This is the second in a series coming out of the Comstor Federal Summit (#ComstorFS17). Bryant G. Tow spoke to Cisco leaders, Comstor partners and value-added resellers (VARs) about the two primary cybersecurity threats for the federal government: Password security and Ransomware. This post focuses on Tow’s remarks about changes in password security.
Password security is at the forefront of cybersecurity efforts for federal agencies because the tools and hardware cybercriminals use to crack and guess passwords have improved dramatically, according to Bryant G. Tow, Managing Partner of CyberRisk Solutions LLC.
“Now, you can run millions of potential passwords in a much shorter period. What was taking days or weeks, is now taking hours,” he said.
This capability lets attackers try every word in a dictionary, along with its common variations, in a matter of hours. Because most people build passwords from common words or familiar strings of characters, it is easy for cybercriminals to reproduce them.
“Most people use common words and then add the numbers 123 or 123!,” Tow said. “Cyber criminals know that. Their crawlers take every dictionary word and put 123 or 123! behind it and try them. It doesn’t take very long using artificial intelligence, analytics and password guessing for cybercriminals to create caches of potential passwords.
“When a new Star Wars or Harry Potter movie comes out, for example, they create passwords based on primary characters,” he continued. “When books come out, you will see the names or places from them show up in top hits for fake credentials. You also see people using those names and places with an exclamation point or 123 after the word. They think this is a ‘good’ password, but the truth is that if we are coming up with these passwords, so are cyber criminals.”
As he noted, a password may meet all of the requirements for a “strong” password and seem clever enough to be secure, but given the intelligence and analytics available to attackers today, such passwords are not strong at all.
“People use passwords they don’t realize are common. An interesting one is zaq1zaq1, which is created by going up the keys on the left side of a keyboard,” Tow explained. “Another common mistake is using the word ‘password,’ but typing the number 0 instead of the letter o.”
“We all do this type of thing, because we all have a little cypher in our heads where an o becomes a zero and an L becomes a 1,” he continued. “If we think of these, then guess what? The cyber criminals already know all of these.”
Combining the ability to generate millions upon millions of candidate passwords quickly with the fact that at least 3.5 billion credentials were stolen in 2016, it is no surprise that eight out of every 10 login attempts against public-facing federal and banking sites came from robots rather than people.
“Think about the volume,” Tow said. “The robots are ‘farming’ these credentials. They take stolen passwords from places like Netflix or Spotify and put them in the crawlers to see if a person has used the same password on more than one site.”
A solution that agencies are already using is to require a passphrase instead of a password.
“Some agencies are requiring a minimum of 12 characters up to 15 characters, and that length-of-character requirement does eliminate most dictionary words,” Tow explained. “They also eliminate the number and the special character.”
“That length requirement takes away the bulk of common dictionary words, and it forces the human to come up with a phrase like ‘seethedogrun’ or ‘Timebaldsquirrel,’ which is actually a pretty strong password. By requiring a phrase, you eliminate not only most of the dictionary words, but also the common words a person would usually choose – their kid’s name, their street name, etc. – because it is highly unlikely that any one of those names would be 15 characters.”
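To make the two threads of the talk concrete, the following is an added example, written for this post and not code from the article or from Tow’s talk. It applies the mangling rules Tow describes (a word plus 123 or 123!, the o-to-0 and l-to-1 substitutions, keyboard walks such as zaq1zaq1) to a small constructed word list, then checks candidate passwords against a classic complexity policy and the length-only passphrase policy from the last paragraphs. The word list, rule set and 12-character minimum are assumptions chosen for illustration; real cracking tools apply the same idea with far larger lists and rule sets.

```python
"""Rule-based password candidate generation beside a policy check.

Added example, not from the article or Tow's talk. The word list, rules
and thresholds below are constructed for illustration only.
"""
from itertools import product

# Constructed sample word list: ordinary words plus pop-culture names of
# the kind the article says appear right after a film or book release.
WORDLIST = ["password", "summer", "dragon", "skywalker", "hermione", "monkey"]

# The suffixes the article describes as the most common additions.
SUFFIXES = ["", "123", "123!", "!", "1"]

# The "little cypher in our heads": letter-to-digit/symbol substitutions.
LEET = {"o": "0", "l": "1", "e": "3", "a": "@", "s": "$"}

# Column-wise runs on a US QWERTY keyboard (assumed layout); they look
# random but are fixed sequences, so crackers enumerate them too.
QWERTY_COLUMNS = ["zaq1", "xsw2", "cde3", "vfr4", "bgt5",
                  "nhy6", "mju7", "ki8", "lo9", "p0"]


def leet_variants(word):
    """Yield the word with every on/off combination of the substitutions."""
    positions = [i for i, ch in enumerate(word) if ch in LEET]
    for flags in product((False, True), repeat=len(positions)):
        chars = list(word)
        for on, i in zip(flags, positions):
            if on:
                chars[i] = LEET[chars[i]]
        yield "".join(chars)


def case_variants(word):
    """Lowercase, Capitalized and UPPERCASE forms of a word."""
    return {word, word.capitalize(), word.upper()}


def keyboard_walks():
    """Single columns, doubled columns (zaq1zaq1), reversed and paired columns."""
    walks = set()
    for col in QWERTY_COLUMNS:
        walks.update({col, col * 2, col[::-1]})
    for left, right in zip(QWERTY_COLUMNS, QWERTY_COLUMNS[1:]):
        walks.add(left + right)
    return walks


def generate_candidates(words=WORDLIST):
    """Build the candidate set a rule-based dictionary attack would try."""
    candidates = set()
    for word in words:
        for base in case_variants(word):
            for variant in leet_variants(base):
                for suffix in SUFFIXES:
                    candidates.add(variant + suffix)
    candidates |= keyboard_walks()
    return candidates


def meets_classic_policy(password):
    """Classic policy: 8+ chars with upper, lower, digit and special."""
    return (len(password) >= 8
            and any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))


def meets_length_policy(password, minimum=12):
    """Length-only policy of the kind the article describes (assumed 12+)."""
    return len(password) >= minimum


def evaluate(password, candidates):
    """Report policy compliance next to whether a cracker would guess it."""
    return {
        "classic_policy": meets_classic_policy(password),
        "length_policy": meets_length_policy(password),
        "in_candidate_set": password in candidates,
    }


if __name__ == "__main__":
    cands = generate_candidates()
    print(f"{len(cands)} candidates from {len(WORDLIST)} words")
    for pw in ["P@ssw0rd123!", "zaq1zaq1", "skywalker123!",
               "seethedogrun", "Timebaldsquirrel"]:
        print(f"{pw:18} {evaluate(pw, cands)}")
```

Running it makes the point of the talk visible: ‘P@ssw0rd123!’ satisfies the classic complexity policy and even the 12-character minimum, yet it is in the candidate set, because it is one dictionary word plus the two most common rules. ‘seethedogrun’ and ‘Timebaldsquirrel’ fail the complexity policy, pass the length policy and are not generated. The caveat is ‘skywalker123!’: at 13 characters it clears the length requirement while still being a trivially mangled name, so a length rule works best alongside a check against known or generated candidates rather than instead of one.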