Since it’s Thanksgiving, WhiteHat wondered, what are hackers giving thanks for? The simplest answers are Google, gigabit internet speeds, and an endless supply of caffeine. But the number one thing that hackers are overwhelmingly grateful for is DATA, especially passwords stored in plaintext or cleartext.
Unfortunately, people are horrible at creating strong passwords. In fact, each year someone publishes a list of the worst passwords used during the prior 12 months, and the top two entries have a place of honor because they have not changed since 2016: “123456” and “password.” To make matters worse, most people still reuse the same familiar passwords across multiple websites, as if a person would use the same key to unlock their car, their home and their place of work. That isn’t common practice for physical security, and it shouldn’t be for cybersecurity either. Just as people carry separate keys for their car, home and office, they should use separate, strong passwords for social media, banking and email accounts, because one breached site then exposes every account that shares the password.
When creating a password, the best advice is to avoid dictionary words, keyboard or number sequences, and personal information that can be mined from other sources. Password strength is a measure of how well a password resists cracking, and for a guessing attacker it comes down to how many candidates they must try before reaching yours. So aim for a password that is long (length matters more than any single special character), unique to the account, and not derived from anything guessable; special characters help, but only as part of length and unpredictability. One technique is to use the first letter of each word from your favorite literary quote.
For example, “To be, or not to be: that is the question.” (William Shakespeare’s Hamlet, Act 3) The resulting password can be: 2boN2bT!t??
Whatever method is used to create the password, it is also important to maintain good password hygiene to avoid compromise. This includes not sharing passwords, not reusing them across sites, not writing them down where others can find them, and changing a password promptly whenever there is any sign it has been exposed (current NIST guidance in SP 800-63B no longer calls for forced changes on a fixed schedule, since that tends to push users toward predictable variations). After all, hackers have a significant tool chest to draw upon to crack passwords. The most common tools are rainbow tables, precomputed tables that map hash values back to the passwords that produce them, so that an unsalted hash can be reversed with a lookup instead of a computation; phishing scams that pose as an account-security notice to trick users into clicking a link and entering valid credentials on the attacker’s page; brute force, which simply tries every possible combination of characters until one hashes to the stolen value; and dictionary attacks, which take the shortcut of trying each entry of a wordlist (dictionary headwords, previously leaked passwords, and common variants of both) rather than every combination.
Of course, for those who are interested in improving their password cracking skills, there are free password ‘recovery’ programs available for download, such as John the Ripper (a general-purpose hash cracker), Ophcrack (a rainbow-table cracker aimed at Windows LM and NTLM hashes) and the Aircrack-ng suite (which captures Wi-Fi traffic and recovers WEP and WPA keys from it). But in reality, hackers don’t need to go through the trouble of downloading a program, capturing traffic or a hash dump, and cracking a password when they can simply find the credentials on the dark web, available in plaintext or cleartext.
Plaintext, strictly speaking, is data that is the input to an encryption operation; the output of that operation is called ciphertext. Cleartext, in contrast, is data that is simply transmitted or stored without any encryption at all (i.e. in the clear). Whichever term applies, the point for an attacker is the same: the information can be read and used without any decryption key. Note that stored passwords should not be encrypted at all; they should be hashed with a salted, slow password hash, so that even the site operator cannot recover them.
Surprisingly, some of the most popular social platforms still struggle to properly safeguard user passwords, a boon to hackers, who can turn these mistakes to their malicious advantage. In May, Twitter encouraged more than 330 million users to change their passwords immediately because of a bug in its password-hashing process: passwords were written to an internal log before the hashing step ran, bypassing the company’s usual masking, so they sat in that log in plaintext. And most recently, Instagram’s Download Your Data tool exposed user passwords in cleartext as part of the page URL, and those URLs were then stored on Facebook’s servers.
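To make the cracking techniques above concrete, and to show what the quote-derived password technique from the previous paragraphs buys you against them, here is an added Python example (not code from the post or from WhiteHat). It applies the first-letter-of-each-word technique with its own small substitution rule (the post’s hand-made “2boN2bT!t??” uses looser, human choices), runs a precomputed-table lookup, a dictionary attack and a digit-only brute force against unsalted MD5 hashes, and then shows what changes when the store uses a salted, slow hash (PBKDF2-HMAC-SHA256 here; bcrypt or Argon2 would be the usual production choice). The wordlist, the substitution rules and the iteration counts are constructed for the example.

```python
import hashlib
import hmac
import itertools
import os
import string

# Constructed stand-in for a cracking wordlist (dictionary headwords plus
# entries from a leaked-password list). Real lists run to millions of rows.
WORDLIST = ["123456", "password", "qwerty", "letmein", "hamlet", "iloveyou"]

# Our own substitution rules for the first-letter technique (an assumption
# for this example; the post's "2boN2bT!t??" was chosen by hand).
SUBSTITUTIONS = {"to": "2", "not": "N", "is": "!", "question": "?"}


def acronym_password(quote: str) -> str:
    """Keep the first letter of each word (or a substitution for it) plus the
    punctuation that follows the word, so the quote's own punctuation
    supplies the special characters."""
    out = []
    for token in quote.split():
        word = token.rstrip(string.punctuation)
        punct = token[len(word):]
        out.append(SUBSTITUTIONS.get(word.lower(), word[:1]) + punct)
    return "".join(out)


def md5_unsalted(password: str) -> str:
    """What a badly designed store keeps: a fast, unsalted hash."""
    return hashlib.md5(password.encode()).hexdigest()


def precomputed_table(words):
    """Built once, reusable against every unsalted MD5 store ever leaked:
    the basic idea behind a rainbow table (real ones compress the chains)."""
    return {md5_unsalted(w): w for w in words}


def dictionary_attack(target_hash: str, words):
    """Try each wordlist entry against one stolen hash."""
    for w in words:
        if md5_unsalted(w) == target_hash:
            return w
    return None


def brute_force(target_hash: str, alphabet: str, max_len: int):
    """Try every string over `alphabet` up to `max_len` characters long."""
    for n in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=n):
            guess = "".join(combo)
            if md5_unsalted(guess) == target_hash:
                return guess
    return None


def hash_password(password: str, salt=None, iterations: int = 100_000):
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256). Returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes, iterations: int = 100_000) -> bool:
    _, candidate = hash_password(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def salted_dictionary_attack(salt: bytes, digest: bytes, words, iterations: int = 100_000):
    """No precomputed table applies: every guess is recomputed for this salt,
    at `iterations` rounds per guess instead of one MD5. A weak password
    still falls; salting and slowness buy time, not immunity."""
    for w in words:
        if verify_password(w, salt, digest, iterations):
            return w
    return None


if __name__ == "__main__":
    table = precomputed_table(WORDLIST)
    print("table lookup:", table[md5_unsalted("password")])
    print("brute force:", brute_force(md5_unsalted("123456"), string.digits, 6))
    strong = acronym_password("To be, or not to be: that is the question.")
    print("quote-derived:", strong, "->", dictionary_attack(md5_unsalted(strong), WORDLIST))
    salt, digest = hash_password("password")
    print("salted dictionary attack:", salted_dictionary_attack(salt, digest, WORDLIST))
```

The two halves make the post’s point from the defender’s side as well as the attacker’s: a strong, unique password is what defeats the wordlist, while salting and a slow hash are what stop one leaked table from cracking every user at once. Neither replaces the other.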
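The two incidents above share one pattern: the password reaches a place it was never meant to be (a log line, a URL) before, or instead of, being hashed. As an added example, not code from the post or from either company, here is a Python sketch of a login handler that logs the raw request before hashing, the same handler with the request redacted first, and a small scanner that flags cleartext passwords in existing log lines in both the form-dictionary and query-string shapes. The log lines, field names and the PBKDF2 storage routine are constructed for the example.

```python
import hashlib
import os
import re

# Request fields whose values must never reach a log line (assumed set).
SENSITIVE_KEYS = {"password", "passwd", "pwd", "new_password", "token"}

# Constructed log lines: one from a handler that logged the raw form, one
# access-log entry where the password travelled in the URL query string,
# and one from a handler that redacted before logging.
SAMPLE_LOG = [
    "2018-05-03 10:01:22 INFO login attempt form={'username': 'alice', 'password': 'hunter2'}",
    "2018-11-15 09:14:07 INFO GET /download_data?user=bob&password=S3cret! 200",
    "2018-11-15 09:15:00 INFO login attempt form={'username': 'carol', 'password': '[REDACTED]'}",
]


def store_password(password: str):
    """Salted PBKDF2-HMAC-SHA256: what gets persisted instead of the password."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def redact(form: dict) -> dict:
    """Replace sensitive values before the request is written anywhere."""
    return {k: ("[REDACTED]" if k.lower() in SENSITIVE_KEYS else v) for k, v in form.items()}


def handle_login_leaky(form: dict, log: list):
    """The bug pattern: a debug line that records the whole request fires
    before the password is hashed, so the log now holds the cleartext."""
    log.append(f"login attempt form={form}")
    return store_password(form["password"])


def handle_login_safe(form: dict, log: list):
    """Same handler, with the request redacted before it is logged."""
    log.append(f"login attempt form={redact(form)}")
    return store_password(form["password"])


# Matches password-like keys in either form-dict or query-string syntax and
# captures the value, unless the value is already the redaction marker.
PASSWORD_IN_LOG = re.compile(
    r"""(?i)(?:password|passwd|pwd)['"]?\s*[=:]\s*['"]?(?!\[REDACTED\])([^\s,'"}&]+)"""
)


def find_leaks(lines):
    """Scan log lines for unredacted password values; returns (line index, value)."""
    hits = []
    for i, line in enumerate(lines):
        m = PASSWORD_IN_LOG.search(line)
        if m:
            hits.append((i, m.group(1)))
    return hits


if __name__ == "__main__":
    for idx, value in find_leaks(SAMPLE_LOG):
        print(f"line {idx}: cleartext password {value!r} in log")
```

The scanner is the kind of check worth running over existing logs before a user reports the problem, and the redaction step is the cheapest fix: hash at the earliest point possible, and never hand the raw request object to a logger.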
As Theodore Roosevelt once said, “Let us remember that, as much has been given us, much will be expected from us, and that true homage comes from the heart as well as from the lips, and shows itself in deeds.” The same holds true for the safe storage and encryption of passwords!
So this Thanksgiving, let’s be thankful for our knowledge of security and password best practices and squash hackers’ infiltration attempts where we can.