Password Security

Background

Creating a strong password is the single easiest step that you can take online to prevent identity theft, lost information, and hacked accounts. Unfortunately, a number of people do not take this simple step seriously enough, resulting in millions of hacked accounts and lost identities every year.

But before we discuss how you can create a strong password, let's look at the ways in which hackers approach cracking your password.

Password Cracking Explained

There are a number of ways in which a hacker can get your passwords. The most common is a "brute force attack", in which a hacker simply slams a website with thousands of possible passwords for an account until one is accepted.

In a brute force hacking attack, three simple character changes to your password are the difference between such a program taking 2.23 hours and 2.21 years to crack your password. For a standard 7 letter password with just lower case letters, there are 8,031,810,176 possible combinations. That may seem like a lot, yet it would only take 2.23 hours to crack such a password using password cracking programs easily available over the web. Adding just 1 number, 1 upper case letter, and 1 symbol results in the password taking 2.21 years to crack.
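The arithmetic behind the "2.23 hours versus 2.21 years" comparison, as an added example that is not part of the original article. The guess rate is an assumption back-calculated from the article's own figures (8,031,810,176 guesses in 2.23 hours is roughly one million guesses per second), and the 33-character symbol set is assumed; the extra rows go beyond the article to show that adding length raises the search space faster than adding character classes.

```python
# Added example, not from the original article: search-space arithmetic for an
# exhaustive (brute force) search. The guess rate is an assumption derived from
# the article's figures; the symbol set size is assumed (printable ASCII punctuation).

LOWER, UPPER, DIGITS = 26, 26, 10
SYMBOLS = 33                                # assumed symbol set size
MIXED = LOWER + UPPER + DIGITS + SYMBOLS    # 95-character alphabet

GUESSES_PER_SECOND = 1_000_000              # assumption, see above
SECONDS_PER_HOUR = 3600.0
SECONDS_PER_YEAR = 365.25 * 24 * SECONDS_PER_HOUR


def keyspace(alphabet_size, length):
    """Number of candidates an exhaustive search must cover: alphabet ** length."""
    return alphabet_size ** length


def worst_case_seconds(alphabet_size, length, rate=GUESSES_PER_SECOND):
    """Time to try every candidate at the given rate (the attacker's worst case;
    on average a password falls after about half of this)."""
    return keyspace(alphabet_size, length) / rate


def worst_case_hours(alphabet_size, length, rate=GUESSES_PER_SECOND):
    return worst_case_seconds(alphabet_size, length, rate) / SECONDS_PER_HOUR


def worst_case_years(alphabet_size, length, rate=GUESSES_PER_SECOND):
    return worst_case_seconds(alphabet_size, length, rate) / SECONDS_PER_YEAR


def human(seconds):
    """Render a duration in the largest convenient unit."""
    if seconds < SECONDS_PER_HOUR:
        return f"{seconds:.0f} seconds"
    if seconds < 24 * SECONDS_PER_HOUR:
        return f"{seconds / SECONDS_PER_HOUR:.2f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / (24 * SECONDS_PER_HOUR):.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:,.2f} years"


if __name__ == "__main__":
    # The first two rows reproduce the article's numbers; the rest extend them.
    cases = [
        ("7 chars, lower case only (johndoe)", LOWER, 7),
        ("7 chars, all four classes", MIXED, 7),
        ("8 chars, all four classes (J0hn*Do3)", MIXED, 8),
        ("11 chars, all four classes (J0hn*Do2003)", MIXED, 11),
        ("11 chars, lower case only", LOWER, 11),
    ]
    for label, alphabet, length in cases:
        print(f"{label:42s} {keyspace(alphabet, length):>32,d}  "
              f"{human(worst_case_seconds(alphabet, length))}")
```

Note that the last row (11 lower-case letters, about 116 years) already outlasts the 7-character password drawn from all four classes (2.21 years): each extra character multiplies the search space by the alphabet size, which is why the article's later advice favours long passphrases. These are exhaustive-search figures only; a dictionary of common passwords is tried long before any of this.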

Password Strength Tips

That's simple enough, so let's now discuss how to strengthen your passwords and some simple steps you can take to keep your strong passwords secure.

Use Various Letters, Numbers, and Symbols

Your passwords should use a combination of lower case letters, upper case letters, numbers, and symbols. The more random the password, the harder it is to crack (more on this shortly).

  • Weak Password: johndoe
  • Much stronger: J0hn*Do3

Create Long Passwords

But the above isn't enough. You also need to make sure that your password is (ideally) over 8 characters long.

  • Strong Password: J0hn*Do3
  • Much stronger: J0hn*Do2003

Creating Accessible Passwords[1]

Of course, remembering "J0hn*Do2003" can be difficult. So why not preserve the strength of longer passwords, and translate that into an easy-to-remember password? The best way to do this is to create a short sentence that is memorable to you but hard for a computer program or even a person to crack. Separate the words with a dash to increase security further (in fact, the dashes, or whatever special character you choose, are the single most important part of this password, as they increase the length, and therefore increase the time it takes to crack).

  • Practical Password: segans-beautiful-stars

Update Your Password Often

The more often you update your passwords, the less likely that you'll be to fall victim to hacking.

Never Use Common Passwords

Your partner's name, child's name, pet's name, sports team, last four digits of your social security number, city, college, date of birth, or common words/combinations like "god", "love", "password", "1234", or "qwerty" are all the first thing a hacker will guess. Avoid them.

Use Different Passwords for Different Websites

If you use the same password for your online banking and your sports chat forum, you are opening yourself up to an attack. Hackers will never target websites with strong security systems like your bank. Instead they will aim for smaller sites like forums or e-commerce sites. If they can attain those passwords, the chances of them having your banking password suddenly skyrocket.

You may be saying, "but how would they get my forum password?". A simple "brute force" attack, in which a server is bombarded with thousands of possible passwords for your account, is very common. To a hacker it is as simple as telling a program to do it in the background while he watches TV. And these programs are very common, easily downloadable from a number of websites.

You may be saying, "But how do they know what my username is on these websites?". Finding your login ID on these sites is generally as easy as going through your cookies or web browser's cache. Most insecure websites will routinely leave this information unencrypted. And if you've ever used a public computer, you're essentially handing that information over to them.

So do yourself a favor and use different passwords for different websites. Clear your cache and cookies often, and be very prudent when using public computers.

Frequently Asked Questions

How can I test my password strength?

We recommend using a utility such as Microsoft's Password Strength Checker. If your password doesn't register as "Strong" or "Best", change it right away!

Be very cautious about inputting your password into various websites claiming to be password strength checkers or strong password generators. Many of these are simply creating "dictionaries" of "strong" passwords to get around password crackers not being able to crack otherwise hard-to-guess passwords.
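An offline strength check that applies the article's own rules (length, mix of character classes, and the "never use common passwords" list from the section above) locally, so the password is never typed into a third-party website. This is an added example, not code from the original article or from any named checker; the common-password list is a constructed sample drawn from the article's examples, and the "Very strong" thresholds (12 characters with three classes, or 16 characters regardless) are assumed, not from the article.

```python
# Added example, not from the original article: a local password check that
# never sends the password anywhere. Thresholds beyond the article's "over 8
# characters" rule are assumptions chosen for illustration.
import string
from typing import Iterable, List, Set, Tuple

# Constructed sample list using the article's own examples of bad passwords;
# a real checker would load a much larger list of leaked/common passwords.
COMMON_PASSWORDS = {"god", "love", "password", "1234", "qwerty", "johndoe"}

MIN_LENGTH = 8            # article: ideally over 8 characters
LONG_LENGTH = 12          # assumed: this long with 3+ classes counts as very strong
PASSPHRASE_LENGTH = 16    # assumed: this long, a dashed passphrase is very strong

CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def character_classes(password: str) -> Set[str]:
    """Names of the character classes that appear in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def check_password(password: str, personal_terms: Iterable[str] = ()) -> Tuple[str, List[str]]:
    """Return (verdict, reasons). personal_terms are names, teams, dates and the
    like that the article says attackers guess first; any occurrence is fatal."""
    reasons = []
    lowered = password.lower()

    if lowered in COMMON_PASSWORDS:
        reasons.append("appears in the common-password list")
    for term in personal_terms:
        if term and term.lower() in lowered:
            reasons.append(f"contains personal information ({term!r})")
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if reasons:
        return "Weak", reasons

    classes = character_classes(password)
    if len(password) >= PASSPHRASE_LENGTH or (
        len(password) >= LONG_LENGTH and len(classes) >= 3
    ):
        return "Very strong", []
    if len(classes) >= 3:
        return "Strong", []
    return "Fair", ["uses fewer than three character classes; add upper case, digits or symbols"]


if __name__ == "__main__":
    samples = [
        ("johndoe", ()),
        ("J0hn*Do3", ()),
        ("J0hn*Do2003", ()),
        ("segans-beautiful-stars", ()),
        ("Fluffy2003!", ("fluffy",)),   # pet's name plus a year: constructed sample
    ]
    for pw, personal in samples:
        verdict, why = check_password(pw, personal)
        print(f"{pw:24s} {verdict:12s} {'; '.join(why)}")
```

Any check of this kind only measures shape, not whether the password has already leaked; it is a local substitute for the online checkers the article warns against, and the verdicts follow the article's examples (johndoe is Weak, J0hn*Do3 is Strong, the dashed passphrase is Very strong on length alone).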

Which passwords should I update?

All of your passwords! The passwords you use for less important sites like forums or e-commerce sites are just as important as the passwords you use for your online banking or your website's FTP.

If you are worried that some sites may be storing your passwords without any encryption, check the website's privacy policy and even contact them for details. If passwords are stored in plain text, do not register at that site, or if you do, be very cautious about what information you provide them with.

How often should I update my passwords?

The more often you update it the better, but being realistic, we would recommend updating your passwords at the very least every 2-3 months.

What else can I do?

As stated above, never type your password into any website that you don't know. This includes websites designed to create encrypted hashes of your passwords: many hackers create their dictionary of brute force attack options using these websites, and while they may appear useful on the surface, they most certainly are not.

But this won't happen to me, right?

It could and does happen to people like you all the time. On February 18th, the Washington Post reported that over 75,000 systems were hacked in 1 day. This included 2,500 companies in the USA. Hackers don't discriminate: whether you're a small or big company, they will do whatever it takes to make life difficult for you. No one is immune: Google (article), Twitter (article), and Baidu (article) have all been successfully attacked.

Tags: #security #online_safety

  1. Please see Thomas Baekdal's article entitled "The Usability of Passwords" for more information on this method. Source.