Your password: separating the weak from the strong
(Last updated on July 29, 2019)
You are probably familiar with the basics of password security: complexity is a necessity, and length equals strength. If you have a social media or email account, chances are your password meets its minimum length and/or complexity requirements. But with data breaches and security flaws a regular occurrence in our digital lives, doing the bare minimum isn’t good enough. So, like any security-minded individual, you’ve spiced up your password. Perhaps you have:
- Added a string of numbers to the end of your password?
- Created a super-long password from a famous quote in your favourite movie?
- Substituted characters in your favourite password – Pa$$w0rd? Surely no one has thought of that one before.
Many passwords appear strong, but conform to predictable patterns. They may meet, and even exceed, the length and character type requirements of a strong password, yet their predictable patterns have landed them in password dictionaries, making them easy targets for hackers.
A dictionary attack is a method of breaking into a system by trying every entry from a list of likely passwords, rather than every possible combination of characters. Because a computer tries each entry automatically, the attack runs quickly, and when the attacker holds a stolen database of password hashes the guessing happens offline, where no account lockout or rate limit slows it down. The dictionary is not limited to common names and words: attackers use lists of foreign words and phonetic patterns, apply mangling rules (capitalisation, character substitutions, appended digits and years) to every entry, and, above all, use the passwords leaked in data breaches such as those at LinkedIn, Gawker, and Adobe. This means that even a password that looks complex, such as WYH@19950329$wyh, is not secure if it appears on a password list, which in this case it does.
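To make the mechanism concrete, here is an added example (not code from the original article) of an offline dictionary attack in Python. It takes a small constructed base wordlist, applies the kind of mangling rules described above (case changes, leet substitutions, appended digits and years), hashes each candidate and looks it up in a constructed "dump" of unsalted SHA-1 hashes. The base words, substitution table, suffix list and the dump's plaintexts are all assumptions made for the example; the dump is built inline from known plaintexts and is not a real leaked database.

```python
import hashlib
import itertools

# Constructed base wordlist. A real attack would use a dictionary of common words,
# names and leaked passwords with millions of entries; five words suffice to show
# the mechanism.
BASE_WORDS = ["password", "summer", "dragon", "letmein", "welcome"]

# Character substitutions applied as mangling rules (each letter: keep it, or swap
# it for one of its alternatives), plus suffixes that users habitually append.
SUBS = {"a": "@4", "s": "$5", "o": "0", "e": "3", "i": "1!"}
SUFFIXES = ([""] + [str(n) for n in range(100)]
            + [str(y) for y in range(1980, 2020)]
            + ["!", "123", "1234", "!1", "1!", "2019!"])


def mangle(word):
    """Yield every candidate derived from one base word by the rules above."""
    letters = [c for c in SUBS if c in word.lower()]
    choices = [[(c, c)] + [(c, alt) for alt in SUBS[c]] for c in letters]
    for base in (word.lower(), word.capitalize(), word.upper()):
        for combo in itertools.product(*choices):
            table = str.maketrans({c: alt for c, alt in combo if c != alt})
            stem = base.translate(table)
            for suffix in SUFFIXES:
                yield stem + suffix


def sha1_hex(text):
    return hashlib.sha1(text.encode()).hexdigest()


# Constructed "dump" of unsalted SHA-1 hashes standing in for a leaked database
# (LinkedIn's 2012 dump was unsalted SHA-1). Hashed here from chosen plaintexts so
# the example is self-contained; these are not real leaked hashes.
DUMP = [sha1_hex(p) for p in
        ("password1234", "Pa$$w0rd", "Summer2019!", "Dr4g0n!", "tK7#vbL2qz!pRm9")]


def crack(target_hashes, wordlist):
    """Offline dictionary attack: hash every mangled candidate and look it up.

    Returns {hash: recovered_password} for every hash that matched.
    """
    remaining = set(target_hashes)
    found = {}
    for word in wordlist:
        for candidate in mangle(word):
            digest = sha1_hex(candidate)
            if digest in remaining:
                found[digest] = candidate
                remaining.discard(digest)
                if not remaining:
                    return found
    return found


if __name__ == "__main__":
    recovered = crack(DUMP, BASE_WORDS)
    for digest in DUMP:
        print(digest[:12], "->", recovered.get(digest, "<not in dictionary>"))
```

Four of the five hashes fall to a few thousand guesses per base word; only the password that cannot be derived from a dictionary entry by any rule survives. Note that the lookup costs one hash per candidate because the dump is unsalted: with per-user salts each candidate would have to be hashed once per account, and with a slow hash such as bcrypt each of those hashes would cost far more.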
With the right tools, your IT department can reject passwords found on such lists. Specops Password Policy allows administrators to create their own list, import an online dictionary list, or use a Specops-provided list including Gawker (over 180,000 passwords), LinkedIn (6.5 million password hashes), and Adobe (top 100 passwords). In response to recent data breaches, Microsoft is also clamping down on common passwords, banning their use within Microsoft Accounts and Azure AD services.
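As an added illustration of what such a policy check does (this is example code, not Specops' or Microsoft's implementation, and the normalization rules are an assumption made for the example), the Python below rejects a proposed password if it appears verbatim in a constructed breach list, stored as SHA-1 hashes, or if, after lowercasing, reversing common character substitutions and stripping leading or trailing digits and symbols, it contains a word from a constructed banned list. The banned words and the breach-list entries (one of them the article's own WYH@19950329$wyh example) are constructed for the demonstration.

```python
import hashlib
import re

# Constructed banned-word list. In practice this is loaded from a breach list or a
# vendor-supplied dictionary; the entries here are illustrative.
BANNED_WORDS = {"password", "summer", "welcome", "letmein", "dragon", "contoso"}

# Constructed exact-match list, stored as SHA-1 hashes so the plaintexts need not be
# kept on the policy server. Built from the article's own example and one common
# password; not a real breach list.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("WYH@19950329$wyh", "password1234")
}

# Illustrative reversal of common character substitutions (an assumed table, not
# the mapping any particular product uses).
UNLEET = str.maketrans({"@": "a", "4": "a", "$": "s", "5": "s",
                        "0": "o", "3": "e", "1": "i", "!": "i"})


def normalized_forms(password):
    """Lowercase and undo substitutions; also try with leading/trailing digits and
    symbols removed so 'Summer2019!' and 'Pa$$w0rd1' reduce to their stems."""
    lowered = password.lower()
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    return {lowered.translate(UNLEET), stripped.translate(UNLEET)}


def banned_matches(password):
    """Banned words found as substrings of any normalized form."""
    forms = normalized_forms(password)
    return sorted(w for w in BANNED_WORDS if any(w in f for f in forms))


def check_password(password, min_len=12):
    """Return (accepted, reasons). An empty reasons list means the password passed."""
    reasons = []
    if len(password) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1:
        reasons.append("appears verbatim in a breach list")
    hits = banned_matches(password)
    if hits:
        reasons.append("based on banned word(s): " + ", ".join(hits))
    return (not reasons, reasons)


if __name__ == "__main__":
    for pw in ("Pa$$w0rd", "Summer2019!!", "WYH@19950329$wyh",
               "orbit-Walnut-Kettle-93"):
        ok, why = check_password(pw)
        print(f"{pw:24} {'accepted' if ok else 'rejected: ' + '; '.join(why)}")
```

The substring match after normalization is what catches the "spiced up" variants from the opening of the article: Pa$$w0rd normalizes to password, and Summer2019!! to summer, so neither passes even though both satisfy a naive complexity rule. The exact-match set handles passwords such as WYH@19950329$wyh that contain no dictionary word but are nonetheless on a leaked list.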