Many hackers get into systems simply by guessing passwords, and with password, 123456 and 12345678 topping the most-common-password lists for 2012, 2013 and 2014, we’re not exactly making things difficult for them! (Of the 40 million Adobe account passwords leaked online, 2 million were 123456.)
Increases in computer processing power (and cheap graphics cards that are very good at computing hashes) make cracking a leaked password hash that much easier and faster.
As they say, the best password is one that you can’t remember. Using that approach, you should look at using a password manager such as LastPass, RoboForm or KeePass, which generates a long random password for every site and stores it for you.
However, even the best and strongest passwords can eventually be brute-forced given enough time and processing power. While strong passwords are a firm deterrent against password-guessing attacks and buy time against offline cracking of a stolen hash, where possible you’ll want to use two-factor authentication: something you know (a password) plus something you have (e.g. a mobile phone).
When you log in to a site that supports two-factor authentication (such as a bank), you’ll enter your password plus a one-time code that is either sent to you by text message or generated by an app on your phone. Because each code is only valid for a short window (typically 30 seconds for an authenticator app, a few minutes for a text message), even a hacker who has obtained your password won’t have your current one-time code. Prefer the app over text messages where the site offers it: a code sent by SMS can be read by anyone who has managed to hijack your phone number.
Have I Been Pwned?
It seems that with every day that passes, some organisation has had its customer database breached and the details posted online for everyone to see.
The site HaveIBeenPwned.com (created by security researcher Troy Hunt) lets you check whether your e-mail address appears in one of the many breaches it has indexed.
You’ll then have a good idea of which account passwords you need to change.
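The same site also lets you check a password itself against its corpus of leaked passwords, and the way it does so is worth seeing because it never learns your password. This is an added example (not code from the original post or from Have I Been Pwned), going one step beyond the account check described above: the client hashes the password with SHA-1, sends only the first five hex characters of the hash to the range endpoint `https://api.pwnedpasswords.com/range/<prefix>`, and matches the remaining 35 characters locally against the returned `SUFFIX:COUNT` lines. The sample response below is constructed for the example; the last suffix in it is the real SHA-1 of `123456`, while the other lines and all the counts are made up.

```python
import hashlib
import urllib.request

PWNED_RANGE_API = "https://api.pwnedpasswords.com/range/"

# Constructed sample of a range response for prefix 7C4A8. Each line is SUFFIX:COUNT.
# The last suffix is the real SHA-1 tail of "123456"; the others and the counts are invented.
SAMPLE_RANGE_7C4A8 = """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
D09CA3762AF61E59520943DC26494F8941B:23174662
"""


def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fetch_range(prefix: str) -> str:
    """Live lookup: only the first five hex characters of the hash ever leave your machine."""
    req = urllib.request.Request(PWNED_RANGE_API + prefix,
                                 headers={"User-Agent": "password-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_range(body: str) -> dict:
    """Turn the SUFFIX:COUNT lines into a {suffix: count} dictionary."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:
            counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch=fetch_range) -> int:
    """How many times the password appears in the breach corpus (0 means not found)."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range(fetch(prefix)).get(suffix, 0)


def offline_fetch(prefix: str) -> str:
    """Stand-in for fetch_range that serves the constructed sample, so the example runs offline."""
    return SAMPLE_RANGE_7C4A8 if prefix == "7C4A8" else ""


if __name__ == "__main__":
    for candidate in ("123456", "correct horse battery staple"):
        print(candidate, "->", pwned_count(candidate, fetch=offline_fetch), "occurrences")
```

Any password that comes back with a non-zero count is already in the wordlists attackers feed their cracking tools, so treat it as burned regardless of how complex it looks.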
When not to… Reduce, Reuse, Recycle
Recycling. We all know it’s a good thing. Except when it comes to password security.
One thing recent breaches have shown us is that it’s common for people to use the same password, or only a slight variation of it, on many websites. Once one site has been breached, attackers take the leaked e-mail address and password pairs and try them against every other popular site, and far too often the same password works there too.
Always use a different password for every site, not just variations of the same password (i.e. Password1 for Facebook, Password2 for Twitter and so on). That way, if and when a website gets hacked, only that one site’s password is compromised.
Think Passphrase, not Password:
A common complaint I get from end users in the corporate world is that complex passwords are difficult to remember (obviously use a password manager where possible, but that isn’t an option when logging on to a corporate network). The usual result is that people write the password on a post-it note stuck to their laptop.
Rather than memorising a complex password, it is easier to remember a sentence, or several whole words strung together.
Combine words such as an activity you enjoyed as a child followed by the place that you performed the activity.
Beef the password up a little with caps, numbers and symbols.
e.g. footballexeter might become F00tb@113x3t3r
However, it is no longer enough to simply replace letters with symbols.
Hackers are well aware of our password habits and have built these common letter substitutions into the rules their cracking tools apply to every dictionary word, so a mangled word falls almost as quickly as the plain one.
For example, replacing letter:
“a” with “@”
“o” with “0”
“i” or “l” with “1”
“s” with “$”
Likewise, always starting with a capital letter and ending with a number has become so common that cracking rules try it as a matter of course. In this case:
F00tb@113x3t3r might well become 1fO0tB@1lEX3T3rZ (a number at the start, capitals scattered through the middle and a letter on the end break the pattern the rules expect).
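To make the point about the passphrase section and the substitution rules above concrete, here is an added example (not code from the original post) of a miniature rule-based cracker of the kind hashcat and John the Ripper run at scale. It takes a tiny constructed wordlist, applies every combination of the substitutions listed above plus the capitalise-first and append-a-digit habits, and hashes each candidate until one matches a target. The target is an unsalted SHA-1 hash, chosen only because that is what many leaked databases have contained; the wordlist and the rule set are deliberately small.

```python
import hashlib
import itertools

# Constructed mini wordlist; a real run uses millions of words and hundreds of thousands of rules.
WORDLIST = ["password", "football", "exeter", "footballexeter"]

# The substitutions listed in the article, exactly as a cracker's rule file would encode them.
SUBSTITUTIONS = {"a": "@", "o": "0", "e": "3", "i": "1", "l": "1", "s": "$"}
SUFFIXES = [""] + [str(d) for d in range(10)] + ["!"]   # "ends with a number" habit


def sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def mangle(word: str):
    """Yield every candidate derived from one dictionary word: each subset of the
    substitutions, optionally capitalised, optionally followed by a digit or '!'."""
    seen = set()
    letters = list(SUBSTITUTIONS)
    for n in range(len(letters) + 1):
        for subset in itertools.combinations(letters, n):
            table = str.maketrans({c: SUBSTITUTIONS[c] for c in subset})
            base = word.translate(table)
            for cased in (base, base[:1].upper() + base[1:]):
                for suffix in SUFFIXES:
                    candidate = cased + suffix
                    if candidate not in seen:     # substitutions of absent letters repeat
                        seen.add(candidate)
                        yield candidate


def crack(target_hash: str, wordlist=WORDLIST):
    """Return (plaintext, candidates_tried); plaintext is None if the rules never reach it."""
    tried = 0
    for word in wordlist:
        for candidate in mangle(word):
            tried += 1
            if sha1_hex(candidate) == target_hash:
                return candidate, tried
    return None, tried


if __name__ == "__main__":
    # Constructed "leaked" hashes of the two passwords discussed in the article.
    for secret in ("F00tb@113x3t3r", "1fO0tB@1lEX3T3rZ"):
        found, tried = crack(sha1_hex(secret))
        print(f"{secret}: {'cracked' if found else 'not cracked'} after {tried} candidates")
```

The substituted version of footballexeter falls within a few thousand hashes because it is one dictionary word plus rules the attacker already has; the second form survives this rule set because the leading digit and the mixed capitals in the middle are not habits the rules encode. That only holds until someone adds a rule for it, which is the argument for genuinely random passwords from a manager wherever you can use one.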
Have a look at the popular password strength site HowSecureIsMyPassword. It gives you an indication of how long it would take to crack your password (remember, that’s an indication, not a guarantee, and it is based on the cracking ability of a common desktop computer, not a hacker’s server farm).
Microsoft Research also have a site that tries to predict the next character of your password as you type it, which is a sobering demonstration of how predictable our choices are.
Remember:
- 61% of consumers reuse passwords between sites.
- 76% of network intrusions exploit weak or stolen credentials
- 66% of consumers never change their password.
Summary:
DO’S | DONT’S
Probably the best piece of advice for everyone, stay educated, stay informed, take a look at ESET’s We Live Security site.
Also, head over to Microsoft’s Security Centre, OpenDNS Security Labs and Malwarebytes Unpacked for further info.
Download the handy Password poster for your office wall.
the-server.ninja