26 Nov How to create a strong password
The best passwords will prevent brute force and dictionary attacks, but it’s also possible to make them easy to remember. Try these password ideas to make your accounts unbreakable.
Your passwords grant access to your own personal kingdom, so you are probably wondering what the best practices are for creating a strong password that protects your accounts against cybercriminals. If your passwords were part of a breach, you will want to change them immediately.
So, you may wonder what’s the solution? Uncrackable passwords. But before jumping to that, let’s first take a look at the various ways passwords can be hacked, so that you understand the most common methods being used today.
How does a password get hacked?
Cybercriminals have several password-hacking tactics at their disposal, but the easiest one is simply to buy your passwords off the dark web. There’s already big money in the buying and selling of login credentials and passwords on the black market, and if you’ve been using the same password for many years, chances are high that it has been compromised.
But if you’ve been wise enough to keep your passwords off the outrageous black market lists, cybercriminals have to crack them. And if that’s the case, they’re bound to use one of the methods below. These attacks can be aimed at your actual accounts or at a leaked database of hashed passwords.
Brute force attack
This attack tries every combination in the book until it hits on yours. The attacker automates software to try as many combinations as possible in as short a time as possible, and there has been some unfortunate headway in the evolution of that tech. A chart from the University of South Wales shows that, while brute force attacks are considered slow, they can still crack a 6-character alphanumeric (upper and lower case) password in 33 minutes. However, cracking the same kind of alphanumeric password with 10 characters would take 150 years. If nothing else, brute force attacks teach us that password length is very important. The longer, the better.
Dictionary attack
This attack is exactly what it sounds like — the hacker is essentially attacking you with a dictionary. Whereas a brute force attack tries every combination of symbols, numbers, and letters, a dictionary attack tries a prearranged list of words such as you’d find in a dictionary.
If your password is indeed a regular word, you’ll only survive a dictionary attack if your word is wildly uncommon or if you use a multiple-word phrase, like LaundryZebraTowelBlue. Such multi-word passphrases outsmart a dictionary attack because the number of possible phrases grows to the size of the word list raised to the power of the number of words used, meaning the more words in the passphrase, the better.
Phishing
That most disgusting of tactics — phishing — is when cybercriminals try to trick, intimidate, or pressure you through social engineering into unwittingly doing what they want. A phishing email may tell you (falsely) that there’s something wrong with your credit card account. It will direct you to click a link, which takes you to a phony website built to resemble your credit card company. The scammers stand by with bated breath, hoping the ruse is working and that you’ll now enter your password. Once you do, they have it.
Phishing scams can try to capture you through phone calls too. Be careful of any robocall you get claiming to be about your credit card account. Notice the recorded greeting doesn’t specify which credit card it’s calling about. It’s a sort of test to see if you hang up right away or if they’ve got you “hooked.” If you stay on the line, you will be connected to a real person who will do what they can to wheedle as much sensitive data out of you as possible, including your passwords.
The composition of a strong password
Now that we know how passwords are hacked, we can create strong passwords that outplay each attack (though the way to outplay a phishing scam is simply not to fall for it). Your password is on its way to being uncrackable if it follows these three basic rules.
Don’t be silly
Stay away from the obvious. Never use sequential numbers or letters, and for the love of all things cyber, do not use “password” as your password. Come up with unique passwords that do not include any personal info such as your name or date of birth. If you’re being specifically targeted for a password hack, the hacker will put everything they know about you in their guess attempts.
Can it be brute force attacked?
Keeping in mind the nature of a brute force attack, you can take specific steps to keep the brutes at bay:
Make it long. This is the most critical factor. Choose nothing shorter than 15 characters, more if possible.
Use a mix of characters. The more you mix up letters (upper-case and lower-case), numbers, and symbols, the more potent your password is, and the harder it is for a brute force attack to crack it.
Avoid common substitutions. Password crackers are hip to the usual substitutions. Whether you use DOORBELL or D00R8377, the brute force attacker will crack it with equal ease. These days, random character placement is much more effective than common leetspeak* substitutions. (*leetspeak definition: an informal language or code used on the Internet, in which standard letters are often replaced by numerals or special characters.)
Don’t use memorable keyboard paths. Much like the advice above not to use sequential letters and numbers, do not use sequential keyboard paths either (like qwerty). These are among the first to be guessed.
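An added example, not from the original post, that turns the four rules above into a check: length, character mix, sequential runs and keyboard paths, and dictionary words even after the usual leetspeak substitutions are undone (the page's DOORBELL / D00R8377 case). The wordlist and the leetspeak table are constructed for this example; a real check would use a full dictionary or breach list.

```python
import re
from itertools import islice, product

MIN_LENGTH = 15  # the page's "nothing shorter than 15 characters"
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
COMMON_WORDS = {"password", "doorbell", "pantomime", "welcome", "letmein"}  # constructed wordlist
# Assumed leetspeak table: each character maps to every letter it commonly stands for.
LEET = {"0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "7": "tl",
        "8": "b", "@": "a", "$": "s", "!": "i"}

def leet_variants(pw, limit=256):
    """Yield lowercase spellings of pw with every leet character undone in each possible way."""
    choices = [LEET.get(ch, ch) for ch in pw.lower()]
    for combo in islice(product(*choices), limit):  # cap the expansion for leet-heavy input
        yield "".join(combo)

def contains_common_word(pw):
    """True if a wordlist entry appears in pw once leet substitutions are reversed."""
    return any(word in variant for variant in leet_variants(pw) for word in COMMON_WORDS)

def has_sequence(pw, run=4):
    """True for runs of sequential letters or digits such as abcd, 1234 or 4321."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]
        if not (chunk.isalpha() or chunk.isdigit()):
            continue
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False

def has_keyboard_path(pw, run=4):
    """True if pw contains adjacent keys along a keyboard row (like qwerty), in either direction."""
    low = pw.lower()
    rows = KEYBOARD_ROWS + [row[::-1] for row in KEYBOARD_ROWS]
    return any(row[i:i + run] in low for row in rows for i in range(len(row) - run + 1))

def check_password(pw):
    """Return the page's rules that pw violates; an empty list means it passes them all."""
    classes = sum(re.search(p, pw) is not None for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z\d]"))
    rules = [
        (len(pw) < MIN_LENGTH, "too short"),
        (classes < 3, "too few character classes"),
        (has_sequence(pw), "sequential characters"),
        (has_keyboard_path(pw), "keyboard path"),
        (contains_common_word(pw), "dictionary word (even with leet substitutions)"),
    ]
    return [message for violated, message in rules if violated]
```

On the page's own examples, check_password("D00R8377") reports a dictionary word because one of its de-leeted spellings is doorbell, while a long random mix such as Xk7$vLq2#pRw9!mTz4 passes every rule.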
The best password methods (and great password examples)
The sentence method
This method is also described as the “Bruce Schneier Method.” The idea is to think of a random sentence and transform it into a password using a rule. For example, taking the first two letters of every word in “The Old Duke is my favorite pub in South London” would give you:
The revised passphrase method
Use proper nouns, the names of local businesses, historical figures, any words you know in another language, etc. A hacker might guess Pantomime, but he or she would find it ridiculously challenging to try to guess a good password example like this:
PantomimeAnnyeongSaranghaeyoSoulCalibur
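As an added example that is not part of the original post, the sentence rule above applied to the page's own sentence, together with the count from the dictionary-attack section: a phrase of several words gives the attacker wordlist-size to the power of the word count candidates, compared with the charset to the power of the length for a random string. The wordlist size and the guess rate are assumptions chosen for illustration.

```python
import math

MIXED_CASE_ALPHANUMERIC = 62       # a-z, A-Z, 0-9: the charset in the page's brute-force example
WORDLIST_SIZE = 7776               # assumed size of a typical passphrase wordlist
GUESSES_PER_SECOND = 10**9         # assumed attacker speed, purely illustrative

def sentence_method(sentence, letters=2):
    """The page's rule: keep the first `letters` letters of every word, preserving case."""
    return "".join(word[:letters] for word in sentence.split())

def brute_force_candidates(charset_size, length):
    """Strings an exhaustive search must cover for a random password of this length."""
    return charset_size ** length

def passphrase_candidates(vocab_size, words):
    """Phrases an attacker who knows the wordlist must try: vocabulary ^ number of words."""
    return vocab_size ** words

def years_to_exhaust(candidates, guesses_per_second=GUESSES_PER_SECOND):
    """Worst-case time to try every candidate at the assumed guess rate."""
    return candidates / guesses_per_second / (365.25 * 24 * 3600)

if __name__ == "__main__":
    password = sentence_method("The Old Duke is my favorite pub in South London")
    print(password, len(password))
    for length in (6, 10):  # the page's 6- versus 10-character comparison
        years = years_to_exhaust(brute_force_candidates(MIXED_CASE_ALPHANUMERIC, length))
        print(f"{length} chars: {years:.2e} years")
    for words in (1, 4):  # one dictionary word versus a phrase like LaundryZebraTowelBlue
        bits = math.log2(passphrase_candidates(WORDLIST_SIZE, words))
        print(f"{words} word(s): {bits:.1f} bits of search space")
```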
Recommended ways to improve your password portfolio
All of the above methods help to strengthen your passwords but aren’t very workable, given that the average person uses dozens of them. Let’s review a few ways we recommend: use new complex passwords and a password manager, install an authenticator app on your smartphone, and purchase new hardware. Each of these can help with better and more secure authentication.
Be careful who you trust
Security-conscious websites hash their users’ passwords so that even if the data gets out, the actual passwords are not exposed in plain text. But other websites don’t bother with that step. Before starting up accounts, creating passwords, and entrusting a website with sensitive info, take a moment to evaluate the site. Does it use HTTPS (the padlock in the address bar), ensuring an encrypted connection? Do you get the sense it is up on the newest security standards of the day? If not, think twice about sharing any personal data with that website.
Use multi-factor authentication
Multi-factor authentication (MFA) adds an extra layer of protection (which becomes your first layer of protection should your account details ever get leaked). It has become the new industry standard for effective security. In another blog post, we explain how it is used and how you can add MFA to common social accounts such as Twitter and Facebook. MFA requires something in addition to a password, such as biometrics (fingerprint, eye scan, etc.) or a physical token. This way, as simple or complex as your password is, it’s only half of the puzzle.
You may find this article interesting too:
9 Apps Where You Can Set Up A Two-Factor Authentication
Additional security tips surrounding passwords
Protect your login information further with these common sense, high-security tips:
Use a VPN when on public Wi-Fi. That way, when you log into accounts, no one is intercepting your username and password.
Never text or email anyone your password.
When selecting security questions while creating an account, choose hard-to-guess options to which only you know the answer. Many questions have easy-to-find answers in social channels with a simple search, so beware and make sure you choose your security questions wisely.
When you’re done, take the time to tell your family and friends to protect themselves too. Breaches continue to happen, so just by sharing this blog post with friends and family, you will be helping your inner circle to protect themselves.
Remember, at SOS Support we offer peace-of-mind security solutions for your company so that your systems will be safer. Contact us!