there’s one thing that I’ve learned from penetration testing, it’s that passwords need to be secure. According to recent research some of the most common passwords include ‘123456’, ‘qwerty’ and even ‘password’. These are very weak and should be avoided at all costs. However, complicated passwords can be hard to remember. If you continue reading I’ll teach you a very simple memorisation technique for passwords that are near on impossible to guess.
Check out the example below:
Seems like a pretty strong password right? But how on earth will you remember it every time you want to login?
If we break it down, what I’ve actually done is taken a simple sentence that is easy to remember such as ‘I work for Dionach and my password is really strong!’ and taken the first letter of each word and substituted certain words for special characters or numbers to increase the complexity. In this case, for becomes 4, Dionach is naturally capitalised so it becomes a capital D and the and becomes an ampersand. It is important to make use of capitals, numbers and special characters to increase what is known as 'password entropy' which is basically a measurement of how unpredictable a password is. If you only use lower case letters, an attacker would only have to cycle through 26 options for each character when performing a brute-force password attack. If you include capitals, this instantly jumps to 52. Adding numbers and special characters as well will more than double this again.
The use of random passwords alleviates the fear of being susceptible to a dictionary attack as it very unlikely that a password such as this will be included in a file of commonly used passwords or English word/number combinations.
For extra security you can always go one step further and choose your favorite quote or song lyrics to increase the length to a string of 20+ alphanumeric and special characters.
If I came across a password like this whilst penetration testing, it would surely be a significant speed bump and I’d have to try and find another way in.