A monthly Information Security publication for the WPI community.
This month let's focus on PASSWORD HYGIENE. It's a set of best practices that reduces the likelihood of your account being compromised.
In this issue:
- Password Managers
- Password Cracking Techniques
- Passwords by the Numbers
- How to Make a Strong Password
- Expired Password Phishing Scam at WPI
- Learning with Laughter
- Breach Notifications
- Where to Find Information Security?
- Featured Videos
- Passwords in the News
- Diversity in Cybersecurity
- Additional Password Resources on the Hub
- Coming Next Month...
While technology promises to make our lives easier, and it generally does, every new website and application we sign up for is another password we must remember. For most, it becomes impossible to remember all of them. Think about yourself – do you reuse your passwords on multiple accounts? This is considered risky, so utilizing a password manager can reduce your risk.
What is a Password Manager?
A password manager is a software application designed to store and manage online credentials and generate strong passwords. The passwords are usually stored in an encrypted database and locked behind a master password. Once you log into a password manager using a "master" password, you then create an entry for a specific application and utilize the password manager for logging into that application.
Steps to Set Up a Password Manager:
1. Download a password manager program.
2. Create a master password for your password vault.
3. Start logging into your accounts.
4. Begin to change your passwords.
Pros and Cons of Password Managers
While password managers have many benefits, they are not foolproof. Weighing these pros and cons against your needs and habits can help you to decide what is best for you. (There is not currently a specific password manager that WPI Information Technology recommends or supports as university software.)
Pros:
- No need to memorize all your passwords.
- Help to protect your identity.
- A highly secure password is generated for you.
- They enable easy access to accounts across multiple devices.
- Many password managers work across different systems, for quick access to your passwords regardless of which system you’re on.
- Saves time.
Cons:
- Password managers have been hacked, but overall, their track record when it comes to securing data is very good.
- Password managers can be a single point of failure, for instance, if the master password is forgotten or lost.
- All of your sensitive data is stored in one place.
Password Cracking Techniques
Because hackers have varied methods to make many password attempts in just a few seconds, creating strong and varied passwords or passphrases is more important than ever. People who don’t use password managers often use the same passwords for all their accounts, leaving them vulnerable to credential compromise.
Hackers often use algorithms to repeatedly guess the password, including making common number and symbol replacements for letters. So you can't trick them by changing your password from
Brute force attacks try combinations of characters of a predetermined length.
Dictionary searches run through known words; password dictionaries even exist for a variety of topics, including politics, movies, and music groups.
Phishing attacks lure a user into clicking on an email attachment or link where the user enters their password or malware is installed. The malware might track keystrokes or take screenshots to nab the password.
Rainbow attacks use different words from the original password in order to generate other possible passwords. Malicious actors keep a list of leaked and previously cracked passwords, which will make the overall password cracking method more effective.
Guessing! An attacker may be able to guess a password without the use of tools. With enough information about the victim or a victim who uses a common password, they may be able to come up with the correct characters.
These definitions came from Techtarget.com, and the article below offers more details.
Password Cracking from Techtarget.com
Passwords By the Numbers
Microsoft did a study of over 280,000 attacks and analyzed the compromised password data. This is what they found:
| Compromised Password Characteristics | Frequency of Use |
|---|---|
| Under 10 characters | 96% |
| Under 8 characters | 92% |
| 6 characters or less | 72% |
| Did not use a number | 72% |
| Used a special character | 2% |
Time it Takes a Hacker to Brute Force Your Password in 2022
- Purple - Cracked instantly; these passwords use 4-11 characters and do not use a variety of characters.
- Red - Cracked in a few seconds to 5 months; these passwords use 7-18 characters and some variety of characters.
- Orange - Cracked in 3 years to 69,000 years; these passwords use 11-17 characters and a wider variety of characters.
- Yellow - Takes 202,000 years to 9 billion years to crack; these passwords use 13-18 characters with a wide variety.
- Green - Takes 92 billion years to 438 trillion years to crack! These passwords use 16-18 characters with a wide variety.
How to Make a Strong Password
These best practices help protect your accounts:
- Don’t reuse passwords.
- Create complex passwords with a variety of character types.
- Use a passphrase, a series of words that are easy to remember but hard to guess, such as a favorite quote.
- Enable multi-factor authentication (MFA).
Example of Passwords with Increasing Complexity
| Pick something meaningful | gompeigoat | OK |
| Increase the length | gompeigoatlovestocheer | Good |
| Add capitals for complexity | GompeiGoatLOVEStocheer | Good |
| Swap in a number for additional complexity | GompeiGoatLOVES2cheer | Better |
| Add punctuation for even more complexity | Gompei-GoatLOVES2cheer! | Better |
| Add spaces (where allowed) for normal sentence structure and natural typing | Gompei-Goat LOVES 2 cheer! | Best |
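The sketch below is an added example, not part of the original newsletter. It shows the kind of check a sign-up form can run: it undoes the common number and symbol replacements described under Password Cracking Techniques before comparing against a word list, and it estimates the brute-force search space for passwords like those in the table above. The word list, substitution map and function names are assumptions made for illustration.

```python
import math
import string

# Constructed sample blocklist (assumption); a real check would load a
# large list of leaked and commonly used passwords.
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "dragon"}

# Common number/symbol replacements that guessing tools undo automatically.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password):
    """Lowercase and reverse common substitutions ('P@ssw0rd' -> 'password')."""
    return password.lower().translate(LEET)


def search_space_bits(password):
    """Upper bound, in bits, on brute-force work for the character classes used.

    Assumes every character was chosen at random, so it overstates the
    strength of anything built from real words.
    """
    pool = 0
    if any(c in string.ascii_lowercase for c in password):
        pool += 26
    if any(c in string.ascii_uppercase for c in password):
        pool += 26
    if any(c in string.digits for c in password):
        pool += 10
    if any(c in string.punctuation or c == " " for c in password):
        pool += 33  # 32 ASCII punctuation marks plus the space
    return round(len(password) * math.log2(pool), 1) if pool else 0.0


def audit(password):
    """Return (is_dictionary_variant, search_space_bits) for one password."""
    # Also test the password with trailing digits/punctuation removed,
    # since appending '1' or '!' to a word is a very common habit.
    trimmed = password.rstrip(string.digits + string.punctuation)
    variant = bool({normalize(password), normalize(trimmed)} & COMMON_WORDS)
    return variant, search_space_bits(password)


if __name__ == "__main__":
    for pw in ["P@ssw0rd1", "gompeigoat", "GompeiGoatLOVES2cheer",
               "Gompei-Goat LOVES 2 cheer!"]:
        variant, bits = audit(pw)
        print(f"{pw!r:32} dictionary_variant={variant!s:5} bits={bits}")
```

The constructed input `P@ssw0rd1` scores more search-space bits than `gompeigoat` yet is flagged as a dictionary variant, which is why character variety alone is not a reliable measure.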
Expired Password Phishing Scam at WPI
WPI passwords do not expire. However, bad actors have recently tried luring WPI account holders in by emailing a phony expired password notification. If you receive a message like the one below, then it's a scam. One way to check is to hover the mouse over the button or link and look in the lower left corner of the screen to see the real address for where it will bring you.
Check out the Phish Bowl for Other Recent Attempts:
WPI Phish Bowl
Learning with Laughter
Breach Notifications
Even with individuals using excellent WPI passwords, breaches can still happen to external WPI partners. If you are notified of a cybersecurity issue, it is vital to immediately report details to WPI's Chief Information Security Officer at CISO@wpi.edu.
Read more about Breach Notifications
Where to Find Information Security?
This month Information Security will present at New Faculty Orientation on Aug. 16, 10:45 AM - 12:15 PM, Innovation Studio 203-205. We will also be available to chat with new students at the Tech Clinic on Aug. 22, 11 AM - 1 PM.
Meet Jim MacDonald!
"I am an Information Security Engineer at WPI. I graduated from WPI with a BS in ECE in 2012 and an MS in CS, with a focus in Cybersecurity, in 2022. I have been with WPI IT since 2013, holding several previous roles before joining Information Security in April 2023. Outside of work, I volunteered as an Assistant Rowing Coach for the WPI Men’s Varsity Crew team from 2012-2018, and currently volunteer with the United States Coast Guard Auxiliary."
Featured Videos
These brief videos explain password hygiene.
- Password Hygiene (2 min)
- Intro to Password Security (2 min)
This video explains how Dictionary Attacks work. Please note the last 30 seconds of the video contains an advertisement for NordVPN. We appreciate the educational value of their video, but are neither endorsing their product nor using it at WPI.
- Dictionary Attacks Explained (3 min)
Passwords in the News
In 2022 the FBI found stolen credential information for universities posted in online forums or listed for sale on criminal marketplaces.
- Compromised Credentials in Higher Education - 2022
At UMass Lowell some accounts with weak passwords were compromised and used to target students with a job scam.
- UMass Lowell - 2020 (web)
- UMass Lowell - 2020 (pdf)
Diversity in Cybersecurity
Michael Echols
Additional Password Resources on the Hub:
- 8 Tips for Creating a Secure Password
- Password Safety
- WPI Account Password Standard
- Identity Theft: Credential Stuffing (stolen usernames and passwords)
Coming Next Month...
Is there a cybersecurity topic that you would like to know more about? Please contact WPI Information Security using Get Support below.