****UNDER MAINTENANCE****

This page describes password strategy.


Password Hygiene


Standard 100% QWERTY keyboard

  • 10 digits
  • 26 characters in the English alphabet
  • 52 lower and upper case characters
  • 32 special characters
  • 94 when using all of them

Password Cracking

Number of combinations in scenarios

10*10*10*10*10*10*10*10 = 100,000,000 combinations (CISA recommends 16 characters)

94*94*94*94*94*94*94*94 ≈ 6,095,689,385,000,000 combinations

450K*450K*450K*450K = 41,006,250,000,000,000,000,000 combinations (CISA recommends 5-7 words)

Even more combinations than that once word delimiter and leetspeak rules are applied
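The keyspace arithmetic above, as an added worked example (not part of the original notes): it recomputes the three scenarios, adds the entropy in bits, and models the delimiter remark as one extra choice per gap between words. The 10^10 guesses/second rate and the 4-symbol delimiter set are assumptions chosen for illustration.

```python
"""Keyspace and guess-budget arithmetic for the password scenarios on this page."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    alphabet: int        # choices per position: symbols for a password, words for a passphrase
    length: int          # number of positions (characters or words)
    delimiters: int = 1  # choices for each gap between words; 1 means no delimiter at all

    def keyspace(self) -> int:
        # Positions are independent, so the keyspace is the product of the choices.
        # A delimiter chosen per gap multiplies in (length - 1) more factors.
        return self.alphabet ** self.length * self.delimiters ** (self.length - 1)

    def entropy_bits(self) -> float:
        # Bits of entropy for a uniformly random choice from the keyspace.
        return math.log2(self.keyspace())

    def seconds_to_exhaust(self, guesses_per_second: float) -> float:
        # Worst case for the attacker: every candidate tried. Expected time is half of this.
        return self.keyspace() / guesses_per_second


def human_duration(seconds: float) -> str:
    # Coarse units are enough to compare scenarios that differ by many orders of magnitude.
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.3f} seconds"


# The three scenarios from the page, plus one that models the page's delimiter remark.
# The delimiter set of 4 symbols (e.g. '-', '_', '.', ' ') is an assumption for illustration.
SCENARIOS = [
    Scenario("8 digits", 10, 8),
    Scenario("8 printable ASCII characters", 94, 8),
    Scenario("4 words from a 450K-word list", 450_000, 4),
    Scenario("4 words with one of 4 delimiters between them", 450_000, 4, delimiters=4),
]

# Assumed offline guess rate against a fast hash; a slow KDF such as bcrypt would be far lower.
ASSUMED_GUESSES_PER_SECOND = 1e10


def report(guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> list:
    """Return (name, keyspace, entropy bits rounded to 0.1, time to exhaust) per scenario."""
    return [(s.name, s.keyspace(), round(s.entropy_bits(), 1),
             human_duration(s.seconds_to_exhaust(guesses_per_second))) for s in SCENARIOS]


if __name__ == "__main__":
    for name, space, bits, duration in report():
        print(f"{name:48} {space:>30,} {bits:>6} bits  {duration}")
```

The delimiter column shows why the page says "even more combinations": each extra independent choice adds its own bits, here log2(4) per gap.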

TO-ADD: Screenshots of password crack attempt timelines from uidbot or uidworkhorse

Description of password cracking attacks

  • Brute force
  • Dictionary (700,000+ words in English)
    • ~450K in a GitHub .txt list, fewer if filtered to 3-6 character words
  • Wordlists

Password Attack

  • Credential Stuffing
    • Use of known compromised passwords and username combinations
  • Password Spray
    • Few common passwords to many accounts

Password Protection

Password managers eliminate the need to remember numerous credentials (password/passphrase).

All-eggs-in-one-basket argument: the vault can require a separate MFA factor to open, distinct from the credentials it stores.

Recommended: 1Password, Bitwarden


Notes:

  • Passwords are weak because we can remember them.
  • Passphrase > Password
  • Understand password attacks to build better passwords
  • Brute force/dictionary
  • Password managers

  • [1] Password attacks - https://www.beyondtrust.com/blog/entry/password-cracking-101-attacks-defenses-explained
  • [2] Password weaknesses - https://techcommunity.microsoft.com/t5/microsoft-entra-blog/your-pa-word-doesn-t-matter/ba-p/731984
