TSTC Cybersecurity best practices for passwords

(ROSENBERG, Texas) – In today’s online world, it is often safer to assume that passwords will be compromised.

“Breaches happen all the time,” said Tim Janssen, a Texas State Technical College Cybersecurity instructor. “We like simplicity, and simplicity makes it easy for hackers. Some companies understand that passwords could be the weakest link of security.”

But when people plan for that eventuality, they can defend themselves far better. The best defense begins with being informed.

Hackers most often crack passwords through one of two approaches: brute force and dictionary attacks. Both names are descriptive of the methods used.

In a brute force attack, a hacker systematically tries every possible combination of letters, numbers and special characters until one matches. Common passwords, think "123456" or "password", can be guessed in less than a second, according to research from NordPass, of Nord Security.

Dictionary attacks skip the exhaustive search and instead work through a list of likely passwords.

“Hackers have a huge file and let it attack a user account,” Janssen said. “With any luck, they can have it cracked within minutes.”

Last year, hackers added another formidable resource to their arsenals: RockYou2021.

“This is more of a concerning factor,” Janssen said.

RockYou2021 is a list of passwords compiled from previous security breaches, and it circulates freely online. Even a long, complex password is worthless if it appears on the list: any account still using it should be treated as compromised, because attackers feed the list straight into their dictionary attacks.

“(RockYou2021) already has 8.4 billion entries,” Janssen said. “Passwords across the whole world that people are using can be found here.”

While hackers have many opportunities to steal credentials, users have even more resources for making those thefts much harder to pull off.

Start by checking whether your email address has appeared in a known data breach. The results depend on the breached companies having disclosed the incident, but Janssen suggests entering your email address at a site such as haveibeenpwned.com. There you can see which breaches exposed it and make a plan to strengthen your passwords, and with them the security of your data.
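The same site also exposes its breached-password corpus through an API that lets you test a password without ever sending it: you hash the password with SHA-1, send only the first five hex characters of the hash to https://api.pwnedpasswords.com/range/, and match the returned suffixes on your own machine. The Python below is an added example, not code from the article or from Have I Been Pwned. The sample response it parses is constructed (the breach count shown for "password" is made up) so the script runs offline; the network function is included for completeness but is only reached if you call it yourself.

```python
import hashlib
import urllib.request
from typing import Dict, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample response for the prefix range "5BAA6". A real response
# lists every suffix seen in that range with its breach count; these counts
# and the two filler suffixes are made up for the demonstration.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567
003D68EB55068C33ACE09247EE4C639306B:3
012C192B2F16F82EA0EB9EF18D9D539B0DD:2
"""


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase SHA-1 hex digest into the 5-character prefix that is
    sent to the API and the 35-character suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Turn the API's 'SUFFIX:COUNT' lines into a {suffix: count} mapping."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """Number of breach appearances for `password`, given the response body
    for its own prefix range. 0 means the suffix was not in the range."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Network lookup of one prefix range (not called by the offline demo)."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password_online(password: str) -> int:
    """Full k-anonymity check: only the 5-character prefix is transmitted."""
    prefix, _ = sha1_prefix_suffix(password)
    return breach_count(password, fetch_range(prefix))


if __name__ == "__main__":
    prefix, suffix = sha1_prefix_suffix("password")
    print(f"'password' -> prefix {prefix} (sent), suffix {suffix} (kept local)")
    print("appearances in sample data:", breach_count("password", SAMPLE_RANGE_5BAA6))
```

A non-zero count is the same verdict the article gives for RockYou2021: the password is on an attacker's list and should be retired, however complex it looks.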

According to data from the website howsecureismypassword.net, the shorter a password, the faster it can be cracked. Even a five-character combination of numbers, upper and lowercase letters, and symbols can be cracked instantly.

However, an 11-character password drawn from the same character set would take about 400 years to crack, and a 12-character one about 34,000 years. Figures like these assume an attacker guessing offline at a fixed rate against a fast hash, so the exact numbers depend on how a site stores its passwords and on the attacker's hardware; the trend is what matters, because every added character multiplies the work by the size of the character set.

“When the IT department says it needs to be 12 characters, here’s why,” Janssen said.
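The two attack styles described earlier, and the effect of length just quantified, as an added example that is not part of the article or TSTC's course material: the Python below runs a dictionary attack and a brute force attack against a SHA-256 hash and computes how long exhausting the search space takes for several lengths. The wordlist, the target passwords and the attacker speed of ten billion guesses per second are constructed assumptions, which is why its year counts differ from the howsecureismypassword.net figures above; the shape of the result is the point.

```python
import hashlib
import itertools
import string
from typing import Optional, Tuple

# Constructed stand-in for a leaked password list such as RockYou2021.
WORDLIST = ["123456", "password", "qwerty", "letmein", "Summer2021!", "dragon"]

# Assumed attacker speed: 1e10 guesses/second against an unsalted fast hash.
# This is an assumption for illustration, not a figure from the article.
GUESSES_PER_SECOND = 10_000_000_000
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 chars
LOWERCASE = string.ascii_lowercase                                       # 26 chars


def sha256_hex(password: str) -> str:
    """Hash a candidate the way a weak, unsalted credential store might."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def dictionary_attack(target_hash: str, wordlist) -> Tuple[Optional[str], int]:
    """Try each word from a list. Returns (password, guesses) or (None, guesses)."""
    guesses = 0
    for candidate in wordlist:
        guesses += 1
        if sha256_hex(candidate) == target_hash:
            return candidate, guesses
    return None, guesses


def brute_force(target_hash: str, alphabet: str, max_len: int) -> Tuple[Optional[str], int]:
    """Try every string over `alphabet` from 1 to max_len characters, shortest first."""
    guesses = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            guesses += 1
            candidate = "".join(combo)
            if sha256_hex(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def years_to_exhaust(alphabet_size: int, length: int,
                     rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try the whole keyspace at `rate` guesses per second."""
    return keyspace(alphabet_size, length) / rate / (365 * 24 * 3600)


if __name__ == "__main__":
    # "Summer2021!" is 11 characters with mixed classes, yet it falls to the
    # wordlist in five guesses, while brute force over 94 characters is hopeless.
    leaked = sha256_hex("Summer2021!")
    print("dictionary:", dictionary_attack(leaked, WORDLIST))
    print("brute force years, 11 printable chars: %.0f" % years_to_exhaust(94, 11))

    # "cat" is on no list, but three lowercase letters is a tiny keyspace.
    short = sha256_hex("cat")
    print("dictionary:", dictionary_attack(short, WORDLIST))
    print("brute force:", brute_force(short, LOWERCASE, 3))

    for n in (5, 8, 11, 12):
        print(f"{n} printable chars: {keyspace(94, n):.3e} candidates, "
              f"{years_to_exhaust(94, n):.2g} years at {GUESSES_PER_SECOND:.0e}/s")
```

The two runs make the article's point from both sides: length defeats brute force but not a list, and a list defeats nothing that is not on it, so a strong password is one that is both long and absent from every leak.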

Length and complexity are key, in this case. But if your password is on, for example, the RockYou2021 list, they do you no good. That is also why many companies require their employees to change their credentials on a regular basis, although current NIST guidance (SP 800-63B) favors screening new passwords against breach lists and forcing a change when there is evidence of compromise, rather than on a fixed schedule.

After you have crafted a quality password, however, resist the temptation to use it to access multiple accounts, like your work computer, bank account and favorite retailer.

“If you use the same password across all of them, that means multiple accounts compromised,” Janssen warned.

A password manager like KeePass makes it practical to use a different password for every account, limiting the damage when any one of them is breached, he said, adding that he does not recommend saving credentials when phones or computers offer to do so.

KeePass can generate and store complex, unique passwords for multiple accounts, all in one encrypted database unlocked by a single master password. Janssen keeps his database local, on his own computer, for the added security his network provides; the database can also be synchronized for access across multiple devices.

But perhaps the most effective tool to ward off hackers is multifactor authentication: after entering their credentials, users must also receive and enter an additional one-time code before the account opens, so a stolen password alone is not enough.

“If I’m a hacker and I have come across your credentials — your email address — that’s all I need,” Janssen said. “If I kind of know that you’re visiting this site, then I can attack that site with a word list. Multifactor really protects us because even if someone cracks your password, they have to reply with the text message.”

Janssen encourages his Cybersecurity students at TSTC to think about the layers of defense they can employ to keep data safe.

“If one layer is broken, how can we deter (hackers) from continuing their attack?” he asked.

You do not have to be training for a degree in Cybersecurity to leverage the best practices for online security.

“Please do not put passwords where they can be seen, like a notepad or sticky note,” Janssen said.

TSTC offers completely online training for its Cybersecurity program. Students can choose to pursue an Associate of Applied Science degree in Cybersecurity, an advanced technical certificate of completion in Digital Forensics Specialist, and an occupational skills award in Basic Cybersecurity. Cybersecurity is one of TSTC’s Performance-Based Education programs, meaning that students move through their training at a flexible pace.

In Texas, digital forensics analysts can earn an average annual salary of $89,750, according to onetonline.org. The number of analysts is expected to grow by 20% in the state through 2028.

Learn more about TSTC at tstc.edu.
