Passwords are the weakest and most popular factor of authentication for accessing websites and systems. Nowadays nearly all systems demand specific criteria when setting a password: for example, password complexity (it should include capital letters, small letters, special characters, and numbers), expiry after a specific period such as 60 or 90 days, and a password history that prevents reusing a password already used. These and more criteria make the user's life with passwords difficult.
These rules and restrictions lead users to misuse passwords: for example, by using the same password for all of their accounts, or by writing the password down somewhere so they can come back to it when they need it. In that way they make the attacker's job much easier, and by obtaining one password the attacker gains access to all of your accounts.
How is a password hacked? Different techniques are available. The most effective technique currently used is social engineering, which targets the user directly by sending a phishing email or by shoulder surfing to see the password while they type it. Another technique is brute force, which tries all possible passwords until the correct one matches. For example, if the password for your Wi-Fi router at home is 11223344, it takes only a couple of minutes to break, and then the attacker has the password and can enjoy using your internet access for free!
One of the best solutions to this issue is to use a long password or passphrase. But this raises a problem for the user, because it is hard to remember all of these passwords (password management).
So, how do you make a long password for every system you have access to, without writing it down somewhere and making it vulnerable to hacking? By using the Password Family technique, which I will explain in this article; I hope this concept will solve a big problem facing a wide range of users.
As explained previously, passwords should include capital letters, small letters, numbers, and special characters. So we will work with one password made of two parts: a fixed part, which is a long and complex passphrase, and attached to it a variable part, which differentiates the password of each account you have access to.
In the password family technique the fixed part can be at the beginning of the password, in the middle, or at the end, and the same applies to the variable part.
We will explain the concept through an example.
The first step is to work on a fixed part for your password family. Here we chose this phrase as the fixed part of the password family: HeLL0#AhM3d_@4_. As you can see, it is a long phrase of 15 characters that meets all the complexity requirements. Checking the strength of this password gives 100% strong (refer to the site The Password Meter to check the strength), and it would need 16 billion years to crack (refer to the How strong is my password? site to check it).
You need to memorize the fixed part and never forget it, because it is the basis of your password family. DON'T share it with anybody or write it anywhere; it should exist in your mind only. If it is compromised you have to reinitiate your password family and change all the passwords built from it.
The second step is to decide where to use the fixed part: at the beginning of the password, in the middle, or at the end. In this example, we chose the beginning.
Now suppose you create an account in Gmail and need to enter a password. Use the fixed part of your password and add to it the variable part, which you decide at the time of creating the account; try to choose a phrase related to that account. In this example it is Gmail, so the variable part can be gMail (note that I chose the second character to be a capital letter just to add more strength to the password; it can be all small letters). Consequently, your Gmail account password will be:
gMailHeLL0#AhM3d_@4_
The final password needs 43 QUINTILLION YEARS to crack, which is what we need.
In this way you can create all your passwords, and you only need to memorize the fixed part of your password.
We will create another password to clarify the concept further. You want to create an account on Netflix and need a new password. Your fixed part is ready and already memorized, so we only need to work on the variable part, which in this case can be: neTflix.
Your password for the Netflix account is:
neTflixHeLL0#AhM3d_@4_
This password needs 252 SEXTILLION YEARS to crack.
To overcome the problem of password expiry, add an extension to the password, such as _1.
And so on: you can build your password family and create strong passwords without the need to write them down and expose them to hackers.
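The whole procedure above (fixed part, position, account-specific variable part, expiry extension) as one worked example in Python. This is an added example, not the author's code or tool; the position names "start", "middle" and "end", the rule used for the "middle" case (the fixed part is inserted at the midpoint of the variable part), and the choice to append the expiry extension at the very end are my own assumptions, since the article does not define them. The article's two examples place the variable part in front of the fixed part, which is position "end" below.

```python
"""Password-family builder and complexity check (added example, not the
article author's code). It composes a per-account password from the fixed
passphrase and a variable, account-specific part as the article describes.
Position names and the "middle" rule are assumptions, not from the article."""

import string
from dataclasses import dataclass

# The article's complexity rule: capitals, small letters, numbers, specials.
SPECIALS = set(string.punctuation)


@dataclass(frozen=True)
class ComplexityReport:
    length: int
    has_upper: bool
    has_lower: bool
    has_digit: bool
    has_special: bool

    @property
    def ok(self) -> bool:
        """True when every required character class is present."""
        return all((self.has_upper, self.has_lower, self.has_digit, self.has_special))


def check_complexity(password: str) -> ComplexityReport:
    """Report which of the required character classes a password contains."""
    return ComplexityReport(
        length=len(password),
        has_upper=any(c.isupper() for c in password),
        has_lower=any(c.islower() for c in password),
        has_digit=any(c.isdigit() for c in password),
        has_special=any(c in SPECIALS for c in password),
    )


def build_password(fixed: str, variable: str, position: str = "end",
                   extension: str = "") -> str:
    """Compose one member of the password family.

    position says where the fixed passphrase sits relative to the variable
    part (assumed naming): "start" -> fixed + variable, "end" -> variable +
    fixed, "middle" -> variable split in half around the fixed part.
    extension is the optional suffix added when the password expires, e.g. "_1".
    """
    if not fixed or not variable:
        raise ValueError("both the fixed and the variable part are required")
    if position == "start":
        core = fixed + variable
    elif position == "end":
        core = variable + fixed
    elif position == "middle":
        half = len(variable) // 2
        core = variable[:half] + fixed + variable[half:]
    else:
        raise ValueError(f"unknown position: {position!r}")
    return core + extension


def build_family(fixed: str, accounts: dict, position: str = "end") -> dict:
    """Build passwords for several accounts from one fixed part, refusing any
    result that no longer satisfies the complexity rule."""
    family = {}
    for account, variable in accounts.items():
        pw = build_password(fixed, variable, position)
        if not check_complexity(pw).ok:
            raise ValueError(f"password for {account} misses a character class")
        family[account] = pw
    return family


if __name__ == "__main__":
    FIXED = "HeLL0#AhM3d_@4_"  # the article's fixed part (15 characters)
    fam = build_family(FIXED, {"Gmail": "gMail", "Netflix": "neTflix"})
    for account, pw in fam.items():
        print(f"{account:8} {pw}  ({check_complexity(pw).length} chars)")
    # After expiry, append the rotation extension instead of inventing a new password.
    print("Gmail v2", build_password(FIXED, "gMail", extension="_1"))
```

Because every member of the family shares the fixed part, treat the leak of any one member the way the article's second step treats a compromise of the fixed part: reinitiate the family and change all the passwords built from it.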
By Abdulla Abusaif, CISSP, PMP, CEH