A monthly Information Security publication for the WPI community.

This month's focus is PASSWORD HYGIENE: the set of habits that reduce the likelihood of your accounts being compromised.

In this issue:

  • Password Managers
  • Password Cracking Techniques
  • Passwords by the Numbers
  • How to Make a Strong Password
  • Expired Password Phishing Scam at WPI
  • Learning with Laughter
  • Breach Notifications
  • Where to Find Information Security?
  • Featured Videos
  • Passwords in the News
  • Diversity in Cybersecurity
  • Additional Password Resources on the Hub
  • Coming Next Month...

Password Managers

While technology promises to make our lives easier, and it generally does, every new website and application we sign up for is another password we must remember. For most people it becomes impossible to remember all of them. Think about yourself – do you reuse your passwords on multiple accounts? Reuse is risky: when one site is breached, the stolen password is tried against every other site you use. A password manager removes the need to reuse anything.

What is a Password Manager?

A password manager is a software application designed to store and manage online credentials and generate strong passwords. The passwords are usually stored in an encrypted database and locked behind a master password. Once you log into a password manager using a "master" password, you then create an entry for a specific application and utilize the password manager for logging into that application.

Steps to Set Up a Password Manager:

1. Download and install a password manager program.

2. Create a strong master password for your password vault. This is the one password you still have to remember, so make it a long passphrase and never reuse it anywhere else.

3. Log into your accounts as usual and let the manager save each login to the vault.

4. Replace weak or reused passwords one account at a time with unique passwords generated by the manager.

Pros and Cons of Password Managers

While password managers have many benefits, they are not foolproof. Weighing these pros and cons against your needs and habits can help you to decide what is best for you. (There is not currently a specific password manager that WPI Information Technology recommends or supports as university software.)

PROS:

  1. No need to memorize all your passwords; only the master password.
  2. A unique password for every site limits the damage of any single breach to that one account.
  3. Strong random passwords are generated for you.
  4. Easy access to your accounts across multiple devices.
  5. Most password managers work across operating systems and browsers, so your passwords are available regardless of which system you're on.
  6. Saves time.

CONS:

  1. Password managers have been hacked, but overall, their track record when it comes to securing data is very good.
  2. Password managers can be a single point of failure, for instance, if the master password is forgotten or lost.
  3. All of your sensitive data is stored in one place.

Password Cracking Techniques

Because attackers have tools that make enormous numbers of password guesses per second against stolen password hashes, creating strong and unique passwords or passphrases is more important than ever. People who don't use password managers often reuse the same password for all their accounts, so one breached site exposes all of them.

Cracking tools don't just try words; they apply "mangling rules" to every guess, including the common number and symbol substitutions for letters. So you can't fool them by changing your password from mypassword to mypa55word: that variant is generated automatically from the same dictionary word.

Brute force attacks try every combination of characters up to a given length. The number of combinations grows exponentially with the length and with the size of the character set, which is why long passwords with varied characters resist them.

Dictionary attacks run through lists of known words and previously leaked passwords; topic-specific password dictionaries exist for politics, movies, music groups and more.

Phishing attacks lure a user into clicking on an email attachment or link where the user enters their password or malware is installed. The malware might track keystrokes or take screenshots to nab the password. 

Rainbow table attacks use precomputed tables that map hashed passwords back to their plaintext, so an attacker who steals a database of unsalted password hashes can look them up instead of guessing. Malicious actors also keep lists of leaked and previously cracked passwords, which make every other cracking method more effective. Salting each password before hashing defeats precomputed tables, but that is up to each site you use, which is one more reason not to reuse a password across sites.

Guessing! An attacker may be able to guess a password without the use of tools. With enough information about the victim or a victim who uses a common password, they may be able to come up with the correct characters.
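The dictionary, mangling-rule, brute force and precomputed-table ideas above, as an added Python example that is not part of the original newsletter or of the TechTarget article it draws on. The wordlist, the "leaked" hashes and the salt are constructed for the demo; unsalted SHA-256 stands in for whatever hash a real dump would use, and the rule set is a tiny subset of what tools like hashcat or John the Ripper apply.

```python
import hashlib
import itertools
import string

# Constructed wordlist for the demo; real attacks use lists of millions of
# leaked passwords (rockyou.txt and the like).
WORDLIST = ["password", "mypassword", "gompei", "welcome", "summer"]

# Substitutions that cracking tools try as "mangling rules": the reason
# mypa55word is no safer than mypassword.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"}
SUFFIXES = ["", "1", "123", "!", "2022"]


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


def leet_variants(word):
    """Yield the word with every combination of LEET substitutions applied."""
    positions = [i for i, ch in enumerate(word) if ch in LEET]
    for n in range(len(positions) + 1):
        for subset in itertools.combinations(positions, n):
            chars = list(word)
            for i in subset:
                chars[i] = LEET[chars[i]]
            yield "".join(chars)


def candidates(word):
    """One dictionary word expanded by leet, case and suffix rules, no duplicates."""
    seen = set()
    for base in leet_variants(word):
        for cased in (base, base.capitalize(), base.upper()):
            for suffix in SUFFIXES:
                cand = cased + suffix
                if cand not in seen:
                    seen.add(cand)
                    yield cand


def dictionary_attack(target_hashes, wordlist=WORDLIST):
    """Return {hash: plaintext} for every unsalted SHA-256 hash recovered."""
    remaining = set(target_hashes)
    found = {}
    for word in wordlist:
        for cand in candidates(word):
            if not remaining:
                return found
            h = sha256_hex(cand)
            if h in remaining:
                found[h] = cand
                remaining.discard(h)
    return found


def brute_force(target_hash, alphabet=string.ascii_lowercase, max_len=4):
    """Try every string up to max_len; the keyspace grows as len(alphabet) ** n."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            cand = "".join(combo)
            if sha256_hex(cand) == target_hash:
                return cand
    return None


def precomputed_table(wordlist=WORDLIST):
    """Hash -> plaintext map built once and reused against any unsalted dump.

    Rainbow tables are a space-optimised form of this idea. A per-user salt
    defeats both, because the stored hashes no longer match the table."""
    return {sha256_hex(c): c for w in wordlist for c in candidates(w)}


def salted_hex(salt, text):
    """Salted hash as a site should store it (salt is constructed here)."""
    return sha256_hex(salt + text)


if __name__ == "__main__":
    # Constructed "leaked" hashes; the last one is a long passphrase.
    leaked = [sha256_hex(p) for p in ("mypa55word", "Gompei123", "Summer2022",
                                      "correct horse battery staple")]
    print(dictionary_attack(leaked))          # recovers the first three only
    print(brute_force(sha256_hex("qzx")))     # qzx
    table = precomputed_table()
    print(sha256_hex("mypa55word") in table)          # True
    print(salted_hex("x7f2", "mypa55word") in table)  # False
```

Run as a script it cracks the three rule-derived passwords in well under a second and never finds the passphrase, because no dictionary word plus rules produces it; the salted hash shows why a precomputed table is useless against a site that salts.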

These definitions are adapted from Techtarget.com, and the article below offers more details.

Password Cracking from Techtarget.com

Passwords By the Numbers

Microsoft did a study of over 280,000 attacks and analyzed the compromised password data. This is what they found:

Compromised password characteristic     Frequency
Under 10 characters                     96%
Under 8 characters                      92%
6 characters or less                    72%
Did not use a number                    72%
Used a special character                2%

Source: Microsoft Digital Defense Report, October 2021 (p. 86)

Time it Takes a Hacker to Brute Force Your Password in 2022

Image from Hive Systems of a password rainbow chart. The vertical axis has the number of characters. The horizontal axis has password attributes. Chart sections are purple, red, orange, yellow, and green.

Color Code (each band describes the passwords that fall in it):

  • Purple - Cracked instantly: 4-11 characters with no variety of character types.
  • Red - Cracked in a few seconds to 5 months: 7-18 characters with some variety of character types.
  • Orange - Cracked in 3 years to 69,000 years: 11-17 characters with a wider variety of character types.
  • Yellow - Takes 202,000 years to 9 billion years to crack: 13-18 characters with a wide variety of character types.
  • Green - Takes 92 billion years to 438 trillion years to crack: 16-18 characters with a wide variety of character types.

How to Make a Strong Password

These best practices help protect your accounts:

  • Don’t reuse passwords.
  • Create complex passwords with a variety of character types.
  • Use a passphrase, a series of words that are easy to remember but hard to guess, such as a favorite quote (but not a famous one verbatim: well-known phrases appear in cracking wordlists, so change or combine words).
  • Enable multi-factor authentication (MFA).
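An added example of the passphrase bullet above, not code from the newsletter: choosing words at random with Python's secrets module gives a passphrase whose strength can actually be calculated, which a favorite quote cannot. The 16-word list is constructed for the demo; a real generator uses a published list of thousands of words, and the 7,776-word figure used below is the size of the EFF long wordlist.

```python
import math
import secrets

# Constructed 16-word list for the demo only. A real generator uses a
# published list of thousands of words (the EFF long list has 7,776).
WORDS = [
    "goat", "tower", "cheer", "river", "maple", "quartz", "lantern", "orbit",
    "pixel", "harbor", "velvet", "cactus", "ember", "falcon", "glacier", "meadow",
]


def passphrase(num_words=5, wordlist=WORDS, separator="-"):
    """Join words chosen uniformly at random with the OS CSPRNG.

    secrets.choice, not random.choice: the random module is built for
    simulation, and its own documentation says not to use it for secrets."""
    return separator.join(secrets.choice(wordlist) for _ in range(num_words))


def entropy_bits(num_words, wordlist_size):
    """Entropy of a uniformly random passphrase: log2(N ** k) = k * log2(N)."""
    return num_words * math.log2(wordlist_size)


def words_needed(target_bits, wordlist_size):
    """Smallest number of words from a list of this size that reaches target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))


if __name__ == "__main__":
    phrase = passphrase(5)
    print(phrase, f"{entropy_bits(5, len(WORDS)):.1f} bits")  # 20.0 bits: demo list is far too small
    print(f"{entropy_bits(5, 7776):.1f} bits")                 # 64.6 bits with a 7,776-word list
    print(words_needed(80, 7776))                               # 7 words for 80 bits
```

The entropy depends only on the list size and the word count, never on which words came out, so a passphrase from a large list is strong even though every word in it is in the attacker's dictionary.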

Example of Passwords with Increasing Complexity

Action                                              Password                      Strength
Pick something meaningful                           gompeigoat                    OK
Increase the length                                 gompeigoatlovestocheer        Good
Add capitals for complexity                         GompeiGoatLOVEStocheer        Good
Swap in a number for additional complexity          GompeiGoatLOVES2cheer         Better
Add punctuation for even more complexity            Gompei-GoatLOVES2cheer!       Better
Add spaces (where allowed) for sentence structure   Gompei-Goat LOVES 2 cheer!    Best
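The brute-force times in the Hive Systems chart and the Strength column above both depend on how many character types and how many characters a password uses. The following Python block is an added example, not the chart's own calculation: it computes the same kind of estimate from character-set size and length for the newsletter's own example passwords, and adds the caveat the chart cannot show, namely that a password built from dictionary words is searched by word, not by character. The guess rate is an assumption for the demo, not Hive's figure, and the charset names are the demo's own.

```python
import math

# Assumed attacker rate for an unsalted fast hash (order of magnitude of a
# multi-GPU rig against MD5/NTLM). Slow hashes such as bcrypt or Argon2 cut
# this by many orders of magnitude. Adjust for your own threat model.
GUESSES_PER_SECOND = 100e9

# Character-set sizes, corresponding to the columns of the Hive chart.
CHARSET_SIZES = {
    "digits": 10,
    "lowercase": 26,
    "mixed case": 52,
    "mixed case + digits": 62,
    "mixed case + digits + symbols": 95,
}


def charset_size(password):
    """Size of the smallest combination of standard classes covering the password."""
    size = 0
    if any(c.isdigit() for c in password):
        size += 10
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation and space
    return size


def keyspace(alphabet, length):
    return alphabet ** length


def expected_seconds(alphabet, length, rate=GUESSES_PER_SECOND):
    """On average the right guess turns up halfway through the keyspace."""
    return keyspace(alphabet, length) / 2 / rate


def human_time(seconds):
    if seconds < 1:
        return "instantly"
    for unit, size in (("seconds", 60), ("minutes", 60), ("hours", 24), ("days", 365)):
        if seconds < size:
            return f"{seconds:.0f} {unit}"
        seconds /= size
    return f"{seconds:,.0f} years"


def brute_force_estimate(password, rate=GUESSES_PER_SECOND):
    """Chart-style estimate: treats every character as independent and random."""
    return human_time(expected_seconds(charset_size(password), len(password), rate))


def dictionary_estimate(num_words, dictionary_size, rate=GUESSES_PER_SECOND):
    """If the password is k words from a list of N, the real keyspace is N ** k."""
    return human_time(expected_seconds(dictionary_size, num_words, rate))


def chart(lengths=range(4, 19), rate=GUESSES_PER_SECOND):
    """Rows of (length, {charset name: time}), the layout of the Hive chart."""
    return [(n, {name: human_time(expected_seconds(size, n, rate))
                 for name, size in CHARSET_SIZES.items()}) for n in lengths]


if __name__ == "__main__":
    for pw in ("gompeigoat", "GompeiGoatLOVES2cheer", "Gompei-Goat LOVES 2 cheer!"):
        print(f"{pw!r}: {brute_force_estimate(pw)} by character")
    # gompeigoat is two dictionary words; assume a 100,000-word list.
    print("gompeigoat as 2 words of 100,000:", dictionary_estimate(2, 100_000))
    for length, row in chart():
        print(length, row)
```

The by-character figure for gompeigoat is minutes at the assumed rate, but two words from a 100,000-word list is a keyspace of 10^10 and falls instantly; that gap is why the table above keeps adding length, capitals, digits and punctuation rather than relying on a word alone.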

Expired Password Phishing Scam at WPI

WPI passwords do not expire, so any message telling you that yours is about to expire is a scam. Bad actors have recently targeted WPI account holders with a phony expired-password notification like the one below. To check a link, hover the mouse over the button or link without clicking; the real destination address appears in the lower left corner of the browser or mail window. If that address is not where the message claims to send you, do not click it.

Image of a phishing email with the following captions: The from address looks convoluted. Microsoft is based in the US, so an email from them ending with .es is odd. The subject line shows the message came from an external source, and the word "notifier" is oddly used. Long text mimics disclosure statements at other organizations.
Screenshot of an expiring password notification scam that is made to look like an official email from Microsoft. 
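The hover check described above, done programmatically over an email body, as an added example that is not part of the newsletter and is not a WPI tool. The HTML is a constructed lure modelled on an expired-password notice (its domains and IP are made up, with 203.0.113.7 from the documentation range), and the trusted-domain list is an assumption for the demo.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample lure; none of these addresses are real indicators.
SAMPLE_HTML = """
<p>Your password for <b>user@wpi.edu</b> expires today.</p>
<p><a href="https://notifier-account.example.net/keep-password">Keep My Current Password</a></p>
<p>Or visit <a href="http://203.0.113.7/login">https://login.microsoftonline.com</a></p>
<p><a href="https://www.wpi.edu/">WPI home</a></p>
"""

# Assumed allowlist of domains a genuine WPI account message would link to.
TRUSTED_DOMAINS = ("wpi.edu", "microsoft.com", "microsoftonline.com")

# Visible link text that looks like a URL or bare domain.
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host of a URL or bare domain; '' if none."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def is_trusted(host, trusted=TRUSTED_DOMAINS):
    return any(host == d or host.endswith("." + d) for d in trusted)


def suspicious_links(html, trusted=TRUSTED_DOMAINS):
    """Flag links whose visible text disagrees with the real destination,
    and links that go anywhere outside the trusted domains."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real_host = host_of(href)
        reasons = []
        if URL_LIKE.match(text) and host_of(text) != real_host:
            reasons.append(f"visible text shows {host_of(text)} but link goes to {real_host}")
        if not is_trusted(real_host, trusted):
            reasons.append(f"destination {real_host} is not a trusted domain")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_HTML):
        print(finding["text"], "->", finding["href"])
        for reason in finding["reasons"]:
            print("   ", reason)
```

Both lure links are flagged, the second for two reasons (it displays a Microsoft address while pointing at a bare IP), while the genuine wpi.edu link passes; the same mismatch is what you see when you hover and compare the corner of the window with the button's label.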

Check out the Phish Bowl for Other Recent Attempts:

WPI Phish Bowl

Learning with Laughter

Meme with 2 pictures of a knight. The first shows the knight's torso and head covered in armor, and is labeled "Multi-Million Dollar Cyber Budget." The second picture focuses on the knight's helmet. An arrow labeled "Password Reuse" is entering the helmet's narrow eye slit. 

Breach Notifications

Even with individuals using excellent WPI passwords, breaches can still happen to external WPI partners. If you are notified of a cybersecurity issue, it is vital to immediately report details to WPI's Chief Information Security Officer at CISO@wpi.edu. 

Read more about Breach Notifications

Where to Find Information Security?

This month Information Security will present at New Faculty Orientation on Aug. 16, 10:45 AM - 12:15 PM, Innovation Studio 203-205. We will also be available to chat with new students at the Tech Clinic on Aug. 22, 11 AM - 1 PM.

Meet Jim MacDonald!

Jim is wearing a suit and tie and smiling.

"I am an Information Security Engineer at WPI. I graduated from WPI with a BS in ECE in 2012 and an MS in CS, with a focus in Cybersecurity, in 2022. I have been with WPI IT since 2013, holding several previous roles before joining Information Security in April 2023. Outside of work, I volunteered as an Assistant Rowing Coach for the WPI Men’s Varsity Crew team from 2012-2018, and currently volunteer with the United States Coast Guard Auxiliary."

Featured Videos 

These brief videos explain password hygiene.

Password Hygiene (2 min)
Intro to Password Security (2 min)

This video explains how Dictionary Attacks work. Please note the last 30 seconds of the video contains an advertisement for NordVPN. We appreciate the educational value of their video, but are neither endorsing their product nor using it at WPI.

Dictionary Attacks Explained (3 min)

Passwords in the News

In 2022 the FBI found stolen credential information for universities posted in online forums or listed for sale on criminal marketplaces.

Compromised Credentials in Higher Education - 2022

At UMass Lowell some accounts with weak passwords were compromised and used to target students with a job scam.

UMass Lowell - 2020 (web)
UMass Lowell - 2020 (pdf)

Diversity in Cybersecurity 

Michael Echols is smiling and wearing a navy blue suit.
Michael Echols

Additional Password Resources on the Hub:

  • 8 Tips for Creating a Secure Password
  • Password Safety
  • WPI Account Password Standard
  • Identity Theft: Credential Stuffing (stolen usernames and passwords)

Coming Next Month...

Social Engineering

Is there a cybersecurity topic that you would like to know more about? Please contact WPI Information Security using Get Support below.
