DON'T take passwords lightly.

Posted: December 6th, 2016

By Jeremy Sonntag

Your user name and password is like the front entrance to your personal data. How do you lock the door to your home? Or to your car? Well, your home and car are only accessible by the limited number of people who physically pass buy it. Your computer and other various accounts interface with the whole world via the web. The world population is about 7.4 billion, and about 3.5 billion are online, steadily growing. So perhaps it's a good idea to reconsider your password strategy.

Internet Live Stats

Massive security breaches are breaking news almost weekly it seems. Late 2014, Sony was compromised and suffered major damages. Home Depot and Target were also victims. This year (2016) 500 million Yahoo accounts were stolen. Last week, I heard about an instance of "ransomware" via brute forcing a terminal server and a weak password was the failure point.

NY Times Yahoo Breach Article

CNN Yahoo Breach Article

I think the first method of defense is understanding some of the usual techniques used to by attackers.

Methods of attack

"Brute Force". It's exactly what it sounds like. Attackers will use a program to try a dictionary of passwords against a user name. This can be time consuming but when executed strategically, it is effective. Often, these attacks will target generic accounts like admin, accountant, intern and so on. Typically, though public facing logins have lockout policies so this method is not very effective as long as your password isn't "password". However, a virus can target the user / password database and upload it to a remote server. The passwords in that database are often encrypted, but at this point the attackers can make as many attempts as they like without being locked out. Brute force software running on a fast computer can check 100's of millions of passwords per second. Think yours is safe?

Simple or default passwords

Brute force isn't needed when your password is 12345. Even the strongest systems have at least 5 attempts before a lock-out occurs. Most systems accept quite a bit more attempts. An attacker has a handful of educated guesses they might try. This could be a targeted attack where they learn something about you via various social media, company website posts, news articles, etc. How many of you use your dog's name as your password? And how many pictures of your best friend are posted on Facebook tagged with "Brutus"or "Sparky". The attempts could be a completely automated using custom software guessing simple, "easy to remember" passwords like "Password1". Lastly, on the "simple passwords" rant, don't leave your password default. Often preconfigured systems are preconfigured because that makes them easy to start using immediately however, they must have something in place for authentication that the provider expects you to change! YET! Too often the recipient of such a user friendly product or service neglects to change this default password, leaving the front door wide open. Just type into Google "Netgear default password" or some competing brand, and you will see that these defaults are well documented all over the web.

Other compromised accounts

Is the password to your bank or email account the same as some subscription account you created, or an old email account you don't use any more? It's rather common for people to use the same password across all of their accounts whether they're important or completely irrelevant. Then some inconsequential account (the 2016 yahoo breech) is compromised, your commonly used password is exposed to someone who is interested. Actually, these hacked password databases are usually sold off multiple times to interested parties, and for a very good reason. Because it is VERY common to reuse passwords, even for your "junk" account that you don't care about, yet, this might reveal precious access to your bank or work account if the passwords match. Be conscious of this! This is an exceedingly common vector of attack. Take a visit to this website to find out if some old account of yours is subject to a known database infiltration.

Password Recovery Email

Another method of attack is gaining access to the email account used for your password recovery. When you forget your password there is typically a method for you to recover and reset your password. The most common practice is to email you a recovery link so that you can reset your password. Suppose that email account has been compromised. Well, the attacker can easily review the email in that account for notifications from Facebook, Wells Fargo or other accounts in order to find what accounts you have attached to this email so that they can then begin resetting passwords to each of these accounts one by one.

A new Android based malware called "googlian" has gained access to over 1 million Gmail accounts. Check your Gmail account here.

As mentioned previously, if you have a Yahoo account, you should just consider it to be publically accessible by any hacker until you change your password.

The Verge Article on googlian virus

Check your Gmail account Here

Internal / local / ad accounts (still vulnerable to viruses)

You might say "all these attacks are on internet accessible accounts so why should I worry about my internal network passwords?" Think about what those passwords are protecting. Company data? Customer data? Then tell me this; have you ever had a virus on your computer? A virus is simply a computer program that carries out its authors wishes. Some of the things viruses have been known to do is look for databases, password lists, account information, as well as recording what you type on your keyboard. It then sends this data back to the author. Do you think the data in your local network is safe with "password123" ?

Methods of protection / prevention

Now that you are sufficiently aware that passwords should indeed be something of concern, your next question might be "what should I do?" The reason most people have these weak password management techniques is because of convenience. Everyone is familiar with the old idiom "time is money". Maintaining a different complex password for each account you have is time consuming and ostensibly unreasonable. Security is often at war with convenience. When the demands of security impose too much of an inconvenience, security is discarded, so it is important to find a balance or compromise. A very difficult task to be sure. Something that will be custom to each individual or company. I'll cover the basic principles so you can decide what steps to take to keep yourself secure.

Password complexity

Password complexity is the most obvious and first step to take. It is also the most ignored. If you purchase the most advanced and expensive safe available then set your combo to 12345 how safe is your stuff?

"Keyspace" is a notable term in cryptography which describes how many possible combinations are available within a given space. Suppose your password is digits only (0-9) and is 8 characters long, then your keyspace is 111,111,110. Meaning it would take that many guesses to find your password if ever guess was wrong until the last one. That might seem like a lot but for a computer, it would take about 0.00111 seconds. An Ideal password should have a mix of upper and lower case, numbers, 2 symbols and be 12+ characters. Maybe this seems excessive. Visit this keyspace calculator to find out how long it will take a computer to crack your password. After you try your password, Try this one "$%egq68HbvqG".

Change your password periodically

Over a period of time it is possible your password has been exposed to others, whether it was part of a breach, or you wrote it down for someone to notice, or you told someone. There are many scenarios where someone might have been exposed to your password. That being so, it is smart to change your password periodically. How frequently depends on how vulnerable your password might be or how valuable your data is, but password rotation is a smart choice.

Password management

I have now given you all of these reasons to manage your passwords and make them secure and I realize this heavily compromises your convenience. So where do we go from here? Unfortunately, I don't have a guaranteed solution, however I have some suggestions.


Spreadsheets or lists of passwords are generally not a good idea unless you are able to keep them in a very secure and encrypted location. If your account automatically has access to this data without authentication, then any virus accessing your computer does as well. Use this method only if you are confident in its execution.

Under keyboard / sticky notes

Because of password complexity and rotation, it is fairly common for users to write their password down and tape it to the bottom of their keyboard. The metaphorical key under the doormat. This is actually more secure than having a password like "12345". With a secure password, this brings potential access from worldwide to physical access. But for obvious reasons, still not a good idea. Access for anyone walking by is just too easy.


Managing passwords is difficult, and if you are like me, you have many many online accounts and subscriptions which is nearly impossible to do safely and securely in the fashion that has been discussed so far. What is needed is a secure method to store and access your set of complex passwords. I use a software which I have complete trust in after a great amount of research. It's called Lastpass. Lastpass.com With this software, I can have very complex (high entropy) passwords, different for every account, and it is not terribly inconvenient. Using Lastpass, I setup 1 very secure password that I CAN remember to access the Lastpass account, then assign the rest of my accounts with auto generated random passwords that I will never remember. Lastpass can securely store and enter those passwords for me when I need them whether on my computer, tablet or smart phone. Android phones are even able to use your fingerprint to authenticate you. What's even better, you can set it so that your computer / device does not have access to that password database unless you authenticate it when needed with your Lastpass credentials.