DDoS attacks are a real threat, and much of their firepower comes from devices whose owners never did the basics of security. Many attacks leverage webcams and other IoT devices exposed to the public internet with their default administrative passwords still in place. Attacks built on these botnets have hit multiple countries and companies and, by some estimates, account for up to 40% of all web traffic.

These aren’t vulnerabilities that can be “patched”; they live in the meatspace of how devices get set up. Leaving the default password on a device that can reach the internet all but guarantees it will be absorbed into one or more botnets, since scanners try the factory credentials against every address they find, and then used for attacks. The solution is actually quite simple:

Make better passwords: passphrases

Don’t put a device on your network, or anyone else’s, with the default password still in place. And don’t reuse one password across the board. At a minimum, while you work on better password habits, cluster your accounts into categories like banking, medical, kids, etc., so that when you hear about a breach you know which group to change together. I could preach the importance of a unique, complex password for every single login, as many do, but security and privacy have to be consumable, and a fad password overhaul is about as effective as a fad diet.

As password requirements get longer (at least 8 characters, include a number, contain one lowercase letter, contain one uppercase letter, contain a special symbol, contain an emotion, taste savory), an easy way to meet them is to adopt a passphrase. Many attacks are dictionary attacks: the attacker tries lists of common words and previously leaked passwords rather than every possible string. Combining several words, and making up words that appear in no list, massively increases your defense against that kind of guessing. For comparison, here is the search space an attacker who tries every possibility faces:

  • Up to 8 characters, lowercase letters only (26 symbols): about 217 billion possibilities
  • Add uppercase letters (52 symbols): about 54.5 trillion
  • Add digits (62 symbols): about 222 trillion
  • Add the printable symbols too (95 symbols): about 6.7 quadrillion

Each figure is the total number of strings of length 1 through 8 over that character set, so each step replaces the previous total rather than adding to it. Length beats any of these steps: a 17-letter phrase in lowercase only, like the one below, has about 10^24 possibilities, more than a hundred million times the last figure, and mixing in capitals, symbols and non-English words on top of that pushes it further still.
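The arithmetic behind those figures, as an added example that is not code from the original post. It reproduces the totals for all strings of up to 8 characters over each character set, then applies the same calculation to the post’s own sample passwords. The guess rate is an assumption for illustration only.

```python
# Added example, not code from the original post: the key-space arithmetic
# behind the figures above, applied to the post's own sample passwords.
import math
import string

# Character sets in the order the bullets add them. 95 = all printable
# ASCII including space.
CHARSETS = {
    "lowercase": string.ascii_lowercase,
    "+uppercase": string.ascii_letters,
    "+digits": string.ascii_letters + string.digits,
    "+symbols": string.ascii_letters + string.digits + string.punctuation + " ",
}


def keyspace(charset_size: int, max_len: int, cumulative: bool = True) -> int:
    """Candidates an exhaustive search must cover.

    cumulative=True counts every length from 1 to max_len, which is how the
    post's totals (217 billion, 54.5 trillion, ...) come out;
    cumulative=False counts strings of exactly max_len.
    """
    if cumulative:
        return sum(charset_size ** n for n in range(1, max_len + 1))
    return charset_size ** max_len


def classes_used(password: str) -> int:
    """Size of the smallest set in CHARSETS that contains every character."""
    for charset in CHARSETS.values():
        if all(c in charset for c in password):
            return len(charset)
    raise ValueError("password contains a character outside printable ASCII")


def naive_keyspace(password: str) -> int:
    """Search space for an attacker who knows only the length and the
    character classes in use (the best case for the defender; dictionary
    and rule attacks do far better than this against real phrases)."""
    return keyspace(classes_used(password), len(password), cumulative=False)


def bits(n: int) -> float:
    """Key space expressed as bits."""
    return math.log2(n)


# Assumption for illustration only: ten billion guesses per second, in the
# range of a GPU rig against a fast unsalted hash. Real rates depend on the
# hash algorithm and the hardware.
GUESSES_PER_SECOND = 10_000_000_000


def years_to_exhaust(n: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the assumed guess rate."""
    return n / rate / (365 * 86400)


if __name__ == "__main__":
    for name, charset in CHARSETS.items():
        print(f"{name:>10}: {keyspace(len(charset), 8):.3g} strings of up to 8 characters")
    # Sample passwords are the post's own; "Petsname123" is the one it warns against.
    for pw in ["Petsname123", "putonyourredshoes", "putOny0urRoja$hoes"]:
        n = naive_keyspace(pw)
        print(f"{pw!r}: {len(pw)} chars over {classes_used(pw)} symbols, "
              f"{bits(n):.1f} bits, {years_to_exhaust(n):.3g} years to exhaust")
```

Running it shows the point the bullets make: “Petsname123” sits in a 62-symbol, 11-character space, while the plain lowercase lyric is already a far larger space simply because it is 17 characters long. The naive figure is an upper bound; a guesser with a word list never searches the whole space.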

A simple passphrase might be a song lyric you like. “Put on your red shoes” is a lyric from a song I am fond of.

putonyourredshoes

Pulling in a second language and changing red to roja means the phrase no longer matches the lyric as it appears in English word and phrase lists, which significantly reduces the risk of a dictionary attack guessing it.

putonyourrojashoes

Adding capital letters and replacing some letters with look-alike numbers and symbols (L33T) improves the passphrase further. Keep in mind that cracking tools apply these same swaps as mangling rules to every word they try, so this step adds less than the length of the phrase does.

putOny0urRoja$hoes

Now append your cluster tag so that each category gets its own variant of the passphrase:

putOny0urRoja$hoesDrs
putOny0urRoja$hoesBills
putOny0urRoja$hoesBanks
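The steps above as code, as an added example that is not from the original post, together with the check a practitioner would want: how many candidates a guesser who tries capitalization and L33T swaps as per-character rules needs in order to reach the mangled phrase from the plain one. The substitution table and the rule model are illustrative assumptions; the words, positions and tags are the post’s.

```python
# Added example, not code from the original post: the passphrase steps above
# as code, plus a measure of how much the capital/L33T step costs a guesser
# who tries those same transformations as rules. The substitution table and
# the rule model are illustrative assumptions; the words and tags are the post's.
import math
import string
from typing import Optional

# Look-alike substitutions a simple mangling rule set would try. '0' and '$'
# are the two the post uses.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}


def build(base: str, caps=(), leet_at=(), tag: str = "") -> str:
    """Apply the post's steps: capitalize at `caps`, substitute at `leet_at`, append `tag`."""
    chars = list(base)
    for i in caps:
        chars[i] = chars[i].upper()
    for i in leet_at:
        chars[i] = LEET[chars[i]]
    return "".join(chars) + tag


def choices(ch: str) -> set:
    """Every form a per-character rule set produces: as-is, upper-cased, leet-swapped."""
    opts = {ch}
    if ch in string.ascii_lowercase:
        opts.add(ch.upper())
    if ch in LEET:
        opts.add(LEET[ch])
    return opts


def variant_count(base: str) -> int:
    """Number of candidates the rule set derives from one base phrase."""
    return math.prod(len(choices(c)) for c in base)


def extra_bits(base: str) -> float:
    """What the capital/L33T step adds, in bits, against this rule set."""
    return math.log2(variant_count(base))


def reachable(candidate: str, base: str) -> bool:
    """True if the rule set would generate `candidate` from `base`."""
    return len(candidate) == len(base) and all(
        c in choices(b) for c, b in zip(candidate, base)
    )


def matched_tag(candidate: str, base: str, tags) -> Optional[str]:
    """If `candidate` is a mangled `base` plus one of `tags`, return that tag."""
    for tag in tags:
        stem = candidate[: len(candidate) - len(tag)]
        if candidate.endswith(tag) and reachable(stem, base):
            return tag
    return None


if __name__ == "__main__":
    base = "putonyourrojashoes"
    tags = ["Drs", "Bills", "Banks"]
    # Positions 3 and 9 are the capitals, 6 and 13 the substitutions in the post.
    for tag in tags:
        print(build(base, caps=[3, 9], leet_at=[6, 13], tag=tag))
    print(f"{variant_count(base):,} rule variants of {base!r}, "
          f"about {extra_bits(base):.1f} extra bits")
    print(matched_tag("putOny0urRoja$hoesBills", base, tags))
```

For the post’s phrase the rule set yields about 6.7 million candidates, roughly 23 bits, which is a fraction of a second at the guess rates fast unsalted hashes allow, on top of whatever it costs to reach the base phrase in the first place. The length of the phrase and the swapped-in word are where the real cost to an attacker lies, and the cluster tags add only as many candidates as the attacker’s suffix list once the scheme is known.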

Are these the best possible passwords? No. A long, random password that is unique to every single login, which in practice means using a password manager, is the best process, and sharing one base across clusters means a leak of one variant gives an attacker a head start on the rest. But this is an easy way for the everyday person to improve their password security while they work up to that best practice.

Now go change your passwords! “Petsname123” isn’t good enough.