![\"\"](\"https:\/\/www.backblaze.com\/blog\/wp-content\/uploads\/2022\/08\/bb-bh-Password-Practices-Post-Recovered_Design-E4--e1660774555663.png\")
<\/p>\n<\/p>\n
Even if you\u2019ve heard about the 3.27 billion email and password combinations made public in 2020, you may not have heard the worst of it.<\/p>\n
Anyone could buy the list for $2 a download.<\/a><\/p>\n You\u2019d think that was the scariest part of what became known as the Compilation of Many Breaches (COMB) leak<\/a>\u2013but it\u2019s not.<\/p>\n The scariest and most preventable part of this breach is that people reuse their passwords and cybercriminals know it.<\/strong><\/p>\n You may have read Backblaze\u2019s post about credential stuffing attacks.<\/a> Briefly, it’s a brute force attack using credentials from a list like COMB to unlock an account, most likely with a weak and common password like 123456 or “passwort” (if you\u2019re German).<\/p>\n Is there a better reason than COMB to stop reusing passwords for multiple devices, apps and websites? That alone should do it, but if you need more reasons, they are legion.<\/p>\n There\u2019s no denying how hard it can be to remember 12 to 15 pieces of information in length. After all, our telephone numbers are only seven digits long by design\u2013which happens to be the length of any sequence of numbers we humans can easily recall.<\/p>\n While we each have responsibility for implementing password best practices, the COMB attacks show us that personal password protection isn\u2019t enough. Cloud providers are also responsible for protecting the data entrusted to them. Backblaze uses a sophisticated security approach<\/a> to protect access.<\/p>\n Regardless, user verification is just more effective with strong passwords, so here are a few tips on keeping your password secret and your data safe.<\/p>\n First and foremost, a password is a secret authenticator, according to the National Institute of Standards and Technology (NIST). They have a lot to say about the strength of passwords<\/a>. We\u2019ll get into details a little later.<\/p>\n The string of letters, numbers, and symbols used in a password can\u2019t be easy to guess or forget. This is tougher to achieve than it sounds, and typically users choose short, memorable passwords for convenience.<\/p>\n If you want to eliminate the possibility of being the next victim of credential stuffing, here are some things you shouldn\u2019t do:<\/p>\n The reality is that cybercriminals can (and have) released accurate email and password combinations, and the best way to render that old information utterly useless is never to use those passwords again. (Also, stop adding a “2” at the end of “Password1.” You\u2019re not fooling anyone.)<\/p>\n You should know that verifying a digital identity with an email and a password isn\u2019t as straightforward as presenting your photo ID at the airport. And, password authentication isn\u2019t as safe as it once was, thanks to cybercrimes resulting in lists like COMB. In light of the security risks cybercrime poses, new authentication guidelines were created to help cloud providers ensure the authenticity of a user.<\/p>\n There are three types of authenticators.<\/a><\/p>\n Cloud providers or verifiers can employ different combinations of authenticators to achieve different levels of assurance that will ultimately help to reduce successful cybersecurity attacks. The different combinations of authenticators create an authentication assurance level (AAL)<\/a>. For example, when you log in, a cloud provider might use a combination of your password and a code generated by an authenticator app.<\/p>\n A strong password is essential to each authentication level. Each AAL relies on something that only you know\/have\/are and is difficult to estimate. Cybercriminals only need to guess one reused email and password combination to make a costly mess of things for you or your business.<\/p>\n This may sound too simplistic, but the NIST (SP 800-63-3 Appendix A<\/a>) qualifies a password\u2019s strength by its length. In the case of brute force attacks, shorter passwords are too easy to uncover before rate limitings results in a lockout. Passwords of sufficient length reduce the success of credential stuffing or denial-of-service attacks. The NIST recommends that cloud providers allow passwords or password phrases of almost any length so long as it doesn\u2019t require excessive processing time to hash.<\/p>\n You might think that having a complex password in addition to a long password would protect you even more, but NIST focuses on length rather than masking efforts. Password cracking tools already factor things like case changes and phonetically similar letters into their algorithms. NIST also recommends that password complexity not impede memorability, which would defeat the purpose of using a password to authenticate something you know. Too complex of a password leads people to writing down passwords or storing them in unsafe places rather than forgetting them. This vulnerability has to be addressed when cloud providers provide instructions for creating passwords for users.<\/p>\n One more way to ensure you\u2019re using a strong password is to use a tool to randomly generate one based on a set of standards, like length, type of character, readability, etc.. Randomly produced passwords are harder to brute force attack or guess. While there are a few different places you can find a random password generator, we love password managers like BitWarden, 1Password, and LastPass, which generate, organize, and secure passwords.<\/p>\n Remember that breached data can provide insights into what an old password might be for the same account or similar type because cybercriminals know that we are creatures of habit.<\/strong> Not only that, but some facts are immutable. A great example is when you always select the same challenge question. If that data has been breached, it\u2019s likely known to cybercriminals; also, your mother\u2019s maiden name is not going to change. As another layer, you can use randomly generated answers to security questions the same way you use randomly generated passwords, meaning those answers won\u2019t be able to be reused (or easily gleaned from dumb Facebook quizzes).<\/p>\n Next, let\u2019s get into how you can keep cybercriminals from guessing your strong passwords.<\/p>\n These days you can take advantage of a password generator and save it to your password manager. However, there are times you need to come up with a strong password.<\/p>\n Consider using a memorable phrase that\u2019s 12 to 15 characters long. A few ideas for memorable phrases are to use a song lyric, a poetic verse, or a line from a movie.<\/p>\n Avoid being predictable. Also, avoid the temptation to use sensitive information like your child\u2019s birthdate or your first and last name or 12345678. Trust me, using this type of information is uber common worldwide.<\/p>\n Another way to check that you\u2019re using a unique password is by culling breached data records. According to Troy Hunt\u2019s pwned.com<\/a> site, the password Qwerty was used 71,219 times before I typed it into Have I Been Pwned Password API<\/a>. As Hunt points out, the NIST recommends that cloud providers compare user-generated passwords with unacceptable ones. A blocklist should have passwords from previous breaches and predictable options that include the service name, like using the password \u2018G000gle\u2019 for your Gmail account.<\/p>\n In the battle against brute force attacks from cybercriminals that can compute ridiculous numbers of hashes without rate limiting, users play a critical role in protecting your data with strong passwords.<\/p>\n Here are a couple other ways to keep your data safer:<\/p>\nWhat Is a Password?<\/h2>\n
\n
How Does a Strong Password Help Keep Your Data Safe?<\/h2>\n
The Three Authenticators<\/h2>\n
\n
Strong Passwords Defined<\/h2>\n
How to Create a Strong Password<\/h2>\n
What Else Can You Do to Protect Against Credential Stuffing Attacks?<\/h2>\n