A monthly Information Security publication for the WPI community.

This month let's focus on PASSWORD HYGIENE. It's a set of best practices that reduces the likelihood of your account being compromised.

In this issue:

  • Password Cracking Techniques & AI
  • Password Managers 
  • How to Make a Strong Password
  • Learning with Laughter
  • From WPI's CISTO: If a Vendor Is Breached...
  • Where to Find Information Security?
  • Meet Jim MacDonald!
  • Featured Videos & By the Numbers 
  • Do You Reuse Passwords?
  • Passwords in the News
  • Expired Password Phishing Scam at WPI
  • Diversity in Cybersecurity
  • Additional WPI Password Resources

Password Cracking Techniques

Because hackers have advanced methods for making many password attempts in just a few seconds, creating strong and varied passwords or passphrases is more important than ever. People who don't use password managers often use the same password for all their accounts, leaving them vulnerable to credential compromise.

Hackers often use algorithms that guess passwords repeatedly, including making the common number and symbol replacements for letters. So you can't trick them by changing your password from mypassword to mypa55word!

  • Brute force attacks try combinations of characters of a predetermined length.
  • Dictionary searches run through known words; password dictionaries even exist for a variety of topics, including politics, movies, and music groups.
  • Phishing attacks lure you into clicking on an email attachment or link that collects your password or installs malware. The malware might track keystrokes or take screenshots to nab the password.
  • Rainbow attacks use different words from the original password in order to generate other possible passwords. Malicious actors keep a list of leaked and previously cracked passwords, which makes the overall password cracking method more effective.
  • Guessing! An attacker may be able to guess a password without the use of tools. With enough information about the victim or use of a common password, they may be able to come up with the correct characters.

These definitions came from TechTarget.com, and the article below offers more details.

Password Cracking from TechTarget.com

AI Is Utilized in Password Cracking

According to PowerDMARC, "AI-powered password-cracking tools utilize artificial intelligence and machine learning algorithms to efficiently guess or crack passwords. These tools can learn from existing password data, recognize patterns, and automate various techniques to compromise user accounts." In addition to expertly carrying out the Brute Force and Dictionary attacks defined above, here are other common AI password cracking methods:

  • Pattern Recognition - AI algorithms can recognize patterns and trends in passwords, such as the use of common phrases.
  • Data Mining - AI can mine and analyze large datasets, such as breached password databases.
  • Credential Stuffing - The automated process of using stolen username-password pairs from one site to gain unauthorized access to another.
  • Keyboard Sound-Based Attacks - An AI model can replicate a typed password on a laptop with an accuracy rate of 95 percent.

How to Protect Your Passwords from AI (PowerDMARC)

Time It Takes to Brute Force Passwords in 2024

Hive Systems password rainbow chart: the vertical axis = the number of characters. The horizontal axis = password attributes. Chart sections are purple, red, orange, yellow, and green.

Color Code:

Purple - Cracked instantly; uses 4-6 characters and no character variety.

Red - Cracked in a few seconds to 5 months; uses 7 - 14 slightly varied characters.

Orange - Cracked in 2 to 33,000 years; uses 11 - 14 widely varied characters.

Yellow - Takes 618,000 to 2 billion years to crack; uses 11 - 16 widely varied characters.

Green - Takes 11 billion to 19 quadrillion years to crack! They use widely varied 13 - 18 characters.

Protect Passwords from Artificial Intelligence

Using the best password and security practices makes it harder for artificial intelligence tools to figure out your password. To protect against AI and other hacking tools:

  • Create stronger passwords
  • Use multi-factor authentication
  • Avoid public Wi-Fi
  • Use password managers
  • Monitor data breaches

How To Protect Your Password Against AI (Inquirer.net)

Password Managers

While technology promises to make our lives easier, and it generally does, every new website and application we sign up for is another password we must remember. For many, it becomes impossible to remember all of them. Think about yourself: do you reuse your passwords on multiple accounts? This is considered risky, so using a password manager can reduce your risk.

What is a Password Manager?

A password manager is a software application designed to store and manage online credentials and generate strong passwords. The passwords are usually stored in an encrypted database and locked behind a master password. Once you log into the password manager using that master password, you create an entry for a specific application and then use the password manager to log into that application.

Steps to Set Up a Password Manager:

1. Download a password manager program.

2. Create a master password for your password vault.

3. Start logging into your accounts.

4. Begin to change your passwords.

Pros and Cons of Password Managers

While password managers have many benefits, they are not foolproof. Weighing these pros and cons against your needs and habits can help you to decide what is best for you. (There is not currently a specific password manager that WPI Information Technology supports as university-wide software.)

PROS:

  1. No need to memorize all your passwords.
  2. Help to protect your identity.
  3. A highly secure password is generated for you.
  4. They enable easy access to accounts across multiple devices.
  5. Many password managers work across different systems, for quick access to your passwords regardless of which system you’re on.
  6. Saves time.

CONS:

  1. Password managers have been hacked, but overall, their track record when it comes to securing data is very good.
  2. Password managers can be a single point of failure, for instance, if the master password is forgotten or lost.
  3. All of your sensitive data is stored in one place.

Make a Strong Password

Here are tips on how to make a strong password. Your master password is the key to your password manager, so it is imperative that it's both strong and memorable!

  • Don’t reuse passwords.
  • Create long, complex passwords with a variety of character types.
  • Use a passphrase, a series of words that are easy to remember but hard to guess, such as a favorite quote.

Example of Passwords with Increasing Complexity

Action                                                                      Password                       Strength
Pick something meaningful                                                   gompeigoat                     OK
Increase the length                                                         gompeigoatlovestocheer         Good
Add capitals for complexity                                                 GompeiGoatLOVEStocheer         Good
Swap in a number for additional complexity                                  GompeiGoatLOVES2cheer          Better
Add punctuation for even more complexity                                    Gompei-GoatLOVES2cheer!        Better
Add spaces (where allowed) for normal sentence structure and natural typing Gompei-Goat LOVES 2 cheer!     Best
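The two ideas in this issue, that crackers undo letter-for-number swaps like mypa55word and that length plus character variety is what actually grows the brute-force search space, can be checked with a small script. This is an added example, not code from the newsletter or from WPI; the common-password list and the substitution map are constructed stand-ins for the much larger lists real cracking tools use.

```python
import math
import re

# Constructed stand-in for a leaked/common password list (real lists hold millions).
COMMON_PASSWORDS = {"password", "mypassword", "123456", "qwerty", "letmein"}

# Letter-for-symbol swaps that cracking rule sets undo automatically (assumed set).
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})

# Character classes and their sizes in printable ASCII (33 symbols incl. space).
CLASSES = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33))


def normalize(password: str) -> str:
    """Lower-case and reverse common substitutions so mypa55word -> mypassword."""
    return password.lower().translate(LEET_MAP)


def matches_common(password: str) -> bool:
    """True if the password, once normalized, is on the common list."""
    return normalize(password) in COMMON_PASSWORDS


def search_space_bits(password: str) -> float:
    """Naive brute-force search space: length * log2(alphabet actually used).
    This is the model behind length-vs-variety charts like the one above."""
    alphabet = sum(size for pattern, size in CLASSES if re.search(pattern, password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def assess(password: str) -> dict:
    """Combine both checks: a common password is weak regardless of its bits."""
    common = matches_common(password)
    return {"bits": round(search_space_bits(password), 1),
            "rejected": common,
            "reason": "matches a common password after undoing substitutions" if common else ""}


if __name__ == "__main__":
    # The newsletter's own progression, plus the mypa55word trap from above.
    for pw in ("mypa55word", "gompeigoat", "gompeigoatlovestocheer",
               "GompeiGoatLOVEStocheer", "GompeiGoatLOVES2cheer",
               "Gompei-GoatLOVES2cheer!", "Gompei-Goat LOVES 2 cheer!"):
        print(f"{pw!r:30} {assess(pw)}")
```

Note that mypa55word shows about 52 bits of naive search space yet is rejected outright, which is exactly why the swap does not help.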

For additional password tips, check out this article from the Cybersecurity and Infrastructure Security Agency.

Use Strong Passwords (CISA.gov)

Learning with Laughter

Two pictures of a knight. The first is labeled "Multi-Million Dollar Cyber Budget." The second is the knight's helmet. An arrow labeled "Password Reuse" is entering the helmet's eye slit.

From WPI's CISTO: If a Vendor Is Breached...

Even with individuals using excellent WPI passwords, breaches can still happen to external WPI partners. If a vendor notifies you of a breach or other cybersecurity issue, it is vital to immediately report the details to WPI's Chief Information Security & Technology Officer at CISO@wpi.edu.

Read more about Breach Notifications

Where to Find Information Security?

This month Information Security will present at New Faculty Orientation on Aug. 14, 11:00am - 12:30pm, Innovation Studio 203 and 205.

New students can chat with us at the Tech Clinic on Aug. 20 11:00am - 1:00pm.

Meet Jim MacDonald!

Jim is wearing a suit and tie and smiling.

"Hi, I'm Jim MacDonald, and I'm the Assistant Director of Security Engineering and Operations here at WPI. I graduated from WPI with a BS in ECE in 2012 and an MS in CS, with a focus in Cybersecurity, in 2022. I have been with WPI IT since 2013, holding several previous roles before joining Information Security in April of 2023. Outside of work, I previously volunteered as an Assistant Rowing Coach for the WPI Men’s Varsity Crew team from 2012-2018, and currently volunteer with the United States Coast Guard Auxiliary." 

Featured Videos 

These brief videos explain password hygiene.

Intro to Password Security (2 min)
Password Hygiene (2 min)

Passwords By the Numbers

- Password attacks increased over tenfold in 2023, from around 3 billion per month to over 30 billion.

- In April 2023, there were 11,000 password-based attacks per second.

- Microsoft reported about 10,000 password entries per month put into malicious sites during April - June 2023.

Microsoft Digital Defense Report (October 2023)

Do You Reuse Passwords? 

Here are some findings from TechReport about password reuse.

Data Breach Causes: 81% poor passwords, 19% other
The average worker uses 1 password over 13 times across various accounts.
Up to 65% of people use the same password for multiple accounts.

Password Reuse Statistics (TechReport)

Passwords in the News 

Last month nearly 10 billion leaked passwords were found on a forum. The list is referred to as RockYou2024.

10 Billion Passwords Leaked in July 2024 (PC World)

In November 2023 the Midnight Blizzard hacker group used a password spray attack to take control of an inactive Microsoft account. They then exfiltrated emails and attachments from the Microsoft corporation.

Key Lesson from Microsoft's Password Spray Hack (The Hacker News)

Expired Password Phishing Scam at WPI

WPI passwords do not expire. In the past, bad actors tried luring in WPI account holders by emailing a phony expired password notification. If you receive a message like the one below, it's a scam. One way to check is to hover the mouse over the button or link and look in the lower left corner of the screen to see the real address it will take you to.

Image of a phishing email with captions: The from address looks convoluted. Microsoft is based in the US, so an email from them ending with .es is odd. The subject line is from an external source and the word "notifier" is oddly used. Long text mimics disclosure statements at other organizations.
Screenshot of an expiring password notification scam that is made to look like an official email from Microsoft.

Check out the Phish Bowl for Other Recent Attempts:

WPI Phish Bowl

Diversity in Cybersecurity 

Michael Echols is smiling and wearing a navy blue suit.
Michael Echols

Additional WPI Password Resources 

Tips for Creating a Secure Password
Password Safety
WPI Account Password Standard
Identity Theft: Credential Stuffing (stolen usernames and passwords)

Coming Next Month...

Social Engineering 

Is there a cybersecurity topic that you would like to know more about? Please contact WPI Information Security using Get Support below.
