12 Jul, 2019

Tell me your date of birth and I'll tell you your password.

There is a strange experiment that has been circulating on the internet for a long time, which many people reading this article are also aware of. First, we are asked to do the simple mathematical operations that appear on the screen in our head, and then, when the operations are finished, we are asked to think of "a color and a tool". Immediately after, the following texts appear on the screen, "You thought of 'red hammer', didn't you?"

In fact, it has been confirmed by some experiments that more than half of the people who take the test - if not 98 percent as mentioned - are the first thing that comes to mind. There are many theories as to why this is so. Without going into all these details/reasons, when we look from our own field, we see that we are faced with a similar situation.

Our topic is passwords…

Although the importance of passwords, which is the first and most important line of defense for both companies and their employees as well as individual users, is known in the world of Cyber ​​Security, it is a fact that it is one of the most neglected issues. Let's support this reality like this...

1-123456
2-123456789
3-12345
4-1234567
5-Qwerty
6-Princess
7-Welcome
8-abc123
9-123123
10-654321
11-password
12-12345678
13-111111
14-sunshine
15-iloveyou
16-admin
17-666666
18-football
19-monkey
20-!@#$%^&*

According to the research, the above list is the top 20 most used passwords in 2018. “123456” in the 1st place and “password” in the 2nd place maintain their place as the champions of the last 5 years. The information is created from the data of approximately 5 million users who lost their passwords as a result of cyber attacks experienced around the world in 2018. Again, according to the research, 3 out of every 100 users in the world use "123456" as their password. This is in theory as follows: if you have a company of 100 people and you do not have any measures such as access authorization or multi-factor authentication, an attacker can infiltrate your system and access all your information without having to deal with your firewall, encrypted servers. Not on the 100th, but on the 34th try.

So why do we encounter such a picture when our passwords and the information doors they open are so important?

Unfortunately, there is no clear answer to this question. People may be doing this because they take it easy, they want it to be something they will remember easily, because they don't really care, or because they say nothing will happen to me. It is possible to multiply the options… But we cannot bypass the “red hammer” effect. Before we get to this part, let us explain some concepts.

When it comes to password security, the first thing to know is the "Brute Force" attack, which is the most frequently used method by attackers. In this attack, the attacker tries to reach the correct password by trying random passwords even though he does not have any information. Generally, a list of many passwords is prepared, especially simple passwords such as "most used ones" as above, and one by one is tried to log in to the account whose password is desired with the help of a software. The software stops by giving a signal when it finds the correct password. The success of the attack depends on factors such as the extent of the attacker's password list and the complexity of the user's password.

Since we cannot determine the list an attacker uses to attack, the most effective method we have is to set a sufficiently complex and secure password. So, what is the situation that provides this "security"? Or are “complex” passwords secure enough as many of us think?

We can tell if a password is secure by looking at its "probability set". The larger the probability set, the more secure our passwords will be. Theoretically, there is no password that Brute Force attacks cannot crack, given enough time and processing power. This time may be months or even years, but for simple passwords, minutes or even seconds may be sufficient, not months or years.

Now let's explain the password security and probability set as follows; For this, basically 2 factors are important.

      • Password length
      • Character depth

Password length is the length of the password we know and how many characters our password consists of. The character depth is how many different choices we can make for a character in our password. Let's clarify the situation with an example;

Let's say your bank asked you to set a 4-digit, binary (0-1) password for your credit card. Your password length is 4 characters and the depth of each character is 2. (0 or 1) In this case, our probability set would be 16 (2^4=16). In other words, there are at most 16 different passwords and we need to choose one of these 16 passwords. If we say that your bank gives you 3 attempts without blocking your card, a person who gets your credit card will find the correct password with a 3 in 16 chance, or about 19 percent.

Another bank uses the system we normally use for credit card passwords and asks you to set a password using 4-digit numbers 0-9. In this case, our probability set is 10000 (10^4 = 10000). As we can see, although our password length is the same, our probability set has increased from 16 to 10000 as the digit depth has increased. The probability that a person who seizes your credit card will be able to find your password before your card is blocked is now 0.03 percent (3 out of 10000), instead of 19 percent (3 out of 16). But could the 0.03 percent probability be more insecure than the 19 percent probability? The answer is both yes and no…

Now we can come to the “red hammer” part that we have been talking about all along.

When a large number of people are asked to set a 4-digit numeric password, they directly turn to special passwords such as birth dates, wedding anniversaries, graduation dates, or easy-to-remember passwords such as 0000 and 1234. This number is so high that you have seen the special password policies of banks so that you do not choose these numbers or their variations. Attackers in the cyber world take action by calculating everything that humans can think of and calculate. In other words, the person who wants to crack your 4-digit password knows that he should start with these "special" numbers first, not randomly among 10000 possibilities, and organizes his attacks accordingly. Not only for credit cards and numeric passwords, research shows that; People often choose their passwords from the things they value most in their lives, such as hobbies, bands, etc.

Now let's make things a little more "complicated". This time, let's consider a password with numbers, letters and special characters, not a 4-digit credit card password;

Let's say you are the manager of a catering company and your favorite vegetable is cauliflower. The password you use for your internet accounts is "cauliflower01!" instead of “K4rn484h4rO1!” which is more “complex” and meets the “secure” password policy of many companies (Containing 8-16 characters, uppercase and lowercase letters, special characters, numbers…).

In this case “K4rn484h4rO1!”, “cauliflower01!” stronger than

Unfortunately we have to say that there is no big difference between the 2 passwords. The techniques and programs used by the attackers are so advanced that they can guess that you will use 4 instead of A and 8 instead of B, and produce and try all the variations on their own. And this trial period, which used to take a long time, is now very, very short. In short; The biggest difference between the two passwords is that one is harder to read…

Speaking of the password policies of ready-made companies, we can also talk about how this situation has become a problem by itself. Password policies are normally created in order for company employees to take an active role in making their passwords difficult and therefore protecting company information. Since the beginning of the article, we have tried to convey that people have certain predispositions for passwords and these tendencies are well known to attackers. The awareness of this aptitude and inclination also applies to the password policies of companies. To give a simple example: If a company asks its employees to set a password between 8 and 16 characters, for most people this password is 11 characters and tends to be the person's phone number. If there are requirements such as letters and special characters, a “!” The problem is solved with the sign. Variations of "special" dates, initials of the name and special characters at the end are also widely used.

Unfortunately, these examples are not produced according to the scenario, on the contrary, they are events that we encounter constantly.

It should not make any sense as if we had no choice but to lose our passwords to malicious people. The examples above are situations that are frequently experienced and cannot be avoided no matter how much awareness is tried to be created.

So what should we do?

  • First, keep your passwords long and complex (deep).
  • Be careful not to use your personal information in your password.
  • Never tell anyone your password. (there are those who say, we know)
  • Change your password regularly.
  • Use a different password for each user account.

These are our recommendations for users to secure their passwords.

On the other hand, companies need more comprehensive solutions. For this reason, in order to prevent data leakage that may occur as a result of the seizure of passwords, institutions must use the Privileged Access Management (Privileged Session Management), Identity & Access Management (Identity and Access Management) and Multi Factor Authentication technologies suitable for their needs within the framework of an integrated strategy.

In this article, we tried to convey the most basic information about secure passwords.

You can contact us for more detailed information about password security, to benefit from our trainings and for all your questions and needs regarding cyber security, KVKK, GDPR, ISMS and ISO27001.


To request a quotation for the following: Cyber Security, Digital Transformation, MSSP, Penetration Testing, KVKK, GDPR, ISO 27001 and ISO 27701, please click here.

About Content:
Share on Social Media:
Facebook
Twitter
LinkedIn
Telegram