The days of peering over someone’s shoulder while they type in their password have long gone. Hackers use sophisticated software to crack your password, and depending on the length and character set of that password, it could be cracked in less than a minute.
Something as simple as your phone passcode or the PIN on a debit/credit card, normally four digits, only has 10 possible values per digit. That means there are 10,000 possible combinations. That’s definitely too many attempts for a human, but password cracking software can get through that many combinations in milliseconds.
Worried yet?
Before you pack your bags and attempt to live an off-grid lifestyle, try some of these tips for securing your passwords and if you can, share these tips with your staff to build awareness in your company.
Mix Characters and Increase Length
Let’s approach these tips from the angle of a hacker. Let’s pretend I am a hacker and you are an employee of a firm who has not received any training or guidelines on the use of passwords. When you started, you were given accounts and created passwords for all the systems you have access to. It’s highly likely that many, if not all, of these passwords were the same. It’s also likely that this password is between 6 and 8 characters long, so that you can easily remember it.
Let’s look at some stats found by Kevin Fogarty in IT World. A six-character password (lowercase letters and numbers only, no symbols) has 2.25 billion combinations.
- Using a web app hitting the site with 1,000 guesses per second, I can crack that in 3.7 weeks.
- If I went offline and used high powered servers or desktops, I could guess at a rate of 100 billion a second and crack your password in 0.0224 seconds.
- If I went even further and used parallel multi-processing clusters, I could guess at a rate of 100 trillion a second and crack your password in 0.0000224 seconds.
If you add a symbol and make your password ten characters long, you can make it significantly harder for me to crack your password.
- Using a web app – 54.46 million centuries.
- Offline with high powered servers – 54.46 years.
- Offline with parallel multi-processing clusters – 2.83 weeks.
If I am super determined, I might spare a few weeks, but I would only do that if I knew for sure you had a pot of gold behind that password. Otherwise, what’s the point? I could be doing a lot more with my life.
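The arithmetic behind those figures is simple: count the candidates a brute-force search must try, then divide by the guess rate. The following is an added example, not code from the article or from IT World; the three guess rates are the ones quoted above, while the alphabet sizes (26 lowercase, 26 uppercase, 10 digits, 33 printable symbols) are my own assumptions, so the ten-character figures will not match the article's exactly (its calculator used an unstated alphabet). By default it counts every password up to the given length, because a brute-forcer walks through the shorter ones first.

```python
# Added example (not from the article): brute-force keyspace and time-to-crack
# arithmetic. Guess rates are the three quoted in the article; alphabet sizes
# are assumptions for illustration.

# Guesses per second for each scenario described in the article.
RATES = {
    "online web app": 1_000,
    "offline high-powered servers": 100_000_000_000,
    "offline parallel clusters": 100_000_000_000_000,
}

SECONDS_PER_WEEK = 7 * 24 * 3600
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_size(lower=True, upper=False, digits=False, symbols=False):
    """Size of the alphabet a password is drawn from (symbols assumed to be the
    33 printable ASCII punctuation characters)."""
    size = 0
    if lower:
        size += 26
    if upper:
        size += 26
    if digits:
        size += 10
    if symbols:
        size += 33
    return size


def keyspace(alphabet, length, include_shorter=True):
    """Number of candidates an exhaustive search must try. By default this
    counts every password of 1..length characters, since a brute-forcer
    exhausts the short ones before reaching the full length."""
    if include_shorter:
        return sum(alphabet ** n for n in range(1, length + 1))
    return alphabet ** length


def crack_times(alphabet, length):
    """Worst-case seconds to exhaust the keyspace at each quoted rate."""
    space = keyspace(alphabet, length)
    return {name: space / rate for name, rate in RATES.items()}


def human(seconds):
    """Render a duration in the unit the article uses for that magnitude."""
    if seconds < 60:
        return f"{seconds:.4g} seconds"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_WEEK:.3g} weeks"
    if seconds < 100 * SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_YEAR:.3g} years"
    return f"{seconds / SECONDS_PER_YEAR / 100:.3g} centuries"


def report(label, alphabet, length):
    print(f"{label}: {keyspace(alphabet, length):,} candidates")
    for name, secs in crack_times(alphabet, length).items():
        print(f"  {name:30s} {human(secs)}")


if __name__ == "__main__":
    # Six lowercase letters and digits: the article's weak password.
    report("6 chars, a-z0-9", charset_size(lower=True, digits=True), 6)
    # Ten characters drawn from the full printable set: the stronger one.
    report("10 chars, full set", charset_size(True, True, True, True), 10)
```

Run it and the six-character case comes out at about 3.7 weeks online and a few hundredths of a second offline, matching the article; the useful lesson is in the ratio between the two ten-character rows, which shows why a breached password database (offline guessing) is so much more dangerous than guessing against a live login form.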
Use a Unique Password for All Accounts
It seems like an obvious one, but you would be surprised at how many people do not do this (80%+ reuse passwords, according to a recent study). If I hack your password, I’m going to try to log into all the major online services I think you are signed up to. I’m not going to be satisfied with only having access to your emails. I will use your emails to determine what other services you have, and I will try to use the same password to log into those.
Who knows, I might find a way into your work email and then an internal work system that keeps track of customer financial data. Gold mine.
If you’re having trouble remembering all of those passwords, which I expect you will because you are not Sheldon from the Big Bang Theory, then use a password manager. If you are running a business, have a password manager as part of your internal system. Staff can store and share passwords intra- or cross-departmentally.
Techradar has published this list of best password managers in 2016. LastPass is the number one password manager, according to Techradar and even includes a password generator to help you create more secure passwords.
Don’t Use Personal Information in Your Passwords
I suppose it is more convenient and easy to create a password that has memorable information in it - your birthday or the birthday of someone you know, your street name, your own name or the name of a family member, even the name of a pet.
In the event you have opted for convenience over security, you just made my life a whole lot easier. Remember that password cracking software I mentioned earlier? Well, many of these tools come with a feature where I can add your personal information, and they will use it to guess your password.
This is even better for me because I can crack longer passwords much quicker than I could if your password was completely random.
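The defensive counterpart is to reject such passwords at the point where they are set, using the same details an attacker would feed into a cracker. The following is an added example and not code from the article: a check that undoes the common character swaps people use to disguise a word (`@` for `a`, `0` for `o`, `$` for `s` and so on), then looks for the user's name, street, pet and birthday in the candidate password. The profile fields, the substitution table and the sample profile are all constructed for illustration.

```python
# Added example (not from the article): reject a candidate password that is
# built from the user's own details. Profile fields, substitution table and
# the sample profile are assumptions for illustration.
import re
from datetime import date

# Swaps people commonly use to "disguise" a word; the checker undoes them so
# that "Sm1th" is still recognised as "smith".
SUBSTITUTIONS = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                               "0": "o", "$": "s", "5": "s", "7": "t"})

MIN_FRAGMENT = 4  # ignore very short fragments to limit false positives

# Constructed sample profile of the kind an HR system or social media holds.
SAMPLE_PROFILE = {
    "first_name": "John",
    "last_name": "Smith",
    "pet": "Buddy",
    "street": "Maple Avenue",
    "birthday": date(1990, 7, 3),
}


def normalize(text):
    """Lower-case, undo leet substitutions and drop non-alphanumerics."""
    return re.sub(r"[^a-z0-9]", "", text.lower().translate(SUBSTITUTIONS))


def date_tokens(d):
    """Digit strings a person is likely to type for a date (YYYY, DDMM,
    MMDD, DDMMYYYY, MMDDYYYY, YYYYMMDD)."""
    return {
        f"{d.year}",
        f"{d.day:02d}{d.month:02d}", f"{d.month:02d}{d.day:02d}",
        f"{d.day:02d}{d.month:02d}{d.year}", f"{d.month:02d}{d.day:02d}{d.year}",
        f"{d.year}{d.month:02d}{d.day:02d}",
    }


def personal_tokens(profile):
    """Flatten a profile into the fragments a guesser would try first."""
    tokens = set()
    for value in profile.values():
        if isinstance(value, date):
            tokens |= date_tokens(value)  # kept as raw digits
        else:
            for word in re.split(r"\s+", str(value)):
                norm = normalize(word)
                if len(norm) >= MIN_FRAGMENT:
                    tokens.add(norm)
    return tokens


def contains_personal_info(password, profile):
    """Return the longest personal fragment found in the password, or None.
    Dates are matched against the raw digits, words against the leet-folded
    form, so "Rex1990!" and "Sm1th!99" are both caught."""
    raw = re.sub(r"[^a-z0-9]", "", password.lower())
    folded = normalize(password)
    for token in sorted(personal_tokens(profile), key=len, reverse=True):
        if token in raw or token in folded:
            return token
    return None


if __name__ == "__main__":
    for candidate in ("Sm1th!99", "Rex1990!", "correct-horse-battery"):
        hit = contains_personal_info(candidate, SAMPLE_PROFILE)
        print(f"{candidate!r}: {'rejected (' + hit + ')' if hit else 'accepted'}")
```

A check like this belongs next to the usual length and breach-list checks when a password is created or changed; it does not replace them, since a password with no personal fragments can still be short or previously leaked.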
Use Two-Factor Authentication
Even if you had two-step authentication, there are still ways I could crack your password.
For those who don’t know, two-factor authentication involves adding another factor for verifying your identity and logging you in. For example, a service may ask for your password in combination with your fingerprint, a push notification to your phone, or even a token/smartcard. Two-step authentication is where there is a second step (i.e. a second password).
Some of the top password cracking tools contain features that allow you to crack the second step as well, assuming that step is also a password and not another factor.
Two-factor authentication isn’t a lost cause. In fact, if you use it in combination with a strong password, it would be exponentially harder for me to crack. And if your password gets too hard to crack, I am just going to move on to someone who is an easier target.
Many web services and applications let you turn on two-factor authentication in the settings, but some do not. If I were doing my part for society, which I’m not because I am a hacker, I would think about contacting those services and telling them how they could really help their customers by implementing a second authentication factor.
If you are a business, you can implement a second factor for all of your employees who are entering systems where the most sensitive or confidential data is stored. A good place to start is by doing an audit of all your data, systems and the people who have access to it. This will help you decide the scope of the project and get the right company on board to help you.
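To make the difference between a second password and a second factor concrete, here is an added example (not code from the article) of the server side of the time-based one-time code an authenticator app produces: RFC 6238 TOTP built on RFC 4226 HOTP, using only the Python standard library. The secret is the test value from those RFCs; a real deployment generates a random per-user secret and protects it like any other credential. Two details a verifier must get right are shown: codes are compared in constant time, and a time step that has already been accepted is never accepted again, so a code that was seen once cannot be replayed within the drift window.

```python
# Added example (not from the article): server-side verifier for RFC 6238
# time-based one-time codes. The secret below is the RFC 4226/6238 test
# vector, not a value from the article.
import hashlib
import hmac
import struct
import time

TEST_SECRET = b"12345678901234567890"  # RFC test secret (ASCII digits)
STEP_SECONDS = 30                       # length of one TOTP time step
DIGITS = 6


def hotp(secret, counter, digits=DIGITS):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret, at=None, step=STEP_SECONDS, digits=DIGITS):
    """TOTP (RFC 6238): HOTP with the counter set to the current time step."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // step, digits)


def verify_totp(secret, submitted, at=None, window=1, step=STEP_SECONDS,
                last_used=-1):
    """Accept the code for the current step or up to `window` steps either
    side (clock drift). Steps at or before `last_used` are refused so a code
    cannot be replayed. Returns the matching step, or None on failure; the
    caller stores that step as the new `last_used` for the user."""
    if at is None:
        at = time.time()
    current = int(at) // step
    for delta in range(-window, window + 1):
        candidate_step = current + delta
        if candidate_step <= last_used:
            continue
        # Constant-time comparison: do not leak how many digits matched.
        if hmac.compare_digest(hotp(secret, candidate_step), submitted):
            return candidate_step
    return None


if __name__ == "__main__":
    code = totp(TEST_SECRET)
    print("current code for the test secret:", code)
    step = verify_totp(TEST_SECRET, code)
    print("verified at step", step)
    # A second submission of the same code is refused.
    print("replay accepted?", verify_totp(TEST_SECRET, code, last_used=step) is not None)
```

The point the article makes about "two-step" schemes applies here: a cracking tool can guess a second static password, but a code derived from a secret held on the user's device and the current time changes every 30 seconds, so guessing it offline buys an attacker nothing.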
Don’t Opt for Moving Off-Grid Just Yet…
Hackers are rarely as sophisticated as the guys from the series Mr Robot. Most of the time they are looking for buckets of data they can sell, or they are just testing systems for vulnerabilities they can exploit. As soon as they find something is too difficult to crack, they will leave it alone.
A strong password, password management and two-factor authentication are the three tools you have to ensure your password is impervious to the bad guys.