Why You Need Random Passwords

I highly recommend having random passwords for every site you have an account on. If you can’t do that, then at least have different passwords for accounts that hold payment-related information. Why? If an attacker gets access to one of your accounts, then they have just gotten access to every other account that shares the same password as well!

Below are two tips that I found online that don’t make complete sense to me, and they highlight why random passwords are the solution.

Once you have a strong base password, you can use it to create individual passwords for each of your online accounts. Simply add the first three letters of the service, e.g. “E1d_1D!4Y:)GMa” for your GMail account or “E1d_1D!4Y:)eBa” for eBay.

Assuming the attacker got access to one of your passwords, and they noticed the pattern, they can easily pivot to your other accounts using this password “strategy”.

Choose two short words and concatenate them together with a punctuation or symbol character between the words. e.g. “seat%tree”

GPU-based password cracking will breeze through this type of password. Sure, it is easy to remember, but this password “strategy” gets you nowhere.

Minimum Password Length

Several websites state that a password length of 8 is good enough, but that number was based on the CPU technology of the time and how long those CPUs needed to break such passwords. Graphics cards have been taking over the password cracking scene for several years now, as password computations (for certain algorithms) are far better suited to GPUs than to CPUs, which can result in several billion password computations/cracks per second!

So why did I recommend a minimum password length of 12 if permitted? Based upon the above information, aren’t we screwed? I think 12 is good enough for now, as it is much better than a length of 8, where an attacker can brute force that entire key space in a couple of hours to days depending on the GPU and the algorithm used to protect the password. And a required step in the above scenario is that the attacker already has your encrypted password, which would likely come from them hacking into a website and downloading all the customer data.
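To put numbers on the two points above (the “word%tree”-style pattern that GPU cracking breezes through, and why a length of 8 no longer holds up against several billion guesses per second), here is a small key-space estimator. It is an added example for this post, not the author’s code; the 95-character alphabet, the 10,000-word list, the 32 separators and the guess rates are constructed assumptions, and, as the post notes, real GPU rates depend heavily on the hash algorithm the website used.

```python
import math

# Constructed assumptions for the estimate; none of these figures come from the post.
PRINTABLE_ASCII = 95      # upper + lower + digits + 32 symbols + space
COMMON_WORDS = 10_000     # size of a modest wordlist an attacker might combine
SEPARATORS = 32           # punctuation/symbol characters usable between the words


def random_keyspace(length: int, alphabet_size: int = PRINTABLE_ASCII) -> int:
    """Candidates for a uniformly random password of `length` characters."""
    return alphabet_size ** length


def two_word_keyspace(words: int = COMMON_WORDS, separators: int = SEPARATORS) -> int:
    """Candidates for the 'word%word' pattern: first word x separator x second word."""
    return words * separators * words


def entropy_bits(keyspace: int) -> float:
    """Guessing entropy (bits) of a password chosen uniformly from the key space."""
    return math.log2(keyspace)


def seconds_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a sustained guess rate."""
    return keyspace / guesses_per_second


def human_time(seconds: float) -> str:
    """Render a duration in the largest unit that gives a value >= 1."""
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"


def report(guesses_per_second: float) -> dict:
    """Bits of entropy and exhaustive-search time for the three styles in the post."""
    cases = {
        "two words + symbol (seat%tree style)": two_word_keyspace(),
        "random, length 8": random_keyspace(8),
        "random, length 12": random_keyspace(12),
    }
    return {label: (round(entropy_bits(space), 1),
                    human_time(seconds_to_exhaust(space, guesses_per_second)))
            for label, space in cases.items()}


if __name__ == "__main__":
    # Rates bracket "several billion per second" for a fast, unsalted hash; a slow
    # hash such as bcrypt would cut these by orders of magnitude.
    for rate in (1e9, 1e10, 1e11):
        print(f"\nAt {rate:,.0f} guesses/second:")
        for label, (bits, needed) in report(rate).items():
            print(f"  {label:40s} {bits:6.1f} bits  {needed}")
```

The two-word pattern collapses to roughly 32 bits even with a generous wordlist, which is seconds of work at these rates, while each extra random character adds about 6.6 bits; that multiplicative growth is the whole argument for length 12 over length 8.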

What are your thoughts on password lengths? Is it something you worry about? Do you have a better strategy?

For additional reading on password cracking, Dan Goodin from Ars Technica has a couple of good articles on the subject:

How to Create a Strong Password

As passwords are your keys to many digital things, you probably want to ensure that they are reasonably secure and strong, right? There is a lot of advice out there when it comes to creating a strong password, and while most of it is good, some of the recommendations should not be followed.

Part of my responsibilities as a penetration tester was to see if one could determine a user’s password through means like brute forcing. Through those experiences, I’ve gained insight into which password strategies hold up against the techniques attackers currently use.

So how do you create a strong password? Here are four simple tips to secure your digital accounts.

  1. A minimum password length of 12 if permitted
  2. Have a mixture of uppercase and lowercase letters, numbers, and special characters
  3. Use a random password generator to generate the above
  4. Use a password manager to store all your strong passwords and make sure you use a strong password on your vault as well!
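Tips 1 to 3 together, as an added example that is not code from the original post: a generator built on Python’s secrets module that produces uniformly random passwords of at least 12 characters and checks that all four character classes are present. The policy function, the 94-character alphabet and the default length of 16 are assumptions for illustration; a password manager (tip 4) normally does this for you.

```python
import math
import secrets
import string

# Character classes for tip 2; string.punctuation holds the 32 printable ASCII symbols.
UPPER, LOWER, DIGITS, SYMBOLS = (string.ascii_uppercase, string.ascii_lowercase,
                                 string.digits, string.punctuation)
ALPHABET = UPPER + LOWER + DIGITS + SYMBOLS   # 94 characters (assumed alphabet)
MIN_LENGTH = 12                                # tip 1


def meets_policy(password: str, min_length: int = MIN_LENGTH) -> bool:
    """True if the password is long enough and contains every character class."""
    classes = (UPPER, LOWER, DIGITS, SYMBOLS)
    return (len(password) >= min_length
            and all(any(c in cls for c in password) for cls in classes))


def generate_password(length: int = 16) -> str:
    """Tip 3: draw every character uniformly from the CSPRNG (secrets) and
    reject candidates that miss a class, rather than forcing one character of
    each class into fixed positions, which would skew the distribution."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate):
            return candidate


def password_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password of this length over the alphabet."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for n in (12, 16, 24):
        print(f"{n:2d} chars, ~{password_bits(n):.0f} bits: {generate_password(n)}")
```

Rejection sampling keeps every accepted password equally likely among those that satisfy the policy; the rejection rate at 12 characters is small, so the loop rarely runs more than a couple of times.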

In the next post series, I will explain how I came up with these tips and why you should follow them.