The beginning of the year is a good time to change passwords on devices and applications for which we want to maintain a high level of security, or in any case to avoid using the same passwords, as always, as a precaution.
There are several methods by which computers can be attacked, regardless of whether the device is a mobile phone, tablet or computer.
- With dictionaries or word lists. An attacker program reads from a database or data dictionary and attempts to penetrate the system.
- With rules. This system is more sophisticated than the previous one, as the rule has to be discovered and programmed, but in the end you always get access.
- By brute force. This is the least sophisticated method, as it is a matter of testing and trial and error, requiring a lot of processing power.
- With a mixture of the above. Hybrid attack.
If we have a 4-digit password, the attacker will only need 10,000 attempts to break in. That may seem like a lot, but in less than a second it is achieved. We have to think that the attacker has enough technology to achieve his goal. We can repeat the process, but for lowercase letters (27) taken 4 by 4, 531,441 attempts will be needed, as we can see, that is a lot more, but only a few seconds for a computer.
If we increase to uppercase letters, lowercase letters and special characters we will have a total of 97 cases (numbers, letters and special characters) to choose from and, if we go back to 4 digits, the possibilities would be 88,529,281, as we can see the number of attempts increases by increasing the number of characters to choose from. Also, if we increase the length of the password from 4 to 10, the attacker would have to make 73,744,400,000,000,000,000,000,000 attempts.
Passwords follow the 20/60/20 rule. A 20% is easy, only numbers or letters and less than 7 characters long, a 60% of medium difficulty between 7 and 10 characters long and a 20% longer and more difficult.
The longer the passwords the better, combining numbers and letters, some of them upper or lower case and with some special character. This is all very well, but is it practical? We should think that simple 1234...or similar codes are easy to find. Keeping passwords on an Excel sheet, or a postit or paper, is risky because it can fall into the hands of someone to whom we certainly make everything easy.
Fleeing the keyboard walking
Therefore, we should shy away from extremely simple things or methods such as following a sequence on the keyboard (keyboard walking). An easy to remember sequence of numbers are dates in ddmmyyyy or similar format, we already have 8, if we add a phrase, name, surname that we remember and in some specific position in upper or lower case and intermingle a number, we begin to have something much more serious. If we also add special characters, we will have a system with little or no vulnerability.
There are applications that when you try to access them a finite and low number of times, let's say three, without success, automatically revoke the user and force you to change the password.
Finally, we can classify passwords into two large groups: those that are important to us, for data, access to banks or sensitive information. Or those that we use for certain queries or access, such as certain newspapers or other types that do not require complex passwords. The aim is that we have our own algorithm, which we can remember, which allows us to change it from time to time, avoiding unnecessary risks.
Manuel García Ramírez
Director at MGR IT and Security Consultants