Creating strong, unique passwords has become a necessary evil, particularly for those who use dozens of apps, websites, and other services. Passwords we choose must be at least a certain length, contain letters, numbers, and special characters, can’t be repeated, must be changed regularly, and so on. If we follow the recommended guidelines, choosing good passwords that we can remember becomes a challenge.
According to recent studies, around 70% of the world's most popular passwords can be cracked in less than a second. Some examples include 1234, Password, and Test1, yikes! Attackers use a range of tricks to try and obtain passwords used for online accounts. Among these are a brute-force attack (trying many passwords to crack an account), password spraying (trying some common passwords across many accounts), and credential stuffing (using compromised usernames and passwords on many different sites). The attacks are not performed manually. Instead, software tools are used to automate attempts, allowing for many attempts per second and faster exploitation. The weaker and more common the password, the quicker they are cracked. Many tools are available for free online as they are often written and published by security researchers who are trying to find vulnerabilities before attackers do.
Targeted password cracking has become easier with the rise of social media and the proliferation of publicly accessible personal information. Many details commonly used in passwords are available for anyone to see: names of children, hobbies, favorite places, etc. Tools can take this information and generate possible passwords with modifications people frequently add, such as capitalizing the first letter or adding numbers and an exclamation point at the end.
So how do you create good passwords that are hard to crack? Below are some helpful tips to help keep your personal information safe and private. Note that none of these will ever be 100% effective at protecting you and your information, but they are good practices that can make things much more difficult for attackers and make you far less desirable of a target.
Use a password manager. While it is best if passwords only exist in your head, remembering many strong passwords is a difficult task. Password managers are applications that securely store your passwords in a central location that is accessed by one very strong password. When using a password manager, you no longer need to remember your other passwords, just the password to get into the manager. Your other passwords can be very long, completely random, and unique for every site or application you use. Password managers typically provide a way to automatically generate random, secure passwords for you so you don’t even have to come up with them yourself. Some do require subscriptions and it is important to choose a trusted provider (some popular choices are LastPass and KeePass), but overall password managers, when used properly, are a great way to increase password security.
Use a passphrase. For passwords, you do need to remember, using a passphrase instead of a password can make the result long, secure, and easy to remember! Make them at least 15 characters. Use numbers, capitals, special characters, and spaces (when permitted) in nontypical places. For example, the following passwords would be very difficult to track but are fairly memorable: “workp1ace security-critical.” or “cat f00d is _awesome_”.
Use multifactor authentication. Having 2 layers of authentication to access your account will protect you even if your password is cracked. Someone would still need access to your second factor to log on to your accounts, which typically is your email or cellphone.
Delete accounts you no longer use. Websites are breached every single day. If you use the same password for multiple sites, compromising a service you haven’t used in years and have forgotten about can grant an attacker access to your other accounts. You never know who or what has been compromised. When you are no longer going to use an account, make sure it’s deleted and not left in limbo.
Regularly check your accounts. It’s amazing how much suspicious activity goes unnoticed and how long a compromise can last before detected. Check your critical accounts frequently for anything out of the ordinary, such as logins from an unrecognized device or location, password or email modifications, or unauthorized purchases. Consider an Identity Theft Protection and Monitoring Service. These services proactively monitor and notify you of suspicious activity. Some plans include insurance.
Protect your recovery methods. Take the time to set up the password reset questions and answers on each site appropriately. Don’t use the same questions and answers on multiple sites. Treat this information just like passwords and store it in your password manager.
While new authentication methods like facial recognition and fingerprint reader are slowly being adopted, the reality is that passwords will be around for a while, and adopting these best practices is an effective way to protect ourselves.
If you’d like to know more, check out these password tips from Aaron!