All About Passwords

April 20, 2020

Is there anything more annoying than managing passwords? Creating them, remembering them, losing them: it’s a hassle! However, it’s important to take password management seriously. Passwords are your first line of defense in cybersecurity. If someone gets hold of your password, it’s game over for whatever that password was meant to protect.

In this article, we’ll first take a look at how cybercriminals try to defeat or steal your passwords. We’ll then discuss what goes into making a secure password, as well as additional security measures you can use to protect yourself online.

How Passwords Can Be Defeated

Before we can create a strong password, we need to know what a weak password looks like, and where passwords can fall short. Let’s take a look at a few of the ways passwords can be defeated.

Your Passwords Are Being Leaked All the Time

Have you ever had an account on Yahoo.com? How about Facebook? Ever play the game Words with Friends on a smartphone, use eBay, or booked a room with Marriott?

If you answered yes to any of these questions, some of your personal data was likely exposed online. All of these companies have suffered massive cybersecurity breaches in the past decade. In some cases, the leaked information included usernames and passwords.

The impact of a data breach can extend far beyond the site that was originally affected. This is because attackers will try to use the leaked username/password combinations on other websites. For example, they might take your Yahoo password and try it over at TD Bank, Capital One, Wells Fargo, and any other site they can think of. If you’re using the same password there as you used at Yahoo, you could be in big trouble. This brings us to the first cardinal rule of passwords:

Rule #1: Never re-use passwords. Especially do not use the same password for all of your accounts. Set a unique password for every site you use. This way, attackers can not access all your accounts by obtaining the password for just one.

You can see if one or more of your passwords have been exposed by visiting the website Have I Been Pwned? and entering your email address. “Pwn” is slang for compromising a computer system. The site will alert you if you have accounts on any sites that suffered a data breach.

Someone Is Trying to Steal Your Password!

Another way cybercriminals might get your password is by stealing it. The most common method is phishing, where attackers send a fake email that’s meant to imitate a legitimate site. For example, they might direct you to face-book.net instead of the real facebook.com in the hopes that you’ll be tricked into entering your Facebook password. Since they control the phony site, they can grab any passwords that are entered there and use them to access your account on the real Facebook.

It’s important to keep a sharp eye out for phishing attacks. Always check the URL of any page you visit to make sure it is legitimate. You should also check that the From address on emails is what you expect it to be.

Always check the URL in the browser’s address bar before signing in.

Edit June 2020: Read our full post on phishing here.

Someone Is Trying to Guess Your Password

Believe it or not, it’s also possible for attackers to simply guess what your password is. Today’s password-cracking software can make thousands of guesses in just a few minutes. These automated programs will often try every word in the dictionary, including proper nouns like names, cities, and streets.

If you are being specifically targeted, the attacker will try to gather as much information as possible that could be part of your password to help him or her along. For example, with a simple online search they may be able to discover your middle name, mother’s maiden name, street name, pets’ names, favorite sports teams, and the list goes on. If you are using any of these as your password, it won’t be hard for a cybercriminal to guess their way into your account.

Don’t think you can fool the attacker by using substitute characters, either. For example, some people may think they are being clever by using G1@NTS123 instead of GIANTS123. Nope! Everyone knows this trick by now, and attackers will try these kinds of combinations as part of their guessing game.

We come to our next cardinal rule:

Rule #2: Never use personal information in your passwords. Passwords should be completely random and use multiple words, or random letters and numbers.

It’s also important to use long passwords to prevent them from being guessed. For example, a password that is 6 characters long can be cracked by a fast computer in less than 15 minutes. The computer simply tries every possible combination of numbers, letters, and symbols until it finds the right one. This is called a brute force attack. Add just three more characters, for a total of 9, and the brute force cracking time becomes over 10 years! Every extra character multiplies the number of combinations the attacker has to try. The takeaway: longer passwords are better.

Rule #3: Use long passwords!

Creating Strong Passwords

Based on what we’ve learned, we know what we need to avoid when creating passwords. The perfect password is:

  • Long; 10 characters or more is a good start.
  • Unique; never re-use passwords.
  • Random; use multiple random words, or random strings of letters, numbers, and symbols.

Example Passwords

Strong passwords of random text would be something like:

  • Nd6RD2G$:vD2}6ua
  • wV’^%M!4cgHbm`Y&
  • t.%D9tHj@$A(7-yW

Some good random-word passwords are:

  • KitchenPenguinChoiceJoyfully
  • GlistenFedoraUncorruptCrib
  • CountingUngreasedSixtiethTwistable

I find random-word passwords easier to use and remember. Obviously, don’t use any of these as actual passwords! They’re just examples.

Tools are available to help you create random passwords. PasswordsGenerator.net creates random jumbles. Online versions of the Diceware system, like this one at Glenn Rempe’s site, can create word-based passwords.
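To show how the two password styles above are generated and why the “longer is better” argument from the brute force section holds, here is an added Python example that is not part of the original post or of any tool it mentions. It draws random characters and random words with the operating system’s secure random source (`secrets`), and it computes the entropy and worst-case brute force time for a given password shape. The short word list, the 94-character printable alphabet, and the guessing rate of one billion guesses per second are assumptions made for the example; a real Diceware list has 7776 words, which is the figure the entropy calculation uses.

```python
import math
import secrets
import string

# Constructed stand-in for a Diceware word list. A real list has 7776 words
# (one per combination of five dice rolls); that size is used for the entropy math.
SAMPLE_WORDS = [
    "kitchen", "penguin", "choice", "joyfully", "glisten", "fedora",
    "uncorrupt", "crib", "counting", "ungreased", "sixtieth", "twistable",
]
DICEWARE_LIST_SIZE = 7776

# Letters, digits and punctuation: 94 printable ASCII characters (assumed alphabet).
PRINTABLE = string.ascii_letters + string.digits + string.punctuation


def random_characters(length, alphabet=PRINTABLE):
    """Random-jumble password. secrets.choice uses the OS CSPRNG; random.choice is
    predictable and must never be used for passwords."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_words(count, wordlist=SAMPLE_WORDS, separator=""):
    """Diceware-style passphrase: each word is picked uniformly and independently,
    so the entropy depends only on the list size and the word count."""
    return separator.join(secrets.choice(wordlist).capitalize() for _ in range(count))


def entropy_bits(choices_per_position, positions):
    """Bits of entropy for `positions` independent picks from `choices_per_position` options."""
    return positions * math.log2(choices_per_position)


def worst_case_brute_force_seconds(choices_per_position, positions, guesses_per_second):
    """Seconds to try every combination at an assumed guessing rate (worst case for the attacker)."""
    return choices_per_position ** positions / guesses_per_second


if __name__ == "__main__":
    rate = 1e9  # assumed: one billion guesses per second
    print("random characters:", random_characters(16))
    print("random words:     ", random_words(4))
    for length in (6, 9, 16):
        secs = worst_case_brute_force_seconds(len(PRINTABLE), length, rate)
        print(f"{length} chars: {entropy_bits(len(PRINTABLE), length):.1f} bits, "
              f"{secs / 86400 / 365:.2e} years to exhaust")
    print(f"4 Diceware words: {entropy_bits(DICEWARE_LIST_SIZE, 4):.1f} bits")
```

Running the script reproduces the post’s contrast: six printable characters are exhausted in about eleven minutes at that rate, while nine characters take roughly eighteen years, because each added character multiplies the search space by 94. A four-word Diceware passphrase (about 52 bits) is easier to remember than a nine-character jumble while being comparably strong, which is the reason the word-based examples above are recommended.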

Rule #4: Use completely random passwords.

Keeping Track of Your Passwords

You may ask how you’re ever supposed to remember long, random passwords. This is where a password manager comes into play.

A password manager is a program or service that keeps track of your passwords for you. Access to your passwords is controlled by a master password, which should be very strong. Once you log in using the master password, you have access to all of your usernames and passwords. You can conveniently copy and paste the passwords into different websites as you log in.

You have two options for password managers. One is to use an online service, such as 1Password.

Edit 2020-5-5: Since this post first ran, I have also become aware of the excellent Bitwarden password manager. Because Bitwarden is open-source and its code is fully auditable, it is arguably even more secure than 1Password. Visit the Bitwarden site here.


Sample of the 1Password password manager.

Of course, there is an element of trust when using an online password manager. Though 1Password and similar services claim that they are totally unable to access your passwords, that mostly has to be taken on faith. You can read more about their security policy here.

For the tech-savvy and/or paranoid, you can use a program that lives locally on your own computer. KeePass is a great password manager for those who prefer to keep their database offline. KeePass is also open-source, meaning that its underlying code is made public, so you can trust that nothing nasty is happening behind the scenes.


KeePass is a good choice for those who prefer an offline password manager.

However, the additional security of using an offline password manager comes with a trade-off: If you use a local program like KeePass, YOU ALONE are responsible for backing up your password database and master password. If you lose them, they are gone forever.

1Password does back up your password database, but like KeePass, there is no way to reset your master password. Do not lose your master password for your password manager!

You should definitely memorize your master password, but also be sure to keep a copy of it somewhere. Writing it on paper and keeping it offline is a good idea, because you can still recover your password even if something happens to your computer (plus, you can’t hack a piece of paper). For extra security, don’t write down what the password is for. You could also ask a friend or relative you trust to store the password for you.

Rule #5: Use a password manager.

Beyond Passwords: Two-Factor Auth

In spite of all your efforts, there is still a chance that your passwords could be stolen or exposed. As I love to say: 99.9% secure still leaves .01%! And no, there is no such thing as 100% either.

To improve your security even further, you need to set up two-factor authentication (also known as “2FA”, or multi-factor authentication, “MFA”). You’ve probably already used two-factor authentication on some sites, such as for online banking. With MFA, you enter your password and are then asked to supply an additional piece of information, such as a code sent via text message or from an app.

Multi-factor authentication significantly improves your login security. Even if someone has your password, they will not be able to receive the additional code needed to sign in. We recommend setting up 2FA on all of your sensitive accounts, such as for email or online banking. If you aren’t sure how to set up MFA for a specific site, just search Google. For example, for Gmail, search for “Set up MFA for Gmail”.

Rule #6: Use two-factor authentication.

Don’t Do This!

A large portion of password security relies on knowing what not to do. To that end, it seemed worthwhile to give a quick summary of what to avoid:

  • Don’t use the same password everywhere. Create unique passwords for every account.
  • Don’t use a short password. Use at least 10 characters.
  • Don’t make your passwords easy to guess. Never use personal information like your name, favorite sports team, or pet’s name for a password. Use completely random letters and numbers, or several random words.
  • Don’t save your passwords in an unencrypted document on your computer. Use a password manager instead.
  • Don’t leave your password on paper near your computer. No Post-It notes stuck to the screen with your passwords, please!
  • Don’t rely on passwords alone. Set up two-factor authentication for sensitive accounts.

Small Steps

Properly managing your passwords can be a daunting task. If your passwords seem weak or are the same for every site, don’t feel bad. You are not alone! Begin by taking some small steps. A good start would be to change the passwords for your most sensitive accounts, especially your email addresses and online banking sites. If you aren’t ready to set up a password manager, it’s OK to write down your passwords on paper and hide it somewhere in your house for now. It’s not perfect, but it’s better than nothing! Set aside a little time every week to change a few passwords and eventually set up your password manager, and before long you’ll be more secure than ever before.

Thanks for reading the Green Mountain IT Solutions Blog. This was one of the most time-consuming posts I’ve written yet, but it’s also probably the most important. For more great content, be sure to fill out the Subscribe form at the top right to have new posts emailed to you every week.
