Why Does My Password Matter? | NSC #68

Encryption

Whether it be full disk encryption, PGP, Veracrypt containers, or any other way to encrypt a file or a message, you need a good password to protect it. This is especially important when protecting sensitive information. Without a good password, you don’t have good encryption, period.

Take AES-256 for instance: a 256-bit key is absolutely massive. How massive? The way to calculate it is to raise 2 to the 256th power (try doing that in your head). Written out, the number looks like this:

115,792,089,237,316,195,423,570,985,008,687,907,853,269,984,665,640,564,039,457,584,007,913,129,639,936

If you’re not a nerd, this means nothing to you, so let’s bring it back down to human level. You have that many possible combinations in an encryption key, which is an obnoxious amount, but the password you use for it becomes the weak point: the key is derived from or protected by your password, so an attacker only has to guess the password, not the key. It is very uncommon for anyone to attack the encryption cipher itself, because its key space is so massive; instead they use dictionary lists to go after passwords. A dictionary list is simply a list of the most common passwords that an attacker tries against whatever it is that you are trying to protect.

What’s in a Password?

Let’s take the most commonly hacked passwords of 2017 as compiled by SplashData:

[Image: SplashData’s list of the most commonly hacked passwords of 2017]

On this list we have common names, number sequences and trending topics. These, or any permutations of them, are going to get hacked in less than an hour. Compare this list to the top 100 passwords in the most used dictionary list in the world, rockyou.txt, and you will see many similarities:

123456
12345
123456789
password
iloveyou
princess
1234567
rockyou
12345678
abc123
nicole
daniel
babygirl
monkey
lovely
jessica
654321

michael
ashley
qwerty
111111
iloveu
000000
michelle
tigger
sunshine
chocolate
password1
soccer
anthony
friends
butterfly
purple
angel

jordan
liverpool
justin
loveme
fuckyou
123123
football
secret
andrea
carlos
jennifer
joshua
bubbles
1234567890
superman
hannah
amanda
loveyou
pretty
basketball
andrew
angels
tweety
flower
playboy
hello
elizabeth
hottie
tinkerbell
charlie
samantha
barbie
chelsea

lovers
teamo
jasmine
brandon
666666
shadow
melissa
eminem
matthew
robert
danielle
forever
family
johnathon
987654321
computer
whatever
dragon
vanessa
cookie
naruto
summer
sweety
spongebob
joseph
junior
softball
taylor
yellow
daniela
lauren
mickey
princesa

If you compare these lists, you see that they intersect in many places. If an attacker were using this list to break a common password, it would take them less than a second to get through the first few hundred entries (depending on hardware, type of hash, software used, etc.).

The Solution to Your Terrible Password

So what’s the solution? A password manager is a perfect first step, both for organizing passwords and for generating secure, hard-to-crack ones. We’ve talked about password managers a lot in the past, so there’s no need to reiterate; check out our past articles. Another option is to invest in something like the OnlyKey, a hardware password manager; more details on that here.


Questions, Comments, Concerns?

Let us know what you think below!
