even so, the attacker could get into the phone by brute force in a matter of hours. So next time we forget or lose our phone somewhere, we should remember that passwords are not a panacea and that brute-force attacks can be quite unpleasant in some cases.
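To put numbers on the passphrase claims above and on Bořivoj's PIN, here is a small estimator added for this module (it is not part of the original course material). It computes the keyspace of a secret and the worst-case time to exhaust it at a given guessing rate, including lockouts; the alphabet sizes, the guessing rates and the "5 attempts before lockout" policy are assumptions, the 90-second lockout comes from the text, and the results are order-of-magnitude figures, not precise predictions.

```python
import math

# Alphabet sizes and guessing rates are assumptions for the estimate, not figures from the text.
DIGITS = 10            # a numeric PIN
PRINTABLE = 95         # printable ASCII characters
WORDLIST = 7776        # words in a typical diceware-style list (assumption)
ONLINE_RATE = 1_000.0  # guesses/s for a "bot" trying a few thousand passwords in seconds
DEVICE_RATE = 1.0      # guesses/s for a device typing PINs into a phone (assumption)

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates an attacker must consider for a uniformly chosen secret."""
    return alphabet_size ** length

def entropy_bits(space: int) -> float:
    """Strength expressed in bits: log2 of the keyspace."""
    return math.log2(space)

def seconds_to_exhaust(space: int, guesses_per_sec: float,
                       lockout_after: int = 0, lockout_seconds: float = 0.0) -> float:
    """Time to try every candidate, adding a lockout after every `lockout_after` wrong guesses.
    lockout_after == 0 means no lockout. On average the secret is found after half this time."""
    total = space / guesses_per_sec
    if lockout_after > 0:
        total += (space // lockout_after) * lockout_seconds
    return total

def years(seconds: float) -> float:
    return seconds / (365.25 * 24 * 3600)

def report() -> dict:
    """Worst-case exhaustion time for the three kinds of secret discussed in the text."""
    pin = keyspace(DIGITS, 4)
    random12 = keyspace(PRINTABLE, 12)
    phrase4 = keyspace(WORDLIST, 4)
    return {
        # 4-digit PIN, 5 tries then a 90-second lockout (90 s from the text, 5 tries assumed)
        "pin_hours": seconds_to_exhaust(pin, DEVICE_RATE, 5, 90) / 3600,
        "random12_years": years(seconds_to_exhaust(random12, ONLINE_RATE)),
        "phrase4_years": years(seconds_to_exhaust(phrase4, ONLINE_RATE)),
    }

if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name:>15}: {value:,.0f}")
```

Under these assumptions the PIN falls in about two days at worst (one day on average), while a four-word passphrase or a 12-character random password would keep the same bot busy for tens of thousands to trillions of years.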

The good news is that for most of our online accounts such an attack would not work, for example thanks to multi-factor authentication, which you will read about later. Simply put: even if attackers guessed our password, before they could get into the account we would receive a verification request on our mobile device and would know that something is wrong. In that case we must deny the request and immediately change the password, ideally to one that would take the attacker's program a few million years to crack!

Multi-factor authentication

Attackers are constantly coming up with new and more sophisticated methods to get our login credentials and hack into our accounts. Using only passwords is not always enough. Therefore, to protect accounts with a high level of importance, we need to be one step ahead. Multi-factor authentication (MFA) helps us by adding another step to the login process. There can be multiple steps in the login process, but usually, one additional step is used - making it two steps in total, known as two-factor authentication (2FA).

Why is this extra step worth it every time we log in? Two-factor authentication provides an additional layer of protection that is crucial for applications like online banking. It adds another factor to verify the identity of the person logging in. The basic pillar of this verification is that the additional factor is very difficult for the attacker to obtain or duplicate, because it is valid only for a short time or is physically out of the attacker's reach. Therefore the attacker cannot proceed further in the login process, even if they manage to steal our password.

How we can use multi-factor authentication in practice

After entering and successfully verifying our username and password, we are prompted for another form of identity verification, such as a PIN from an authentication app or a fingerprint. After successfully verifying the additional required factor, we gain access to our account. This secondary verification can take many forms, and for simplicity, we divide them into three categories of factors:

  • Knowledge factor (something you know): typical for single-factor authentication, usually a combination of username and password, PIN, or security questions.
  • Possession factor (something you have): for example, a trusted device, phone, one-time password sent via SMS, payment card, key, or security hardware token.
  • Biometric factor (something you are): the most commonly used are fingerprint, retina scan, facial recognition, or voice recognition.

You have probably already encountered several of these verification mechanisms in everyday life. The knowledge factor, such as a password, is the most commonly used. As a second factor, one-time passwords sent via SMS or login confirmations through a mobile app are often used. Thanks to the capabilities of mobile devices, the biometric factor, such as a fingerprint, is increasingly used. The possession factor, such as confirmation on a second device, is also widespread. To provide the desired level of security, two-factor authentication must combine two different factors. Using two different ordinary passwords in succession is not considered two-factor authentication. It is also important to consider that some verification mechanisms are stronger than others.

Using any form of two-factor authentication puts us out of reach of most attacks. It only takes one extra step during login. Two-factor authentication can, of course, be broken, but the attacker has to put in much more effort than with a simple password. Additionally, setting up 2FA is easier than ever, so it's time to start using this security method.

Password manager

How many different accounts and passwords do we have on the internet? Try counting them sometime. Ideally, you should have a unique long password for each of them. Is it really feasible to remember them all? If you can manage that, you are a miracle of nature.

The solution exists in the form of a very convenient and secure tool called a password manager. What is its task? It is essentially a vault that securely stores our passwords in an encrypted form. It works like a database where we store our passwords. There are many password managers: they can be in the form of a browser extension, but they can also be an encrypted database on your computer. Most password managers even fill in the passwords for us during login, so we don't have to search for them tediously.

All password managers have one thing in common: you unlock them with a single password, the so-called master password. From the moment you set up a password manager, it is the only password you need to remember. It is like a big golden key to your treasure chest. The password manager stores every password in encrypted form, so even if someone else gets hold of your database, they can do nothing with it without the master password. Therefore, the master password must be really strong.

Recommending a single password manager is not an easy task. They can be free or paid, they can work as a standalone program on your device (on-device) or in the cloud, and as a browser extension. Among the most used password managers (and among the most trusted according to current tests) are, for example, KeePassXC (on-device), Bitwarden (the free version does not offer 2FA) or the often used LastPass (the free version is available, and it allows some types of 2FA).

Author: CRP-Kyber, edited and translated by Jiří Krčmář | Date: 21.09.2024