How to choose a good password?


As cyberattacks increase, each of us can potentially be confronted with them. Of course, we all have our tricks for the passwords we use on our computers and laptops: hidden under a keyboard, written on a piece of paper or taken from the birthday of the youngest.

But how do you ensure that your password is truly in-cra-qua-ble?

Numerous studies find that a significant proportion of passwords do not sufficiently protect users: passwords are too weak and too often reused. For example, 51% of French people would use the same password for professional and personal use – a statistic that is found in the United States .

From a password, cybercriminals will be able to recover private information by connecting to our online accounts (messaging, social networks, etc.), in particular our bank or e-commerce accounts, but also to penetrate our computer. and encrypt its content for ransom.

The theft of a password can have financial consequences, but also psychological through practices such as “doxxing” (publishing information on the identity or private life of a person with the aim of harming him) or revenge porn. In the professional context, password leaks expose the company to attacks by blackmail, to “denial of service” (cyberattacks consisting in interrupting or mishandling the service provided by a third party), or even to economic espionage.

How does a fraudster recover passwords?

The two main approaches used by cybercriminals to recover passwords are social engineering and stealing credentials databases.

Social engineering consists for the cybercriminal in convincing his victim to reveal his password, typically by resorting to phishing  : the vast majority of attacks do not target a predefined victim and these mass attacks are intended to phish any victims. It is only then that the cybercriminal will concentrate his forces on the phished person.

As for the theft of credential databases, the attack generally involves hacking a website to steal the names and passwords of users in order to log into the victim’s account, to use them on other accounts ( for example, the fraudster will test his victim’s Google IDs on Twitter) or resell them on the dark web . The website “Have I been pwned?” » allows everyone to check if their password has leaked on the Internet; it currently lists nearly 12 billion accounts whose credentials have been leaked.

In the majority of cases, these databases of identifiers do not contain passwords, but fingerprints of passwords: the fingerprint is the result of a so-called “one-way” function which is applied to the password. By analogy, the fingerprint is to the password what the fingerprint is to the human: two different passwords have different fingerprints and given a fingerprint, we cannot identify the human. But given a footprint and a human, you can tell if the footprint is from that human. In the case of passwords, we cannot therefore find the password from its hash, but we can test a password to see if it corresponds to the hash: we then say that the password is “broken”.

Password crackers use different approaches to test the most likely passwords: first the shortest ones, then dictionary words and their variants (e.g. “Meal”, then “Meal”, “Meal”, “undermine”, “meal1”…) and strongly structured passwords (for example starting with a capital letter, then lowercase letters, numbers and finally special characters).

Modern breakers may also use advanced techniques based on artificial intelligence or algorithms .

Finally, all possible passwords are tested if other attempts have failed: this is called an exhaustive search, which generally has little hope of being successful in a reasonable time. In particular, attacks that consist of testing different passwords for a given user directly on a website until they succeed in logging in are impractical: they are very slow because of the web server’s response time and easily detectable.

What is a strong password?

To protect yourself effectively, you must use strong passwords, not use the same password for several uses and change passwords regularly.

For a password to be robust, it must be chosen randomly from a set of passwords having the same chance of being chosen: for example, a word present in the dictionary would be broken in a handful of seconds . Adding a capital letter or numbers at the end provides only illusory security.

In order to measure the robustness of a randomly chosen password (ideal case, rarely achieved without a password manager), we count the number of tests that a hacker will have to do in the worst case to break it. This value is generally calculated by the formula c _ where c is the length of the password and n is the size of all the elements from which to draw to compose the password. For example, in the case of a password of length 8 ( c =8), composed of lowercase letters only ( n =26), the attacker will have to test 26 8 passwords (i.e. 208 billion) in the worst case. Although the figure seems astronomical, a standard computer will take less than a second to crack it using the computing power of its graphics card.

The National Information Systems Security Agency (ANSSI) defines the strength of a password by the size of the space in which it is randomly chosen , and distinguishes four categories.

The robustness of a password according to ANSSI

A random password, constructed from an alphabet made up of letters, numbers and 8 special characters, must therefore contain at least 17 characters (for example, “b!sDzf5w,5+W2s3k”) to be considered as strong according to ANSSI, and it will be considered as very weak if it is less than or equal to 10 characters (“b!sDzf5w,5”). Even very weak, the password will be difficult to memorize… especially since you have to memorize dozens of them!

To facilitate the memorization of passwords, an increasingly recommended technique consists in using “passphrases” , that is to say sequences of words chosen at random. A passphrase of seven words chosen from a dictionary of 60,000 words could thus be “buttress fatally sole signified distance revegetates foraging”, easier to memorize than “b!sDzf5w,5+W2s3k” for equivalent security.

But it is difficult for a human to randomly choose words from a large enough set, because we only use a few hundred words every day. It is therefore advisable to add lowercase, uppercase and special characters in the passphrase.

Should I use a password manager?

A password manager is an application that securely stores all of the user’s passwords so they don’t need to remember them. He only needs to remember a single password, the master password, which must be as strong as possible while remaining memorable. The use of a password manager, for example KeyPass, is recommended by major cybersecurity players such as ANSSI , its German counterpart, BSI or the European agency ENISA , as well as by organizations such as Reporters Without Borders. Some password managers are stored in the cloud, for example Bitwarden (free and open source), 1Password (paid), DashLane (paid), or LastPass (paid, but there is a fairly advanced free version) which is the the most used manager but also the most attacked.

Note that managers built into browsers (which do not require installation) are not recommended for security reasons, as the German BSI points out .

In the case where the manager stores the passwords in the cloud, it is essential that the master passwords are strong, as defined by ANSSI. Otherwise, a provider with access to the cloud could break them and thus access all the passwords they protect. This is a serious threat to be taken into account by companies, in a world where economic espionage is legion. Recommending that companies host their employees’ password managers themselves is certainly not an overstatement.

Finally, the use of two-factor authentication (for example receiving a code by email) is strongly recommended… even if you shouldn’t let your guard down.

Author Bios: Diane Leblanc-Albarel is a PhD student in Cybersecurity and Gildas Oats is a Professor in Cybersecurity both at INSA Rennes