password security


2024-10-27

in this post, i will be discussing some basic password security protocols and relevant context to understand their purposes. in case you don't end up reading this all the way, here are the Cybersecurity & Infrastructure Security Agency's (CISA) guidelines for secure passwords:


on top of that, it's recommended for you to use multi-factor authentication (MFA or 2FA), a password manager (Apple Passwords, 1Password, etc), and, if applicable to the services you use, change all default log-in credentials. i have personally heard people bemoan having to authenticate with another device, not understanding how important MFA can be for your safety as a user of the internet. and you would be surprised how many businesses keep 'admin/admin' for their internal applications...


(quick note: i use password and passcode interchangeably in this post.)


let's bring into mind the classic 4 digit passcode that was the standard on many phones. that's 10000 possible passcodes. it would take a computer milliseconds to run through each of those values. this is an example of a brute force attack. as the name implies, there's nothing complex or nuanced about it, you just write a program that runs through each of the possible values and test each one until the device unlocks.


taking it a step further, what if instead of digits, we used letters? now our possible characters jump up to 52 (lower- and uppercase), taken to the 4th power for 4 digit-spaces. that's roughly 7.3 million possible passcodes! unfortunately for you, the brute force attack still takes less than 60 seconds to completely run through every possibility. even if you include special characters (now 78 million passcodes) or bump it up to an 8-character passcode (6 quadrillion passcodes), an attacker is still just running a simple for loop. it's a bit of an arms race in that sense -- one of the recommendations i'm spreading is a 16+ character minimum. but wouldn't that still be crackable?


yes. however, the idea is to exhibit a well-regarded security principle called "defense in depth". a 16-character password is crackable, but the amount of resources (computing power, time, etc) necessary is pretty intense. if that is in addition to requiring another factor of authentication, such as a biometrics (fingerprint, eye scan) or someone's mobile device, then breaking into your accounts becomes a much harder task. just like in the wild, a lion would much rather go after the weak and sickly looking gazelle, instead of wasting it's energy on harder-to-reach prey. make sure your security posture is not reminiscent of a weak and sickly looking gazelle, and you should be fine. in reality, there are entire lists of the most commonly used passcodes that attackers will load into a program to try on every website they can. if you're using "pass123", or using the same password for multiple accounts, consider yourself ill.


even one-time passcodes (OTPs) sent to your MFA device aren't 100% secure. the appeal of these OTPs is that they are unique and expire after a fixed amount of time, which does make them a fantastic tool to add to our security toolkit. however, there are methods to intercept SMS out there. again though -- it's most likely not worth it for the attacker to jump through this hoop, on top of the other ones you already set up. so adding in OTPs (and enabling MFA in general) to your layers of defense helps you immensely. it's like taking those hoops the attacker has to jump through, and setting them on fire!


admittedly, i was one of those people who slept on password security. i literally kept a list of my passwords in a plain-text file when i was in high school. and frankly, even if each password was "unique", they were still pretty similar... needless to say, i have squared away my practices, and now employ everything i am preaching in this post. i suggest you do to, and i hope you never have to learn first-hand how devastating insecure passwords can be.