For this reason, we now interrupt our usual "broadcast" to point out that you should probably also audit yourself from time to time. For one, the Hasso Plattner Institute (HPI) recently announced the top 10 most used German passwords at the end of last year, while, at the same time, the story currently in the news about the publication of the personal data of members of the Bundestag and celebrities (source in German) on Twitter has spurred discussion of the need for greater security. So what steps can I actually take to "audit" my accounts and ensure my data is more secure?
Let's take a look at the top 10 most used passwords in Germany in 2018 according to HPI (source in German, English translations of passwords provided in brackets):
- ficken (fuck)
- hallo123 (hello123)
- hallo (hello)
- passwort (password)
The ranking reveals that the Germans are not particularly creative when it comes to choosing their passwords. As in the previous year 2017, the extremely weak number sequence "123456" took first place. In total, 5 weak digit sequences are represented in the top 10.
Do you feel like you’ve been caught red-handed?
Then I don't need to continue to write anything more at this point.
But why are these passwords so insecure? Apart from the fact that they are well-known and are the first thing to be put to the test by hackers, there is a very simple mathematical problem with passwords:
They are too easy to crack by trial and error.
Simply trying out passwords is called a brute force attack. In this article I have already explained how SAP passwords can be cracked with the help of a program called "Hashcat". In the article I also mentioned that my computer was able to "try out" 30 - 50 million passwords per second.
So let's take a look at the number of possible passwords that consist purely of numbers.
There are 10 digits:
1, 2, 3, 4, 5, 6, 7, 8, 9, 0
For each digit in a six-digit password, e.g. "123456", each digit must be tried out once. This results in a sum total as follows:
10*10*10*10*10*10*10 = 106 possibilities = 1 million
Did I mention my computer can handle 30 million a second?
If we add all the lower case letters (excluding ä, ö, ü, ß in German) together, we get 36 possibilities per digit in the password. With a six-character password, this means that the password is also six characters long:
36*36*36*36*36*36*36 = 366 possibilities = Approx. 2 billion
My computer would need about 72 seconds to cover that many tries.
I think that should probably be sufficient to make the principle pretty clear.
As the complexity and length of the password increases, so does the time spent trying out passwords.
But what concrete recommendations are there for us to follow, you may be asking yourself now?
The HPI also provides clear tips on password selection:
- Long passwords (> 15 characters)
- Use all character classes (upper case, lower case, numbers, special characters)
- No words from the dictionary
- No re-use of the same or similar passwords for different services
- Use of password managers
- Change of password in the event of security incidents and for passwords that do not comply with the above rules
- Activate two-factor authentication
The first four points should be clear. For the fifth point, I can recommend either the Norton Password Manager or KeePass. Both store passwords securely and include a password generator so you no longer have to worry about what password to use where.
When secure passwords don't help either
In point 6 of the tips, however, even the most secure passwords do not always help, because, in this case, it depends on how the service provider stores the passwords internally. But, as a rule, this is not something we usually know anything about. For this reason, the password for the corresponding service should always be changed after a security incident becomes known. Of course, not everyone reads about the latest security incidents on a daily basis, so it makes sense to do a regular check with the website “haveibeenpwned.com” created by Troy Hunt, a Microsoft Regional Director. The online check verifies, for example, whether your Yahoo e-mail account was affected by the major hack in 2014 (500 million data records) or your Dropbox Account (68 million data records) by that in 2012. You can also set up a notification to be alerted if your email / account is compromised in a future data breach.
Point 7: What is two-factor authentication?
Not every service offers it, although it makes a lot of sense to do so: two-factor authentication. According to the German Green politicians Konstantin von Notz and Malte Spitz, however, the use should be made standard and Federal Justice Minister Katarina Barley has also called for testing to establish stricter security requirements for platform operators (source in German). This consists of using another method in addition to just a password for authentication. This is usually a six-digit numeric code, which can be obtained either, upon providing a verified mobile phone number, by SMS or voice call, or by using services such as Google Authenticator. Then, it is only possible to login in to a service if:
- you enter the password correctly AND
- the correct six-digit code has been entered
Each code can only be used once and usually loses its validity after a certain period of time (often 30 seconds). Unfortunately, this method is not free from its problems either, as discussed here.
In conclusion, it has to be said that quite clearly there is never any absolute protection on the Internet, but regular self-auditing is already half the battle.
Have you ever audited yourself? Tell us in the comments below!