How to Protect Yourself
Let’s face it, the entire password thing has gotten out of hand. We have different passwords to log-in to our computers at work, our computers at home, our bank accounts, our shopping accounts, the library, airlines, etc. To cope, most of us turn to password managers.
A History of Password Managers
For the most part, the first password managers came to be in 1995. These were password protected Word or Excel documents that were easy to break. In 1997, Microsoft released encryption, whereby the master password to open a Word document or Excel spreadsheet was far more secure. In these versions, Microsoft employed a 40-bit encryption key based on MD5 hashing. While better than prior protection, this encryption was relatively weak. An average computer with a Core i7 CPU can easily break it. In fact, I have cracked this encryption many times for colleagues who forgot their passwords.
In 2007, Microsoft employed AES-128 encryption with SHA-1 hashing. Beefing up to 128-bit encryption made longer passwords extremely hard to decrypt. Short passwords are another matter. A Core i7 CPU can run five hundred password combinations per second. This goes up to 100,000 per second with a NVIDIA video card. Therefore, if the password is relatively short, then a brute force attack can break this encryption in days. Worse yet, a university grade quantum computer can break this encryption in seconds. As before, I have been able to break passwords on this encryption scheme for colleagues who forgot their password.
In 2013, Microsoft employed AES-256 encryption with a SHA-512 hashing algorithm. This is the same encryption used by the U.S. Government and major banking systems. According to KItworks.com, AES-256 encryption is virtually uncrackable using any brute-force method. It would take millions of years to break it with current computing technology.
It would take millions of years to break AES-256 encryption with current computing technology
The AES-256 encryption used for Microsoft Office 2013 or later is so strong that only the simplest of passwords (1-3 characters) can be broken with today’s technology. Furthermore, AES-256 encryption is considered quantum computer resistant (I discuss this further below).
Encryption vs. Hashing
Both encryption and hashing algorithms scramble data. Encryption is a two-way algorithm. This means it scrambles data with a key that can be used to unscramble the data. Hashing is one way. In other words, when a user creates a new password the hashing algorithm will scramble it. Later, when the user enters that password for access it is scrambled again. If the two scrambled passwords match, then the user is granted access. If the two scrambled passwords do not match, then the user is denied access.
Just when Microsoft got its encryption act together, cloud-based password locker services became popular, and most people stopped storing their passwords in Microsoft Office. Some of these password services came with a fee, others, like LastPass, only charged for premium services like accessibility on mobile devices. These password managers employ the same secure AES-256 encryption as the current Microsoft Office products. However, your passwords, which are your life, are kept in the cloud. This makes them even easier for criminals to steal on a mass basis. As a result, nearly all these services have been hacked. Rather than list them all, it is safe to say that if you used a cloud-based password manager, then it is more than likely a cybercriminal has your information.
Harvest Now, Decrypt Later
The password management services will say that having been hacked is no big deal because the stolen data is protected by AES-256 encryption and can only be accessed with the master password, which is not stored in the cloud. However, the criminals who stole this data are employing a strategy known as harvest now, decrypt later. Put simply, these criminals have your passwords, they just cannot crack the encryption to see them. The strategy is to hold on to these passwords until quantum computer and algorithmic technology has reached the point of cracking AES-256 encryption. Worse yet, if your master password is three or less characters, then these criminals may be in the process of stealing your life as you read this.
Earlier, I stated that AES-256 encryption is considered quantum computer resistant. What you must realize is that quantum computer resistance is different from quantum computer proof. The most powerful conventional computer made today would take about three million years to break a sufficiently long password encrypted with AES-256. Using Grover’s algorithm, a university grade quantum computer would reduce that time to its square root. Hence, taking about 1,700 years to break the encryption.
You may feel that 1,700 years is nothing with which to be concerned. I beg to differ. According to the Microwave Journal, quantum computers have the potential to speed calculation required for cryptanalysis (a.k.a. breaking encryption) from years to minutes.
Quantum computers have the potential to speed calculation required for cryptanalysis from years to minutes
If your password is not sufficiently long, then you should be concerned. Even long passwords may be in immediate jeopardy. More elaborate encryption breaking algorithms, now employing AI, are being developed on an almost daily basis and more powerful quantum computers are being developed each year. In fact, it is widely believed that the U.S., Chinese, and Russian governments have quantum computers powerful enough to break AES-256 encryption in a matter of months. It is only a matter of time when this level of computing power will be a household item. When that happens, all the data harvested by the cyber criminals will be decrypted and the lives of millions of people could be destroyed.
Brute Force Attacks
Aside from breaking encryption, most hackers gain access to your accounts using brute force algorithms. As the name implies, there is no eloquence to this method. The hacker simply has a computer run through all possible combinations until it finds the one that is identical to your password. It is for this reason that all passwords must not be short. If passwords to access your online accounts are not sufficiently long, then a brute force attack can be successful in an instant.
With one of the new AI brute force algorithms, a hacker can immediately obtain passwords less than 12 characters in length that are not sufficiently complex. Conversely, it would take a brute force algorithm from 250 – 34,000 years to guess a 12-character password with uppercase and lowercase letters, numbers, and symbols. Even better, with forty-three sextillion possible combinations, it would take a brute force algorithm five billion – one trillion years to guess a 16-character password with uppercase and lowercase letters, numbers, and symbols. It is for this reason that all your passwords should be at least twelve characters long and include uppercase, lowercase, numbers, and symbols. The latter is critical because a good brute force algorithm can crack a 12–16-character password without a mix of uppercase, lowercase, and symbols in less than 3 weeks.
The time it takes to crack a password in a brute force attack may not necessarily be the time it takes to run all combinations until a match is found. People remember passwords by using actual words. For instance, the password, “bad” can result in some of the following combinations: bad, bda, abd, adb, dba, dab. Only two (33%) of these combinations (bad and dab) are real words. In this case, a smart brute force algorithm would reference a dictionary database and employ the real words first – making it possible to crack the combination 66% faster. It is for this reason you should try to misspell the words in your passwords. For instance, the password, WeLuVSteak20@21# will take longer to crack than WeLoveSteak20@21# because the word “LuV” is unlikely to be found in the dictionary database.
In addition, cybercriminals are continually adding to their password databases. These databases are a collection of previously used password obtained both on the World Wide Web and the Dark Web. Another database is of hashed passwords. So, the brute force algorithms will first use the hashed password database, then the common password database, then the dictionary database. This alone will allow it to break 65%-90% of passwords that are not sufficiently complex with uppercase, lowercase, numbers, and symbols. When this fails, the brute force algorithm will then employ every combination. At this juncture, employing every combination could take millions of years. The algorithm is still worth running because it will crack the shorter and less complex passwords in a reasonable amount of time.
In an experiment for Ars Technica, hackers were able to crack 65%-90% of twelve-character hashed passwords that contained only lowercase letters and numbers. This was accomplished by using a cluster of computers and, rather than using a simple brute force algorithm, the hackers used a database of hashed passwords they managed to get online. Even more concerning is one hacker did this in about 15 minutes. As these databases increase in size, the time it will take to crack your password will decrease. Why then should you use a long, complex, and misspelled password? Criminals always target low hanging fruit. A home without a burglar alarm that resides next to a home with one is far more likely to be robbed. The same is true for passwords. The shorter and simpler the password, the easier the crime.
As you can see, hackers are finding smarter ways to get to your passwords and access your data. Keeping that data safe will be an ongoing challenge as hackers continue to add to their databases and arsenal of algorithms. Luckily, many websites today have users prove they are not bots (a.k.a. computers running brute force attacks) and employ two-step authentication - where a code that is texted directly to the real user is required. As a result, online brute force attacks are significantly reduced. However, this makes the master password to your password vault a more valuable target for cybercriminals.
How to Protect Yourself
Stop using cloud-based password locker services.
Change all critical passwords. This includes passwords to access your computers and website for banking, credit cards, social security, etc.
All passwords should be at least twelve characters (ideally sixteen characters) containing uppercase and lowercase letters, numbers, and symbols with common words slightly misspelled.
Keep your passwords stored on a local encrypted drive that is kept offline (see below). This step may seem a little inconvenient, but it is far more convenient than trying to reclaim your life, money, and assets after a hacker strikes.
Creating An Offline Local Encrypted Drive
Get a USB flash drive, which is also known as a memory stick. Then, create a blank Excel spreadsheet. Once the spreadsheet is open, follow the steps below…
Click “File”
Click “Info.”
Click “Protect Workbook” and select “Encrypt with Password.”
Enter the master password of this choice. This password should be something that you can easily remember but others cannot easily guess. Your master password should also be complex and at least twelve characters, sixteen ideal.
Confirm your password.
Save your newly encrypted file to the memory stick.
Open the Excel file and populate it with your passwords. Populate the first column with the names of the devices and websites for which you have passwords. The second column should contain the URL (web address). And the final column should contain your password.
Save the Excel file.
Plug in the memory stick only when you must look up a password. Once the password is obtained, unplug the memory stick, and keep it somewhere convenient but safe. It is impossible for a hacker to get your passwords if the memory stick if offline.
If you only require passwords while at your computer, then you can employ a second level of encryption by encrypting the memory stick with a different master password than your Excel file. If you lose the stick, a criminal will have to break the encryption of both the stick and the file.
If you wish to keep the stick with you for use on a mobile phone, then only encrypt the Excel file. You can then view your passwords on your mobile phone with Excel mobile by plugging the memory stick into the USB-C port of the phone. I keep my password locker on a keychain and use the adaptor to access passwords via my iPhone.
Encrypting a Memory Stick
As mentioned in step 9, above, you can employ a second level of security by encrypting your memory stick with a different password than your Excel file. Please keep in mind that doing so will not allow you to access your Excel file (a.k.a. password vault) from a mobile device.
Windows
1. Plug your memory stick into a USB port on your Windows computer.
2. Enter Windows Explorer (Windows Logo Key + E)
3. Right click your memory stick and select “BitLocker,” then choose “Turn BitLocker. on” If you do not see “BitLocker,” then click “Show more options.”
4. Enter a password (remember, it should be memorable but at least twelve characters long with uppercase, lowercase, numbers, symbols, and a slightly misspelled word).
5. Choose how to save your recovery key, which is used to access the drive should you forget your password. I prefer to print it and keep it locked in my physical safe.
6. Choose selection to encrypt entire drive.
7. Click “Start Encrypting.”
8. Remove your memory stick only after the encryption is complete.
Macintosh
1. Plug your memory stick into a USB port on your Macintosh computer.
2. Open Finder.
3. Right click your memory stick and select “Encrypt.”
4. Enter a password and choose a password hint. Remember, your password should be memorable but at least twelve characters long with uppercase, lowercase, numbers, symbols, and a slightly misspelled word.
5. Click Encrypt Disk
6. Remove your memory stick only after encryption is complete.Making a Backup
Should you lose your memory stick (a.k.a. password vault), a backup will provide further protection. Ideally, the backup should be on a microSD card. Why? Because microSD cards are the most robust form of memory storage available. MicroSD cards are so robust that they can survive multiple cycles through a washing machine, and their thin profile makes them less likely to crush should you step on one. To create your backup, simply copy your Excel file to the MicroSD card. Then, follow the steps above to encrypt the MicroSD Card. Since this is a backup, both the Excel file and the MicroSD Card should be encrypted with different passwords. I keep my backup MicroSD Card in a physical safe and update the backup each month.
If your computer does not have an MicroSD card slot, then you can buy an adaptor. Many third-party adaptors have proven themselves unreliable, so I suggest the SanDisk MobileMate USB 3.0 microSD Card Reader, which can be purchased on Amazon.com for about $10 (micro-SD card not included).
COMING SOON
How to Protect Yourself from Identity Theft