Thursday, May 30, 2024
banner

Passwords are something we deal with every day. They were invented many years ago, and we still rely on them without alternatives. But honestly, relying solely on passwords isn’t the most secure way to protect your account.

Over time, developers have come up with a bunch of additional stuff to strengthen password security. For example, limiting access by IP (meaning, only allowing access from certain locations), multi-factor authentication (when you need not only a password but also something else, like a code from your phone), user behavior analysis (a system that monitors how you usually behave and warns or blocks the account if something seems off), as well as encrypting messages from the client to the server (so that nobody can intercept and decrypt the messages).

The process of storing passwords and authentication typically involves several steps:

User Registration:

  1. The user creates an account by providing their details, including the chosen password.
  2. The password may be transmitted over a secure connection (e.g., HTTPS) to prevent interception.

Password Hashing:

  1. The user-entered password is hashed using a cryptographic hash function, transforming the password into a fixed-length string.
  2. The hashed password is stored in the database instead of the actual password, maintaining the confidentiality of the password even in case of a database breach.

User Authentication:

    • When attempting to log in, the user provides their credentials (username and password).

    • The entered password is hashed and compared to the hash stored in the database for that user.

    • If the hashes match, the user is successfully authenticated, and access to the system is granted.

    • After successful authentication, the system may offer additional verification methods, such as multi-factor authentication (MFA). 

This is a general process that various systems may use for storing passwords and authenticating users. It’s important that all information is transmitted and stored in an encrypted (and hashed) manner to ensure the security of user credentials.

Hashing: In hashing, the password is transformed into a fixed set of characters (a hash) using a hash function. This process is irreversible, meaning the original password cannot be recovered from the hash. During authentication, the user inputs their password, which is then hashed and compared to the hash stored in the database. If the hashes match, the user is successfully authenticated.

Encryption: In encryption, the password is transformed into an unreadable form (cipher) that can be decrypted back into the original text using a key. Unlike hashing, the encryption process is reversible, and the encrypted text can be restored back to its original state with the correct key.

Many sources offer golden advice on how to create a secure password and how to operate with it, but they often overlook crucial tips and fail to explain the reasons behind certain steps. In our list, we aim to address this.

 This is the most important rule!

Pay close attention to where you enter your password. Hackers can redirect you to fake websites through social engineering or phishing attempts. When typing the name of an application into the address bar or search engine, ensure that you are navigating to the correct website. For example, if you want to visit paypal.com, these sites are unrelated to your payment account, and at best, they might lead you to advertisements, while at worst, they could open a clone of the payment system and steal your password.

paypal.systd-6721.com

paypal2024.com

paypalll.com

paypal.givemeyourmoney.com

Make sure the HTTPS protocol is being used, and on the left side of your browser’s address bar, there should be an icon like on this image ->

password via https

Top Rules for Creating a Hacker-Resistant Password

  1. Please don’t share your passwords with others. Nobody needs to know your login and password, even the IT department. If someone is asking for your password, it’s a scam.
    Furthermore, refrain from sharing the length and composition of your password with anyone to avoid facilitating a malicious actor in configuring a password-cracking program.
  2. Avoid using dictionary words.  These passwords are easy for hackers to figure out using an electronic dictionary. Avoid single words, or a word preceded or followed by a single number (e.g. Password1, 123456, or qwerty). Hackers will use dictionaries of words and commonly used passwords to guess your password.
  3. Don’t use personal information.  Any part of your name, birthday, Social Security number, or similar information for your loved ones is a bad password choice. A brute force attack can be targeted towards a specific user, with the dictionary compiled from the private information of the particular victim: their birth dates and names of relatives, information from social networks, and other public and non-public data. If your friends can find it, so will hackers.
  4. Avoid common sequences, such as numbers or letters in sequential order or repetitive numbers or letters.
  5. Use different passwords for different accounts. That way, if one password is breached, your other accounts won’t be put at risk too.
  6. Control Password Length: Stick with passwords that are at least 8 characters in length. The longer a password is, the better. Use at least 16 characters whenever possible.
  7. Take care of Password Complexity: Your password should contain at least one character from each of the following groups.

Lower case letter: abcdefghijklmnopqrstuvwxyz

Upper case letter: ABCDEFGHIJKLMNOPQRSTUVWXYZ

Numbers: 0123456789

Special Characters: `~!@#$%^&*()-_=+[{]}|;:'”,<.>/?

Additional tips

To help you easily remember your password, consider using the first letter from each word in a sentence, a phrase, a poem, or a song title as a password. Be sure to add in numbers and/or special characters.

If you find it difficult to remember, there’s another option, which I don’t recommend: writing down passwords and storing them in a secure place. Never leave them on sticky notes on your monitor, in your address book, in your desk drawer, under your keyboard, or mouse pad. If you choose this method, in any case, do not write down the complete password… store passwords in this format:

[something]GhrtR!dsKIwsa^89!2

G%Uhjgsdf0!kln&s[something]

GHY6e363[something]#5Hk1

where [something] is a short code that you remember well and no one else will guess what it is

Use a password manager. Password management tools, or password vaults, are a great way to organize your passwords. They store your passwords securely, and many provide a way to back-up your passwords and synchronize them across multiple systems. Here are some examples of popular password managers:

It’s important to remember that password managers ask you to set a master password, which is used to access all the websites or services managed by this tool. This master password is extremely important as it creates a single point of failure. If a user loses their master password or other identifying information, they could lose access to all their passwords at once. Similarly, if your master password falls into the wrong hands, it would allow a malicious actor to gain access to any account saved in the password manager.

Use multi-factor authentication (MFA). Even the best passwords have limits. Multi-factor authentication adds another layer of protection in addition to your username and password. Generally, the additional factor is a token or a mobile phone app that you would use to confirm that you really are trying to log in. Learn more about MFA.

Key Points:

  1. Password Security Measures: Passwords are the most common form of authentication, but they are not the most secure method on their own. Additional security measures include limiting access by IP, multi-factor authentication (MFA), user behavior analysis, and encrypting messages.

  2. Process of Storing Passwords: The process involves user registration, password hashing, and user authentication. Passwords are hashed using cryptographic hash functions before storing them in the database. 

  3. Golden Rules for Creating Secure Passwords: Tips include not sharing passwords, avoiding dictionary words and personal information, avoiding common sequences, controlling password length and complexity, using different passwords for different accounts, and considering mnemonic devices for password creation.

  4. Avoiding Phishing Attempts: Users should pay attention to the URLs they enter passwords into, ensuring they are on the correct website and using HTTPS protocol. Phishing attempts can lead users to fake websites designed to steal passwords.

  5. Secure Password Storage: If users choose to write down passwords, they should store them securely, using a format that includes a memorable code along with the password.

Conclusion:

While passwords remain a ubiquitous form of authentication, relying solely on them for security is not sufficient. Implementing additional security measures like multi-factor authentication and user behavior analysis enhances protection against unauthorized access. Users must also adhere to best practices for creating and managing passwords, such as avoiding common words and sequences, using different passwords for different accounts, and being vigilant against phishing attempts. Additionally, secure password storage methods, such as mnemonic devices or encrypted formats, help mitigate the risk of password compromise.

banner
Choose your TOTP token

Newsletter

Subscribe our Newsletter for new blog posts & tips. Let's stay updated!

banner

Leave a Comment

editor

John McHacker

John was a computer programmer and hacker known for his expertise in breaking into secure computer systems. He developed a reputation as a master of computer security and was often hired by companies to test the strength of their cybersecurity measures.

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Accept