You look intently at your display. There, a stream of odd characters and digits stares back at you: wehidomcid97.
At first it may look like nonsense: a typo, a cat walking across a keyboard, a misdialed number, or a bug in a program. But in the realm of cyber security, a string like this is worth far more than a typographical error; it is priceless. Specifically, this jumble of characters represents something called entropy, and in the world we live in, entropy is the most important way to protect your online self from the chaos of the cyber world.
Wehidomcid97: The Key to Digital Security
People gravitate toward what they are used to, and to simplify their lives they often choose passwords tied to the things they love: a pet, a birthday, a sports team. The human tendency is to look for order and meaning. But password-cracking tools are built to exploit exactly those patterns, which makes pattern-based passwords easy to crack. To defeat them, we have to embrace randomness.
This article examines digital security through random password creation: why a string like this is superior to your current password, how cryptographic entropy works, and how the human mind's search for order undermines security.
The Structure of A Random Password
Let us examine the password in question: wehidomcid97.
A 12-character string like this may look like something a machine would spit out: unreadable, impossible to memorize, and painful to spell out one character at a time to a friend.
That inconvenience is the point, and it falls on the attacker's tools rather than on the user. Whatever the creativity gap between humans and machines, one of the main techniques for bypassing a password system is a predictive engine that guesses passwords character by character, based on the choices people typically make.
Dictionary Attacks vs. Randomness
Tools that try to bypass passwords commonly use a dictionary attack: they guess from a list of common passwords and words. A password such as Sunshine1985 is one example that a dictionary attack would crack in milliseconds; such passwords are basic and easily compromised. A string that starts with characters in a common order, such as Password123, is just as easily compromised.
Other passwords take days or more to guess. A dictionary attack would skip right over a string like wehidomcid97, and with limited resources it would remain uncracked. The attacker would have to divert time and resources to a brute-force search that tries every possible combination of every character, which takes far longer than cracking the previous example strings.
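A defender's version of the distinction above, as an added example that is not part of the original article: a password-policy check that flags passwords a dictionary attack would reach (a common word plus trivial decoration) versus ones that force a brute-force search. The wordlist is a constructed stand-in for a real cracking dictionary.

```python
import re

# Constructed mini wordlist standing in for a real cracking dictionary
# (real lists hold millions of entries; these are the page's own examples).
COMMON_WORDS = {"password", "sunshine", "qwerty", "fido", "letmein"}

# Decoration a dictionary attack strips off before comparing: any mix of
# case, up to four trailing digits (years, "123") and one trailing symbol.
_DECORATED = re.compile(r"^([a-z]+)(\d{0,4})([!@#$%^&*]?)$")

def guessable_by_dictionary(password: str) -> bool:
    """True if the password is a common word plus trivial decoration."""
    match = _DECORATED.match(password.lower())
    if match is None:
        return False  # letters and digits interleaved: no single word to look up
    word = match.group(1)
    return word in COMMON_WORDS

def classify(password: str) -> str:
    """Which attack a cracker would reach for first against this password."""
    return "dictionary" if guessable_by_dictionary(password) else "brute-force only"
```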
Entropy: The Math of Safety
Security experts measure how hard a password is to guess using a concept called entropy. Entropy is measured in bits: the more bits, the harder the password is to guess.
Let us try to measure the entropy of our example:
- Length: 12 characters.
- Character set: lowercase letters (a-z) and digits (0-9). This gives us 36 possibilities per position, or log2(36) ≈ 5.17 bits per character, about 62 bits in total for 12 characters.
While wehidomcid97 is stronger than 'password', it is not perfect. A stronger password would also include uppercase letters and special symbols, raising the character set from 36 to over 90. But the principle remains: length and randomness are what matter most.
Each added character multiplies the number of combinations by the size of the character set, so length raises cracking difficulty by orders of magnitude. A 12-character random password would take centuries for today's consumer hardware to crack by brute force, while a 6-character password would take mere seconds.
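The entropy arithmetic above carried through in code, as an added example that is not from the original article: it infers the character pool from a password, computes the bits, and estimates worst-case brute-force time. The guess rates are assumptions (a consumer GPU against a fast hash, and a deliberately slow password hash), and the formula only holds for passwords that really were drawn at random.

```python
import math
import string

# Standard pools a cracker assumes once it sees a character of that class.
POOLS = {
    "lowercase": set(string.ascii_lowercase),  # 26
    "uppercase": set(string.ascii_uppercase),  # 26
    "digits": set(string.digits),              # 10
    "symbols": set(string.punctuation),        # 32
}

def charset_size(password: str) -> int:
    """Size of the combined pool covering every class present in the password."""
    present = set(password)
    return sum(len(pool) for pool in POOLS.values() if present & pool)

def entropy_bits(password: str) -> float:
    """Bits of entropy if each position was drawn uniformly from that pool.
    This overstates strength for non-random choices such as Sunshine1985."""
    return len(password) * math.log2(charset_size(password))

def brute_force_years(password: str, guesses_per_second: float) -> float:
    """Worst case: every combination of the pool at the password's length."""
    combinations = charset_size(password) ** len(password)
    return combinations / guesses_per_second / (365.25 * 24 * 3600)

if __name__ == "__main__":
    # Assumed rates: 1e9/s for a consumer GPU against a fast hash,
    # 1e4/s against a slow hash designed for password storage.
    for label, rate in (("fast hash", 1e9), ("slow hash", 1e4)):
        for pw in ("wehido", "wehidomcid97"):
            print(f"{label:9} {pw:13} {entropy_bits(pw):5.1f} bits "
                  f"{brute_force_years(pw, rate):.2e} years")
```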
The Human Shortcoming
Humans are poor sources of randomness, and randomness is exactly what entropy requires. Asked to "pick a random number from 1 to 10", people disproportionately answer 7. Just as often, people choose the password "qwerty" or mash two fingers on the keyboard to "randomly" generate one.
Truly random sequences, such as "wqefwef8ycrfaye", require a randomization tool. That is why using your brain to generate a security code is such a bad idea: humans create identifiable patterns, and computers search for those patterns.
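The "randomization tool" the paragraph calls for, as an added example rather than code from the article: a generator that draws every character from the operating system's cryptographic random source, plus a helper that works out how long a password must be to reach a target number of bits.

```python
import math
import secrets
import string

LOWER_DIGITS = string.ascii_lowercase + string.digits              # 36 symbols, as in wehidomcid97
FULL = string.ascii_letters + string.digits + string.punctuation   # 94 symbols

def random_password(length: int, alphabet: str = LOWER_DIGITS) -> str:
    """Draw every position uniformly from the alphabet using the OS CSPRNG.
    secrets.choice is unbiased and unpredictable; the random module is
    seeded deterministically and must not be used for credentials."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def bits_per_char(alphabet: str) -> float:
    return math.log2(len(alphabet))

def length_for_target(target_bits: float, alphabet: str) -> int:
    """Shortest length from this alphabet that reaches the target entropy."""
    return math.ceil(target_bits / bits_per_char(alphabet))

def password_for_target(target_bits: float, alphabet: str = FULL) -> str:
    """A random password with at least target_bits of entropy."""
    return random_password(length_for_target(target_bits, alphabet), alphabet)
```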
The Evolution of Cyber Threats
The evolution of cyber threats is why using "Fido123" as a password is no longer acceptable.
Cybercrime has grown from petty crime into a highly profitable and sophisticated industry. Using machine learning, specifically neural networks, to predict passwords has become common practice among cybercriminals.
GPU overclocking
Cybercriminals pair Graphics Processing Units (GPUs) into rigs that can guess billions of passwords every second. A single high-end GPU can test billions of guesses per second against passwords stored with the SHA-1 hashing algorithm. Gamers use the same rigs to render games at high resolution.
The only thing standing between that computational power and you is complexity. While this string appears to be random, it represents a mathematical obstacle that an attacker would not find worth breaking, because it would cost too much time and energy.
Managing the Chaos
The main objection to complete randomness is memory. If random strings are truly that random, how am I supposed to remember 'wehidomcid97' for my email, 'x92mqLqz' for my bank, and '77zlqpWm' for my social media accounts?
The answer is quite simple. You should not remember them.
If you can remember your passwords, that alone means they are not secure enough. Stop memorizing passwords and trust a password manager instead.
The Importance of a Password Manager
Services like 1Password, Bitwarden, and LastPass let you make every account's password a long, complex, random string. Your passwords are stored in an encrypted vault, and you only have to remember one 'master password' to access it.
With a password manager, a string like this represents handing the burden of memory to a secure encrypted database instead of a human brain. You can then use true complexity and rely on a storage system far beyond what a human memory can hold.
Two-Factor Authentication (2FA)
Random strings (passwords) can still be captured through phishing attacks, in which a user is manipulated into entering credentials into a fraudulent website. This is why a random string password should be paired with Two-Factor Authentication.
The first layer (the password) is a string of random characters; the second is a 6-digit code generated on the user's mobile device (the authenticator app). Even if an attacker guesses or steals the password, they still do not possess the time-sensitive code on the user's device, so they cannot log in.
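How the 6-digit, time-sensitive second factor is computed and checked, as an added example that is not part of the original article: a minimal RFC 6238 TOTP implementation (HMAC-SHA1 over a 30-second counter) and a login check that requires both factors. The `login` function assumes the password has already been verified against its stored hash elsewhere and only receives that result.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP time step (RFC 6238 default)

def totp(secret: bytes, unix_time: float, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    counter = int(unix_time) // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, code: str, unix_time: float, window: int = 1) -> bool:
    """Accept the current step and `window` steps either side to absorb clock drift."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + drift * STEP), code)
        for drift in range(-window, window + 1)
    )

def login(password_ok: bool, secret: bytes, code: str, unix_time: float) -> bool:
    """Both factors must pass. password_ok is the outcome of the server's usual
    password-hash check; a correct password with a missing or stale code still fails."""
    return password_ok and verify_totp(secret, code, unix_time)
```

The secret below is the RFC 6238 test-vector key, so the expected codes are the published ones.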
The Future of Authentication: Beyond Strings
The industry is even moving toward eliminating string passwords such as 'wehidomcid97' entirely in favour of Passkeys.
Passkeys are a protocol based on public-key cryptography. When a user logs in, the device holds a private key and proves possession of it to the server without ever sending the key itself.
The user unlocks their device with a biometric scan (face or fingerprint).
The credential is cryptographically bound to the device and is a key hundreds of characters long. Out of sight, out of mind, and far better than a string like wehidomcid97.
Embracing the Nonsense
So, what is wehidomcid97? It is a reminder that in the digital world, simple and predictable is a weakness, while complex and chaotic is a fortress.
When creating a new account, don't use dictionary words. Don't use anniversaries, birthdays, or any personally identifiable information. Instead, use a string like this one.
Strings like the one above may be easier to keep on a sticky note than in your head, but they are still better than building an account's username or password from dictionary words or other identifiable information. They are the barriers that keep your data safe while the algorithms try to steal it.
Here's how to take your digital hygiene to the next level:
- Evaluate your accounts. For your banking and email accounts, if you are using a password you can remember, reset it immediately.
- Get a password manager. Use a random password of more than 20 characters for every account.
- Enable 2FA. And give each account its own password; never reuse the same password across multiple accounts.
- Check for leaks. Go to "Have I Been Pwned" to check if your email has been part of a data breach.
Don't wait for a breach to happen. Start using the examples above now.
