
IT For CEOs & CFOs
Semperis comments on World Password Day
World Password Day lands on Thursday 7 May, putting the spotlight on a simple truth: weak passwords are still one of the easiest ways for cybercriminals to break in, and one of the easiest problems to fix. We talk to Tomer Bar, Associate VP of Security Research at Semperis, on why “strong” passwords still fail and what to do instead.
“We’ve been using passwords to prove who we are since the very first multi-user computers. Decades later, they’re still with us – and still causing trouble. Passwords have a terrible reputation, but that’s not really the password’s fault. It’s ours. Most of the risk comes from human limitations and predictable behaviour, not from the mathematics behind “guessing every possible combination”.”
“On World Password Day, let’s look at why “strong” passwords can be weaker than you think, what advanced attackers do and how to choose passwords that are hard to crack. When people create long passwords, they often choose memorable options like reused patterns, small variations of old passwords, predictable phrases, or popular lyrics, quotes, and memes rather than random strings. Attackers take advantage of this by using large dictionaries built from leaked password databases and applying rule-based tweaks – such as adding the current year, swapping letters for symbols, or tacking on punctuation – to guess these “memorable” passwords efficiently.”
“They also build rainbow tables: precomputed tables of password hashes. Because most systems store only hashes, not raw passwords, a rainbow table allows an attacker to reverse a hash back to the original password, if that password is in the table. These tables can be downloaded from public sites.”
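The precomputation described above only works when the stored hash depends on nothing but the password. The following added example (written for this page, not code from Semperis or Tomer Bar) builds a toy lookup table from a constructed five-entry “leaked password” list, reverses an unsalted SHA-256 digest with it, and then shows why the same table is useless against a per-user salted PBKDF2 hash: two users with the same password get different digests, so no table computed in advance can match either. The word list, iteration count and salt length are assumptions chosen for the demonstration.

```python
import hashlib
import os
import secrets
from typing import Optional

# Constructed sample standing in for the large public dictionaries
# the article mentions; a real list would have millions of entries.
LEAKED_PASSWORDS = ["password", "letmein", "qwerty", "sunshine", "football"]

PBKDF2_ITERATIONS = 200_000  # assumed work factor for the example


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password: the storage style a precomputed table defeats."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_precomputed_table(words) -> dict:
    """Toy stand-in for a rainbow table: digest -> plaintext for every word."""
    return {unsalted_hash(w): w for w in words}


def reverse_with_table(table: dict, digest: str) -> Optional[str]:
    """Recover the plaintext only if its digest was precomputed; otherwise None."""
    return table.get(digest)


def salted_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS):
    """Per-user random salt plus PBKDF2-HMAC-SHA256; returns (salt, hex digest)."""
    if salt is None:
        salt = os.urandom(16)  # fresh 16-byte salt for every stored password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, dk.hex()


def verify_salted(password: str, salt: bytes, stored_hex: str,
                  iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = salted_hash(password, salt, iterations)
    return secrets.compare_digest(candidate, stored_hex)


if __name__ == "__main__":
    table = build_precomputed_table(LEAKED_PASSWORDS)
    print("unsalted lookup:", reverse_with_table(table, unsalted_hash("sunshine")))
    salt_a, hash_a = salted_hash("sunshine")
    salt_b, hash_b = salted_hash("sunshine")
    print("same password, different salted digests:", hash_a != hash_b)
    print("table lookup on salted digest:", reverse_with_table(table, hash_a))
```

The point for a defender is in the last two lines of the script: the table reverses the unsalted digest immediately, but cannot be applied to the salted digests at all, because they differ per user and were never in the table.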
“Are passwords useful today? Yes, but they’re no longer enough on their own. Multi-factor authentication (MFA) should be enabled wherever possible because it makes stolen or guessed passwords far less valuable.”
“If you keep using passwords, the best practice is to stop letting humans design them. Use a password manager to generate and store long, truly random passwords (20+ characters) and never reuse them; turn on MFA wherever possible so stolen passwords are far less useful; and for the few passwords you must remember, use long, unique passphrases made of random words instead of lyrics, quotes or clever patterns. The goal isn’t perfection; it’s to make attacking you so difficult and unprofitable that attackers move on to easier targets.”
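Two of the recommendations above, random-word passphrases and refusing “memorable” tweaks of known passwords, can be checked in code. The added example below is not from Semperis or the interviewee: it generates a passphrase with the `secrets` module from a constructed 32-word list (a real deployment would use a large diceware-style list), reports the entropy that size gives, and audits a candidate password by undoing the common tweaks the article lists (trailing year or punctuation, letter-for-symbol swaps) before comparing it against a constructed blocklist. The word list, blocklist, minimum length and the substitution map are all assumptions.

```python
import math
import re
import secrets

# Constructed 32-word list (log2(32) = 5 bits per word); purely illustrative.
WORDLIST = [
    "acorn", "basket", "canyon", "dolphin", "ember", "falcon", "garnet", "harbor",
    "island", "jigsaw", "kettle", "lantern", "meadow", "nectar", "orchid", "pebble",
    "quartz", "ripple", "saddle", "thistle", "umbrella", "velvet", "walnut", "xenon",
    "yonder", "zephyr", "anchor", "bramble", "cobalt", "drizzle", "ferry", "glacier",
]

# Constructed blocklist standing in for a leaked-password corpus.
LEAKED = {"password", "letmein", "qwerty", "sunshine", "football"}

MIN_LENGTH = 12  # assumed policy minimum for the example

# Common letter-for-symbol swaps, reversed so "P@ssw0rd" folds back to "password".
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def generate_passphrase(n_words: int = 6, separator: str = "-", wordlist=WORDLIST) -> str:
    """Pick words with a cryptographically secure RNG, never with random.choice."""
    return separator.join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_entropy_bits(n_words: int, wordlist_size: int) -> float:
    """Entropy of n uniformly chosen words from a list of the given size."""
    return n_words * math.log2(wordlist_size)


def normalize(candidate: str) -> str:
    """Undo the 'memorable' tweaks so the base word can be compared to the blocklist."""
    s = candidate.strip().lower()
    s = re.sub(r"[\d!?.@#$%^&*]+$", "", s)  # drop trailing year, digits, punctuation
    return s.translate(LEET)                  # reverse symbol substitutions


def is_predictable(candidate: str) -> bool:
    """True when the candidate is a tweaked form of a blocklisted password."""
    return normalize(candidate) in LEAKED


def audit(candidate: str):
    """Return (accepted, reasons) for a human-chosen password."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if is_predictable(candidate):
        reasons.append("matches a leaked password once common tweaks are undone")
    return (not reasons, reasons)


if __name__ == "__main__":
    phrase = generate_passphrase()
    print(phrase, f"({passphrase_entropy_bits(6, len(WORDLIST)):.0f} bits)")
    for pw in ["Sunshine2024!", "P@ssw0rd!", phrase]:
        print(pw, "->", audit(pw))
```

The audit folds the candidate back toward its base word rather than expanding the blocklist with every variation, which keeps the check cheap and keeps the tool from doubling as a candidate generator; the passphrase side shows why the article prefers random words, since every extra word from a list of this size adds a fixed, predictable amount of entropy instead of relying on the user's inventiveness.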