Don’t worry. Your password is totally strong enough…

shutterstock_4359

Password safety is an increasingly complex and important issue. Fortunately, there are some simple ways to keep safe.

 
Companies that house user information such as email addresses and passwords are common prey to hackers. The most obvious threat to your personal security are sites that host financial or personally identifiable information such as bank card numbers, address information, or medical history.

But even sites that host non-essential information, such as web forums or frequent customer programs, are huge threats to your digital safety. These sites have become a big part of our lives, with the average web user having accounts on more than two dozen different websites though utilizing only a quarter as many passwords to manage them all1. That means that when one of your accounts is compromised, numerous others follow like dominoes.

If you are like most people, you use the same or similar passwords for almost everything. Hackers often break into sites like Tumblr, LinkedIn, Yahoo!, or MySpace, and even though those sites do not necessarily have your credit card information, they do have your email address. Combined with your password, your email address is tantamount to the keys to your entire digital presence.

Computer expert John Pozadzides wrote a great article about how this all works2. He notes that hackers almost never initially try to break into bank websites or VPNs or other sites with two-point authentication, excellent security, or sites more likely to reach out to the user if something suspicious is going on. They go to the weakest sites first and then use that information to gain access to everything else. Your Instagram password, for example, might lead them to something that does have financial information such as your Amazon or Paypal accounts.

Once a hacker cracks all of that data open, they often post it online or sell it to others. Because of that, we know that many people use the same passwords for things, with “123456” being the most common of all3.

Even if your password isn’t the same on every site, many of us have deceived ourselves into thinking we are safe from online identity theft by our own cleverness. Many people use formulas to utilize common words or phrases that are easy to remember. These tactics, however, are not commonly effective because hackers are already aware of that. For example:

password_chart02Take the password “golfpro.” Many men utilize passwords based upon hobbies or interests4, whereas women often utilize proper names. That password would be guessed instantly by a password cracker. It is short, composed entirely of letters, and it is pretty easy to guess.

Let’s pretend you get fancy and replace the first “o” with “0” to get “g0lfpro” (replacing both “o’s” won’t make a difference.) That’s better, but it would still only take two hundred milliseconds to crack. Since that password is too short for many systems, let’s add the last two digits of the year of an average user’s birth to the password to get “g0lfpro70.” This is about as sophisticated as most people get, and even that password would be compromised in only 42 minutes.

Finally, let’s add a symbol to the end of that password to get “g0lfpro70!” as our test. A computer would need one month to crack that password. This is better, but still not ideal. Compare that to a randomly generated 12-character password like “/?DQ%3g-3b(F” and the difference is pretty stark. That password would necessitate 485 thousand years to crack, but unless you actually are a computer, you might find that very difficult to remember. Fortunately most web browsers, even those on mobile devices, have password managers that can help you remember complex passwords.

Here is some advice for a secure password:

1. Never use the same password for more than one website.

It doesn’t matter how important or unimportant the site or service is, this is an unnecessary exposure to hacking issues. Always use a unique password for every site you frequent. That way if someone steals the password database from one site, it won’t publicize your credentials to dozens of others.

2. Use randomly generated passwords.

The random password above was created using the website passwordsgenerator.net. Randomly created passwords are exceedingly strong, and unlike golfpro, 123456, baseball, and password, they aren’t preloaded into password cracking software. The randomly generated password “DcJhC~74s_!^_;v9”, which is 16 characters long, would require 41 trillion years to crack. You wouldn’t have to worry about foreign hackers at that point since the Earth will have long ceased to exist by then.

3. Use a password manager.

Password managers will make your life easy by remembering passwords for various sites on your computer. As long as you are using an up-to-date and secure browser (avoid Internet Explorer), password managers are pretty good at spotting phishing websites.

4. Avoid predictable formulas.

This is especially important if you don’t want to use password managers or randomly generated passwords. Even though “g0lfpro70!” was a stronger password than “golfpro” in our example, it wasn’t anywhere close to the kind of strength in the random passwords. That’s because tactics like swapping numbers for letters, adding numbers to the end of a string, and capitalizing the first letter are well known to hackers and password guessers, and won’t stand up long against a professional cracking attempt.

If you still insist on utilizing a non-random password, here are a few more tips, starting with the example of “camper” which would be guessed instantly under normal circumstances.

5. Use multiple words as a base.

Combine more than one word all while avoiding names or words that are related. Changing this up to “camperblue” means it would take 59 minutes to crack that password.

6. Use numbers, just not predictably.password-chart-1

Putting the number 7 between those words for “camper7blue” increases the amount of time needed to crack it to a month.

7. Use more than one symbol, and again, not predictably.

Adding the $ and # symbols to get “#camper7blue$” and a computer would need 13 thousand years to crack it. Replacing the letters ‘s’ in ‘password’ to ‘$’ symbols is not as helpful.

8. For what it’s worth, avoid vowels.

Even though vowels make up a minority in the alphabet, our propensity for using common words in pass phrases means there is a 50% chance your password will contain at least one, and hackers know that5.

9. Go long. Very long.

If adding symbols and numbers isn’t your thing, you could try using even more words. The web comic Xkcd has summed up some of this discussion in a great strip featured above. In it, author Randall Munroe describes how length is one of the most important aspects of a strong password.

Rather than jump through the myriad hoops of weird symbols, meaningless strings of characters, and endless numbers, he suggests merely having a long password of common words that are easy to remember.

He’s right about one thing, as evidenced in the table on page 12, long phrase passwords are much harder to crack than shorter ones with swapped out symbols. However many websites have password rules that make some phrase passwords impossible by requiring numbers, symbols, and capitals or by forbidding proper nouns, common words, or duplicate letters.

That said and despite the length, the example he provides in the strip of “correcthorsebatterystaple” is now instantly guessed by password crackers thanks to the fame of this strip.

xkcd
“Password Strength”|xkcd.com

Wrapping Up

If you are interested in testing the strength of your passwords or want to generate new ones, you can test their strength at howsecureismypassword.net. Maintaining good password hygiene is important to staying safe online. This can help prevent any number of problems, from data intrusion and auto theft to someone breaking into your work email.

As computer users, we all have a duty to ourselves and should utilize good practices. But as employees, managers, or representatives of a special district or a company, we should exercise extra caution with work related accounts. This not only includes yourself, but in setting password policies for your employees too.

Sources:
1- http://arstechnica.com/security/2012/08/passwords-under-assault/
2- http://onemansblog.com/2007/03/26/how-id-hack-your-weak-passwords/
3- http://www.whatsmypass.com/the-top-500-worst-passwords-of-all-time
4- http://stories.avvo.com/consumer-protection/create-a-secure-password.html
5- http://www.infoworld.com/article/2632462/security-management/test-the-strength-of-your-password-policy.html?page=3

Both comments and trackbacks are currently closed.