• Jonah White

Creating Secure Passwords

There is a beautiful history when it comes to people creating a set of characters and numbers and special characters, from massive breaches to how crazy some CEOs claim their company takes security as their number one priority.


I laugh at this; I too have been lazy and dumbfounded when I see what type of passwords people still use today. With the rise in Quantum Computing, are we done using passwords? Now, I hope you do get a laugh, a mirror placed in front of you, and finally a way to avoid passwords together if the site or technology supports such a thing.


RockYou.com


Rockyou was the hit social media site that everyone was on in 2005, its main business model was widgets in various forms, such as voice mail, text and photo stylization, and games more importantly. Rockyou was the most successful widget provider in 2007 in terms of total installations. But with every major platform, it does go through its ups and downs. But this would break the company down a dark road that it would never recover from.


In December of 2009, after a little over a year from participating in Facebook’s launch of allowing third-party applications to operate on its platform, Rockyou suffered a breach that exposed all 32 million credentials it had stored on the company’s SQL database. They were exposed to a ten-year-old SQL vulnerability that allowed attackers to download all its password hashes and usernames. The passwords were exposed to the internet, but they were in plaintext. Meaning no encryption was used on the passwords, normally it would be encrypted with MD5 at the time or something way better like SHA-256.


This is just a quick history lesson in how passwords are used, starting with Rock You, this list of cleartext passwords is used widely by hackers, it’s the starting point and still is today for hackers to breach accounts on the internet. Password hacking is no dark art, anyone can get on their laptop, and download a couple of password-cracking tools like JohnTheRipper, or hashcat (my favorite), that can quickly break password hashes with the right rule sets and password lists. Even better is when hackers use your social media profiles against you and look for your favorite pets, video games, favorite movies or celebrities.


These things matter when sharing on the internet through social media or our purchases, letting people know more about you comes at a cost of allowing access to your accounts unless you follow these simple steps to create stronger, more secure passwords in 2022:


1. Use the following types of characters in your passwords:

· Numbers

· Lowercase letters

· Uppercase letters

· Special Characters

· Spaces (if applicable)

Passwords with the above combinations give great difficulty to hackers that want to guess those simple passwords found in Rockyou for instance, using spaces gives it even more complexity. To test out passwords, hop onto https://howsecureismypassword.net/

And you can even check to see if my email was in a breach here: https://haveibeenpwned.com/

More sites like these exist, recently I’ve learned that security.org has taken over the first link, but not to worry, they state on their site that the passwords are not stored in any form.

2. Do not use anything personally:

Any details about you or what you like can be used against what passwords you create by yourself, try using something completely different or unrelated to you and your internet life. For instance, if you like Star Wars go with something completely different that you never ever watch or play, Scooby-Doo or something.

3. 2FA


If you’re still worried at the end of the day whether you are susceptible to password attacks, enable 2FA, it’s a sure-fire way and the future practically of getting a second verification when logging into any of your accounts. Personally, I wouldn’t recommend using a 2FA code that’s texted to you, but instead using a 2FA app like Microsoft Authenticator or Google Authenticator, those have codes that change every thirty to sixty seconds. This prevents social engineering that hackers can use to get ahold of your phone number, called sim swapping.




Oh No! My password doesn’t exist…

Apple, Google, and Microsoft recently announced they want to move away from passwords altogether, paving a new way of being even more connected to our cellular devices and smartwatches. Using an Apple or Android device, users can instead opt into a Face scan, a 2FA App that approves of the login, no passwords won’t go completely away, but every day it’s becoming easier to sign into accounts without having to remember your password. Another way is using physical keys that plug into the device you log into through USB, allowing you to use a fingerprint.



Next time, we’ll talk about Quantum, and how we’re preparing for a Quantum “password cracking” world, how can we secure our data with an unstoppable force like a Quantum computer?

3 views