username and password

There is no longer any validity to the belief that you can “set-and-forget” anything, especially usernames and passwords.  When the New York Times broke the story of a Russian crime syndicate that collected 1.2 billion username and password combinations by hacking websites worldwide, it put us on alert that each time we execute a transaction, we are potentially revealing our credentials.

The breach also underscores the need for stronger personal password management and confirms that we should be cautious about trusting a web browser or any other web-based password manager to store our passwords.

In July of this year, a UC Berkeley web-based password manager study found critical vulnerabilities in the popular password managers LastPass, RoboForm, My1Login, PasswordBox and NeedMyPassword.  The study begins with: “It is a truth universally acknowledged that password-based authentication on the web is insecure,” and ends with a warning that web-based “password managers have flaws in their implementations that critically undermine their security.”

User authentication relies on at least one of the following, but more than one is better:

Something You Know – Password or PIN

Something You Have – Smart Card or Token

Something You Are – Fingerprint or Retina

The Department of Defense requires 2-factor authentication to access military networks using a physical token and a PIN.  Physical tokens are electronic keys which are inserted into the machine, much like a key for a safe deposit box residing in a safe at the bank.  Don’t forget about websites.  Limiting information on a landing page, and requiring 2-factor authentication to access website sub-links, is a method DoD has used to harden web applications with tremendous success.
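The following is an added illustration of the “something you know plus something you have” check described above; it is not code from the article or from any DoD system. It stands in for the physical token with an RFC 4226 HOTP counter-based code (the sample user, password, and token secret are constructed values, and the PBKDF2 iteration count is an assumed tuning choice). The point it shows is that a stolen password alone does not pass, and that an already-used token code cannot be replayed.

```python
"""Two-factor login check: password (something you know) plus an HOTP token
(something you have).  Added example, not the article's code; the user record,
secret and iteration count below are constructed sample values."""
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 100_000   # assumption: a tuning value chosen for the example


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; the password itself is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
              | mac[offset + 2] << 8 | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


class User:
    """Constructed in-memory account: salted password hash plus token secret/counter."""
    def __init__(self, name: str, password: str, token_secret: bytes):
        self.name = name
        self.salt, self.pw_hash = hash_password(password)
        self.token_secret = token_secret
        self.counter = 0   # server-side expected HOTP counter


def authenticate(user: User, password: str, otp: str, look_ahead: int = 3) -> bool:
    """Both factors must pass.  The password check always runs and uses a
    constant-time comparison; the token code is accepted only inside a small
    look-ahead window, and the counter advances only on full success, so a
    captured code cannot be replayed later."""
    _, candidate = hash_password(password, user.salt)
    password_ok = hmac.compare_digest(candidate, user.pw_hash)

    otp_ok = False
    for step in range(look_ahead):
        expected = hotp(user.token_secret, user.counter + step)
        if hmac.compare_digest(expected.encode(), otp.encode()):
            if password_ok:
                user.counter += step + 1   # consume the code
            otp_ok = True
            break
    return password_ok and otp_ok


if __name__ == "__main__":
    # Constructed demo user; the token secret is the RFC 4226 test-vector key.
    alice = User("alice", "correct horse battery staple", b"12345678901234567890")
    code = hotp(alice.token_secret, alice.counter)
    print("password + token:", authenticate(alice, "correct horse battery staple", code))
    print("stolen password alone:", authenticate(alice, "correct horse battery staple", "000000"))
    print("replayed token code:", authenticate(alice, "correct horse battery staple", code))
```

Running the block prints True, False, False: the second call fails because the token code is wrong, and the third fails because the server counter has already moved past the code that was consumed on the first login.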

If your situation requires username and password combinations for authentication, there are a couple of rules that can help make your password a challenge for even the most effective password cracker tool.

Never use anything in your password that resembles a word you can find in the dictionary.

Don’t use meaningful dates like birthdays, anniversaries, or graduation dates.  Hackers can use social media to collect this type of information.

Don’t use any common names like surnames, company names, and team names.  If your Facebook page is full of comments and photos related to your favorite sports team, and your passphrase is connected to that team, you’ve given hackers a head start.

Don’t use any common phrases found in music, movies or literature.  Again, social media may not be your friend if hackers can link your page to your passphrase.

Follow your company password policy with respect to password length and password changes!

Two methods for constructing strong passphrases that you may want to consider are what I call the “acronym” method and the “mixed up mess method,” lacking an official term for either.

The Acronym Method

Create a phrase that is meaningful to you, and easy to remember

My daughter’s 12 and loves to play soccer for her school

Create an acronym based upon the phrase

mdi12altpsfhs

Substitute upper case letter, numbers, and characters

Md!i2@l2P54hS

The Mixed Up Mess Method

Create a phrase that is meaningful to you, and easy to remember

My daughter’s 12 and loves to play soccer for her school

Substitute uppercase letters, numbers, characters, and misspellings

M1 d0ddr’5 !2 n luv5 5*c3r

Now put it all together

M1d0ddr’5 !2nluv55oc3r

User authentication continues to be a challenge for companies, and we see in the news that adversaries are not being stopped by current defenses.  Multi-factor authentication is even more of a challenge for businesses.

Gartner security analyst Avivah Litan told the New York Times that “Companies that rely on usernames and passwords have to develop a sense of urgency about changing this.  Until they do, criminals will just keep stockpiling peoples’ credentials.”

Knowing a little something about effective authentication, what will you say to your company IT team if they don’t rigorously enforce password policy?  Will you bank online with a financial institution that makes account access easy for the customer?  Do you trust web-based password management applications with the keys to your kingdom?


Mike Walls is Managing Director, Security and Operations and Analysis at EdgeWave. While on active duty, Mike served as Commander Task Force 1030 reporting directly to the Navy’s Fleet Cyber Command, and was responsible for Cyber readiness of over 400,000 people, 300 ships, and 4,000 aircraft.