
Greetings Kambrians! We are launching a new series for our token holder community. Because security and our community are very important to us, each week we will release a new article that covers “best practices” for keeping your tokens and accounts safe. For today’s security “best practices,” we will cover password security -- what it means, how you can best implement good habits when creating your passwords, and what applications you can use to help prevent malicious actors from gaining access to your accounts.

What is a strong password?

With Moore’s Law still in effect, today’s computers are getting increasingly faster. Exponential growth in processing power makes it increasingly hard to know what a strong password is. Sure, the current model that most websites follow probably used to be sufficient, but in today’s world, one must understand why creating a strong password is absolutely paramount to your account safety.

Photo Credit: TechXplore

Brute Force Attack

Since the beginning of time (okay, not really) crafty programmers have been creating programs called “password crackers” that try an enormous number of password variations in order to “crack” people’s passwords. This is known as a “brute force attack.” While many websites do not allow an unlimited number of password attempts, it is an important concept to understand because the shorter your password is, the easier it is to crack.

8 character password crack takes 2 hours
A strong password according to most websites

A strong password as defined by most websites is a mixture of upper-case and lower-case letters, a number, and one special character, totaling at least 8 characters (e.g. K@mbr1an). While this is certainly better than the password “password,” it is absolutely NOT a strong password. We hate to be the bearer of bad news, Facebook, but this password can be brute forced in less than 1 hour (and that was back in 2007)! If you simply double that password to a mixture of 16 random characters (uppercase and lowercase letters, numbers, and special characters), you increase the brute force time to 30 trillion days with our current processing power.

You can check your password strength by using a "Brute Force Calculator," available here. Please keep in mind that these values are based on 2007 processing power. Processor technology has greatly evolved since then, so leave a wide safety margin when selecting your password: treat the times returned by this tool as generous upper bounds, not as a guarantee.

16 character password takes 30 trillion years
That's a long time!

Dictionary Attack

Similar to brute force attack, dictionary attacks use programs or scripts to try to “guess” your password using different variations of common words. Instead of just trying as many different kinds of letters and characters as it can, it opts to go for a more “logical” route, and tries to guess your password using the most common or most likely candidates for a password. This process has been enhanced over time with machine learning, as many people create very similar passwords. You would be shocked at how simple and common some passwords are. A dictionary attack will often append a number and/or character to the end of a word to satisfy the normal password requirements for most websites. This is a highly effective tool in most hackers’ arsenal.

a single word password takes less than half an hour to crack
Ouch. 20 minutes?

Key Logger Attack

A key logger is a simple program that records every keystroke you make on your computer. Delivered through a variety of channels, this malware is a sneaky way to capture everything you type, especially passwords and credit/debit card numbers. This method is particularly dangerous because it excels where brute force and dictionary attacks are weak: password attempt limitations. Many websites do not allow you to attempt your password more than three times, but a key logger never needs a second attempt.

Good Habits 

“A fool and their money soon part ways.” We hope these helpful habits will drastically change the way you view computer security. Good password habits are imperative if you want to ensure that hackers do not gain access to your accounts (or your money!). If you follow a few simple steps, you will exponentially decrease the likelihood that your accounts will be compromised. 

Password Managers

One of the best tools you can implement to start creating good passwords is a password manager. Password managers quickly and easily allow you to create impossibly strong passwords with the click of a button. Depending on the website you are using, some passwords can be over 100 characters, which would be essentially impossible to crack for perhaps thousands of years. We highly recommend that you download and use one of the most popular password security apps today, so you can get started right away.

Photo Credit: 1Password.com

Password Variety

The most common mistake people make isn’t just that their passwords aren’t strong enough. More often than not, they use the same password for everything! This is a huge mistake. If a hacker does happen to gain access to your password, regardless of how difficult it was, they now have access to every account. The goal is to make it as difficult as you possibly can to gain access to any account, and the only way to accomplish this goal is to use a different password for everything. Do not make any two passwords the same, and you will surely be well-protected (provided they are strong passwords).

Passphrases (Sentences/Random Words)

Another strategy that people employ is the use of “passphrases.” Passphrases are strings of words, including spaces, used as your password. Please be advised, these passwords are significantly easier to crack; however, as long as you use at least 24 words, it will be unrealistic for a bad actor to crack your password without years of running a dictionary attack. The more randomized your words are, the more difficult cracking becomes. Passphrases do provide some benefits, though. While it would be nearly impossible to memorize a 40-character random-string password, you could theoretically memorize a 40-word password. This allows you to take your password anywhere you go, without writing it down. We recommend a minimum of 12 words (but 24 is better) for very important accounts/wallets.

Example custom passphrase: please yesterday create tomorrow exceed strong long passwords protect self well okay

Photo Credit: SearchSecurity

Note: Just because these are using whole words does not mean they are easy to crack with a dictionary attack. Passphrases are highly complex and are extremely difficult to hack.
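To make the length argument from the brute force and passphrase sections concrete, here is an added estimator (not code from Kambria or from the article) that counts the guesses an attacker must make to exhaust a random character password versus a random word passphrase. It assumes the attacker knows which character classes are used, that passphrase words are drawn at random from a 7776-word list (a Diceware-sized list), and an illustrative guessing speed of 1e11 guesses per second; all three are assumptions, not figures from the article.

```python
import math
import string

# Character classes as a typical website "strong password" rule counts them.
CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation),      # 32
}
WORDLIST_SIZE = 7776            # assumption: Diceware-sized word list (6**5 entries)
GUESSES_PER_SECOND = 1e11       # assumption: illustrative offline guessing speed


def charset_size(password: str) -> int:
    """Alphabet size an attacker assumes once they know which classes appear."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def brute_force_guesses(password: str) -> int:
    """Worst-case guesses to exhaust all passwords of this length and alphabet."""
    return charset_size(password) ** len(password)


def passphrase_guesses(num_words: int, wordlist_size: int = WORDLIST_SIZE) -> int:
    """Worst-case guesses for num_words words chosen uniformly from the list."""
    return wordlist_size ** num_words


def entropy_bits(guesses: int) -> float:
    """Search space expressed in bits; each extra bit doubles the attacker's work."""
    return math.log2(guesses)


def years_to_exhaust(guesses: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Years a full search takes at the given guess rate (on average it ends halfway)."""
    return guesses / rate / (365 * 24 * 3600)


if __name__ == "__main__":
    # "K@mbr1an" is the article's 8-character example; the 16-character string is constructed.
    for label, guesses in [
        ("8 chars, 4 classes (K@mbr1an)", brute_force_guesses("K@mbr1an")),
        ("16 chars, 4 classes", brute_force_guesses("xT7#qLm2!vB9$wZ4")),
        ("12 random words", passphrase_guesses(12)),
        ("24 random words", passphrase_guesses(24)),
    ]:
        print(f"{label:32s} {entropy_bits(guesses):6.1f} bits "
              f"{years_to_exhaust(guesses):.3g} years")
```

Doubling the character password from 8 to 16 multiplies the attacker's work by 94 to the 8th power, which is the exponential effect the article describes; a 12-word random passphrase already exceeds the 16-character password in bits even though every word is in the attacker's dictionary.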

Password Storage

Your passwords are only as safe as the piece of paper you write them on. Please take extra care when securing your passwords. To reiterate, password managers are an excellent way to store your passwords. Just be sure that you store the “master password” to your password manager in a safe location. As with all of my “backups,” I suggest writing them out by hand on paper and storing them in at least 2 separate locations: perhaps a bank safety deposit box, a physical safe, and a very trusted family member. This suggestion depends heavily on what you deem safe. You may write them in a ledger and store them in safe locations. That said, here is what you should NOT do:

  • Don’t take a picture of them. Your phone may not be secure, and your photos may be backed up to the cloud.
  • Don’t store them all in an unencrypted text document on your computer. These are incredibly easy to gain access to. Malicious actors will scan your computer for files like these.
  • Don’t store them in only one location. We hope it never happens to you, but in the case of a house fire or hardware malfunction, you could lose access to all of your accounts.

What apps can you use?

Here’s the good news! Creating and storing your passwords has never been easier. This list is short; however, there are a number of other applications you can use instead of these. While the list is not exhaustive, you should be well-protected if you utilize any one of these programs.

1Password & LastPass

Both of these programs are “password managers.” Password managers encrypt and save all of your passwords in one location. Additionally, they allow you to quickly create the absolute strongest passwords so that you are protected as well as you can be. If you take anything from this article, take this: download and use a password manager. Using a password manager reduces your responsibility from safely storing all of your passwords to safely storing just one: your master password. This, too, should be a very strong password. Store it well.

VeraCrypt

VeraCrypt is an encryption suite that allows you to encrypt files and photos so that you can safely store them on a computer or USB flash drive. This open-source software uses a range of cryptographic algorithms, including SHA-512, to secure your files. There is no known way to crack this level of encryption, so you can safely store the encrypted container anywhere without the worry of it being cracked. Again, this does rely on you creating a strong password to decrypt these files; however, it serves a similar purpose by reducing the responsibility of safely storing all your passwords to safely storing only one.

MalwareBytes

Prevent keylogger attacks by regularly scanning your computer with an up-to-date security client, such as MalwareBytes. Anti-malware tools may provide additional protection where antivirus software does not, so it is recommended that you use both. If you are on a Windows PC, you already have Defender (Windows’ antivirus) built in to your OS. Ensure that your computer has its antivirus enabled and actively defending your machine, and regularly run your anti-malware suite with up-to-date definitions for the highest level of safety.

The most important app for password security

This particular app will absolutely save you from the most headaches, viruses, keyloggers, phishing, and any other form of attack. It’s called the “be careful what you click on” app. You cannot download it, though. It just needs to be installed into your everyday life. Here’s a general rule of thumb: if you do not know what it is, DON’T CLICK ON IT! Always double check the URL you are visiting, and look for signs that you may be under attack. Most blockchain and/or traditional companies will NOT ask you for your private key, or any funds. If you follow this simple rule, you will save yourself from 90% of the trouble that most people encounter.

In conclusion

We hope that today’s password security article left you with this final thought: are you protected? How safe are your accounts? Do not wait for something bad to happen to you before taking action! Start implementing strong passwords today. 

We look forward to bringing you more security tips like these. Follow us on Twitter to get the next security blogs as they are released: https://twitter.com/KambriaNetwork.

We understand this is a lot of information to take in. Still have questions? Don’t worry - we’ve got you covered! Join the conversation on Telegram, and we’d be happy to answer any questions you may have. We’d love to get to know you. https://t.me/kambriaofficial.

Author

Kambria is the first decentralized open innovation platform for Deep Tech (AI, Robotics, Blockchain, VR/AR…). Using our platform, anyone can collaborate in researching, developing and commercializing innovative ideas and get rewarded fairly for their contributions. Through partnerships with government agencies, top universities and leading companies, Kambria is dedicated to building a sustainable open innovation ecosystem to change the way we innovate and to accelerate advanced technology development and industry adoption. Together, let’s shape the future of technology where technology is open and contributes more to society.