You Should Be Using a Password Manager

These types of passwords do not cut it anymore.

The evidence is clear and convincing. If you are not using a password manager already, you should. If you know people who do not use password managers, you should encourage them to use one. If you want to decrease human risk, promote password managers.

You (and everyone else) should be using phishing-resistant multifactor authentication (MFA) and/or other similar strong authentication solutions (e.g., FIDO passkey, etc.) where you can protect valuable data and information. But when you cannot and you must use a password, you should use a password manager, where possible.

Here is a flow diagram of the recommended authentication policy, based on the best evidence I know of:

[Diagram not reproduced: recommended authentication policy flow]

For most people, this means using MFA where they can, having a single strong password to unlock their device or laptop and/or to access their password manager, and then using the password manager nearly everywhere else.

Why?

Because password managers allow anyone to easily create and use very strong, perfectly random passwords that are unique for every site and service.

Most people who do not use password managers have far weaker passwords and share them among multiple sites and services. During any given period, one or more of those sites or services will likely be compromised (usually without the user or the site being aware), and the user’s password or password hash will be stolen; a stolen hash is then cracked to recover the user’s plaintext password.

If you are not using a truly random password, it is likely that the attacker can convert (i.e., crack) the stolen password hash to the plaintext-equivalent password and then use it on the other sites and services where you have used the same password.

Password managers make it so that if a user’s password hash is compromised, the hash cannot practically be cracked, and even if it were, the password cannot be used to compromise additional sites and services. The damage is limited to the one site or service that has already been compromised. There is no increase in risk beyond that one compromise.

Yes, a user’s password manager can be compromised by a hacker to reveal all of the user’s passwords at once, but the access it takes to do that already allows the hacker (with the help of a password-stealing malware program) to capture every password the user actively uses anyway. The net risk to the user is about the same, with or without a password manager.

However, using a password manager allows users to create and easily use unique, truly random passwords. Many password managers also will not fall prey to phishing emails using look-alike domain names and appearances. And that decreases most of the risk of password use.

Why You Must Use a Password Manager

What led me to this conclusion is the fact that the vast majority of what you and everyone else might otherwise think are GREAT passwords are easy to crack if their hash is revealed or stolen. Almost anyone can easily crack what we used to think were very long, complex, good passwords.

Yes, the attackers have to get your password hashes first, but it really is not as difficult as most people think. Beyond attackers just stealing them from sites and services you authenticate to, it is not that hard to just guess or steal them at will from the user (or the sites and services they belong to).

There are tens of billions of passwords and password hashes out on the Internet in “password dumps” from previous compromises (e.g., from phishing and from site and service compromises). Some of your passwords and password hashes are likely included in them. You can go to https://haveibeenpwned.com and see if one of your passwords or hashes is compromised. You probably have at least one compromised password or hash, if not more. If you use a password manager, each compromised password or hash works against only the one site or service where it was used.

If you do not use a password manager, you likely share passwords (or password patterns with common roots) among multiple sites or services, and each stolen password or hash means the attacker can get into multiple sites and services (that share the same password or password pattern).

Attackers are routinely, remotely guessing at supposedly long and complex passwords successfully, such as Welkom2020 (https://www.world-today-news.com/municipality-of-hof-van-twente-hacked-by-simple-password-welkom2020-now/). Welkom2020 is what most people think of when they think of a “long and complex” password, but it is not long or complex enough.

It used to be that we cybersecurity “experts” said your passwords should be at least six characters long, then eight characters, then 10 characters, and now 12 characters. But I am here to tell you that any password that is not fully random needs to be at least 20 characters long, with good complexity, to have any hope of surviving a password hash cracking attack. That is the situation today.

In a few years, even that is likely to be similar to the six-character recommendation of yesteryear.

Very Fast Password Hash Cracking

Today’s password hash cracking “rigs” can make up to hundreds of trillions of password guesses per second (i.e., measured in TH/s, trillions of hashes per second) if the attacker can get your hashes. Do you think your password can withstand hundreds of trillions of guesses per second? If so, for how long?

It does not even take hundreds of trillions of guesses per second to compromise most people’s “complex, strong” passwords.

KnowBe4 has a password hash cracking rig that makes “only” 6.2 trillion guesses per second. We run it at least every 30 days against our users’ passwords, and we break most “complex, strong” passwords in three days or less. Here is an example of the passwords we broke last month:

[Image not reproduced: list of passwords cracked last month]
Look at those passwords! They are all what almost anyone would call “strong and complex”, and yet we are breaking them in three days. I do not even want to show you what we break in 30 days. And anyone can do this. You can buy the capability for hundreds of trillions of guesses per second in the cloud for $100…after the free subscription trial period, which worked just as well, ends.

Yes, an attacker has to get your hashes to be able to crack them, but it is not as hard as it seems these days. If an attacker can get on an endpoint or on the network, they can probably extract everyone’s hashes. It is what the bad actors do when they break into an organization. Step two, after breaking in, is to obtain everyone’s password hashes. It usually only takes minutes.

But the bad actors often do not even need to “break in” to obtain people’s password hashes. Several times a year, we learn of a new vulnerability that allows attackers to remotely obtain people’s password hashes, often through email. I have written about it many times over the years, including here: https://www.dhirubhai.net/pulse/pay-attention-prepared-yet-another-remote-windows-hashing-grimes-xfg2c.

Let me be clear. Attackers can send you (or your users) emails that can extract the user’s password hashes. Sometimes the user does not even have to open the email. Sometimes the user does not even have to click on a link or image. But at the very least with all the known attacks, all the email has to do is trick the user into clicking on a link or an object in the email, and the user’s password hash is remotely sent to the attacker.

Note: Most of these remote password hash extractions involve Microsoft software, but not all. Remote password hash extraction attacks have been identified across all popular operating systems.

Every time I read about one of these remote hash extraction attacks, I keep thinking I have seen the last of them. But we get two to three of them a year, year after year. It has been that way for at least five years now.

What Type of Password Is Safe From Cracking?

Well, something that is fairly long (at least 20 characters) and has some non-conventional complexity (i.e., complexity that is not in the usual places and/or uses rarer characters). Take a look at the password examples given above and see if your password is stronger. For most of us, it probably is not.

And who wants to create (using their own memory), remember, and use passwords that are stronger than that? Almost no one. It is hard to do. It is especially hard to do without repeating a password or using a predictable password pattern.

Instead, use a good password manager.

AFAIK, the hash of an 11-character truly random password has never been cracked…at least publicly. Password managers usually create 15- to 18-character-long, truly random passwords. Outside of a bizarre, unheard-of nation-state attack, I cannot imagine that type of password ever being guessed or its hash cracked.
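The arithmetic behind the cracking rates quoted above (6.2 trillion guesses per second, hundreds of trillions in the cloud) and the 11- and 18-character random-password claims, as an added example that is not part of the article. It assumes a fast, unsalted hash (so the rig's rate applies to every guess), a 95-character printable alphabet for random passwords, and a 100,000-word dictionary for Welkom2020-style patterns; all constants are constructed from the figures in the text.

```python
import math

# Constructed constants: guess rates quoted in the article (KnowBe4's rig at
# 6.2 trillion guesses/s; a cloud rig at "hundreds of trillions", taken as 300T).
KNOWBE4_RIG = 6.2e12
CLOUD_RIG = 300e12
SECONDS_PER_YEAR = 365.25 * 24 * 3600
PRINTABLE = 95  # printable ASCII characters a password manager can draw from

def keyspace_random(length, alphabet_size=PRINTABLE):
    """Number of candidates for a truly random password of `length` characters."""
    return alphabet_size ** length

def keyspace_pattern(wordlist_size, digit_count=4):
    """Candidates for a Welkom2020-style pattern: a dictionary word, with or
    without a leading capital, followed by `digit_count` digits."""
    return wordlist_size * 2 * 10 ** digit_count

def entropy_bits(keyspace):
    return math.log2(keyspace)

def years_to_exhaust(keyspace, guesses_per_second):
    """Worst case: time to try every candidate (the average is half of this).
    Assumes a fast, unsalted hash so the rig's rate applies to each guess."""
    return keyspace / guesses_per_second / SECONDS_PER_YEAR

def min_random_length(guesses_per_second, years, alphabet_size=PRINTABLE):
    """Smallest random length whose full keyspace takes at least `years`
    to exhaust at the given rate."""
    needed = years * SECONDS_PER_YEAR * guesses_per_second
    return math.ceil(math.log(needed) / math.log(alphabet_size))

def compare():
    """Entropy and worst-case crack time for the cases the article discusses."""
    cases = {
        "Welkom2020-style (100k words + 4 digits)": keyspace_pattern(100_000),
        "11 random printable characters": keyspace_random(11),
        "18 random printable characters": keyspace_random(18),
    }
    return [(name, entropy_bits(ks), years_to_exhaust(ks, KNOWBE4_RIG),
             years_to_exhaust(ks, CLOUD_RIG)) for name, ks in cases.items()]

if __name__ == "__main__":
    for name, bits, slow, fast in compare():
        print(f"{name:42s} {bits:6.1f} bits  {slow:10.3g} yr @6.2T/s  "
              f"{fast:10.3g} yr @300T/s")
    print("random length needed to survive 100 years at 300T/s:",
          min_random_length(CLOUD_RIG, 100))
```

The pattern password falls in a fraction of a second, the 11-character random one takes decades at 6.2T/s but under a year to exhaust at 300T/s against a fast hash, and the 18-character one is out of reach by a factor of trillions.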

You and everyone else should be using a password manager to create, manage, and use unique, truly random passwords on each site and service.

If you are trying to decrease human risk…and we all are…use multifactor authentication and other strong authentication solutions along with a good password manager. The attackers are too good to not implement these security strategies.

Alan McQueen

Director of Business Systems | Architect | MBA

1 month

Thanks for sharing. Are password managers rotating these strong passwords between the password manager and the client apps periodically, or is this a forced reset by the user, in general?

Brian Finnan

Managing Director at Arcanum Technology

1 month

Or nKode
