- Brute-force attacks to obtain passwords have moved from CPUs to GPUs, improving their effectiveness by checking more than a million keys per second.
- Passwords now need new requirements to be truly secure: a minimum number of 12 characters, the use of upper and lower case letters, numbers and special characters.
Every year, on the first Thursday in May, World Password Day is commemorated, a perfect setting in which Check Point Software Technologies the opportunity to send a reminder about the importance of dedicating special care to passwords, as they are one of the main barriers against cyber criminals.
Passwords are used by billions of users around the world, but despite their enormous importance, there is still a high number of bad practices when it comes to managing and creating them. In 2019, the UK’s National Cyber Security Centre revealed that 23 million people worldwide continue to use insecure passwords such as “123456”, evidencing that many users are still unaware of the potential dangers.
But this is not the only problem we face. Relentless technological advances are not only benefiting users, but also providing cybercriminals with new tools to carry out their attacks. What once were considered secure passwords are now becoming outdated, creating new vulnerabilities.
The advent of new graphics cards with virtual memory (VRAM) has opened the door for these hardware devices to process high-speed data, the same way it is used in cryptocurrency mining. However, they can also be used in brute-force cyberattacks to obtain passwords, being the newest models able to perform more than a million checks in just one second, way faster than the previously achieved by central processing units (CPU). This means that if we have a password with less than 12 characters based exclusively on the use of letters and numbers, it could be breached in just a few days.
According to the latest report from Hive Systems, which shared the approximate times in which cybercriminals could “crack” our passwords, range from minimal effort and almost instantaneous times for the most insecure passwords, to 438 trillion years for the most robust keys. In a matter of just one year, these same figures have seen their possible vulnerability times cut by up to 90% that, with the entry of new agents such as cloud services or artificial intelligence, could be even more reduced in the coming years.
The goal and the reasons are clear, but what does a password need in order to be secure and strong? Check Point Software gives the definitive keys to achieving it:
- The longer and more varied, the better: it should be at least 14-16 characters long and consist of different letters, combining upper and lower case letters, symbols and numbers. However, it has been noted that by simply increasing the password to up to 18 characters combined, a completely unbreakable key can be constructed. This belief is based on the number of attempts brute-force practice requires where the total number of combinations is equal to the number of characters multiplied by their length.
- Easy to remember, complex to guess: it should be a combination that only the user knows, so it is advisable not to use personal details such as dates of anniversaries or birthdays, or the names of family members, as these can be easier to figure out. A simple way to create passwords that anyone can remember is to use complete sentences, either using common or absurd scenarios, with examples such as ‘meryhadalittlelamb’, or its even safer equivalent with different characters ‘#M3ryHad@L1ttleL4m8’.
- Unique and unrepeatable: create a new password each time a service is accessed and avoid using the same password for different platforms and applications. This ensures that in the event of a password being breached, the damage will be minimal and more easily and quickly repairable. According to a Google survey, at least 65% of respondents reuse their passwords across multiple accounts and web services, which increases the chances of multiple platforms or applications being breached.
- Always private: a premise that may seem basic but is important to remember. A password should not be shared with anyone, and it is especially advisable not to write it down anywhere near the computer or even in a file on it. For this task, you can use tools such as password managers, which do the same job, but in a more secure way.
- Real security is just ‘two steps’ away: in addition to having a strong and secure password, updating your critical apps to require two-factor authentication (2FA) is a major security enhancement. This way, every time an attacker or an unauthorized person wants to access someone else’s account, the account owner will receive a notification on their mobile phone to grant or deny access.
- Change it periodically: sometimes, even after following all these practices, incidents beyond our reach occur such as leaks of company databases. Therefore, it is advisable to periodically check whether an email has been the victim of a vulnerability to a third party, as well as to try to trace the accounts that may have been compromised. To do this, there are public access tools such as the Have I Been Pwned website, which try to gather basic information on these leaks in order to offer support and help to users. Similarly, even if they have not been breached, it is always recommended to update passwords every few months.
Every day, cybercriminals create new attacks aimed at stealing user passwords. Techniques such as phishing have managed to breach thousands of services by stealing credentials. This risk can be easily remedied by establishing secure passwords, making it much more difficult for cybercriminals to guess these combinations, ensuring the highest level of security for our devices.