Recently, I learned of a significant – and honestly quite brilliantly executed – security breach of a major company. The breach infiltrated a sophisticated system secured with some great security equipment. This company invested large sums of money to make their system very secure, and they accomplished that. But the brilliant hackers thought outside the box. So how did they do it?
The hackers followed a high-ranking employee to their home, hacked the employee’s poorly secured home WiFi, and infected that employee’s laptop. The laptop returned to the office and connected to the company network, and voila, the hackers had a device they could control that was already past the otherwise great security measures.
This story got me thinking. What is the best way to mitigate such a brilliant attack?
Sure, companies could mandate that all employees who take a device home which also connects to the company network must always use a VPN when not using the company network. but that would be expensive, and in most cases, cost prohibitive. Then I thought about how this attack actually succeeded. The catalyst to the whole thing was weak home WiFi security.
The employee in this story had a weak password implemented on their home WiFi. Obviously, we can’t all use WPA2 Enterprise with 802.1x authentication. Even if the average user knew how to implement such security, most home wireless routers don’t have that option anyway. But home wireless routers do typically allow WPA2 Personal which comes with the option to use a PSK (Pre-Shared Key). That can be secure if implemented properly. Its level of security hinges greatly on the strength of that PSK.
In my career, I have seen thousands of passwords. These passwords are used for everything from accessing a corporate firewall to home WiFi, or a meaningless test laptop. Far too many of these passwords just aren’t very strong at all. A relatively quick dictionary attack could crack the vast majority them. Heck, it’s easy to find evidence that the most common passwords are still some variation of 123456. In 2017!
So what are some ways to come up with a great password that you can actually remember?
You can certainly use a combination of numbers, uppercase letters, lowercase letters, and special characters. But better than all of that, use length! A password like “R3dD3v!ls” looks secure – and it is far more secure than 12345678 – but you can easily do better.
Here is a short exercise that illustrates this point. This exercise is validated using a password strength checker that I like (which can be found here: http://rumkin.com/tools/password/passchk.php).
Let’s look at 5 different passwords, and how variations impact strength. Entropy is really the key parameter here. Entropy can be very complicated, but there are some good summaries out there (one good one is here: https://ritcyberselfdefense.wordpress.com/2011/09/24/how-to-calculate-password-entropy/). In short, entropy determines a password’s true randomness. So entropy indicates how difficult a password is to crack.
Note: estimated crack time is based on the average time a cracker that could attempt 1 billion passwords/second would take. Some cracking software is stronger.
12345678 – Strength: Very Weak – Entropy: 13.6 bits – Est. crack time: <1 second
Terrible. Please make it stop.
RedDevils – Strength: Reasonable – Entropy: 37.7 bits – Est. crack time: <2 minutes
Not great at all.
R3dD3v!ls – Strength: Reasonable – Entropy: 43.9 bits – Est. crack time: about 2 hours
While it looks much more secure than “RedDevils” it barely is. This isn’t nearly enough time to deter a hacker.
Switzerland – Strength: Reasonable – Entropy: 46.8 bits – Est. crack time: 17 hours
By simply using a longer word with only its correct spelling, we’ve achieved a better password than “R3dD3v!ls”.
Sw!tz3rl@nd – Strength: Reasonable – Entropy: 56 bits – Est. crack time: 1 year, 51 days
Now changing that longer password by using l33tspeak has added some significant security.
bluedonkeytuesdaybeandip – Strength: Strong – Entropy: 94.2 bits – Est. crack time: 360.7 B years
Look at that. Just four random things strung together can create a password that is very secure. This password could take many, many lifetimes to crack. And it isn’t difficult to remember.
Surely we can all come up with a few random things that we can remember to put together.
Finally, don’t forget to change those passwords with some regularity. Whether it is every month, every quarter, or whatever. Just change them on a regular schedule.