One of my friends worked as a computer security auditor for a company. When we were talking about his day-to-day work, he mentioned that his primary job was to scold and educate employees on how weak their passwords were. Most of those employees were in charge of creating critical systems for clients around the world.
Now if IT professionals don't know how to make strong passwords, then what would be the state of the general population? It's more common than you think.
They say that a chain is only as strong as its weakest link. Passwords in many cases are the weakest link in every computer system. Next time you hear one of your friends say that their Instagram got hacked, just know that it is most likely that someone merely guessed their password.
How exactly do you make a secure password? Well, it has to meet several characteristics to make it harder for cybercriminals to obtain it. Here are some of my tips that will help you create a stronger password.
The shorter the password, the easier it is to obtain it by brute force. Using the processing capacity of computers nowadays, you can test billions of password combinations in a matter of seconds. If you are using a password with less than 8 characters, you are practically inviting people to enter your account.
You must remember that absolutely all passwords can be obtained by brute force, the only difference is the time it takes to do it. When we are creating strong passwords, we are ultimately trying to increase the time it takes to crack them.
There are websites you can use to find out how long it would take to brute force it. But before I share it, please note that you should never type a password that you use (or will use) on these websites.
Now that you are warned, you can check it out here. Anyway, here are some examples of passwords and the approximate time it would take to break them by force.
**** // Instantly******** // 64 milliseconds*********** // 3 minutes******************** // 200,000 years
We all have been there, you forgot the password to your email account, now you don't want to make the same mistake again. So you use easy-to-remember passwords like your partner's name, your birthday, address, phone number, etc.
Using personal information in your passwords makes it very insecure. All it takes is a quick conversation with a friend of yours.
You would think you are safe if you use a combination of those things, added with some numbers and special characters. However, there are tools like JohnTheRipper that are capable of generating all possible combinations from your personal data.
Again, It is a terrible idea to use any personal information related to you in your passwords. It is highly insecure.
StrangerThings123 // Bad, don't use passwords that are based on your interests0552325555 // Or your phone numbermohammad1999 // Or combination of your name and birth year
Use words and phrases that don't make sense while picking a password. Avoid words that appear in any dictionary or published literature.
Attackers use a popular method called a dictionary attack. In which they use the most popular passwords on the internet to try to guess yours. There are tons of password dictionaries on the internet, such as Hob0Rules which contain thousands of word lists. If your password is in one of these lists, consider changing it.
Here are some of the most common passwords:
// Do not use theseiloveyouQwertypassword1adobe123
People also like using characters like "abc", and "123" in their passwords. These predictable sequences next to each other make it easier for a hacker to crack your password.
// Very bad passwords, avoid theseIncreible123potato789xyz123456abc2020
Make sure your password includes uppercase, lowercase, special characters, numbers all mixed up together. This way, we greatly increase the number of attempts an attacker has to make to obtain a password.
monstersvsaliens // lowercase lettersMonstersVsAliens // lowercase and uppercase letters9MonstersVs2Aliens // All letters + numbers9Monsters.Vs.2Aliens // All letters + numbers + other characters
People who use a single password for all their websites like email, social media, bank, hosting, etc. put themselves at a huge risk of getting compromised. Sure, they are easy to remember, but if someone finds out a password for one of your accounts, they now have access to all of your accounts protected under the same password.
It is best practice to use different passwords for critical accounts like your bank account or your work email. So that when a website's passwords get leaked online, you are safe. If you have been using the internet for more than 10 years, there is a 90% chance that at least one of your passwords exists on the internet. And that leaked password will be used against you by malicious people to gain access to all your accounts.
There are hundreds of bots at work online whose sole job is to parse through these leaked password lists and try the combination of all those email and passwords on other sites like Paypal, Apple, or Google account.
There are tools like Have I Been Pwned that check if your email or phone number was leaked in a data breach and whether the breach also included your password.
Sensitive accounts like your bank, admin panel for a website, etc. should have a password that you change frequently and never use the old password ever again. This is particularly useful when you forgot that you shared your password with a friend or colleague a long time ago and they have gone rogue.
Why is making a secure password so dang difficult? I know it's a mess, it's hard managing long secure, hard-to-read, hard-to-remember passwords for each application you use. But there are easier ways to manage this.
I use a free service called LastPass, it safely stores all my passwords in one place, so I don't have to remember them. It also helps me generate unique passwords for each website and reminds me to change them frequently. I just have to remember one master password, which is used to encrypted and decrypt all my other passwords.
Even if you have the strongest password in the world, it will be completely useless if an attacker guesses it using methods other than brute force. Here are a few extra tips for you to keep in mind.
- Avoid entering your password on public computers, you never know if there is a physical or virtual keylogger installed.
- Do not enter your password on your phone or laptop using a public (open) WiFi such as coffee shops or malls.
- Stay away from websites that are not encrypted, always enter your passwords in websites that use HTTPS.
- Beware of people looking at your keyboard while you type your password. Practice typing your passwords faster and with no pauses.
- Never write down your passwords on sticky notes, or your computer, like a text file on your desktop.
- Never share your passwords with anyone over a phone or other means.
- Use 2FA whenever possible, this adds an extra layer of security on your accounts that support Two-Factor Authentication.
A service you use can have the best security practices implemented to prevent malicious activity, but they won't be able to stop anyone from guessing your password. It's only a matter of time when you find out someone has deleted all your posts on Instagram, bought expensive items from your Amazon account, or emptied your bank account.
No one likes passwords, recently Microsoft announced that they will be killing off passwords all together for all their consumer accounts. More companies will follow suit. You will be able to login using an Aunthenticator app on your phone, it is more secure and you don't have to remember passwords anymore.
However, the passwordless future is still far from a reality. For now, let us all be more responsible in picking our passwords and avoid falling prey to the malicious people on the internet.