Password Safety and Complexity to Protect Your Accounts
By James Warnken
“The most used password in the world is 123456”
A simple password like this is cracked in a matter of seconds, whereas a password that contains one capital letter, lower case letters, and numbers may take a few hours to crack. The most complex passwords take weeks to crack; they include everything above plus special characters placed at random within the password. Keep this in mind when renewing or creating passwords so that accounts and information are secured by complex, strong passwords.
Before delving into how to construct a complex and secure password, we must first understand how hackers are stealing and breaking passwords in just minutes and clicks.
There are 5 ways hackers steal and break passwords to be mindful of:
- Mass Password Theft - This form of theft is done solely with a program that exploits files on websites that contain username and password credentials. A hacker uses software that scans websites that store lists of user credentials, and once such a list is found the hacker has full access to do with the information as they please. One interesting fact is that the victim's computer does not have to be connected to Wi-Fi or even turned on for this to happen. This theft happens on the server side, which means websites with autofill passwords enabled and weak security are a prime target for this form of password theft.
- Wi-Fi Traffic Monitoring - This form of password and credential theft often goes undetected and is rarely given a second thought. It usually takes place in public places that offer free Wi-Fi requiring a sign-in with an email address. A hacker sits on that network, and once an email address is entered they can monitor and record information from any site or program visited while on the free public network. For example, say you are on a public network checking your social media accounts: if a hacker is monitoring the network, once you enter your password to log in the hacker has the credentials needed to access the account.
- Trial and Error Theft - Although less practical for hackers, this method is still relevant and used with today's technology. It is exactly what it sounds like. Hackers know that most people use significant words, phrases, or dates when setting passwords, so a password can be cracked just by guessing through trial and error. For example, it is common for people to use their date of birth in some form within their password; this information is easy for someone to get hold of and use when trying to guess a password.
There are two forms of phishing attacks:
- Fake Websites - Everyone gets obvious spam emails, but what about the ones that seem legitimate and very important? Some hackers have been known to set up websites that mimic official sites and then send spam emails that seem real. This is one effective way hackers steal credentials without much work beyond the setup phase. The email usually seems very important and provides a link that will supposedly help resolve whatever issue is claimed to be occurring. Once the username and password have been entered, the hacker has the information needed to log into the actual account and do whatever they wish. These are very hard to spot and many times are never given a second thought. If this occurs and the issue might genuinely be happening, do not log in through the link provided in the email. Go to the official website and log in there.
- Key Logging - This form of phishing is very common and usually very easy to spot. Hackers send emails that attempt to catch the receiver's attention in various ways, aiming to drive them to click a link in the email. If the link is opened it may seem that nothing bad has happened, which is true from a general view. However, on the back end, the email injects code into the device that begins tracking and recording information. Such code tracks keystrokes and information within files, which are then used to breach, crack, and steal passwords, credentials, and sensitive information. One rule of thumb: if it seems too good to be true, it more than likely is.
Now that we know how hackers get our passwords, what can we do to stop them?
Here are 6 tips for making your password complex and impossible to crack.
- Password Length - The longer a password is, the more complex it is and the harder it is to crack or steal. Most websites require a minimum of 6 characters, but in reality 8 should be the minimum. Never use only the minimum number of characters required; instead make passwords lengthy and use a variety of uppercase, lowercase, numbers, and symbols to ensure they are complex.
- Password Variety - This may seem very simple, but it is key to making a password complex. Instead of using the usual variation of first name, last name, and date of birth, try switching things up and using quotes and phrases. These are much harder for hackers to guess or replicate. Use a set of words or phrases that have no direct attachment to you personally. To make the password more complex still, substitute words in or out, or rearrange words so that it may not make much sense to anyone but you.
- Using the Full Keyboard - When it comes to creating a solid password we typically use letters and numbers, but utilizing the entire keyboard will make passwords more complex and harder for hackers to crack. Special characters such as “!” or “#” are always a good idea, along with other special characters. It is also key not to arrange characters, numbers, and symbols in a generic pattern. Mixing things up, replacing letters with numbers, and arranging them in a unique pattern will ensure your password is complex and uncrackable.
- Variations across accounts - When it comes to logging in to accounts, many people fall into the thinking “I want my password to be easy to remember,” so consequently the same password is used across multiple or all accounts. This is very risky and makes all accounts vulnerable to attack. Instead of using the exact same password, create variations of it, such as replacing letters with numbers or changing characters between capital and lowercase. Simple variations can protect accounts and add to their complexity, making it harder for attackers to steal them.
- Avoid Common Passwords - When it comes to password complexity and making a hacker's job harder, this tip is the easiest and can be impactful. Avoid the famous “123456” or “qwerty” and any others that just seem too easy to guess. Also keep in mind that if it is something that stands out on the keyboard, it is more than likely too easy and simple a password. A simple password would be your initials and birthday, whereas a more complex password might be the month you were born, followed by your middle name (with one random letter capitalized), followed by a special symbol, and concluded with the day you were born.
- Renewing passwords - Passwords that have stayed the same for long periods of time are more vulnerable than ones changed from time to time. Best practices suggest a password should be reset and changed at least once every 3 months. Changing passwords helps both in securing against future attacks and against attacks that may already have happened undetected. For example, a hacker could have login credentials and be quietly monitoring data and information, but with a regular password reset the hacker would be locked out and all the access they had would no longer be available. In most cases stale passwords, or passwords that have not been reset for long periods, are the prime target for hackers and can grant them access, often without anyone ever knowing they are in.
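To see why the crack-time comparison at the top of the article and the length and full-keyboard tips matter, here is an added example (not part of the original article) that computes a password's worst-case search space and equivalent bit strength and turns them into an estimated exhaustion time. The guess rate and the sample passwords are constructed assumptions, and the estimate assumes characters were chosen at random: a dictionary word with a couple of digits added is far weaker than the figure suggests, which is exactly what the trial-and-error section above warns about.

```python
import math
import string

# Constructed guess rate used only for the estimate; the article gives no figure. Assumption.
GUESSES_PER_SECOND = 1_000_000_000

CHARACTER_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                     string.digits, string.punctuation)


def charset_size(password: str) -> int:
    """Total size of the keyboard character classes the password actually draws from.
    Characters outside the four classes (spaces, non-ASCII) add nothing here."""
    return sum(len(cls) for cls in CHARACTER_CLASSES if any(c in cls for c in password))


def search_space(password: str) -> int:
    """Number of candidates an exhaustive guesser must cover in the worst case."""
    if not password:
        return 0
    return charset_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """Equivalent strength in bits, assuming each character was picked uniformly at random
    from the classes used. A dictionary word with substitutions is far weaker than this."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def worst_case_seconds(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Seconds needed to exhaust the search space at the assumed guess rate."""
    return search_space(password) / rate


def describe(password: str) -> str:
    """Human-readable summary in the largest unit that fits (seconds up to years)."""
    secs = worst_case_seconds(password)
    units = (("years", 365 * 86400), ("weeks", 7 * 86400), ("days", 86400),
             ("hours", 3600), ("minutes", 60), ("seconds", 1))
    unit, length = next((u, l) for u, l in units if secs >= l or l == 1)
    return (f"{len(password)} chars, charset {charset_size(password)}, "
            f"{entropy_bits(password):.1f} bits, ~{secs / length:.3g} {unit}")


if __name__ == "__main__":
    # Constructed samples matching the three cases the article describes.
    for pw in ("123456", "Summer24", "w1nt3r!Sky#9"):
        print(describe(pw))
```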
With all this in mind, let us look at some examples of PCI compliance regulations regarding passwords.
- Passwords must be reset every 90 days
- Require a minimum password length of 7 characters
- Passwords must contain numerical and alphabetical characters
- New passwords cannot be the same as the old password
- Temporary locking of account after 6 failed attempts
- Idle timeout after 15 minutes
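As an added illustration (not from the article or from the PCI standard itself), the following Python checker enforces the six rules listed above: the password-content rules run at change time, and a small per-account record tracks the lockout, password-age and idle-timeout rules. The names policy_violations and AccountState are hypothetical, and times are passed in explicitly as epoch seconds so the behaviour is easy to test.

```python
from dataclasses import dataclass
from typing import List, Optional

# Thresholds taken from the PCI bullets above; the checker itself is an added helper.
MIN_LENGTH = 7
MAX_PASSWORD_AGE_DAYS = 90
MAX_FAILED_ATTEMPTS = 6
IDLE_TIMEOUT_SECONDS = 15 * 60

def policy_violations(new_password: str, old_password: Optional[str] = None) -> List[str]:
    """Return the rules a proposed password breaks; an empty list means it passes."""
    problems = []
    if len(new_password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in new_password):
        problems.append("no numerical character")
    if not any(c.isalpha() for c in new_password):
        problems.append("no alphabetical character")
    # Both values are what the user just typed at change time, so they can be compared
    # directly; stored passwords would only ever be compared through their hashes.
    if old_password is not None and new_password == old_password:
        problems.append("same as the old password")
    return problems

@dataclass
class AccountState:
    """Per-account bookkeeping for the lockout, age and idle rules. Times are epoch seconds."""
    password_set_at: float
    last_activity: float
    failed_attempts: int = 0
    locked: bool = False

    def record_login(self, success: bool, now: float) -> bool:
        """Update the counters after a login attempt; returns True if the account is locked."""
        if success:
            self.failed_attempts = 0
            self.last_activity = now
        else:
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
                self.locked = True  # temporary lock; an unlock routine would clear both fields
        return self.locked

    def password_expired(self, now: float) -> bool:
        return now - self.password_set_at > MAX_PASSWORD_AGE_DAYS * 86400

    def session_idle_expired(self, now: float) -> bool:
        return now - self.last_activity > IDLE_TIMEOUT_SECONDS
```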
Be sure to check the full list of regulations as well as others within your industry to ensure both compliance and protection.