Passwords & Password Managers

Key Password Statistics

  • 53% of people rely on their memory to manage passwords.
  • 51% of people use the same passwords for both work and personal accounts.
  • 57% of people who have already been scammed in phishing attacks still haven’t changed their passwords.
  • 71% of accounts are protected by passwords used on multiple websites.
  • 29% of internet users have more password-protected accounts than they can keep track of.
  • 90% of internet users are worried about getting their passwords hacked.
  • The password “123456” is still used by 23 million account holders.
  • 33% of account-compromise victims have stopped doing business with companies and websites that leaked their credentials.

How are passwords stored

  • When you register with a website, your password is put through a one-way algorithm called a hash function, and only the resulting hash is stored.
  • Passwords should never be stored as Plain Text

37% of internet users say they have to request a password change once a month on at least one website due to forgetfulness.

Hashed Password

  • Below is an example of how a password might be stored in a database.

    Algorithm = SHA1
    Password = password1
    Hash = e38ad214943daad1d64c102faec29de4afe9da3d

The URL below shows you how the Hash function works with your passwords

https://md5calc.com/hash/sha1/password1
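The following is an added example, not code from the original page. It reproduces the page's SHA1 example for "password1" and then contrasts it with how a site should store passwords: a random per-user salt and a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256 from Python's standard library). The stored-string layout ("algorithm$iterations$salt$hash") and the short list of common passwords used to build the lookup table are constructed conventions for this example only.

```python
import hashlib
import hmac
import os
from typing import Optional

def sha1_hex(password: str) -> str:
    """Unsalted SHA1, the weak scheme shown on the page."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

# Constructed list of common passwords (the page mentions 123456, iloveyou, sunshine).
COMMON_PASSWORDS = ["123456", "password", "password1", "iloveyou", "sunshine"]

def build_sha1_table(words):
    """Precompute SHA1 for every word once; this is what online lookup sites hold."""
    return {sha1_hex(w): w for w in words}

def lookup_unsalted_sha1(hash_hex: str, words=COMMON_PASSWORDS) -> Optional[str]:
    """Why unsalted fast hashes are weak: a leaked hash is just a dictionary key."""
    return build_sha1_table(words).get(hash_hex)

def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> str:
    """Salted, slow hash. Storage format is a constructed convention for this example."""
    if salt is None:
        salt = os.urandom(16)          # fresh random salt per stored password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))

if __name__ == "__main__":
    leaked = sha1_hex("password1")
    print("SHA1 of password1:", leaked)
    print("Recovered from precomputed table:", lookup_unsalted_sha1(leaked))
    a = hash_password("password1")
    b = hash_password("password1")
    print("Same password, two salted hashes differ:", a != b)
    print("Both still verify:", verify_password("password1", a), verify_password("password1", b))
```

The salted hashes for the same password differ each time, so a table precomputed against one user's hash is useless against another's, and the iteration count makes every guess cost the attacker as much as it costs the server.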

What happens when bad passwords are used

Hacking tools are everywhere and very affordable.

I can purchase the Elcomsoft Phone Breaker for $199 and try to break into your iPhone.

This tool might have been used to steal and post nude celebrity photos in the 2014 hack.

  • https://en.wikipedia.org/wiki/ICloud_leaks_of_celebrity_photos
    • The images were obtained via the online storage offered by Apple’s iCloud platform for automatically backing up photos from iOS devices, such as iPhones. Apple later reported that the victims’ iCloud account information was obtained using “a very targeted attack on user names, passwords and security questions”, such as phishing and brute-force attack guessing.

The Verizon 2019 Data Breach Investigations Report found that 80% of hacking-related breaches leveraged weak and compromised passwords.

Google’s New Research: Lessons from Password Checkup in action: 316,000 users were utilizing already compromised passwords.

71% of Gen-Z respondents believe they wouldn’t fall for a phishing scam even though only 44% know what “phishing” means.

Password Cracking Video

Original computerphile YouTube Video – https://www.youtube.com/watch?v=7U-RbOKanYs

It only takes 10 minutes to crack a lowercase password that is six characters long.

How to protect yourself

  • Use a Password Manager
  • Use a good password for each site
  • Use a different password for each site
  • Never use a password twice
  • If you write your password down on paper, make sure to secure your paper
  • Don’t manage your passwords in your browser
  • Don’t use a password manager like Apple’s password iCloud feature
  • Don’t use a company like NordVPN to manage your passwords
    • They do VPNs not Password Management
  • NEVER store your passwords in a non-encrypted file on your computer
  • Always change your password after a breach
  • Don’t send passwords in an email
    • Email is sent in Plain Text (see above)
    • You might forget to delete the password. Do you empty your email trash?
  • When you sign up for a service and they require you to have security questions
    • Don’t answer them correctly
    • Keep notes of what you say in your password manager or document it someplace secure

Use a Password Manager

Original computerphile YouTube Video – https://www.youtube.com/watch?v=w68BBPDAWr8

When you use a Password Manager

  • Enable 2FA
    • Mobile App
  • Preferably use a hardware key
    • YubiKey
  • You can secure things with both 2FA app & a hardware key
  • There are multiple 2FA options to secure your password managers

Add Passwords To Your Devices

30% of mobile-device users never lock their gadgets because re-entering passwords annoys them.

Biometric Passwords

  • Biometrics are less secure than a real password – this is why
    • Biometrics will be easier to hack than passwords. Not only are they subject to all of the current attacks that work when hacking passwords, but biometric data were never designed to be secret. Most people make sure not to divulge their passwords, but it’s difficult to imagine a world where everyone wears gloves constantly to avoid leaving fingerprints.
  • Someone can scan your face without your permission and gain access.
    • They can’t do the same if it is password protected.

In a Virginia circuit court case from 2014, a judge decided that police could compel someone to unlock a smartphone using a fingerprint scanner, because a fingertip is like a fingerprint, cheek swab, or handwriting sample. But in that case, as in this one, the judge referred to an idea (first introduced in a 1988 John Paul Stevens Supreme Court dissent) that revealing “the contents of an individual’s mind” is protected by the Fifth Amendment. It’s basically the distinction between a safe that you open with a key and one that you open with a numeric code. Law enforcement can demand that you use the physical key to open the safe but can’t insist that you disclose a code that is held in your mind.

Employees report spending an average of 12.6 minutes per week entering and/or resetting passwords.

Crossing the US or Any Other Border

Who is required to hand over encryption keys to the authorities?

Mandatory key disclosure laws require individuals to turn over encryption keys to law enforcement conducting a criminal investigation.

Some Fun Password Stats

Password statistics for 2020 – ‘iloveyou’ and ‘sunshine’ are most common