IT Classroom
Defend Against Password Attacks 25


    In 2016, over 500 million user accounts were hacked from Yahoo alone. Many systems and applications store login names and encrypted passwords in local files and use them to authenticate users. Hackers can steal these files and use software to compile all possible password combinations into a testing file. Each test password is encrypted and compared with the stolen password until it is cracked. After one account has been compromised, the hacker will use it in an attempt to break into this person's other accounts. Given this risk, we should categorize our personal accounts into low, medium and high tiers in terms of importance. We should then create a different password for each category, increasing in length and strength with the level of importance. If a password in one category is compromised, the impact on the other categories is reduced.


    • Tier 1: loss would not be catastrophic but the data is not something you would want in the public domain (e.g. free online services)
    • Tier 2: accounts related to work or containing personal/private data (e.g. emails, computing platforms, and social media)
    • Tier 3: accounts which store sensitive personal or work-related data such as financial and other confidential information (e.g. online banking platforms and Human Resources Systems in the workplace)


    Points of Defence:

    1. Set a strong password

    To create passwords that survive hackers' priority testing of likely candidates, we should increase password strength in both complexity and length, so that cracking cannot be completed in a reasonable time.

    • Length: consist of more than eight characters
    • Complexity: combine capital and small letters, numbers, and symbols


    The most common way to increase complexity is to begin with a memorable phrase in English and then modify it into a passphrase by first extracting the initial letters and numbers, and then changing some letters into uppercase letters and symbols using self-defined rules.

    • Phrase: Expert introduced passphrase password in year 2003
    • Passphrase (step 1, initial letters and numbers): eippiy03
    • Passphrase (step 2, self-defined rules): eippiy03 -> e!Pp!y03


    It is essential to have both complexity and length when setting a password. Without complexity, even long passwords such as 123456123456 or monkeymonkey can be easily cracked by hackers.
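    As an added illustration (not part of the original article), the following Python policy check applies the two rules above, length and the four character classes, and additionally flags passwords that are just a short block repeated, which is exactly why 123456123456 and monkeymonkey are weak despite their length. The threshold values are assumptions chosen to match the article's examples.

```python
import re
from typing import List, Optional, Set

# The four character classes the article asks for: capital letters, small letters, numbers, symbols.
CLASS_PATTERNS = {
    "upper": r"[A-Z]",
    "lower": r"[a-z]",
    "digit": r"[0-9]",
    "symbol": r"[^A-Za-z0-9]",
}


def character_classes(password: str) -> Set[str]:
    """Return the names of the character classes present in the password."""
    return {name for name, pattern in CLASS_PATTERNS.items() if re.search(pattern, password)}


def repeated_block(password: str) -> Optional[str]:
    """Return the shortest block whose repetition forms the whole password, or None.

    '123456123456' -> '123456', 'monkeymonkey' -> 'monkey', 'e!Pp!y03' -> None.
    """
    n = len(password)
    for size in range(1, n // 2 + 1):
        if n % size == 0 and password[:size] * (n // size) == password:
            return password[:size]
    return None


def check_password(password: str, min_length: int = 8, min_classes: int = 4) -> List[str]:
    """Return a list of policy findings; an empty list means the password passes.

    min_length=8 is an assumed default matching the article's 8-character Tier 1 example.
    """
    findings = []
    if len(password) < min_length:
        findings.append(f"too short: {len(password)} characters, minimum is {min_length}")
    present = character_classes(password)
    if len(present) < min_classes:
        missing = sorted(set(CLASS_PATTERNS) - present)
        findings.append("missing character classes: " + ", ".join(missing))
    block = repeated_block(password)
    if block is not None:
        findings.append(f"repeated block '{block}': the extra length adds no strength")
    return findings


if __name__ == "__main__":
    # Constructed samples: the two weak examples from the article and the Tier 1 example.
    for candidate in ["123456123456", "monkeymonkey", "e!Pp!y03"]:
        print(candidate, "->", check_password(candidate) or "OK")
```

    A real deployment would also compare candidates against a breached-password list; this check only covers the structural rules the article states.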

    In order to set and remember different passwords, we can use a password formula: Fixed password + Variable (system/service/device). The following are examples in the high category with self-defined rules.

    • Fixed: e!Pp!y03
    • Variable 1: select two initial letters and capitalize the second

    Example: Social media WeChat: wC

    • Variable 2: add a third initial letter to Variable 1 and change it to the symbol found in the upper-left direction on the keyboard

    Example: Personal online Bank X: pOb -> pO%


    Password examples in different categories:

    Tier 1 password: e!Pp!y03 (8 chars)

    Tier 2 password: example 1a : e!Pp!y03wC (10 chars)

    Tier 3 password: example 2a : pO%e!Pp!y03 (11 chars)
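    To show the whole formula end to end, here is an added Python example (not from the original article) that derives the fixed part from the phrase, builds the two variables and combines them into the tier passwords listed above. The rule that a number in the phrase contributes its last two digits, the specific "capitalize position 2, replace i with !" rule, and the QWERTY row table used for the upper-left keyboard walk are this example's reading of the article's description, not a standard.

```python
from typing import Dict

# Constructed sample phrase taken from the article's own example.
PHRASE = "Expert introduced passphrase password in year 2003"

# QWERTY rows written so that the key diagonally up-left of any key sits at the same
# index in the row above (b is under g, g under t, t under 5). Assumed layout.
KEY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
SHIFTED_DIGITS = "!@#$%^&*()"  # Shift + "1234567890" on a US layout


def passphrase_initials(phrase: str) -> str:
    """Step 1: take each word's first letter; a number contributes its last two digits."""
    parts = []
    for word in phrase.split():
        parts.append(word[-2:] if word.isdigit() else word[0].lower())
    return "".join(parts)


def apply_rules(base: str, capitalize_at: int, substitutions: Dict[str, str]) -> str:
    """Step 2: self-defined rules, here 'capitalize position N' then 'replace letters'."""
    chars = list(base)
    chars[capitalize_at] = chars[capitalize_at].upper()
    return "".join(substitutions.get(c, c) for c in chars)


def service_initials(service: str) -> str:
    """Lower-case initial letter of each word of the service name."""
    return "".join(word[0].lower() for word in service.split())


def variable_1(service: str) -> str:
    """Variable 1: two initial letters, second one capitalized (WeChat -> wC)."""
    init = service_initials(service)
    return init[0] + init[1].upper()


def upper_left_symbol(key: str) -> str:
    """Walk from a letter key diagonally up-left to the number row and return its shifted symbol."""
    for row in KEY_ROWS[1:]:
        idx = row.find(key.lower())
        if idx != -1:
            return SHIFTED_DIGITS[idx]
    raise ValueError(f"not a letter key: {key!r}")


def variable_2(service: str) -> str:
    """Variable 2: three initials, second capitalized, third replaced by its up-left symbol."""
    init = service_initials(service)
    return init[0] + init[1].upper() + upper_left_symbol(init[2])


def tier_password(fixed: str, variable: str = "", variable_first: bool = False) -> str:
    """Password formula: fixed part + variable part, in either order."""
    return variable + fixed if variable_first else fixed + variable


def fixed_part() -> str:
    """The article's fixed password derived from PHRASE: eippiy03 -> e!Pp!y03."""
    return apply_rules(passphrase_initials(PHRASE), capitalize_at=2, substitutions={"i": "!"})


if __name__ == "__main__":
    fixed = fixed_part()
    print("Tier 1:", tier_password(fixed))
    print("Tier 2:", tier_password(fixed, variable_1("We Chat")))
    print("Tier 3:", tier_password(fixed, variable_2("Personal online Bank"), variable_first=True))
```

    The service name is passed as separate words ("We Chat") so that the initials rule is explicit; the third example places the variable in front of the fixed part, matching example 2a.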


    Remember to create more unique and personalized rules for the fixed part, the variable part and the way they are combined. For example, use letters from the pronunciation of other languages such as Cantonese or Putonghua, from Chinese input methods, or even the shape of a character traced across the keyboard or numeric keypad. We can also insert the variable part at any position among the characters.


    2.  Important Reminders on Password Storage and Authentication

    A lot of users save passwords without encryption in a file on the server. Hackers can search for and open these files directly using compromised accounts that have access to the server. In addition, even ordinary users can open these files if permissions are set inappropriately. Therefore, any password file must be encrypted (refer to IT Classroom, September 2015 issue) and stored offline in a safe location. Alternatively, you may use password management software to generate and save strong passwords for accounts on different systems; you must set a very strong master password for such software and select a trustworthy vendor. In addition to passwords, you are also encouraged to use multi-factor authentication, including fingerprint, SMS and email verification, where available.
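    The article describes stored passwords as encrypted; on the system side, the usual counterpart to the offline-cracking attack described in the introduction is to keep only a per-user salted, deliberately slow hash, so that every guess in the hacker's testing file costs the same work as a real login. This added Python example (not from the article) shows that storage and verification pattern with the standard library's PBKDF2; the iteration count is an assumed example value.

```python
import hashlib
import hmac
import os
from typing import Dict

# Assumed work factor for this example; raise it as hardware gets faster.
ITERATIONS = 200_000


def make_record(password: str, iterations: int = ITERATIONS) -> Dict[str, str]:
    """Create a storable credential record: random per-user salt plus a slow PBKDF2-SHA256 hash.

    Only the salt, hash and parameters are stored; the password itself never touches disk.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": str(iterations)}


def verify(record: Dict[str, str], candidate: str) -> bool:
    """Recompute the hash for a login attempt and compare it in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        int(record["iterations"]),
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    # Constructed sample: the article's Tier 2 example password.
    record = make_record("e!Pp!y03wC")
    print("stored record:", record)
    print("correct password accepted:", verify(record, "e!Pp!y03wC"))
    print("fixed part alone rejected:", verify(record, "e!Pp!y03"))
```

    Because each record carries its own random salt, two users with the same password get different stored hashes, so a stolen file cannot be attacked with one precomputed table for all accounts.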


    Important Notes to Keep Your Accounts and Related Organization Accounts Safe:

    • Use long and complex passwords
    • Categorize passwords into tiers by the importance of the data they protect
    • Use a password formula to generate and remember passwords
    • Encrypt password files and store offline in a safe environment
    • Use password management software according to your needs
    • Use at least two-factor authentication with your password if possible


    Please contact IT Helpdesk at 18888 for further information.

