Last line of defence in the field of cybersecurity: Passwords


Passwords have been around for a long time. Military organizations, secret societies, and other legal or not-so-legal organizations have employed passwords to restrict access to certain information or special places to a select few. People have been fascinated with secrecy for different reasons, but nowadays the digitalization of our daily routines has opened the door for far broader applications of passwords, whether for safeguarding privacy or for keeping the competition in the dark. The Internet offers many advantages for personal use, such as online banking, online shopping, online learning, and online entertainment. Businesses also depend on Internet technologies to adapt and succeed in the digital market. Last but not least, governments and militaries worldwide still rely on various flavors of secrecy to preserve national security, safeguard crucial information from spies, gain political leverage, and for many other reasons involving spending the taxpayer's money.

In the early days of the Internet, only a few important virtual places on the web required an actual account, which meant establishing a username and password for access. So it was easy: there were no overwhelming password requirements, and only a few important places had any. That has changed, and now almost every website on the net requires some level of user credentials. Passwords are no longer permitted, or at least not recommended, to be simple, easy to memorize, associative, and friendly. The Internet has given rise to a new type of criminal who causes harm not physically but virtually, and that can be even worse. They created a variety of malware that targets users' passwords, using dictionaries and raw computational power to probe for the secret word. This forced many online services that valued their users' privacy to push them toward more complicated, longer, and hard-to-guess passwords. In addition, all trustworthy websites upgraded to secure connections with security certificates that encrypt the exchanged information, and added hashing of the stored credentials and other security measures. That is a layer of security that repels most of the cybercrooks, at least for a while. Hackers are (mostly) young, smart individuals with a passion for knowledge and the skills to do some magical tricks on the keyboard. Their curiosity and creativity are part of why digital technology keeps evolving and growing more complex. This knowledge brings power that is soon monetized, and its owner starts to feel invincible to the law and often overestimates his intellect as above average. The hacker needs information to access resources, get paid, and be happy. The methods for achieving this are creative and innovative, such as using password generators that throw trillions of symbol combinations per second at a targeted account, the so-called brute-force attack.
Others find weak spots in targets' networks, crawl inside, and, like every good neighbor, tap into the traffic, listening to each byte that passes along in the hope of catching the right ones: in other words, a man-in-the-middle situation. Another approach with notable success is to send luring, often impersonated emails containing links to click to as many users as possible. Those links do what they are designed to do: trigger an event or chain of events so that the user sees only what is expected (most of the time), by redirecting to a fake but very convincing-looking web page (a bank, an online shopping portal, etc.), while what the victim does not see is how their identity and privacy are taken away and sold to the highest bidder on the Dark Web. Some links don't even bother to take you on a journey to a different virtual reality; they simply hijack the victim's computer, encrypt the entire hard drive, and pop up a message demanding cryptocurrency if the user wants to regain access to his files. That kind of email is known as phishing, and the links inside it are clickbait. It attempts to fool the recipient and trick him into entering security-sensitive information on a false online platform. Another cute trick that can steal passwords, credit card numbers, etc., is a very special little program that silently enters the victim's computer and starts recording each keystroke the user makes on the keyboard. It then sends the recorded information back to its creator, who tries to extract every viable piece of information that may bless his efforts. That is what a keylogger does. Besides the keylogger, hackers have developed many other malicious codes that can inflict damage and steal passwords, identity, privacy, wellness, good sleep, and so much more. Also, I must not forget to say a few words about "rainbow tables," a poetic name for a crown jewel in every hacker's arsenal.
As mentioned above, websites take cyber security very seriously and do wonders to safeguard users' sensitive information, like hashing their passwords. Hashing is a one-way function that takes input of any length, digests it, and produces a fixed-length result, usually shown as a hexadecimal string. What matters here is that the result is forever associated with just one input, and even a slight change in the input produces a different result. So, if a hacker breaches a database that holds only hashed values, those values are useless to them because of the one-way nature of the digesting process. This is wonderful, but the shady people are creative and very patient. They collect such hashes and keep guessing inputs until they get a match. The results go into the "rainbow tables" (I wonder about their relation to the rainbow), which are distributed in some not-so-safe virtual corners. It takes the collective effort of many individuals to populate and enrich such a database. Defenders, in turn, seem to have had significant success with innovations that make these precomputation attempts computationally infeasible, like "salting" and "peppering" the passwords as additional layers of security, which complicates things enough to defeat the already-built rainbow tables. It is unclear when and where this ends. Still, technology is evolving faster than before, computing power increases in ever shorter intervals, and the new and sophisticated algorithms for AI, machine learning, neural networks, etc. all suggest that the war is far from over. Quantum computers are about to enter the game, and how this will tip the balance is hard to predict.
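The hashing, rainbow-table, and salting ideas from the paragraph above, as an added runnable illustration that is not code from the original article. It assumes a small constructed dictionary of candidate passwords, uses SHA-256 only to show the mechanics, stores the per-user salt next to the digest, and keeps the pepper as a secret outside the database.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# SHA-256 is used here only to show the mechanics; real password storage
# uses a deliberately slow, salted KDF (for example hashlib.scrypt).
# Constructed candidate list standing in for an attacker's dictionary.
DICTIONARY = ["password", "letmein", "dragon", "sunshine", "qwerty123"]

def sha256_hex(data: bytes) -> str:
    """One-way digest: input of any length in, fixed 64 hex characters out."""
    return hashlib.sha256(data).hexdigest()

def differing_hex_digits(a: str, b: str) -> int:
    """Count positions where two digests differ (the 'slight change' effect)."""
    return sum(1 for x, y in zip(a, b) if x != y)

def build_lookup_table(words) -> Dict[str, str]:
    """Precomputed digest -> plaintext map: the principle behind a rainbow table
    (real ones compress this with hash chains, but the effect, reversing an
    unsalted hash by lookup instead of guessing, is the same)."""
    return {sha256_hex(w.encode()): w for w in words}

def unsalted_store(password: str) -> str:
    """What a breached database exposes when passwords are hashed bare."""
    return sha256_hex(password.encode())

def salted_store(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """Per-user random salt stored next to the digest (the salt is not secret)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, sha256_hex(salt + password.encode())

def peppered_store(password: str, pepper: bytes, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """Salt plus a site-wide secret pepper held outside the database, so a
    database-only breach yields digests that cannot even be checked offline."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hmac.new(pepper, salt + password.encode(), hashlib.sha256).hexdigest()

def reverse_with_table(stored_hex: str, table: Dict[str, str]) -> Optional[str]:
    """Attacker's lookup: instant hit for an unsalted digest, a miss otherwise."""
    return table.get(stored_hex)
```

Feeding the unsalted digest of "dragon" to the table recovers it instantly, while the salted and peppered digests of the same password miss, because the table was built without the salt and the pepper never leaves the application.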

Let's say a few words about "How Big Is Your Haystack?". I found this web resource quite helpful and funny. I have reservations about the calculations it provides, based on my personal experience, but I still think it is a good educational tool. I tried different combinations, and the results were as expected. Single words (the length of the word matters very little) are the easiest to crack, in a fraction of a second. Single words concatenated with some digits gave very similar results. Then I entered a single word concatenated with a special symbol (~!@#$%^&*) and with numbers; that showed promising results in terms of cracking time. Then I tried the same combination, but with the number of symbols used going up to 83, and the application displayed time intervals impossible in this Universe. My previous entry was a combination of Latin letters (uppercase and lowercase), randomly entered special symbols, numbers, and Cyrillic letters (ртрЯБфдДВЕВЛЙАСадвиуншщч), also uppercase and lowercase; it displayed even better results, measured in eons. One disadvantage of this application is that it doesn't consider the continuous evolution of technology. Also, the most promising results were associated with combinations that have very few possible applications, or none. Many web platforms have requirements for password length, types of symbols, notable symbol limitations, and the use of numbers. Still, I haven't yet seen an opportunity to use a combination of different alphabets.

Instead of a conclusion, I will share an experience I had 13 years ago with "strong" passwords. I used to have my own web platform, created for business purposes. I used an outside hosting provider with built-in dashboard tools to maintain, edit, back up, secure, etc., and password-protect general access to all site resources. For a few months after the official start of the website, everything was just fine: no incidents, constant availability, the traffic gradually increased, and Google's robot indexers, the "spiders," finally crawled over it. I was happy because that website started appearing in the results when a search was performed. So far, so good. One morning, I opened my browser and tried to load my creation. Well, tough luck; instead of my logo on the screen, I saw some Chinese text stating that they had hacked my resource. That was it! Good for me that I did regular backups. I opened the dashboard at the hosting provider, restored the content, and then changed my password to something significantly longer, complicated, and impossible to memorize. I thought that I was out of the woods. Well, not yet! History repeated itself two days later: my content was gone, Chinese symbols instead. I changed the password to a more complicated, longer (more than 350 symbols), and virtually unbreakable one. The same thing happened more than 15 times at different intervals, and it seemed nothing helped. One day, they left me alone so I could focus on the real goals I had been aiming for. The takeaway of the story is that nothing lasts forever and nothing is granted by default. The password can be indefinitely long and impossibly complicated and could still be breached.



More articles by Javor Mladenoff
