Human nature being what it is, people reuse passwords, at least for non-work accounts that don't force a change every quarter. How much can an old password, or a passphrase you've been using since 2012, affect your security today?
Surprisingly, a lot.
A compromised site's hashed passwords, and their plaintext equivalents once cracked, can be matched to your username. Attackers have compiled lists of these username/password pairs into dictionaries. Many websites use your email address as the username, and email addresses rarely change, so the attacker now has your email address and your old password.
Hash algorithms have become more secure over the years, and your bank's website today probably hashes your password with a different algorithm than MySpace in 2016 or Dropbox in 2012. That doesn't matter: the attacker already has a dictionary of usernames and the passwords that went with them, and doesn't need to break anything to try a few and see whether the site accepts them.
Add a small script and they can try each pair in a few milliseconds against the sites they suspect you use. Or, the other way round, they try every password combination in the dictionary against every website and see where they get lucky.
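From the defender's side, the single-site footprint of that dictionary attack is one source trying many different usernames, most of them failing, in a short window. The detection below is an added example, not from the original post; the log format and log lines are constructed.

```python
"""Flag sources whose login attempts look like a leaked user/password
dictionary being replayed. Added example; the log lines are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<timestamp> <source ip> <username> <result>"
SAMPLE_LOG = """\
2020-05-07T10:00:01Z 203.0.113.7 jenny@example.com FAIL
2020-05-07T10:00:02Z 203.0.113.7 bob@example.com FAIL
2020-05-07T10:00:03Z 203.0.113.7 alice@example.com OK
2020-05-07T10:00:04Z 203.0.113.7 carol@example.com FAIL
2020-05-07T10:00:05Z 203.0.113.7 dave@example.com FAIL
2020-05-07T10:00:06Z 203.0.113.7 erin@example.com FAIL
2020-05-07T10:01:00Z 198.51.100.4 jenny@example.com FAIL
2020-05-07T10:01:20Z 198.51.100.4 jenny@example.com FAIL
2020-05-07T10:01:45Z 198.51.100.4 jenny@example.com OK
2020-05-07T10:02:00Z 192.0.2.9 frank@example.com OK
"""

def parse_log(text):
    """Yield (timestamp, ip, user, result) tuples from the constructed format."""
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, user, result

def find_stuffing_sources(log_text, window=timedelta(minutes=5),
                          min_users=5, max_success_ratio=0.2):
    """Return {ip: stats} for sources that hit at least `min_users` distinct
    usernames within `window` with a low success ratio. One user mistyping
    their own password never trips this: it is a single username."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in parse_log(log_text):
        by_ip[ip].append((ts, user, result))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits in `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            users = {u for _, u, _ in win}
            ok = sum(1 for _, _, r in win if r == "OK")
            if len(users) >= min_users and ok / len(win) <= max_success_ratio:
                best = flagged.get(ip)
                if best is None or len(users) > best["distinct_users"]:
                    flagged[ip] = {"distinct_users": len(users),
                                   "attempts": len(win), "successes": ok}
    return flagged
```

The one hit in the attacker's run is exactly the reused-password case the post warns about: the account whose owner kept an old password.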
So how do you deal with this?
One option is to never reuse a password. Some systems refuse to let you reuse a password you've used there before, but that check only covers the old passwords on that one site.
If you used an AOL password in 2008 that you thought was so easy to remember, and have since forgotten it, it may still be in an attacker's dictionary. After a long life online, do you still remember every password you've used on every site and system?
NIST used to recommend complex passwords, defined as a mix of upper- and lower-case letters, numbers and special characters. Recently, however, they dropped that recommendation (https://pages.nist.gov/800-63-3/sp800-63b.html): a short, complex password is relatively easy for a cracking program to find.
Longer passwords, on the other hand, increase the time needed to crack them exponentially; the processing power required won't be available for years or centuries, even to more advanced algorithms. A long passphrase doesn't have to be hard to type: just string together a set of words (plus a number and a symbol if the site insists on them).
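What a verifier built along the lines of the linked NIST document (SP 800-63B, section 5.1.1.2) actually checks: a minimum length, no composition rules, long passphrases allowed, and rejection of anything that appears in a list of breached passwords. This is an added example, not code from the post or from NIST; the breach corpus is a constructed sample, and storing it as SHA-1 digests is an assumption borrowed from breach-check services.

```python
"""Memorized-secret acceptance check in the style of NIST SP 800-63B
section 5.1.1.2. Added example; the breach corpus is a constructed sample."""
import hashlib
import unicodedata

MIN_LENGTH = 8  # 800-63B minimum for user-chosen secrets

def _sha1_hex(secret):
    return hashlib.sha1(secret.encode("utf-8")).hexdigest().upper()

# Constructed stand-in for a leaked-password list. Keeping it as SHA-1
# digests (a breach-check-service convention; an assumption here) means the
# plaintexts never live in the application's own configuration.
BREACH_CORPUS = {_sha1_hex(p) for p in (
    "Letmein!2008",               # passes every composition rule, still leaked
    "CorrectHorseBatteryStaple",  # the XKCD example
    "Summer2020!",                # season + year, a classic
    "password1",
)}

def normalize(secret):
    """800-63B asks verifiers to apply NFKC or NFKD before comparing."""
    return unicodedata.normalize("NFKC", secret)

def check_secret(candidate, corpus=BREACH_CORPUS):
    """Return (accepted, reason). Deliberately no upper/lower/digit rules."""
    secret = normalize(candidate)
    if len(secret) < MIN_LENGTH:  # length counts Unicode code points
        return False, "shorter than %d characters" % MIN_LENGTH
    if _sha1_hex(secret) in corpus:
        return False, "found in breach corpus"
    return True, "accepted"

if __name__ == "__main__":
    for pw in ("Letmein!2008", "purple tractor reads evening mail", "Tr0ub4"):
        print(repr(pw), check_secret(pw))
```

The lowercase five-word passphrase with spaces is accepted while the "complex" leaked one is refused, which is the post's point in code.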
Using the hash algorithm
Another defence against password crackers is the hash algorithm. A hash is one-way (it cannot be reversed), and a second property is that changing a single character changes the result completely and unpredictably. The hash of CorrectHorseBatteryStaple (https://xkcd.com/936/) is very different from the hash of CorrectHorseBatteryStable.
This means that for the personal websites where your passphrase doesn't change often, you can use a long passphrase that probably isn't in an attacker's dictionary and prefix it with the site's name: SocialMediaJenny8675309 vs WellsFargoJenny8675309. Once hashed, the two look completely unique and unrelated, yet your memory still lets you reuse your WellsFargo passphrase for Facebook.
Pay attention: Do not use the examples above, the first lines of your favourite songs or anything from Shakespeare as passphrases. All of these common examples are already in attacker dictionaries and can be considered cracked. The XKCD cartoon mentioned above did, however, inspire this random word generator, which you may find useful: http://correcthorsebatterystaple.net/.
Also pay attention to the prefix you use for your accounts. People are not good at being random, and computers are good at pattern recognition. If your passphrase for one website shows up in plaintext in a future breach, you don't want to have handed the attacker enough information to guess what your passphrase on another website looks like.
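The two points above, side by side: the avalanche effect that makes CorrectHorseBatteryStaple/Stable and the two site-prefixed passphrases hash to unrelated values, and the caveat that a plaintext leak still exposes the shared part of a prefix scheme because that is a string comparison, not a hash comparison. Added example, not from the original post.

```python
"""Avalanche in the hash versus the pattern visible in the plaintext.
Added example, not from the post."""
import hashlib

def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def bits_changed(hex_a, hex_b):
    """Hamming distance between two equal-length hex digests."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")

def compare_hashes(p1, p2):
    """Digest both passphrases and report how many of the 256 bits differ.
    For any two distinct inputs this hovers around 128, however similar the
    plaintexts are, so an attacker holding only digests learns nothing about
    the relationship between them."""
    h1, h2 = sha256_hex(p1), sha256_hex(p2)
    return {"digest1": h1, "digest2": h2,
            "bits_changed": bits_changed(h1, h2), "bits_total": len(h1) * 4}

def common_suffix(p1, p2):
    """What an attacker holding both PLAINTEXTS sees at a glance: the part
    of the prefix scheme that would carry over to a third site."""
    n = 0
    while n < min(len(p1), len(p2)) and p1[-1 - n] == p2[-1 - n]:
        n += 1
    return p1[len(p1) - n:]

if __name__ == "__main__":
    pairs = [("CorrectHorseBatteryStaple", "CorrectHorseBatteryStable"),
             ("SocialMediaJenny8675309", "WellsFargoJenny8675309")]
    for a, b in pairs:
        r = compare_hashes(a, b)
        print(f"{a} vs {b}: {r['bits_changed']}/{r['bits_total']} bits differ;"
              f" shared plaintext suffix: {common_suffix(a, b)!r}")
```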
A further improvement: using a password store
Once you have a unique passphrase for each website, whether you keep it in your head as in the examples above or a computer has generated random letters, numbers and symbols, consider keeping all your passphrases in one store rather than relying on memory alone.
Depending on where you land between security and convenience, you'll need to find the storage that suits your situation: a password manager that lets you share passwords at work, a personal vault that's local to your computer (but with a backup!), or a family plan that synchronizes all your devices and has separate accounts for different users. All of them are available in encrypted form, and many are free or have a low subscription price.
Admit it, we all have too many sites to remember every password, and a store lets you remember one passphrase and access all your sites from there. Just remember to update it whenever you change a passphrase or create a new login. I also recommend keeping the master passphrase in a sealed envelope in a safe or another secure physical location.
Happy World Password Day!
Further reading:
A password war: Compliance with NIST requirements