It goes without saying that the Internet is part of our daily lives whether at home, at school, or at work. While the resources we access in each of those aspects of our lives might be different, they all have one feature in common: passwords. A password is literally the string of characters that controls our access to data on local networks or on the Internet from a variety of devices (e.g., desktop, laptop, smartphone, etc.). This means that choosing a good password is a must, especially with more and more data going to the cloud. Remember, if your data is in the cloud then a good password becomes (in a lot of cases) your only line of defense from the bad actors trying to get their hands on your data.
Traditionally, passwords stemmed from our names, our family members’ name, birthdays…. You get the idea. We also suffer from “password fatigue” because we have multiple accounts to keep track of; this causes users to start choosing weak and easy to remember passwords (non-complex and less than 10 characters) along with using the same password on multiple accounts. This has led us down the path to a history of bad habits making it even easier for those with malicious intent to guess, or crack, your password.
These people are increasing their success rate of finding your password through a number of methods. First, they have computers working from a library of known popular passwords to throw at your various accounts; Facebook, Office 365 and Google are
very popular targets as you can well imagine. Please do not work under the misconception they are doing this by hand, folks; computers make everyone’s lives easier, including those with nefarious purposes. Second, they are doing research on you (via Facebook and Linkedin) to learn more about you in order to help guess passwords based on names, birthdates, etc.. Third, through the use of cloud-based computing, they have near limitless computing power to throw at your account or stolen password hash; the formula is pretty easy: more computing power = less time to crack.
Do we even want to think about what happens if they get their dirty mitts on our valuable credentials? Unfortunately, if your imagination runs wild with this it would probably guess most of the outcomes. From fraud and ransomware campaigns to outright theft of data, the sky is the limit. With your username and password in hand, the bad guys can be whoever they want to be with little or no risk of being discovered or arrested. Thanks to the Internet, the world has become a very small place and password hacks can take place from anywhere at any time.
Fortunately, there is a short list of actions you can take to protect yourself and your digital identity:
Password length and complexity:
This may seem daunting but by following a common formula (e.g., couch or separate words with special characters, replace letters with numbers, etc.) across different accounts, you can make it nearly impossible for your password to be guessed or cracked. Think on this: taking a 12 character password of all lower-case letters to one with basic complexity (upper + lower + number +special character) changes the time required to successfully crack the password from 20 hours to 9.6 millennia!!!! (based on the computing power of 1 trillion guesses per second) There are also third-party services, such as LastPass or 1Password, that make creating and managing your passwords even easier.
Bypass password hints:
Don’t use this! If the bad guys find this info, it just helps them narrow their search for your password and we do not want to help them out. If a site lets you bypass this, do so; if not, make up a nonsensical word or phrase that has nothing to do with your password.
Learn from history:
Fortunately for us, there is a great resource that identifies known bad passwords; bad in the sense they are very popular among Internet users and good guesses for the bad guys. Check it out at https://cry.github.io/nbp
Why not make it even harder for bad actors to get into your accounts by requiring more than just a password? By requiring a password and a second (and sometimes third, yikes!) form of authentication, it won’t matter if they guess your password: they can’t get your data. Some common examples of this are one-time codes via text message, biometric data (e.g., facial recognition, fingerprint, etc.) and expiring codes provided by secure applications on a mobile device, such as Google Authenticator or Authy. Most online services are supporting different forms of MFA and users are encouraged to start using them as they greatly increase the safety of their accounts.
So please, take the time to change the way you think about your passwords and the impact they have on your digital life. To see how your password stacks up, download our 5-Step Checklist For Creating Robust Passwords. We can all be that much safer with just a few simple steps.