We get it – managing passwords is no fun. In today’s age of Cloud based applications, we now need to manage and remember hundreds of passwords in order to properly do our jobs. The need to continually change these passwords or create new ones to access new tools leads us to forget existing passwords and reset them more often than we would like to admit.
Our initial thoughts to make our lives easier may be to always reuse the same password across multiple accounts. However, if your password from any of these accounts gets compromised due to a data breach – you are ultimately giving hackers access to all of your online applications where they may gain access to sensitive company and personal information.
Reusing passwords across various systems and websites is a major risk once a cybercriminal identifies one of your passwords. They will try to re-use that password anywhere they think you may have a personal or professional account. Often this process is automated, and access can be gained quicker than the length of time it would take you to reset all your passwords.
Also be aware that using your company email address as a username or reusing passwords across multiple systems and websites may be a violation of your company's policies potentially putting your job at risk.
Create a strong password
When creating a password for a system or website - always use unique, strong passwords. Here are some tips to creating a strong password:
- Never use a single word as it may appear in a dictionary.
- Avoid using words or numbers that could be associated with you. Examples may be your date of birth, a family member’s name (including your pets).
- Your password should be a minimum of 8 characters and up to 64 using numbers, alphanumeric characters and symbols.
- When permitted, use what is called a passphrase. A passphrase is a collection of words or a phrase that is easy for you to remember.
- When available, always enable 2fa (Two-Factor Authentication).
So, how can hackers and cybercriminals steal your passwords?
Hackers typically use a method called “brute force attack”. A brute force attack typically consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing it correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found. Hackers will often use tools that would allow them to run hundreds if not thousands of password combinations within seconds if a web application or system is not well-developed to prevent these types of attacks.
A brute force attack often uses what is called a “dictionary attack”. A dictionary attack is based on trying all the words in a prearranged listing. Such attacks originally used words one would find in a dictionary (hence the phrase dictionary attack), however there are now much larger lists available on the Internet that contain hundreds of millions of passwords recovered from past data breaches.
There is also software that can use such lists and produce common variations, such as substituting numbers for similar-looking letters or characters. Dictionary attacks often succeed because many people have a tendency to choose short passwords that are ordinary words or common passwords by appending a digit or punctuation character. Dictionary attacks are difficult to defeat, since most common password creations techniques are covered by the available lists, combined with cracking software pattern generation.
Outsmarting a hacking attempt
The good news is that brute force attacks and dictionary attacks can be outsmarted by using the following methods:
- Use a passphrase with mismatched words that you may find easy to remember. Some sources indicate that a common password can be hacked in as little as 18 milliseconds, while a four word passphrase (when properly selected) can take thousands of years to crack. If you need some ideas for creating a random passphrase, try this tool: https://www.useapassphrase.com/
- Always use two-factor authentication. Two-factor authentication is a security measure designed to add a second layer of authentication when accessing your applications or accounts. These can be in a form of a text message, a verification email, or a special code that changes every 20 seconds on your mobile device. Without this additional code, cybercriminals can not access your account even if they manage to crack your password. This additional verification should be used for accessing ALL your critical systems.
We now know the importance of creating and maintaining secure passwords and pass phrases. But, how are we supposed to remember all of these passwords and passphrases for so many websites?
The answer is with a strong password manager. A good password manager allows you to securely store your passwords in a central encrypted password vault which can only be decrypted from your computer using a strong master secret. The compromise of the master secret to a password vault would require all passwords in the vault to be recreated. However, many password managers today provide two-factor capability and are designed in a way that cloud password services are not able to access the vault, even if compromised. Password managers contain much information that is valuable to cyber criminals, making them high-value targets, so securing these vaults is essential.