Why is it important to have complexity in passwords? Aren’t we supposed to remember our passwords in order to log in? Of course we should be able to know our passwords, but that doesn’t mean we are supposed to memorize them all and keep them all in our head. I can remember a time when we would have one password as a sort of ‘master key’ that gave access to everything, or sticky notes pasted around a monitor and on a desk showing all the passwords to different systems or games. Those should be a thing of the past.
While having a monitor covered in sticky notes, or notepads on your desk at home with passwords in them, doesn’t pose an immediate threat or risk, it’s still not a great practice. If someone broke into your home, or you had a guest over and they saw something they shouldn’t, who knows what they might do with that information.
Over the years, threat actors and just genuinely bad people have built what are essentially databases of stolen and otherwise compromised passwords from real people. These stolen credentials are then put into what are called ‘word lists’, which are just text files consisting of thousands, hundreds of thousands, or more passwords. Those word lists are used in automated tools to brute force or try to crack a password hash (more on that in a little bit).
Password complexity check from onlinehashcrack.com
A common ‘temporary password’ is a variant of “winter2021”. It’s simple and easy to remember, and it generally satisfies most websites’ and systems’ password requirements. As you can see in the above image, it has been widely compromised.
A variant of “winter2021” found in the RockYou password list.
Technology has advanced over the years, and now most systems do not store passwords in plain text, or in their actual form. Instead, they use hashing, a cryptographic function that turns one string of characters into another string of characters, making it very difficult to guess or crack the original password. This provides a hardened layer of security for passwords, because even if you obtain the hash value, you would still need to crack it to be able to use it, in most cases. Entering the hash value as the password would not work either, because the system would process that hash value as if it were a password, and it would not yield the correct password in most cases.
Example of password hashing using MD5 Hash against “winter2021”.
Looking at the hash value for that password, we can assume that each time a wordlist containing it is run against an application or system, the hashes of those common passwords are checked against the stored hashes. If you use a common password, it will be cracked, and if you reuse a password, that greatly increases the risk of the hash being obtained and cracked in the future.
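To make the two points above concrete, here is an added example (not code from the original post) that hashes “winter2021” with MD5 the way the screenshot does, shows how a precomputed wordlist lookup finds it instantly, and shows why typing the hash itself as the password fails. It also goes one step beyond the post by contrasting unsalted MD5 with a salted, slow PBKDF2 record, which is why the same common password does not match any precomputed table. The wordlist is a tiny constructed stand-in, not the real RockYou file.

```python
import hashlib
import hmac
import os

# Constructed sample standing in for a leaked wordlist such as RockYou.
SAMPLE_WORDLIST = ["password", "123456", "winter2021", "Winter2021!", "qwerty"]


def md5_hex(password):
    """Unsalted MD5 of a password: the scheme shown in the post's screenshot."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_lookup(wordlist):
    """Precompute hash -> password for every entry once. Because MD5 has no salt,
    the same password always produces the same hash, so a stored hash of a
    common password is effectively already cracked."""
    return {md5_hex(word): word for word in wordlist}


def found_in_wordlist(stored_md5, lookup):
    """Return the matching wordlist entry for a stored hash, or None."""
    return lookup.get(stored_md5)


def verify_login_unsalted(stored_md5, entered):
    """The system never reverses the stored hash; it hashes whatever was typed
    and compares. Typing the hash itself therefore does not log you in."""
    return hmac.compare_digest(md5_hex(entered), stored_md5)


def make_salted_record(password, iterations=100_000, salt=None):
    """Salted, iterated PBKDF2-HMAC-SHA256 record (hypothetical hardened scheme).
    A random per-user salt means identical passwords hash differently, so a
    precomputed wordlist table cannot be reused across accounts."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_login_salted(record, entered):
    """Recompute PBKDF2 with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", entered.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["digest"])
```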
With that, I feel it’s important to revisit the importance of complex and unique passwords. Each time you reuse the same password, you’re greatly increasing the chances of being compromised, because you are putting that same hash out there again. There is a way to make this easier without having to memorize dozens or hundreds of complex and unique passwords. That solution is a password manager. There are a ton of different options available; I personally like 1Password, which has a clean interface and a nice family package, but generally they all function the same. The important things to consider are their security and how easily you can integrate one into your lifestyle. Many of them let you import your browser-saved passwords, or you can start fresh if you prefer. You can also use many of these tools to generate those complex and unique passwords and store them directly in the manager.
Example of using 1Password to create a complex password for a login.
Some Resources:
https://1password.com
https://www.onlinehashcrack.com/tools-how-secure-is-password.php
https://haveibeenpwned.com