Balancing ease of access against security has been an issue ever since the creation of the personal computer. Striking that balance is key to your security, whether the computer is for personal or business use.
We will walk you through the best way to create passwords, manage them (if necessary), and why the master password matters. But if we are going to make secure passwords, we first need to discuss how hackers crack them.
First, make sure that whatever company you sign up with is using modern, up-to-date password hashing and is not storing your password in plain text, as Facebook once did (this still happens today). How companies store your passwords is incredibly important: any password you create going forward is useless if it is not stored securely.
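To make the storage point concrete, here is an added example (not code from the original post) of what "storing a password securely" means on the site's side: only a per-user random salt and a slow, salted hash are kept, and a login is verified by recomputing that hash. The iteration count and the record layout are assumptions for illustration; the plain-text function shows the insecure alternative the post warns about.

```python
import hashlib
import hmac
import os

# Assumed PBKDF2-HMAC-SHA256 work factor; raise it as hardware gets faster.
ITERATIONS = 600_000


def store_password(password: str, salt: bytes = b"") -> dict:
    """Return the record a site should keep: salt + slow hash, never the password."""
    salt = salt or os.urandom(16)  # fresh random salt for every user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {
        "alg": "pbkdf2-sha256",
        "iterations": ITERATIONS,
        "salt": salt.hex(),
        "hash": digest.hex(),
    }


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def plaintext_store(password: str) -> dict:
    """The insecure way the post warns about: the record *is* the password."""
    return {"password": password}


if __name__ == "__main__":
    rec = store_password("correct horse battery staple")
    print(rec)                                               # no plaintext in here
    print(verify_password(rec, "correct horse battery staple"))   # True
    print(verify_password(rec, "wrong guess"))               # False
```

Because each user gets a different salt, two users with the same password get different hashes, so an attacker cannot crack them all at once with one precomputed table.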
If the company is using a modern system to store passwords, hackers will most likely try one of these two methods on the hashed passwords:
- Brute Force Attack
- Dictionary Attack
Brute Force Attack
The name describes the method: the attacker simply runs the hashed password through a computer and tries every possible combination. The longer the password, the more combinations exist, and more combinations means a harder password to crack.
In today’s world, a password of at least nine random characters will suffice against this attack. If you want to get nerdy and look at the math behind it, check out this Khan Academy video.
Dictionary Attack
What if, instead of guessing each character individually and at random, we set some rules to help break the password? The English dictionary would be an excellent place to start. Instead of trying every character, the hacker looks for strings of characters that match words in the dictionary, trying the most common words first. The same technique can be applied to any language.
Custom dictionaries are built every day from real passwords that people have used in the past, which makes cracking even easier. This means that if your password was part of a previous breach, it is most likely in a hacker’s dictionary. These dictionaries are far more effective and can crack a password in seconds.
How do you check if your password resides on one of these lists?
Well, you can never know for sure, since a hacker’s dictionary might not be available to check, and some companies have been unwilling to notify the affected users. An excellent place to start is the Pwned Passwords checker tool.
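The Pwned Passwords checker is built so that you can look your password up without revealing it. The following is an added example, not code from the original post or from the service: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, receives every known hash suffix in that range, and does the comparison locally. The server reply below is constructed (real replies contain hundreds of lines and real counts), and the `fetch_range` helper, which is not called in the offline demo, assumes the public `api.pwnedpasswords.com/range/` endpoint.

```python
import hashlib
import urllib.request

# Constructed stand-in for the server's reply to the prefix 5BAA6; each line is
# "SUFFIX:COUNT". The counts here are made up, the suffix for "password" is real.
CONSTRUCTED_RANGE_REPLY = """\
003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1E2AAA439972480CEC7F16C795BBB429372:1
"""


def hash_prefix_and_suffix(password: str) -> tuple:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix that is sent
    and the 35-char suffix that stays on the client."""
    sha1 = hashlib.sha1(password.encode()).hexdigest().upper()
    return sha1[:5], sha1[5:]


def parse_range_reply(body: str) -> dict:
    """Turn the SUFFIX:COUNT lines into a {suffix: count} mapping."""
    counts = {}
    for line in body.splitlines():
        if ":" in line:
            suffix, count = line.strip().split(":", 1)
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_reply: str) -> int:
    """How often the password appears in the breach corpus; 0 means not found."""
    _prefix, suffix = hash_prefix_and_suffix(password)
    return parse_range_reply(range_reply).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Live lookup (assumed endpoint). Only the 5-character prefix leaves the machine."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "pwned-range-demo"},  # assumed: service expects a UA
    )
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    prefix, _ = hash_prefix_and_suffix("password")
    print(prefix)                                              # 5BAA6
    print(breach_count("password", CONSTRUCTED_RANGE_REPLY))  # 3730471 (constructed)
    print(breach_count("R37Gj4!hj37^dyb!klm", CONSTRUCTED_RANGE_REPLY))  # 0
```

Sending the prefix alone narrows the candidate set to a few hundred hashes out of the whole corpus, which is why the service can be used on passwords you actually intend to keep.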
Creating Your Password
First, NEVER use the same password twice. Imagine a robber steals your car key and it just so happens to open your house and the new restaurant you opened as well. We use different keys for our physical locks, so why should we use the same one digitally?
The whole point of having a password is to secure yourself online, and using “password” as your password is extremely insecure. Here is a list of the most common passwords.
The first rule is to choose a password that meets specific length requirements.
Please note that substituting numbers for the letters they resemble (i.e. 3 for E) is NOT secure. If you think that is clever, know that it is a standard cracking tactic: the tools automatically pair each letter with the characters that look like it.
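The following added example (not code from the original post) turns the brute-force, dictionary and look-alike-substitution points above into a defender-side strength check: it undoes common substitutions and strips trailing digits or punctuation before looking the password up in a wordlist, and it estimates the brute-force keyspace from the password's length and character classes. The wordlist and the substitution table are constructed for illustration, and the guess rate is an assumed figure, not a measurement.

```python
import math
import string

# Constructed stand-in for a cracker's wordlist / leaked-password list.
CONSTRUCTED_WORDLIST = {"password", "letmein", "welcome", "sunshine", "dragon"}

# Assumed look-alike substitutions that cracking rules try automatically.
LEET_MAP = str.maketrans(
    {"3": "e", "4": "a", "0": "o", "1": "i", "@": "a", "$": "s", "5": "s", "7": "t"}
)


def normalize_leet(pw: str) -> str:
    """Lowercase and undo look-alike substitutions (P@ssw0rd -> password)."""
    return pw.lower().translate(LEET_MAP)


def in_wordlist(pw: str, wordlist=CONSTRUCTED_WORDLIST) -> bool:
    """True if the password, its de-leeted form, or either with trailing
    digits/punctuation removed, is a known word."""
    candidates = {pw.lower(), normalize_leet(pw)}
    candidates |= {c.rstrip(string.digits + string.punctuation) for c in list(candidates)}
    return any(c in wordlist for c in candidates)


def keyspace_bits(pw: str) -> float:
    """log2 of the brute-force keyspace implied by length and character classes."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 symbols
    return len(pw) * math.log2(size) if size else 0.0


def seconds_to_brute_force(pw: str, guesses_per_second: float = 1e10) -> float:
    """Time to exhaust the whole keyspace at an assumed guess rate (an attacker
    needs about half of it on average)."""
    return 2 ** keyspace_bits(pw) / guesses_per_second


def assess(pw: str) -> dict:
    """Combined verdict: dictionary hit plus brute-force estimate."""
    return {
        "in_wordlist": in_wordlist(pw),
        "bits": round(keyspace_bits(pw), 1),
        "brute_force_seconds": seconds_to_brute_force(pw),
    }


if __name__ == "__main__":
    for candidate in ["P@ssw0rd", "Dr4g0n99", "R37Gj4!hj37^dyb!klm"]:
        print(candidate, assess(candidate))
```

The point of the de-leet step is the one the post makes: `P@ssw0rd` has the keyspace numbers of a mixed-class eight-character password, but it is still `password` to a dictionary attack, so a policy that only counts character classes passes it.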
Here is an example of a strong password: R37Gj4!hj37^dyb!klm
Unfortunately, you’re probably not going to remember it unless you’re Michael Ross from the show Suits. This is why “forgot apple ID password” and “forgot google password” are among the most searched terms on Google. A good password needs to be easy to remember!
This XKCD comic is a good illustration of the problem with current password techniques and provides us with good rules going forward.
OK, so we have the makings of a good password that we can remember by using something like:
This works better if you are remembering multiple passwords yourself instead of using a password manager. It is a passable way to create a password. Random is, of course, better, so use this random password generator and play with the rules.
Do you want more than “just good enough?”
Perfect, then let us take it up a couple of notches. This is especially vital if you’re using a password manager that requires a master password.
The first step is something we mentioned earlier: use a less common English word, or something you would not find in a dictionary at all. Examples include a brand name, slang, anything really, as long as it means something to you. Note that using a family member’s name, including a pet’s name, is extremely insecure.
Here we switched out one word for a brand name. This one change makes the password that much more difficult to crack. Next, we can add characters, but in places that don’t make sense.
Perfect, now we have a strong password. This might be a little over the top, but it is great for your master password, as that is the only one you need to remember.
One more layer of security to add is two-factor authentication.
Two-factor authentication requires you to enter a separate code that is sent to you or generated on your phone by an authentication application such as Google Authenticator.
Password Managers
The most secure way is not to use one and to have an impeccable memory that holds all your different passwords. That, unfortunately, is not feasible for most people. I could go into more detail about the best password managers, but the important things to look for in a password manager are:
- They use local encryption, not server-side encryption.*
- They offer two-factor authentication using Google Authenticator or a comparable service.
- The forgotten-password function only gives you a hint for your master password rather than letting you reset it via email.
The password manager will create those long, complex passwords for you, different for each site.
The master password is the key part. Just don’t forget it: for the first week, set a reminder to log into your password manager once a day so you get used to typing it out. Don’t use this password for anything else!
Lastly, don’t use any of the passwords I have used as examples in this post, since they have probably been added to a password cracker’s dictionary already.