Whenever I’m presenting a talk about password security, I start with a simple question:
“Who here uses the same password for everything?”
Usually, up to half the room will raise their hands. And a good portion of the rest say that use only a handful of passwords across all their accounts. That’s not good, right?
Then I show them this video – Edward Snowden talking to John Oliver about password security:
The takeaway message from the video is this:
“For somebody who has a very common 8 character password, it can literally take less than a second for a computer to go through the possibilities and pull that password out.”
Reluctantly, I ask the room:
“Who uses a password with less than 8 characters?”
This time, it’s usually more than half the room. Think about that – there’s a good chance that half of all people online use a password that can be cracked by a computer in less than one second. Truly terrifying. But it gets worse.
According to this list of most common passwords:
“91% of all user passwords sampled appear on the list of the top 1,000 passwords.”
That is unbelievable. Put another way, hackers can get into 91% of password-protected accounts with a list of just 1,000 commonly used passwords!
So why are people so blasé when it comes to their password security? For starters, most people seem to have an “it couldn’t happen to me” attitude about the possibility of being hacked. But even if they did shudder at the thought of being hacked, they also shudder at the thought of having to change (and then remember) all their passwords.
But that’s not an issue if you use a password manager.
The Anatomy of a Strong Password
After watching the Edward Snowden video, you’re probably starting to get the idea. But here’s a simple checklist for creating a good password:
- It should be AT LEAST 16 characters
- It should contain numbers and special characters
- It should use a variation of upper and lower case letters
- It should not contain any word found in the dictionary
- It should not contain easily guessed information such your birth date, phone number, spouse’s name, pet’s name, kid’s name, login name, etc
When it comes to password security, the longer a password, the harder it is to brute force (that is, have a computer guess). Every extra character in your password makes guessing it exponentially harder. Of course, if your password contains dictionary words or easily guessed information, it becomes weaker.
A good rule of thumb is to never have more than 3 characters of the same type next to one another – never more than 3 uppercase letters, or 3 lowercase letters, 3 numbers or special characters next to one another. Alternate their use as much as possible.
To read more about how hackers crack a password, check out this article:
Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331” – three hackers try to crack 16,000+ passwords—with 90 percent success.
How to Survive the Password Apocalypse
Mat Honan was a senior staff writer with WIRED (he now works for Buzzfeed). In 2012, his online presence was comprehensively hacked, culminating in the loss of his Twitter handle @mat. He wrote about his ordeal here:
Whilst the use of passwords doesn’t appear to be going anywhere, Mat does offer up some invaluable advice around password security:
Until we figure out a better system for protecting our stuff online, here are four mistakes you should never make—and four moves that will make your accounts harder (but not impossible) to crack.—M.H.
- Reuse passwords. If you do, a hacker who gets just one of your accounts will own them all.
- Use a dictionary word as your password. If you must, then string several together into a pass phrase.
- Use standard number substitutions. Think “P455w0rd” is a good password? N0p3! Cracking tools now have those built in.
- Use a short password—no matter how weird. Today’s processing speeds mean that even passwords like “h6!r$q” are quickly crackable. Your best defense is the longest possible password.
- Enable two-factor authentication when offered. When you log in from a strange location, a system like this will send you a text message with a code to confirm. Yes, that can be cracked, but it’s better than nothing.
- Give bogus answers to security questions. Think of them as a secondary password. Just keep your answers memorable. My first car? Why, it was a “Camper Van Beethoven Freaking Rules.”
- Scrub your online presence. One of the easiest ways to hack into an account is through your email and billing address information. Sites like Spokeo and WhitePages.com offer opt-out mechanisms to get your information removed from their databases.
- Use a unique, secure email address for password recoveries. If a hacker knows where your password reset goes, that’s a line of attack. So create a special account you never use for communications. And make sure to choose a username that isn’t tied to your name—like firstname.lastname@example.org—so it can’t be easily guessed.
Password Security: Where To From Here?
If your password security is in desperate need of improvement, it’s never too late to start. It may seem like an ordeal to think up new passwords, let alone actually log in and change them all, but it’s not actually that hard. And, as you’ll see in our next post, using a password manager makes the task quick and simple.