Passwords – Please Stop It… Use a Pass Phrase!
It has been a long two weeks and there is a lot to document but I am taking a few minutes out to have a quick word about passwords. First lets just set out the definition of a password. A password is a basic security mechanism that consists of a secret passphrase created using alphabetic, numeric, alphanumeric and symbolic characters, or a combination. A password is used to restrict access to a system, application or service to only those users who have memorized or stored and/or are authorized to use it.
Our most excellent National Cyber Security Centre has some great advice on passwords. For example, something I have been shouting about for 12 years, USE THREE RANDOM WORDS. Here is a link to the article they wrote: https://www.ncsc.gov.uk/blog-post/three-random-words-or-thinkrandom-0
So why am I writing this? Well, on my current test I dumped the password hashes and here are the passwords we got in under a half second:
Hang on a moment, is that first one blank? Oh yes, it most certainly is.
Let us take a moment to look at why any of this is important. As the attacker, I have a really good chance at guessing the passwords now. Take any one, make the first letter uppercase and add an ‘!’ to the end. It will probably work.
Please take care with your passwords. Make it slightly harder for us by using a 12 character passphrase.