
Password Security and Management

Dylan Pantell
Hiral Merchant

Introduction
Password security is a serious problem for major companies as well as regular users.
Without proper password security, anybody can obtain access to the private information of a
company or another user. To understand the difference between a secure or insecure password we
must first understand exactly what a password is.
A password is simply a series of characters that a user needs in order to gain access to
their account or files. The purpose of a password is to act as a layer of security between the
public and important information. A password by itself is not very secure, especially if it is not
maintained or handled properly. What makes a password secure is how it is created, stored, and
entered into a system. The purpose of this document is to inform users about common ways that
passwords can be stolen and teach users methods that can be used to prevent stolen passwords.

1. How are passwords stolen?


Guessing
The simplest way a password can be stolen is through guessing. If an attacker is
trying to gain access to someone's account, guessing their password is an easy way to go
about it. This is not a very common cause of stolen passwords, but it is definitely possible
if the attacker is given enough information about the user. Publicly available information
such as a birthday, name, favorite band, or anything else the attacker can find will
potentially point them in the right direction toward guessing the correct password for the
account.
Brute Force Attack
A brute force attack is a computer program that automatically guesses and
attempts different passwords for an account in rapid succession. A brute force attack is
initiated by the attacker and the program will continue running for an indefinite amount
of time. A brute force attack works by trying every combination of letters and symbols
until it matches the correct password for the account. The time that the program takes to
find the correct password depends on how strong the password is. Insecure or very
simple passwords can be found quickly through this method.
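The brute force attack described above leaves a distinctive trace on the server side: many failed logins against one account in a short time, sometimes followed by a success. The following is an added example, not code from the paper, showing the detection logic a defender would run over authentication log lines. The log lines and their format, the five-minute window and the five-failure threshold are all constructed assumptions for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the paper). Assumed line format:
# "<ISO-8601 timestamp> <OK|FAIL> user=<account> src=<client address>"
SAMPLE_LOG = """\
2024-01-05T10:00:00 FAIL user=alice src=203.0.113.7
2024-01-05T10:00:01 FAIL user=alice src=203.0.113.7
2024-01-05T10:00:02 FAIL user=alice src=203.0.113.7
2024-01-05T10:00:03 FAIL user=alice src=203.0.113.7
2024-01-05T10:00:04 FAIL user=alice src=203.0.113.7
2024-01-05T10:00:05 FAIL user=alice src=203.0.113.7
2024-01-05T10:00:06 OK   user=alice src=203.0.113.7
2024-01-05T10:03:00 OK   user=bob   src=198.51.100.4
2024-01-05T10:05:00 FAIL user=bob   src=198.51.100.4
2024-01-05T10:20:00 FAIL user=bob   src=198.51.100.4
"""

WINDOW = timedelta(minutes=5)   # assumed policy: failures are counted inside a 5-minute window
THRESHOLD = 5                   # assumed policy: 5 failures in the window lock the account


def parse_line(line):
    """Split one log line into (timestamp, result, user, source)."""
    ts, result, user_field, src_field = line.split()
    return (datetime.fromisoformat(ts), result,
            user_field.split("=", 1)[1], src_field.split("=", 1)[1])


def detect_bruteforce(log_text, window=WINDOW, threshold=THRESHOLD):
    """Scan the log in order and return two dicts:
    lockouts: account -> time of the failure that crossed the threshold
    suspicious_success: account -> time of a successful login while locked out
    """
    recent_failures = defaultdict(deque)   # account -> failure timestamps inside the window
    lockouts = {}
    suspicious_success = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, result, user, _src = parse_line(line)
        if result == "OK":
            # a success right after a burst of failures is what an analyst most wants to see
            if user in lockouts and ts - lockouts[user] <= window:
                suspicious_success.setdefault(user, ts)
            continue
        q = recent_failures[user]
        q.append(ts)
        while q and ts - q[0] > window:      # forget failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and user not in lockouts:
            lockouts[user] = ts
    return lockouts, suspicious_success


if __name__ == "__main__":
    locked, suspicious = detect_bruteforce(SAMPLE_LOG)
    for user, when in locked.items():
        print(f"LOCKOUT  {user} at {when}")
    for user, when in suspicious.items():
        print(f"REVIEW   {user}: login succeeded at {when} during lockout")
```

Running it flags alice (five failures within four seconds, then a success) and leaves bob alone, whose two failures are fifteen minutes apart. The sliding window matters: a fixed count of failures over a whole day would either lock out ordinary users who mistype or miss an attacker who paces their guesses.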

Trojans and Viruses


Malware such as Trojans and computer viruses is a common cause of stolen
passwords. A virus is a computer program whose purpose is to get inside the target's
system and execute malicious code on their machine. Viruses can perform various
actions such as installing unwanted software and snooping through the user's files. In
terms of password security, if a Trojan or virus is able to get into a target's system
undetected, the program can simply record the keystrokes and mouse movements of the
user. This recorded information is sent back to the attacker and allows the attacker to see
what is typed on the keyboard when the victim logs into their accounts.

A Security Breach Within a Company


When a user enters their account information into a website or server, the
company that maintains these accounts needs to verify that the correct password has been
entered. Each company handles password information differently, and their methods
determine how easily the passwords can be stolen. When there is a security breach within
the company, its entire database of account information for all of its users is
potentially exposed to the attacker. Any user that has used the company's services may
have their information stolen and used for the hacker's purposes.
Figure 1: In 2014, a group of hackers stole data on 5.6 million patients from 206 hospitals
across the United States.[1]
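How much a breach exposes depends on what the company stored. If the database holds passwords in clear, every account is lost the moment it leaks; if it holds only salted, slow hashes, the attacker is pushed back into the brute force attack of the previous section, one expensive guess at a time. The following is an added example, not code from the paper, of how a server should store and verify passwords using only the Python standard library (PBKDF2-HMAC-SHA256, a random per-user salt, and a constant-time comparison). The iteration count, the record format and the user names are assumptions for this example.

```python
import hashlib
import hmac
import secrets

# Assumed policy values for this example
ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor: slows down every guess an attacker makes
SALT_BYTES = 16        # a fresh random salt per user defeats precomputed (rainbow) tables


def hash_password(password, iterations=ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt$digest (salt and digest in hex)."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class UserStore:
    """Minimal in-memory account table that holds password records, never passwords."""

    def __init__(self, iterations=ITERATIONS):
        self.records = {}
        self.iterations = iterations

    def register(self, username, password):
        self.records[username] = hash_password(password, self.iterations)

    def login(self, username, password):
        stored = self.records.get(username)
        if stored is None:
            # hash anyway so an unknown account takes as long to reject as a wrong password
            hash_password(password, self.iterations)
            return False
        return verify_password(password, stored)


if __name__ == "__main__":
    store = UserStore()
    store.register("alice", "correct horse battery staple")
    store.register("bob", "correct horse battery staple")   # same password, different record
    print(store.records["alice"])
    print(store.records["alice"] != store.records["bob"])          # True: salts differ
    print(store.login("alice", "correct horse battery staple"))   # True
    print(store.login("alice", "wrong"))                          # False
```

Two details carry the security value. The per-user salt means two users with the same password produce unrelated records, so an attacker who cracks one learns nothing about the other and cannot reuse precomputed tables. The iteration count makes each verification deliberately slow; a user notices nothing, but an attacker who steals the table must pay that cost for every guess against every account.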

How can passwords be protected from theft?


Avoid Using Patterns or Repeating a Password.
In the event that a user's account is stolen, if this account shares the same
password with other accounts then those accounts are at high risk of being stolen too. The
same principle applies if the passwords are similar or follow a distinct pattern. For
example, a mistake that people often make is using the website's name or their account
name as part of their password. This is dangerous because it makes it easier for an
attacker to steal multiple accounts at once. It is for this reason that passwords should be
different across all accounts, and none of the passwords should hint at what the other
passwords look like. This way, if a password or account gets stolen, the other
accounts are still protected by their own unique passwords.
Avoid Using Personal Information.
Personal information is very easy to find, especially due to the popularity of social
media websites and applications. Just by searching someone's name, one can find a lot of
information such as where they live, what school they went to, how old they are, where
they used to live, who their family members are, and more. Because of this, passwords
should never be based on personal information, as this makes finding passwords much
easier for the attacker. Passwords should instead be based on something random or
something very private.
Use Stronger Passwords.
A strong password is one that is not easily guessed and is not easily found via a
brute force attack. An example of a bad password would be a single word
consisting of only letters. While this password may be tough for a person to guess, a
brute force algorithm will have no problem finding the correct word. Even if a
user uses complex symbols and undecipherable words as their password, a short password
is still vulnerable to a brute force attack! A brute force attack is best defended against not
just by more complex characters, but mostly by having longer passwords.
A study by LockDown, a website dedicated to security information, shows exactly
how fast different types of passwords can be cracked through different brute force attacks
[2]. The following image demonstrates the security of the worst kind of password which
uses only numbers up to a length of 9. This kind of password is easily cracked across all
levels (A-F) of brute force algorithms.

Figure 2: The security of short, numerical passwords.[2]

This next image shows how powerful the length of a password can be. A password only
using uppercase and lowercase letters is considered to be very secure at high lengths.
Lengths 15 and 20 are great examples of a secure password.
Figure 3: The security of short to long alphabetical passwords.[2]

Lastly, here is an example of two passwords that both use lowercase letters, uppercase
letters, and symbols, but have different password lengths.

Figure 4: A comparison between two complex passwords of different lengths.[2]

Use A Password Manager.


A password manager is a piece of software that creates and holds a database of
passwords for the user. The user is required to memorize a single master password in
order to gain access to this database. The master password should be a very strong
password, meaning it has a length of about 15 or higher and uses a variety of symbols,
numbers, and letters.
The password manager will automatically generate strong random passwords for
the user to use and encrypts them using complex encryption algorithms. What
gets stored in the manager's database are encrypted passwords, not the
passwords themselves. It is done this way because if the user's computer is stolen or
broken into, the attacker will only be able to see the encrypted versions of the passwords,
which are useless without the master password.
Here is an example demonstrating what an encrypted password might look like.
This random-looking line of text is what the password manager stores, and only the password
manager knows how to convert it back to the original password.
Figure 5: A password in its encrypted form compared to its unencrypted form.[3]
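The brute force section, the LockDown figures above and the password manager's generator all rest on the same arithmetic: a password drawn uniformly from an alphabet of size N with length L has N^L possibilities, and exhaustive search finds it after half of them on average. The following is an added example, not from the paper or from any password manager product, that generates manager-style random passwords with the operating system's CSPRNG and works through that arithmetic for the character classes the figures discuss. The guess rate of 10^10 per second is an assumed figure for this example, not one taken from the LockDown study, so the absolute times are illustrative; the ratios between rows are what the example is meant to show.

```python
import math
import secrets
import string

# Character classes discussed in the paper; the alphabet size is what drives the keyspace
CHARSETS = {
    "digits only": string.digits,                                                   # 10
    "lowercase letters": string.ascii_lowercase,                                    # 26
    "upper + lower letters": string.ascii_letters,                                  # 52
    "letters + digits + symbols": string.ascii_letters + string.digits + string.punctuation,  # 94
}


def generate_password(length, alphabet):
    """Draw each character with the OS CSPRNG, as a password manager does: random, no pattern."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Bits of entropy of a uniformly random password of this length over this alphabet."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(length, alphabet_size, guesses_per_second):
    """Average time of an exhaustive search: half the keyspace at the given guess rate."""
    return (alphabet_size ** length) / 2 / guesses_per_second


def human_time(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.2f} seconds"


def compare_policies(lengths=(8, 9, 12, 15, 20), guesses_per_second=1e10):
    """Rows of (charset name, length, entropy bits, expected crack seconds) per policy."""
    rows = []
    for name, alphabet in CHARSETS.items():
        for length in lengths:
            rows.append((name, length,
                         round(entropy_bits(length, len(alphabet)), 1),
                         expected_crack_seconds(length, len(alphabet), guesses_per_second)))
    return rows


if __name__ == "__main__":
    # 1e10 guesses per second is an assumed offline cracking rate, not a figure from the paper
    for name, length, bits, secs in compare_policies():
        print(f"{name:28} len={length:2}  {bits:6.1f} bits  {human_time(secs)}")
    print("manager-style password:", generate_password(20, CHARSETS["letters + digits + symbols"]))
```

Reading the table confirms the paper's point: nine digits fall in a fraction of a second, an eight-character password over all 94 printable characters survives only days at this rate, while twenty lowercase letters sit far beyond any practical search. Each added character multiplies the work by the alphabet size, whereas switching from 26 to 94 characters only multiplies it by about 3.6 per position, which is why length wins. The entropy figure assumes the characters really are chosen at random; a human-chosen word scores far lower because the attacker guesses dictionary words first.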

Use Two-Factor or Multifactor Authentication.


Two-factor authentication is a type of security that is applied to many security
practices, not just password management. Two-factor refers to using two types of security
in order to gain access to one thing. A credit card is an example of a two-factor security
system, which requires, first, having the card itself and, second, knowing the PIN
of the card. A person needs both the credit card and the PIN to have access
to the bank account.
Two-factor password authentication systems are very similar. When using two-factor
authentication, the user's password is paired with a separate code. This separate
code is independent of the password itself and can be thought of as a password for the
password. Some websites have two-factor authentication options built in, which require
the user to use an application on their phone. The phone application will randomly
generate a short 5-8 character long code every 10 or so minutes. When the user wants to
log into their account, they not only have to use their password, but they have to use the
currently generated code as well. This means that if someone were to steal the user's
username and password, their account would still be safe as long as the attacker does not
have their phone as well.
Figure 6: A Visual Example of a Two-Factor System.[4]
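The phone application and the website in the paragraph above never talk to each other; they only share a secret at enrolment and then derive the same short code from the current time. The following is an added example, not code from the paper, implementing both sides of that exchange with the standard HOTP/TOTP construction (RFC 4226 and RFC 6238) from the Python standard library: the phone's code generator and the server's verifier, including a small allowance for clock drift and a check that a code is never accepted twice. The secret below is the published RFC test secret, used only so the codes are reproducible; a real enrolment uses a fresh random secret per user.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time=None, step=30, digits=6):
    """Time-based variant (RFC 6238): the counter is the number of `step`-second periods since epoch.
    This is what the phone app computes and displays."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time) // step, digits)


class TotpVerifier:
    """Server side: accepts the current code (plus a little clock drift) and never accepts a reused one."""

    def __init__(self, secret, step=30, digits=6, drift=1):
        self.secret, self.step, self.digits, self.drift = secret, step, digits, drift
        self.last_counter = -1   # highest counter already consumed, for replay protection

    def verify(self, submitted, at_time=None):
        if not isinstance(submitted, str) or not submitted.isascii():
            return False
        if at_time is None:
            at_time = time.time()
        now = int(at_time) // self.step
        for counter in range(max(0, now - self.drift), now + self.drift + 1):
            if counter <= self.last_counter:      # already used: a captured code is worthless
                continue
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, submitted):
                self.last_counter = counter
                return True
        return False


# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"); a real enrolment uses a random secret
DEMO_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    phone_code = totp(DEMO_SECRET, at_time=59)             # what the phone app shows at t=59
    server = TotpVerifier(DEMO_SECRET)
    print(phone_code, server.verify(phone_code, at_time=59))   # 287082 True
    print(server.verify(phone_code, at_time=61))               # False: same code replayed
```

Because the code depends only on the shared secret and the clock, a stolen username and password are not enough: the attacker would also need the secret held on the phone. The replay check closes the remaining gap the paper's description leaves open, a keylogger that captures a code as it is typed, since that code is consumed the moment the legitimate login uses it.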

Multifactor authentication comprises three types of security [5]:

1. Something that the user knows.
   Ex. A password or PIN.
2. Something that the user has.
   Ex. A phone, a card, or a piece of hardware.
3. Something that the user is.
   Ex. DNA, fingerprints, speech recognition.
The more methods used to protect a password, the more secure the password is. Of
course, there comes a point where the number of methods being used is impractical. The
amount of security that the password or data requires depends on how much the user values
that data. In an ideal world, all user data would be protected by several of these methods.

Summary
Computers are getting faster at cracking passwords and are forcing users to make their
passwords longer and more complex. It turns out that a password on its own is no longer
sufficient to guarantee decent security. Hackers will go to great lengths in order to get the
information that they want, and without proper password maintenance users risk becoming
victims of stolen accounts. A user needs to make sure that their password is not based on
personal information so that their password is not easy to guess. A user should also use different
passwords for each of their accounts, or else they can all be stolen at once. A password needs to
contain numbers, letters, and symbols, but more importantly a password needs to be long. If a
password is not strong, then the password can easily be cracked through methods such as a brute
force attack. A password manager is not essential, but it is a very convenient tool for securing lots
of passwords at once. A password manager can generate strong passwords as well as encrypt
passwords into a protected and unreadable form. This adds another layer of security against
people trying to steal the user's passwords. Finally, the last method of securing a password is
using a two-factor or multifactor authentication system. Multifactor authentication adds
requirements for being able to log into an account. It uses factors that are out of reach
of potential attackers on the web, such as a code on the user's phone or speech recognition.

Conclusion

Every time a user creates or logs into an account on the internet, there is a chance that
their information is being tracked. Hackers are devious; they have many tools to get into a user's
account and steal their information. By following the guidelines above, anybody can build a
defense against these hackers and make cracking their password less feasible.
Recommendations
It is recommended that every user does the following: make sure all passwords for all
accounts are converted into strong passwords, find and install a password manager, and enable
two-factor or multifactor authentication with the password manager. There are two different
ways to handle password management, either through a browser or locally on the desktop. For
browsers, it is recommended that users use LastPass, which is very easy for beginners and has
many tutorials. If, however, a local desktop password manager is preferred, then KeePass is a
great choice and is open source. LastPass has native two-factor support and KeePass has plugins
to enable such features if needed. With these three elements combined, a user's password is
extraordinarily safe and the user has significantly reduced their risk of having their password or
account stolen.

References
1. Hospital Chs Hack. Digital image. cnn.com. CNN, 18 Aug. 2014. Web. 13 Mar. 2015.
<http://money.cnn.com/2014/08/18/technology/security/hospital-chs-hack/>
2. Password Cracking Speeds. Digital image. Lockdown. N.p., 10 July 2009. Web. 11 Mar. 2015.
<http://www.lockdown.co.uk/?pg=combi&s=articles>.

3. Test Encryption Routine. Digital image. Tony Marston's Web Site. Tony Marston, 10 July 2000.
Web. 12 Mar. 2015. <http://www.tonymarston.net/uniface/tip05.html>.
4. Access Control System. Digital image. Understanding Multi-Factor Authentication in
EmpowerID. N.p., 2013. Web. 15 Mar. 2015.
<https://empowerid.atlassian.net/wiki/display/EIDAG2013/Understanding+MultiFactor+Authentication+in+EmpowerID>.
5. Schneider, Fred. "Something You Know, Have, or Are." Cornell.edu. Web. 11 Mar. 2015.
<https://www.cs.cornell.edu/courses/cs513/2005fa/nnlauthpeople.html>.
