Episode 13| Passwords: A Hacker’s Take on Cracking & Protecting Your Creds

Melissa Michael

14.09.18


Passwords. You plug them into your accounts, you try little tricks to make them more unique, but have you ever wondered what a hacker thinks of your passwords? For episode 13 of Cyber Security Sauna, ethical hacker Jan Wikholm joins us to talk about your passwords – how he cracks them in his job at F-Secure, the tricks hackers know you’re using, and what you should do to keep your credentials safe. Jan also fills us in on hashing, how he does brute forcing, how companies should protect their users’ passwords, and how to create a secure password you can still remember.

Janne Kauhanen and Jan Wikholm discuss passwords

Janne: Welcome, JW. 

Jan: Thanks. Glad to be here. 

So what do you do at F-Secure? 

I’m part of the red team at our consulting branch. And what a red team does, or what it means in our company is doing custom made attacks against companies. This usually means actually attacking the client’s premises physically, going in with people cloning cards, doing network penetration and so forth. But what we usually start with is using some sort of OSINT, meaning open source intelligence. We go through DNS records and so forth, and try to find what sort of servers the company has. And nowadays it’s very very common that companies are moving to Office 365, and they have a strong online presence with the Microsoft suite of applications. And one of the things that they usually have in many businesses is Skype for Business, or formerly called Lync. And what we usually do is we try to use Lync to actually find credentials that work. And that’s where my job begins. Cracking those, or attacking that Lync infrastructure and then starting to crack passwords, and then gaining a foothold into the company, using those credentials, or new credentials, move inside the network, and then finally attaining the goals that the customer has set for us.  

Right. So just so we’re clear, when we’re talking about you cracking passwords, you’re doing it with the company’s permission, and with their express request. 

Yes, this is companies hiring us to do this. Be the ethical hackers, be the enemies that are attacking this.  

Why are there weak passwords? 

There’s just too many for people to remember. So what usually happens is people tend to go for some sort of tactic in creating those passwords. And those are usually semi-safe, if you come up with a good tactic. But unfortunately people are also burdened with so many things to remember that they don’t usually come up with good tactics to generate those passwords. For example, the current month and number of the year, for example, August2018 or the equivalent in the local language. I can tell you that when we are starting to brute force, we are actually trying to log into the system, the first credentials we always try are the month and year, and maybe an exclamation mark at the end, probably with a capital first letter because usually these password policies require some sort of complexity. And these September2018 type of words are the first things we will try. It’s very weak. It will be done in several seconds when we are brute forcing these passwords. 

Are there other techniques that you find a lot of people are using but that the hackers are absolutely on to? 

Well, using common things like the days of the week, names of months, names of seasons and so forth. For example, winter2019 is probably going to be someone’s name, or, for example, Independence Day when it’s up or whatever, or car names like Porsche911, which is undoubtedly someone’s password right now because it has upper case, lower case letters and numbers. And quite often these patterns are quite easy to guess. Usually the first letter is the uppercase letter. Usually the numbers are at the end, two to four numbers, and usually the special character is the exclamation point at the end. So those are very common and very easy to break using these sort of pattern attacks when we are doing the cracking.

What I would say would be better would be to actually just combine two words. For example, instead of having “car” and “apple” as separate words, put “carapple” together and, for example, have the “apple” have the uppercase letter, so you will have the uppercase letter in the middle of this new word “carApple,” and that’s a lot more difficult for the computers to attack with dictionary attacks. And then have a few of these new words together so that you could form some sort of sentence in your head, for example “car, apple music, basketball,” something like that. And always have, for example, the middle word be the uppercase one. So you would have “carApplemusicbasketball,” and you could easily have that sort of as a scenario: “I’m in my car listening to my Apple music on my way to basketball.” And then maybe have some sort of, for example, score from a basketball game or something like that. 3, 0, or 71, 72 or something like that. Something that’s easy for you to remember, but that’s already really, really long to input, and actually that makes it exponentially more difficult to crack by our automated means.

And when you have these words that you are combining, those are not dictionary words that you can actually find. Especially if you, for example, alter the word somehow. So instead of “apple,” you could have “aple” with one p, or three p’s, or something like that. Something where the small alteration is easy for you to remember, but it’s not then crackable by a straight dictionary attack. But for example, if you have just a dictionary word and some numbers, that’s very weak.

So having a technique where you misspell certain words in a certain way would be better than having a weak password and just adding the name of the service you’re using in the front or something like that.  

Yeah, definitely. Even though using some sort of a weakish or even strongish password that you use on every single service, but you just append or put something in the front to indicate the service. That’s good if the database gets stolen and no one knows what your password is. 


But depending on the service you’re using, not all services are equal in their security. Some actually still store their passwords in plain text. Let’s say ten years ago you registered for some service. If you had this same sort of algorithm back then, it was much more rare that those services would be handling your password with care. So what happens if that ten-year-old or five-year-old service gets hacked? Which is quite probable if it’s not kept up to date. And there’s your email and ten years password where the attacker can clearly see it says “service name dash some sort of password.” So it doesn’t take a lot of brains to actually go “Hmm, well, email is used as a login for plenty of services, so let’s see if I just change this name of service to Google or Linkedin or Facebook and use the same password.”

And if you’re using that same sort of algorithm of using this one secure password and then just prefixing it with a service, then any single leak that leaks your password in any format that is clearly legible, like easily recoverable or in plain text, will then render all of your passwords basically leaked. So if I get that old service database, I will then get access to your Facebook, your Google and so forth. So even though it might be more secure to crack because it’s potentially longer and more secure, one leak is all it takes to actually expose your entire user attack surface, so to speak.

So storing passwords in the plain is not the recommended practice but it still happens. What if you are running a service for millions of users? How should you store that user information?  

You should be using secure hashes, so cryptographically secure hashes like BCrypt, SCrypt or some other form of password-derived functions and they should be set to parameters that take long enough on your platform that you can handle the load of millions of users logging in so it doesn’t actually deny the service because of the long computation of password checking, but it should be difficult enough that when that password database gets breached, it should be very inefficient for attackers to just brute force everyone’s password. Because there’s several magnitudes difference between using non-secure hashing and secure hashing. Like, we’re talking about a hundred thousand attempts a second versus 3 billion or 30 billion a second, depending on your hardware. So there’s like a million times difference in those. So if you consider that something can be done in a day using regular fast hashes, that would then take a million days using those secure hashes.

So that’s the key thing that you should be doing, using secure, well-implemented versions of these. Don’t implement your own security functions, use libraries and choose secure functions from those libraries.  

8-character password is not enough

So when you’re storing hashes, you’re talking about not storing my password. You’re doing things to my password, and then you know what the end result is, and when I enter my password again, you’ll just do the same things again and see if the end result is the same, but you sort of never know what I input in the password field. 

Exactly. The backend system or the service itself that you’re using, they should not have any way to actually read your password as is. It should not be in any sort of reversible form. So you should be the only one that actually knows your password and when you are sending it, the actual backend is just doing the same transformation it did when it was storing your password, and then checks the database if these end results match, because it’s always the same computation that’s been done using these hash functions.  

To brute force the passwords through the user interface, for example, can you talk about these techniques a little bit?  

Yeah. It might be confusing when you’re thinking about, for example, your Facebook login and you’re trying to remember what the password was, what was uppercase and lowercase. And then Facebook tells you you have two attempts to retry your password. How on earth are we actually doing several thousand attempts?

So what we do actually is we usually use back end straight. So we’re not using the actual user interface. We look at where the login form is pointing to and then we will just send that request to the back end. But quite often we’re not after a specific user, we’re after a specific list of users and anyone will do. For example, if we have let’s say a medium sized company with a few thousand employees, we’ll find a few hundred of them on Linkedin and then we go through every single one of them with the same weak password. 


So that means that there’s a gap between every single attempt we do on your specific user, so your user doesn’t get locked out because there’s enough time spent in between that it doesn’t mind. Because usually there’s some sort of limit that you may have, for example, three failed login attempts within 15 minutes or something like that. But if we extend the time it takes between those attempts, we can just keep trying weak passwords throughout the organization. And finally we will have someone who is using, for example, December2017 or something like that.  

So one user can only log in every so often, but there’s no problem with 10,000 users trying to log in in quick succession. 

Yeah. Effectively, yes. This is something that is quite often missed by most monitoring.  


So what we then do is then we get access to that system and that’s brute forcing. We’re just guessing.  

So you’re not looking for Mike’s password. You’re looking for the guy whose password is Porsche911. 

Yes, exactly. And if it happens to be Mike, so what, then we’ll use Mike’s password and so forth. And that’s brute forcing. This is all something that the target organization or the target service can easily find in their logs. This is very noisy. This is like the most common denominator in any sort of password attacks is actually attacking the service, and this is something we want to avoid as much as possible. So that’s why we go with the, like the most usual password because that usually just nets us something even on the first few months that we try. Brute forcing is inefficient because we cannot use all of the CPU that we have at our disposal.

So what happens further along usually in this engagement is that we are able to exfiltrate some sort of password dump in the sense that we gained access to some web service for it, a webpage has a vulnerability. We are able to exploit it and get the actual contents of, for example, the user’s table, and usually the user’s table contains some sort of hashed version of the password and then we’ll take that entire data, will upload it to our password cracking rig, and then we’ll tell it, okay, this is this and this type of password, go at it. And then we have dictionaries that we go through first because those are, again, usually humans use actual common language terms and numbers and so forth. Those are quite predictable. And then once we get through those, we will just set our cracking rig to brute forcing meaning that we will go through every single letter, number, symbol, combination. And about the speed, the MD5 hashes can be cracked around 300 billion a second, and for example, a secure hash like BCrypt can be hacked at around 100,000 per second.  

Some experts say you should change your password every now and then. Others say it’s not necessary if you use unique strong, long passwords. What’s this discussion about?  

Well, the main point here is that the first view is basically assume breach in the sense that, expect that someone has gained access to your password and then try to limit how long they are able to use your password for. So for example, if your Gmail password is hacked and they gain access to your Gmail and are able to use that to, for example, get your password reset emails or so forth. If you change your email password, they are no longer able to access your account. And it’s simple as that. The reason why people say that you don’t need to change your passwords is also the fact that when people change passwords or rather when they are mandated to change passwords regularly, it becomes a mental chore. It increases stress because that’s another thing that you need to remember. And multiply that by the number of passwords you need to manage. If it’s all happening inside your head, then it’s not an equation that’s going to work. You’re basically just going to then come up with some sort of tactic to use to generate your own passwords. And those are not good.

So what the idea here for the not changing passwords is that when you’re actually using strong, unique passwords, you need to store them somewhere and preferably those passwords should be actually something that you don’t even know or you can’t remember. So for that you would need some sort of password manager. And I agree that if you’re using a password manager, it’s not needed to change so often.

Versus for example, if you’re reusing your password everywhere, because then any of those services that would get hacked would then make you a victim unless you change your passwords. But of course changing your passwords everywhere is very, very difficult. So for example, let’s say that you’re using the same password for every service you use and then you hear that, for example, Linkedin has been leaked. You would need to go to Linkedin, Google, Facebook, Twitter. Every single place has their own password reset mechanism. So that’s a very big chore, and to help with that you should have unique passwords per service. So you at least know that when Linkedin is hacked or Twitter is hacked or whatever is hacked, you should only change that singular password.  

Speaking of password managers, what is your opinion on those or are they a good way to manage your scores of passwords these days? Or are they just a repository for hackers?  

Well, obviously they are very valuable as a target. But basically, it reduces your mental load by quite a bit. Because now you would need to remember only, maybe the password that you use to log into your computer and then the password that you actually open your password manager with. And those are two passwords. Then everything else can be offloaded into the memory of this program, into the repository of this program. So there you actually need a very good password to unlock this vault because this is the most holy grail in your online security.

But the best thing about it, at least for me when I started using password managers, as I do use them regularly every day, was the immediate decrease in mental load. I was so relieved when I didn’t have to remember which sort of password or which sort of algorithm I used for which service – because I have used the same password for multiple services before. I have used these algorithms to somehow make the password from the service name, and so forth. Because previously there was no other alternative because we’re always told that never ever write your passwords in plain text. But I will tell you that even a notepad or an actual physical Post-It sticker with a strong password written down on it is better than reusing your passwords. But obviously digital encryption in a password manager is still safer because that’s still encrypted versus your Post-It notes are not encrypted, they are in plain sight.

But it depends on who is your attacker. Are you more worried that your 16-year-old kid will discover your bank account’s password, or are you more worried that someone will send you malware and gain access to your password manager, or notepad file, or text file that contains your password? Depends on who you are worried about and what sort of threat model you’re after. But for password managers, I definitely, definitely, say that they are worth the trouble and I, for example, am a proponent of actually paying for a service because that means that that company has a monetary incentive to keep me happy.  

Yeah, and you’re not the product yourself.  

Yes, exactly. Whereas if it’s a free product, then you are the product. 

You want to ask how they’re making their money. 


The greatest thing to me about password managers is that it’s one of those rare unicorn infosec things that actually make your life easier as well. It’s like back in the days when you would let the browser remember your password, but this time it’s secure.  

Yeah, exactly. 

Biometrics are a way to identify you, not authenticate you

So there are good password managers and bad password managers. What sort of things should I be looking for when I’m choosing a password manager? 

For me the main criteria of a password manager is the ability to save the database locally, and preferably in some way that I can transfer it, for example, with a USB stick to another computer and immediately start using that database of passwords. Another is cross-platform compatibility, because I use multiple operating systems, so I will be able to use that same password manager on multiple operating systems including my mobile phone, including my desktop and so forth. So that’s important to me. There are good alternatives, both paid and free. For example, our own F-Secure KEY, you can actually just copy the database over to a USB stick and then just keep that with you.  

Given how awesome password managers are, why aren’t people using them, like why isn’t everybody using a password manager?  

I think it’s just a case of this whole thing seeming so complex. Like, password managers. People have negative connotations with passwords. Everyone has forgotten their password. Everyone has mistyped their password, everyone has bad experiences with how many passwords they need to remember and so forth. So just having the word password in “password manager” is probably a bad selling point. So it should be labeled as something else, even though that’s effectively what it does.

Security simplifier. 

Yeah, that would be a better one, although that sounds very cheesy and probably not a good selling point, but I think that’s a branding issue with passwords in general. And then I guess “manager” sort of also seems like complex software versus what it actually is. It’s effectively a text editor with a password in front. That’s what it is. It can store your credit cards, credit card details. It can store your password information, it can store your PIN code for whatever, in addition to just username and password logins to your websites. All of these you could store very securely in your password manager, but because it’s a password manager, people don’t, for example, think that it could store credit cards and banking details and so forth.

So it sounds like a chore, and it’s not a question of people having tried one and being disappointed. It’s that people never get around to doing it because it sounds like such a hassle.

Yeah. I think that’s the main point, because obviously security and usability are usually tied in a balance in the sense that when you increase security, you’re usually decreasing usability. But for example, this has gone quite far already. For example, my iPhone has excellent support in multiple apps already: when I’m doing the login, it just has a small icon, “use your password manager.” Then I log into my password manager on my iPhone and I select which account I want to paste in, and that way I don’t need to swap between windows manually, but the actual login process is already integrated in iOS, in Apple iPhones. And the same is true for desktop operating systems. There are integrations into your regularly used browsers. You don’t need to swap windows if you don’t want to. There are of course different people who do different things. Some people don’t want the browser add-on, but for a regular user, I don’t see any issues with actually just using the browser interface directly. It’s so very handy. It’s like one click away from the same experience as the saved passwords in your regular browsing.

So how do you feel about that? You’re talking now about a password stored in the password manager and used through a browser interface instead of passwords being stored in the browser. How do you feel about letting Firefox handle all your passwords?  

Storing your passwords in Firefox is not a good thing, because those are stored in an unencrypted form or an easily breakable form on your disk and can be accessed by anyone who has access to your disk, and it’s less secure than using actual, hardened password managers. I would prefer a secure password manager because you can also save other types of data there that you wouldn’t save in a browser.

You’re still going to have to remember some passwords, the password to your password manager, and then the one to log into a computer. So is it better to just go ahead and string four random words together than use a jumble of numbers, letters and special characters? 

For sure it’s better to use actual human readable language. The main problem I see with the 2000-era password is that people are only concerned that this is hard to guess, but it’s hard to guess for humans, it’s hard to remember for humans. Computers basically don’t give a damn about whether you have numbers or lowercase, uppercase letters. They’re just numbers in the very raw sense. They’re just bits in a different order, and it doesn’t take long for a computer to try uppercase “A” versus lowercase “a.” Versus for a human, you need to remember, did I press shift here or not? And so forth. So definitely it’s a better choice to go with a longer password, even though you’re stringing dictionary words together.

One of the best ideas I have is to actually just make a sentence in your native language or in a different language and so forth. For example, “Mary had a little lamb,” that’s already probably a better password than just a jumble of mixed case letters and so forth. Of course, “Mary had a little lamb” is unfortunately very short words, but if you choose any other type of sentence, it’s easy for you to remember, and the longer it is, the better it is.

Speaking of that, is that like something you would have in your dictionary when you’re trying to break the password to something like pop lyrics or nursery rhymes or like sort of known phrases that people would use?  

That, I feel would be basically step number three. So, step number one would be just doing the September2018 type of password, so very, very simple dictionary attack. Second would be brute forcing up to a certain length, let’s say 12 to 13, 14 characters depending on how much time we have because obviously when we’re doing a red teaming engagement, we have some sort of time limit as to when this needs to be done. So we might have a few days or a few weeks depending on that and depending on how many other people need those computer resources, so we might not get to 14 characters or above, but we usually get to at least 12, 13.

And once those are exhausted, then we might go to something like that, but it’s more of a necessity. Like if we don’t get anything from the basic dictionary attack and we don’t get anything from that brute forcing of 12-character passwords, that would be unheard of. So we haven’t gotten to step number three of actually trying to be creative with these sort of, string together four dictionary words with comma space dash hashtag or something like that. We haven’t gotten to that point yet because we’ve always already scored with at least the basic dictionary attack, and by the latest with the 12-character brute forcing attack, because people still think that eight characters is plenty strong.

And it’s not. 

No, it’s not, because an eight-character password can be cracked in 12 hours to two days depending on how much computing power you have. So eight characters is not enough. 12 characters is getting there, but more is better and it doesn’t need to be complex. It needs to be long. Of course, if I know from something that you are using some sort of algorithm to generate your own passwords, if I find from Linkedin somehow, for example, that they exposed plain text password somehow and I find that you are using rap lyrics in your passwords, then obviously if I’m going after you, I would then just insert all sorts of famous rap lyrics to our password cracker and try to go for that. But it’s very rare that we’re going after one single person. The attackers in the real world might, because they don’t know how much your accounts are worth. They might be able to get your credit card details and so forth with this data because if you’re using a cloud-based manager and they guess your password, they might be able to get all of your data.

So that’s why it’s very important not to reuse passwords or not to even reuse ideas of these passwords across different places. So for example, have rap lyrics somewhere, then have mathematical equations somewhere and whatever elsewhere. Because you shouldn’t require more than a few passwords to be remembered, because you should remember what you’re logging into your computer and what you’re logging into your password manager. Most of the passwords that I have and use daily, I have no clue what they are. Even if I would paste them to my text editor, I would not remember them two minutes after the fact because those are so complex. And that’s the beauty of it, that if someone asks me at gunpoint, what is your Facebook password? Although I don’t have Facebook. But I wouldn’t be able to tell them because I would just say that “I don’t know. The computer knows.” “Well, show me your computer.” “It’s not here, sorry.”  

So based on your work, do you feel we’re getting better with passwords? Is the awareness about good password hygiene improving among users over the years?  

No. I hate to be the party pooper, but based on the work we do, no. I don’t know about consumers who are using websites from their home, because we don’t attack those, but at least at work, people usually see passwords more as a nuisance than security, that they just need to remember a dozen passwords again and again and they need to change their passwords again and again, and that just still leads to the same problem of reusing passwords, reusing algorithms in their head for choosing passwords, like favorite cars, favorite sports teams, names of children, their birthdates, your wedding date and so forth. Those are so common, in addition to these month-year combinations, that unfortunately I can’t say that I’m seeing an improvement.

But of course we need to prefix that with the fact that usually when we’re doing engagements, we only see the bad passwords. Like we do crack up to 12 characters and we do see a bit better passwords. But if you are one of those few people, or let’s say there’s a hundred people who have actually strong passwords, we don’t know if that password was just one character away from us brute forcing it or if that was actually a unique and strong password, so that’s hidden from us. So that’s also selection bias, that I only see the weak passwords. So far we haven’t seen a case, a company where we wouldn’t get dozens of weak passwords cracked or brute forced through some other means. So in that sense I’m not seeing an improvement, but it might be that some people are learning and those are just the passwords we don’t see.

Have you seen companies distributing password managers, like a company that makes a password manager available for their employees to use?  

Yes, I believe that in at least two places I have used their software distribution center, the one they use to manage their managed applications, and they have had a password manager available.

So it does happen. But you had to think about that a little bit. So it’s not very common.  

Yes. But again, there it’s optional: you can install it if you are security aware enough, if you are conscious enough about passwords and managing them. It wasn’t installed by default, there weren’t any sort of instructions on how to use it. There weren’t any instructions on where to use it and so forth. So I can’t say that it has a lot of penetration in companies, but I have also seen sysadmin shares of password databases.

Let’s talk about that a little bit. You would think that people like system admin would know not to reuse passwords or share passwords or use weak passwords. Is this the case?  

Based on what we found, they may be a little bit better than just the regular Joe, but they’re as guilty of it as the rest of them. Sysadmins have even more different systems that they need to remember the passwords for, and due to usually inflexible IT practices, there are shared accounts. For example, in Linux type systems there’s usually one root account, and even though you could have a dozen different users who have permission to actually do whatever the root account can, the root account is still shared. It should basically be physically printed on paper and stored in a vault, and no one actually uses it. It’s only for that worst-case scenario where you need to recover these machines and none of the people are around who had actual access. But that’s not what ends up happening. Usually people end up sharing those passwords or reusing some sort of algorithm for those, unfortunately.

So passwords are problematic. Password managers help with that problem a little bit, but are we going to be stuck with passwords forever? Are there other means of authentication that are coming up, something to replace passwords?  

I don’t see realistically that we would get away from all passwords, but there are things that can help. For example, there are certain USB manufacturers like Yubikey that have this hardware, this USB stick that basically acts as a keyboard, so you plug it into your USB port and you press a button and it will input some sort of long, very long safe password. So then the hardware would be doing the actual remembering of the password, so you wouldn’t even know what that is. That’s one way. I think that Google, for example, rolled out Yubikeys massively to their employees, and they have seen a significant decrease in successful phishing attacks because people are no longer having to type their password anywhere.

Yeah. Significant decrease, as in down to zero.  


What about biometrics?  

For some reason people have started to think that biometrics are a good password or a second-factor authentication. Biometrics are a way to identify you, not authenticate you. Because once your biometric signature gets leaked, it’s really damn hard to get new fingerprints. So that should basically be the equivalent of your username, so there’s no harm in the attackers getting to know your biometric username as long as the password, or the way to actually authenticate yourself, is something else.

But if biometrics is the only way, like you have a username and a biometric, then that also creates very negative incentives for any sort of true criminals. Like, do they need to have your finger attached to your hand in order to open locks? And that’s a very real question. I mean, if you consider any sort of high-security weapons development, any sort of cyber weapons development or high tech and so forth, those are vicious markets where actual nation states or big criminal enterprises are interested, because those are million- or billion-dollar industries. So what is it to just cut someone’s finger off if that’s the way to get your crown jewels?

So no, fingerprints shouldn’t be the passwords; they should be the identifier at most. And not even that in more sensitive areas where people actually would have incentives to harm other humans. We don’t want that in any form, but for consumers, I don’t see any reason why you couldn’t have a fingerprint as your way to identify yourself.  

For example, if you’re sitting on the bus fiddling with your iPhone, it’s less of a problem to use your fingerprint to authenticate than to have somebody look at your password as you’re typing it in.  

Yeah, that’s true. But that depends on who is attacking you. Like again, I think it was within a few days or a few weeks of the iPhone getting released with the fingerprint recognition, or the fingerprint reader, there were some researchers who were able to basically bypass that. Like, our fingers are greasy, so every single Pepsi cup or Coke bottle, whatever you touch, your coffee cup, you’re leaving fingerprints all over, and I just need to pick up one of those and use different techniques that have been publicly available for several years, and I can open that iPhone easily.

But that depends on what your threat model is. Because for most of the people out there, the bad guy is just some random criminal out there trying mass-scale malware, email phishing or whatever. And they don’t care about your fingerprints. They just want you to click an attachment, run their code, and then they steal your credentials by keylogging. 

So what advice do you want to leave our listeners who are struggling with passwords with?  

Well, number one would be to actually just use a password manager. They are a lot less scary than they sound. Second would be, for any sort of very sensitive account that you have, and this would be, for example, your email, which is usually the crown jewel because you can reset all sorts of passwords using your email. So that should be your holy grail. You should be protecting that the most. So use second-factor authentication for that. And whether that’s SMS alerts, whether that’s a phone call, whether that’s installing an app on your phone, then just leaking your password wouldn’t be enough. The bad guys would also need to be able to intercept this second-factor authentication, so it makes it even more secure.

And thirdly, I would say if you must think of passwords, for example the password you log in to your computer or your actual password manager with, think longer. Think of something like a sentence, a rhyme, a lyric that is easy for you to remember and type. But think length. Because usually, if things are done well, for example operating systems already handle passwords quite well, it doesn’t matter how long your password is, it won’t use more storage. So think longer passwords, and that should be the core, I think.

And maybe the last bit of information is, when you’re changing your passwords and the site says that your password is too long, be a little bit skeptical of why that is, like why did someone decide that there can only be 12 or 20 characters in a password?  

So what else are they doing wrong?  

Yes, because for example with MD5 hashes, even if you take four kilobytes or four gigabytes of data, the MD5 hash will always be the same length, and the same with all sorts of these hash functions. They will always return a value of the same length, depending on the algorithm. So if you have a two-character password or a 200-character password, they would always require the same amount of storage. Of course, with these secure passwords, they might require more computational resources. If your password is very long, there might be some upper limit, let’s say 200 characters, but I don’t see any reason for modern websites to have any sort of limitations on passwords of less than 100 characters.  

All right. That’s good advice. Thanks for joining us today, JW. 

Thank you very much.  
