
Don't pass on password protection
For many of us, not a day goes by that we aren’t logging into an account for various tasks, entertainment or work. As a result, we’ve all heard stories of password protection failing: the cousin whose bank account was emptied after someone got into it, or the friend whose data was exposed in a company-wide breach.
Beyond the stories we share, recent statistics make an even more compelling case for strong passwords. According to the 2020 Verizon Data Breach Investigations Report, 81% of breaches at companies and organizations involved stolen or weak passwords, and Breach Alarm (2019) estimates that one million passwords are stolen every week.
Read on for five ways to design secure, strong passwords and keep your information safe.
Exploring how hackers think
Understanding how passwords are cracked is the first step in devising an approach to designing good passwords.
“Hackers can automate the cracking of stolen password hashes between billions and trillions of passwords per second using high-performance supercomputers,” said Jetson. To do so, hackers apply brute-force cracking: an automated process that tries every possible combination of letters, numbers and symbols (and, more efficiently, lists of common words and previously leaked passwords) until one produces the stolen hash.
“To combat this, we moved to more complex passwords by adding characters, but even those have replicable patterns, like using the @ symbol to replace the letter A,” Jetson continued. He explained that this is a great place to start, but went on to share more details on how to create even stronger and more secure passwords.
Five tips for designing more secure passwords
Although no password is uncrackable, increasing its length and complexity makes cracking take far longer, and in practice that sends attackers on to easier targets, ultimately protecting your accounts and information. Check out these five tips, provided by Jetson, to inform a more secure password strategy:
Tip 1: Length is the number one determinant for a secure password.
Passwords are at their strongest when they are over 14 characters long. A good strategy for creating a password is to select four or five unrelated words and string them together with a special character; think along the lines of horse-blue-rain-earphones (but please don’t go using this exact password now that it is published!). Because the words are unrelated, ideally picked at random rather than taken from a phrase you already know, the combination cannot be guessed from a dictionary or from facts about you, even though each word on its own is common.
Sometimes a password length limit prevents the use of this strategy. In that case, another method is to think of a sentence, like “Jack and Jill ran up the hill,” and use the first letter of each word as the base of the password: jajruth. You can add further complexity with symbols and numbers; for example, add a colon and a year to make it jajruth:2021. Pick a sentence of your own rather than a well-known rhyme or quotation, since famous phrases appear in the word lists crackers use.
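As an added illustration of Tip 1 and of the cracking rates quoted above (this is example code, not from the original article), the following Python script draws passphrase words with a cryptographic random generator and compares the guessing work for an 8-character “complex” password, 14 random lowercase letters, and 4- or 5-word passphrases. The small word list is constructed for the demo; the 7,776-word list size is assumed to match a published diceware-style list, and the 10^12 guesses per second rate is taken from the “trillions per second” figure above.

```python
import math
import secrets

# Constructed sample word list for the demo. A real generator should draw from a
# large published list (7,776 words is assumed below); this one is tiny, so the
# passphrases it produces are for illustration only.
SAMPLE_WORDS = [
    "horse", "blue", "rain", "earphones", "candle", "river", "pepper", "ladder",
    "window", "copper", "violin", "harbor", "meadow", "pencil", "rocket", "silk",
]


def generate_passphrase(words, count=4, sep="-"):
    """Pick `count` words uniformly at random (cryptographic RNG) and join them."""
    return sep.join(secrets.choice(words) for _ in range(count))


def search_space(alphabet_size, length):
    """Number of candidates an attacker must try to exhaust every combination."""
    return alphabet_size ** length


def entropy_bits(alphabet_size, length):
    """Guessing entropy in bits: log2 of the search space. For a passphrase the
    'alphabet' is the word list and 'length' is the number of words."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(space, guesses_per_second):
    """Worst-case time to try every candidate at the given cracking rate."""
    return space / guesses_per_second / (365 * 24 * 3600)


def compare(guesses_per_second=1e12):
    """Return {name: (entropy_bits, years_to_exhaust)} for several password shapes.
    The 7,776-word list size is an assumption about the passphrase word list."""
    rows = {
        "8 chars from 95 printable ASCII": (95, 8),
        "14 random lowercase letters": (26, 14),
        "4 words from 7776-word list": (7776, 4),
        "5 words from 7776-word list": (7776, 5),
    }
    return {
        name: (round(entropy_bits(a, n), 1),
               years_to_exhaust(search_space(a, n), guesses_per_second))
        for name, (a, n) in rows.items()
    }


if __name__ == "__main__":
    print("example passphrase:", generate_passphrase(SAMPLE_WORDS, 4))
    for name, (bits, years) in compare().items():
        print(f"{name:32s} {bits:5.1f} bits  {years:9.4f} years at 1e12 guesses/s")
```

Two things the numbers show: four random words from a large list carry about the same entropy as eight truly random printable characters (both exhaustible in under an hour at a trillion guesses per second), so the fifth word, or the extra length, is what pushes the work into years; and the passphrase only earns its entropy if the words are chosen at random rather than from a phrase the attacker can also think of.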
Tip 2: Vary your passwords.
While it may seem easier to use the same password for multiple services and logins, doing so quickly puts all of your accounts at risk: if that password is stolen from one site, it can be used to log in to every other site where you reused it. Credentials leak when a third-party service is compromised and has stored its passwords without proper hashing. Databases of those stolen usernames and passwords then feed credential stuffing attacks, in which attackers replay the leaked username and password pairs in bulk against other sites, and password spraying attacks, in which they try a few commonly observed passwords against many accounts. Either way, the attacker needs far fewer attempts than brute force would.
This makes using different passwords across services critical.
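The bulk-login pattern described above has a recognizable shape in authentication logs: one source address touching many different accounts with only one or two attempts each, which is how both credential stuffing and password spraying look from the server side. The following detection logic is an added example (not part of the original article) run over a constructed sample of log lines in a simple assumed format; a user retrying their own password several times from one address does not match the shape and is not flagged.

```python
import re
from collections import defaultdict

# Constructed sample of authentication log lines (not real traffic). The format
# "ts ip=... user=... result=OK|FAIL" is an assumption for the demo.
SAMPLE_LOG = """\
2021-03-04T10:00:01Z ip=198.51.100.20 user=bob result=FAIL
2021-03-04T10:00:09Z ip=198.51.100.20 user=bob result=FAIL
2021-03-04T10:00:20Z ip=198.51.100.20 user=bob result=OK
2021-03-04T10:01:00Z ip=203.0.113.7 user=alice result=FAIL
2021-03-04T10:01:01Z ip=203.0.113.7 user=carol result=FAIL
2021-03-04T10:01:02Z ip=203.0.113.7 user=dave result=FAIL
2021-03-04T10:01:03Z ip=203.0.113.7 user=erin result=FAIL
2021-03-04T10:01:04Z ip=203.0.113.7 user=frank result=FAIL
2021-03-04T10:01:05Z ip=203.0.113.7 user=grace result=OK
2021-03-04T10:01:06Z ip=203.0.113.7 user=heidi result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def find_bulk_login_sources(events, min_users=5, max_attempts_per_user=2):
    """Flag source IPs that touch many distinct accounts with only a few attempts
    each: the signature of credential stuffing (one leaked pair per account) and
    password spraying (one common password per account). Any successes from such
    a source are accounts that were reached with a reused or common password."""
    per_ip = defaultdict(lambda: {"attempts": defaultdict(int), "successes": []})
    for e in events:
        stats = per_ip[e["ip"]]
        stats["attempts"][e["user"]] += 1
        if e["result"] == "OK":
            stats["successes"].append(e["user"])

    findings = []
    for ip, stats in per_ip.items():
        users = stats["attempts"]
        if len(users) >= min_users and max(users.values()) <= max_attempts_per_user:
            findings.append({
                "ip": ip,
                "distinct_users": len(users),
                "total_attempts": sum(users.values()),
                "compromised_users": stats["successes"],  # force a reset on these
            })
    return findings


if __name__ == "__main__":
    for finding in find_bulk_login_sources(parse_log(SAMPLE_LOG)):
        print(finding)
```

The thresholds are deliberately crude; a production detector would bucket by time window and also watch for the same leaked password being tried across many sources, since stuffing tools rotate through proxies to stay under per-IP limits.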
Tip 3: Utilize multi-factor authentication.
While we strongly urge everyone to use different passwords across services, multi-factor authentication adds a second barrier that holds even when a password has been stolen, guessed or reused.
Multi-factor authentication requires something you know (a password) and something you have (a mobile device, YubiKey or hardware token) to log in to an account. A hacker who obtains only your password cannot get into your information without the second factor. The exception is when they have also somehow obtained the device that receives the verification code by text, call or push notification through a dedicated mobile app, or have acquired the hardware token itself. One caveat: a code sent by text or shown in an app can still be tricked out of you by a convincing fake login page, so treat a code or approval prompt you did not request as a warning sign rather than something to approve.
Tip 4: Avoid malware.
Malware is software written to do harm, and it often includes a keylogger, a component that records every keystroke you type. As you can imagine, that lets hackers read your usernames and passwords as you enter them. Avoid suspicious sites and the links in suspicious emails, which are common ways malware such as keyloggers gets installed. You can also stay proactive by installing antivirus software and keeping your device and its software updated.
Another layer of protection against malware is to avoid doing everyday work from the administrator account on your computer. If malware runs under the administrator context, it inherits every administrator capability, including disabling your antivirus or installing additional malware to embed itself deeply in the system. If instead you work from a “standard” user account, malware that does slip through runs with only that account’s permissions: it can still read the files you can read, but it cannot reconfigure the system, turn off your protections or reach other users’ data.
Tip 5: Act quickly when a hack occurs.
Finally, even with the strongest measures, a password can still be compromised. When that happens, change it immediately to cut off illegitimate access to your information, and change it on any other service where you reused it.