Password Management – A Daunting Task

Published on: 09 Jun, 2020
Cyberattacks are not going to fade away anytime soon. Organizations and individuals are equally threatened because of the broad target base and the variety of attack vectors. While making use of various applications on the internet, the end user is primarily guarded against cyberattacks by a password. 2-factor authentication is not yet a common feature on the internet, as it is mostly limited to financial websites.

Internet users come across many websites where they have to log on with their credentials. Many websites offer a single sign-on/federated identity service where the user is offered the chance to log on through another popular social media account. In that case, the user's profile information from the social media account is shared with the new site asking for sign-up. Keeping in mind the prevalence of hacking activities by state and non-state actors, the user has no certainty whatsoever about the safety of his/her credentials and profile information.

Password Insecurities
Let’s have a quick overview of common password insecurities.

Guessable Passwords
Overly simplistic passwords like ‘Password.123’ can be easily guessed by anyone with little effort.

Dictionary Attacks
Seasoned hackers can even break difficult passwords through automated dictionary attacks. Hackers may also use rainbow tables, which contain pre-calculated hashes of passwords (these are effective only against hashes that were stored without a per-user salt).

Use of Same Password on More than One Website
As one has to sign up at a number of websites, for ease of remembering passwords, people tend to use a single password or a few passwords at all of the websites they use. In the case of a compromise of a password at one such website, sign-in at the rest of the websites also becomes vulnerable. The user cannot be sure how a website treats his/her credentials, and some website admins are not cautious enough to keep user credentials safe. Therefore, it is not uncommon for websites to lose user credentials to hackers. Hackers know well that credentials from one website holding information of low or no value can be used at other high-value websites with reasonably good probability.

Password Recovery Features
Almost all of the websites asking individuals to sign up also offer password recovery features for their customers, as it is quite common for people to forget their credentials. This is yet another weak area with regard to password security. Anyone can use a recovery option on someone else's behalf; all the hacker needs to do is answer some recovery questions. Answers to such questions can be acquired through the victim's social media posts/profile or other means. The answers can even be acquired through institutions. Some websites double-check the authenticity of the user activating a password recovery option by confirming through SMS or email. However, naïve users can still be tricked into forwarding such confirmation codes to the hackers.

Writing or Storing the Passwords
Some people keep a copy of their passwords for various websites in a (presumably) safe place due to fear of forgetting them. Losing this copy is a possibility and could compromise password security.

Unchanged Password for Long Periods
Even strong passwords are liable to a compromise if they are in use for a time as long as a year.

Password Sharing
Sharing passwords with your colleagues or family members reduces their strength and increases the probability of a compromise. Moreover, if the same password is being used at many websites, then the scope of the compromise also increases.

Malware, Spyware and Key Loggers Attack
Infected systems make passwords more vulnerable. Passwords may be leaked online through malware, spyware, or key loggers.

Leaving a Logged-on System Unattended
A logged-on computer or smartphone might be accessed by someone with malicious intent. Stored passwords or signed-in applications are then exposed to a password compromise.

Man in the Middle Attack on Insecure Channels
When user credentials are passed on to websites which accept unencrypted traffic (sites with URLs starting with http, or whose https certificates are invalid or expired), the credentials can be intercepted by malicious actors. One should also refrain from using public WiFi connections.

Shoulder Surfing
Entering passwords in the proximity of others might enable them to learn the password.

Conflicting Needs
The worst part of the password insecurities mentioned above is that some of them conflict with each other and are therefore more difficult to handle. For example, if one chooses a strong password, it becomes more difficult to remember and one tends to write it down somewhere. Similarly, as strong passwords are difficult to remember, it is next to impossible to create a different strong password for every site and to remember them all without writing them down.

Creating Strong Passwords (memorable but not guessable)
Here we elaborate a crude way of creating strong passwords which can be learned by heart but are not guessable by others.
A suggested way is to keep two sets of passwords. Set-1 should have a few strong and difficult-to-guess passwords, and Set-2 should have a few mildly complex and easier-to-remember passwords. The number of passwords in each set may vary from person to person depending upon his/her working pattern. Set-1 passwords should be reserved for sites which need high security, like financial sites, social media accounts, official accounts, etc., whereas Set-2 passwords may be used for sites which are less critical, like a blog site accessed for reading pleasure only. The passwords in both sets should be changed at least once every three months.

Passwords in Set-1 – Strong Passwords
The next question is how to create a strong password which is not guessable but can still be remembered. One way is to pick a phrase which is not associated with anything in your public profile, for example a phrase from an old song which is not popular these days but one that you still remember, such as "please forgive me I don't know what to do". Make a word by combining the first letters of each word of the phrase: "pfmidkwtd". This word may even be reversed. Now you have to add numbers and other characters. For that, think of a date plus a month, or a year, that you remember for some reason that is not publicly mentioned anywhere in your profile. For example, that may be the date when you were admitted to school or when you first visited Charleston. The date plus month combination can be 2nd February, which becomes 0202, and the year can be 1985. Either or both of these four-digit groups can be mixed into the word "pfmidkwtd" to make it "p0f2m0i2d1k9w8t5d". Now you can replace any two of the characters of "p0f2m0i2d1k9w8t5d" with symbols. For example, '1' can be replaced with '!' or 'd' can be replaced with '$'. Finally, you should change one or two letters to uppercase. So the final password may look like "P0f2M0i2$!k9w8t5$". This is a 17-character password, but one may go for a 10-12 character password built the same way for reasonable security and convenience.

Passwords in Set-2 – Mildly Complex Passwords
These passwords may be created by concatenating (instead of mixing, as above) the phrase acronym with the number and then replacing some letters with symbols or their uppercase variants. For example, the phrase "come on Barbie lets go party" would give "coblgp". Combining it with some memorable year of your life, such as 1987, would give "coblgp1987". The replacements mentioned earlier can then lead to "coblgP!987".
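The Set-1 (mixing) and Set-2 (concatenating) recipes above, written out as an added Python example that is not the author's code. It reproduces the article's two sample passwords step by step and then audits each result for the character classes it contains and for whether the phrase acronym or the raw digits are still readable inside it (which is exactly what the Set-1 mixing step is meant to hide). The function names and the audit are my own construction.

```python
def acronym(phrase: str) -> str:
    """First letter of every word, lowercased: the article's 'pfmidkwtd' step."""
    return "".join(word[0] for word in phrase.split()).lower()


def interleave(letters: str, digits: str) -> str:
    """Set-1 mixing: alternate one letter and one digit; leftovers are appended."""
    out = []
    for i in range(max(len(letters), len(digits))):
        if i < len(letters):
            out.append(letters[i])
        if i < len(digits):
            out.append(digits[i])
    return "".join(out)


def substitute(text: str, table: dict) -> str:
    """Replace every occurrence of each key, e.g. {'1': '!', 'd': '$'}."""
    return "".join(table.get(ch, ch) for ch in text)


def uppercase_at(text: str, positions) -> str:
    """Uppercase the letters at the given 0-based positions (the final step)."""
    chars = list(text)
    for pos in positions:
        chars[pos] = chars[pos].upper()
    return "".join(chars)


def build_set1(phrase: str, digits: str, table: dict, upper_positions) -> str:
    """Strong password: acronym mixed with digits, then substitutions and case."""
    return uppercase_at(substitute(interleave(acronym(phrase), digits), table), upper_positions)


def build_set2(phrase: str, digits: str, table: dict, upper_positions) -> str:
    """Mildly complex password: acronym + digits, then substitutions and case."""
    return uppercase_at(substitute(acronym(phrase) + digits, table), upper_positions)


def audit(password: str, phrase: str, digits: str) -> dict:
    """Length, number of character classes, and whether the building blocks still show."""
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    return {
        "length": len(password),
        "classes": classes,
        "shows_acronym": acronym(phrase) in password.lower(),
        "shows_digits": digits in password,
    }
```

Running `audit` on the two article passwords shows why Set-2 is the weaker recipe: the Set-1 result hides both the acronym and the date, while the Set-2 result still contains the acronym "coblgp" verbatim (case aside).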

About the Author
Abdul B. Subhani is the founder and President/CEO of Centex Technologies, an IT consulting company with offices in Central Texas, Dallas, and Atlanta. He is also an adjunct faculty member of the Texas A&M University - Central Texas computer information systems department. Abdul is a Certified Ethical Hacker, a Certified Fraud Examiner, Certified in Risk and Information Systems Control, a Texas Licensed Private Investigator, a member of FBI InfraGard, a member of the Forbes Technology Council, and the recipient of multiple other advanced IT credentials.

He has recently been recognized as one of the 40 under 40 by the Armed Forces Communications and Electronics Association for his significant contributions in the field of science, technology, engineering and math (STEM).
 
Abdul has been a frequent keynote speaker, moderator, and panelist at leading international technology conferences, and he has given speeches to thousands of students at colleges and universities.