VPNCity Blog

Best Practices: Passwords

05/04/2022
in How To
5 min read

This is part of the VPNCity Best Practices series, where we explain the “What”, “How” and “Why” of practices that improve your security and privacy in day-to-day life, while helping you understand the technology, dispel the myths and give you the tools to see why your personal privacy and security is in your hands. This part concentrates on passwords, the magic behind them and how to make them secure.

Passwords are one of the easiest ways to breach a person’s digital security. A lot of websites opt for a minimum of 8 characters with at least one uppercase letter, at least one lowercase letter, at least one number and at least one special character. Under this system a password would look something like ‘Pas$w0rd’. This is based on NIST guidelines from 2011.

Unfortunately, a large number of websites do not update their password policies to the newer NIST guidelines. Passwords are often broken through guessing (social engineering), malware (keylogging), brute force, or a pre-existing list of known usernames and passwords (obtained in previous data breaches and published online).

There are 6.63 quadrillion different possible 8 character passwords and at the Passwords^12 convention in 2012, Jeremi Gosney demonstrated a machine that broke all 6.63 quadrillion passwords in 5.5 hours. That equates to 350 billion password guesses per second. Password cracking has significantly improved since 2012.

Password security can always be broken. Always. It simply all depends on how long and how much effort it would take. For example, most people’s router username and password is still admin/password. That would take about 4 seconds to enter with next to no effort.

Password strength is measured as password entropy, which depends on the character set used (uppercase, lowercase, numbers and symbols) as well as the length. Password entropy predicts how hard a password is to crack by guessing, brute force, dictionary attacks or other methods.

If a password uses numbers (0-9), uppercase (A-Z), lowercase (a-z) and special characters (!, £ and so on), there are 95 possible choices for a one character password. If the password is two characters long there are 9,025 possible choices, and for three characters there are 857,375 possible choices (and so on, with the equation expressed as 95^n, where n is the number of characters in the password).

As a species, humans make terrible choices for passwords. Even if a person chooses a ‘random’ password, we have a bias towards certain letters and numbers. This is called letter frequency and can easily be seen in the game Scrabble: there are more E tiles (12) than Q tiles (1), and nobody wants to get the Q or the Z. In addition, humans are notoriously bad at remembering random strings of letters and numbers, so we either write the password down (which is a very bad idea) or we make it easy to remember.

  • “Pas$w0rd” is a bad password as it’s easy to guess.
  • “0ZhY3S6Q” is a password less susceptible to guessing; however, it has the same entropy and is hard to remember.

Both example passwords have the same amount of entropy but it would take less than 6 hours to guess either password with Gosney’s machine. As such, neither password is secure.

Securing your Password

Because you usually can’t change which characters a site accepts, the way to strengthen your password is the number of characters it uses. This is where 95^n comes in: 95 multiplied by itself once for every character in your password. That means the password entropy of an eight (8) character password is worked out as:

  • 95 x 95 x 95 x 95 x 95 x 95 x 95 x 95 (and is written as 95^8)

This equates to 6.63 quadrillion different possible passwords. A more secure password would be at least 20 characters long (95^20) and would equate to 10.24 decillion possible different passwords. For reference:

  • 6,630,000,000,000,000 = 6.63 Quadrillion
  • 10,240,000,000,000,000,000,000,000,000,000,000 = 10.24 Decillion

Using Gosney’s machine on a twenty character password could potentially take up to 9,277,379,140 years to crack a single password. Unfortunately the speed at which passwords can be cracked increases over time, meaning less secure passwords are cracked faster and faster.

As time goes on, new tools are also being created to highlight how secure a password is. Tools such as How Secure Is My Password and ZXCVBN estimate how secure a password is and how long it would take to break.

Password Managers

A 20 character password would have taken over 9 billion years for someone to crack using Gosney’s machine from 2012. However, that’s not the only issue: a chain is only as strong as its weakest link. Hackers were able to access the Equifax database in 2017 because, according to court filings, the username and password to the database were both Admin. Industry practice is to have a different password for every site. However, due to human nature, it is difficult to remember a single twenty character password, let alone a different twenty character password for every single site.

Luckily there is software which nullifies this issue: Password Managers.

A password manager is software which stores all your secure passwords in an encrypted database that can only be accessed with the correct master password (which should still be at least twenty characters, but more is better). Having all the secure passwords stored in a single place secured with a single password may seem like the weak part of the plan; however, this can be further mitigated with the addition of Two-Factor Authentication (2FA). Various methods exist for 2FA, but for security, a hardware method is preferred. This is where a hardware device (such as a Yubikey) is used to authenticate that you are the correct holder of the account and are authorised to access it.

This ensures that all your passwords are secure, encrypted and still easy for you to access. Granted, even this isn’t 100% secure, but it is a method to create random, long passwords which should be unique to each site you sign into.

The password manager still needs to be secured by a master password. My trick for a random master password that’s easy to remember? Get a dictionary and open it to a random page. Close your eyes, stick your finger on the page and the closest word is chosen. Do this 4 or 5 more times. The result can be used as your master password. This method is explained in an excellent XKCD comic.
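To make the 95^n arithmetic and the dictionary-word method concrete, here is an added Python example (not code from the original post). It takes the 350 billion guesses per second figure from the page, computes the search space and entropy exactly for a given length, and does the same for a passphrase; the 100,000-word dictionary size is an assumed value, not one the page gives.

```python
import math

# Guessing rate of Gosney's 2012 cluster as quoted on the page (guesses per second).
GOSNEY_GUESSES_PER_SECOND = 350_000_000_000

# The 95 printable ASCII characters: digits, uppercase, lowercase and symbols.
CHARSET_SIZE = 95


def search_space(length: int, charset_size: int = CHARSET_SIZE) -> int:
    """Number of distinct passwords of exactly `length` characters (charset_size ** length)."""
    if length < 1:
        raise ValueError("length must be at least 1")
    return charset_size ** length


def entropy_bits(length: int, charset_size: int = CHARSET_SIZE) -> float:
    """Password entropy in bits: log2 of the search space."""
    return length * math.log2(charset_size)


def passphrase_entropy_bits(words: int, dictionary_size: int) -> float:
    """Entropy of `words` words each picked uniformly from a `dictionary_size`-word dictionary."""
    return words * math.log2(dictionary_size)


def worst_case_seconds(space: int, guesses_per_second: int = GOSNEY_GUESSES_PER_SECOND) -> float:
    """Time to exhaust the whole search space at the given guessing rate."""
    return space / guesses_per_second


def human_duration(seconds: float) -> str:
    """Format a duration in the largest convenient unit."""
    year = 365 * 24 * 3600
    if seconds < 3600:
        return f"{seconds:.0f} seconds"
    if seconds < year:
        return f"{seconds / 3600:.1f} hours"
    return f"{seconds / year:,.0f} years"


if __name__ == "__main__":
    for n in (8, 12, 20):
        space = search_space(n)
        print(f"{n:2d} chars: {entropy_bits(n):.1f} bits, {space:.3g} passwords, "
              f"exhausted in {human_duration(worst_case_seconds(space))}")
    # Five dictionary words from an assumed 100,000-word dictionary (constructed figure).
    print(f"5 dictionary words: {passphrase_entropy_bits(5, 100_000):.1f} bits")
```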

For transparency, I use Bitwarden as my password manager, as it is open source and can be self-hosted or cloud based. I utilise a Yubikey as my 2FA.

Copyright © 2012 – 2022 VPNCity, All rights reserved.
