World Password Day – The last of its kind?

M.Sc. Chris Wojzechowski


Handling passwords correctly matters, because attacks such as phishing and identity theft are increasingly successful. On World Password Day, the first Thursday in May, we show what to consider when dealing with passwords, and why the password may soon be abolished!

Secure password – How do I create it?

There are several approaches to guessing a password. Three classic methods are:

  • the dictionary attack
  • the creation of a personalized password list
  • the brute force method

As users, we should choose a password that withstands all three attacks. On World Password Day we show how to do that, and why it is time to slowly part with this relic.

Language known? Then a dictionary attack can succeed!

In a dictionary attack, the attacker takes an entire dictionary and tries each word as the password. Once the whole dictionary has been exhausted, it can be supplemented or modified with numbers, special characters or spelling variants of the words.

Each such run increases the probability that the attacker finds what they are looking for. Passwords like Martin0815, 0688Abschleppsein or Donaudampfschifffahrtskapitän3 can therefore be guessed quickly. As users, we should choose a password that does not appear in any dictionary.

Dog, cat, mouse – the personalized password list

In this attack, the attacker builds a custom password list for one specific victim. Unlike a dictionary attack, the attacker does not use a general list, but a list derived from information the victim has disclosed about themselves. Popular material is, for example, the names of children, pets or favourite teams.

The sources for this are often professional and private social networks. As users, we should not include any personal reference in our passwords; otherwise an attacker can arrive at our password after thorough research.
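The two attacks above, the dictionary attack with supplemented variants and the personalized list built from disclosed facts, share the same machinery: a base word list and a set of mutation rules applied to it. The following is an added example and not code from the original article or from AWARE7; the dictionary, the victim profile, the "leaked" SHA-256 hashes and the mutation rules are all constructed for the illustration (a real attack would use far larger lists and the site's actual hash format).

```python
import hashlib
import itertools

# Constructed example data: a tiny "dictionary" and a victim profile gathered
# from public social-media posts. All values are invented for this illustration.
DICTIONARY = ["martin", "sommer", "passwort", "schalke"]
PROFILE = {
    "children": ["Lena"],
    "pets": ["Bello"],
    "team": ["Schalke"],
    "years": ["1984", "2012"],
}

# Assumed mutation rules: leetspeak substitutions and common suffixes.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
SUFFIXES = ["", "1", "123", "!", "0815", "2023", "2024"]


def case_variants(word):
    return {word.lower(), word.capitalize(), word.upper()}


def mutate(word):
    """Yield the 'supplemented or modified' variants of one base word:
    case changes, leetspeak, and appended digits or symbols."""
    seen = set()
    bases = case_variants(word) | {w.translate(LEET) for w in case_variants(word)}
    for base in bases:
        for suffix in SUFFIXES:
            cand = base + suffix
            if cand not in seen:
                seen.add(cand)
                yield cand


def personalized_list(profile):
    """Build a victim-specific base list from disclosed facts, including the
    name+year combinations people like to use."""
    names = [n for key in ("children", "pets", "team") for n in profile[key]]
    bases = list(names)
    for name, year in itertools.product(names, profile["years"]):
        bases.append(name + year)
        bases.append(name + year[-2:])
    return bases


def candidates(base_words):
    for word in base_words:
        yield from mutate(word)


def sha256_hex(s):
    return hashlib.sha256(s.encode("utf-8")).hexdigest()


def crack(target_hash, base_words):
    """Return the first candidate whose unsalted SHA-256 matches, or None."""
    for cand in candidates(base_words):
        if sha256_hex(cand) == target_hash:
            return cand
    return None


def demo():
    # Two constructed "leaked" hashes for passwords of the kind the text calls guessable.
    leaked = {
        "martin_user": sha256_hex("Martin0815"),
        "lena_parent": sha256_hex("Lena2012!"),
    }
    return {
        "martin_user": crack(leaked["martin_user"], DICTIONARY),
        "lena_parent": crack(leaked["lena_parent"], personalized_list(PROFILE)),
    }


if __name__ == "__main__":
    print(demo())
```

Both constructed passwords fall within the first few thousand candidates. The point for the defender is that a password built from a word plus the usual digits or symbols is not materially harder than the bare word once the attacker adds the corresponding rule.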

Trying everything – the brute-force method

This simple attack consists of trying every possible combination. It follows no particular system beyond enumerating the whole key space, e.g. starting at "a" or "0" and working through all combinations of increasing length. Because the number of combinations grows exponentially with the password length, the procedure is very time-consuming. Offline attacks, e.g. on encrypted documents, nevertheless succeed quickly against short passwords, since many millions of candidates, sometimes more, can be tried per second.

Stolen data? Then even the most secure password does not help!

Another option is to search data that has already been stolen. By now more than 7.5 billion records have been stolen. With every data theft, the probability that the target is among the victims rises. If the data was stolen in plain text, even a 40-character password does not help in the end.

Anyone can check whether their own data has already been leaked. The Identity Leak Checker of the Hasso Plattner Institute in Potsdam offers such a check. For this reason alone, a different password should be used for each platform, so that one leak does not compromise every account.

Creating a good, secure password!

So a good password:

  • has enough characters to make a brute-force attack as tedious as possible,
  • is not a word from the dictionary, and
  • has no personal reference.

But how do you create such a password, and how do you remember it? To create a good password, take a sentence that you can easily remember and then transform it. For example, delete all letters except the last one of every word. If you also insert numbers and special characters and replace some characters, you get a password that withstands all the attacks above. The BSI has also published a guide for creating passwords.
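The sentence method just described, together with the three rules above and the brute-force cost from the earlier section, can be made concrete in a few lines. This is an added example and not the BSI guide's or the article's own code: the replacement table, the small dictionary, the list of "personal facts", the minimum length of 12 and the assumed offline rate of 10^9 guesses per second are all assumptions chosen for the illustration.

```python
import secrets
import string

# Constructed inputs: a tiny dictionary and facts an attacker could read off
# the user's social-media profiles. All invented for this illustration.
DICTIONARY = {"martin", "sommer", "passwort", "schalke"}
PERSONAL_FACTS = ["Lena", "Bello", "Schalke", "1984"]

# Assumed substitution table for the "work with replacements" step.
REPLACEMENTS = {"e": "3", "s": "$", "a": "@"}


def mnemonic_password(sentence, replacements=REPLACEMENTS):
    """Derive a password from a memorable sentence as the text describes:
    keep only the last character of every word, then apply replacements.
    Digits and punctuation in the sentence survive unchanged, which is how
    numbers and special characters get into the result."""
    chars = []
    for word in sentence.split():
        last = word[-1]
        chars.append(replacements.get(last.lower(), last))
    return "".join(chars)


def charset_size(password):
    """Size of the smallest standard character set covering the password,
    i.e. the alphabet a brute-force attacker has to enumerate."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return size or 1


def brute_force_years(password, guesses_per_second=1e9):
    """Worst-case years to exhaust the key space at an assumed offline rate
    (1e9 guesses/s is a round assumption, not a measured figure)."""
    keyspace = charset_size(password) ** len(password)
    return keyspace / guesses_per_second / (365 * 24 * 3600)


def violations(password, dictionary=DICTIONARY, facts=PERSONAL_FACTS, min_length=12):
    """Check a candidate against the three rules from the text; an empty
    list means it passes. Trailing digits/symbols are stripped before the
    dictionary lookup so that 'Martin0815' is still recognised as 'martin'."""
    problems = []
    if len(password) < min_length:
        problems.append("too short for brute force to be tedious")
    core = password.lower().strip(string.digits + string.punctuation)
    if core in dictionary:
        problems.append(f"dictionary word: {core}")
    for fact in facts:
        if fact.lower() in password.lower():
            problems.append(f"personal reference: {fact}")
    return problems


def random_password(length=20):
    """What a password manager does instead of a mnemonic: draw every
    character from the operating system's CSPRNG."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    sentence = "Every morning I drink 2 cups of coffee before I start work at 8!"
    pw = mnemonic_password(sentence)
    print(pw, violations(pw), f"{brute_force_years(pw):.2e} years")
    for weak in ("Martin0815", "Lena2012!"):
        print(weak, violations(weak), f"{brute_force_years(weak):.1f} years")
    print(random_password())
```

Note what the brute-force figure does and does not say: Martin0815 would take decades to exhaust by pure enumeration at the assumed rate, yet it falls to the dictionary-plus-suffix attack in moments, which is why the dictionary and personal-reference checks are not optional extras.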

Figure: Developing secure passwords with the help of mnemonic bridges. Source: BSI

To remember all the passwords created this way, using a password manager is recommended. Free options include KeePassXC and KeePass. The software can also generate secure passwords, but that requires trusting the software that generates them.

The ultimate security – does it even exist?

There will never be 100% security with passwords, because a lucky attacker can always guess one. As a user of various services, however, you are considerably safer if you create passwords according to the rules above. Assigning and managing secret phrases remains a real challenge. XignSys GmbH from Gelsenkirchen wants to solve this problem for society, and is well on its way.

Under the motto “World Password Day – The last of its kind” the company shows what possibilities it can offer for the future and why the password has had its day!


M.Sc. Chris Wojzechowski

My name is Chris Wojzechowski and I completed my Master's degree in Internet Security in Gelsenkirchen a few years ago. I am one of two managing directors of AWARE7 GmbH and a trained IT Risk Manager, IT-Grundschutz practitioner (TÜV) and possess the test procedure competence for § 8a BSIG. Our bread-and-butter business is performing penetration tests. We are also committed to promoting a broad understanding of IT security in Europe, which is why we offer the majority of our products free of charge.