Passwords are now an everyday nuisance. Every time you want to read your webmail, edit a file on Dropbox, Skype call someone, or even unlock your phone, you need to enter a password. We all take this security for granted and expect our passwords to remain just that: ours. Unfortunately, in today’s day and age, we get hacked. Chances are, if you are reading this, you have already been hacked. Most people won’t even realize they have been hacked; however, if you have EVER used Dropbox/LinkedIn/Myspace/Adobe/Target/Yahoo, then your password has absolutely been taken. What do we do from here? Let’s explain the basics of password security, and how to avoid being completely taken.
Password brute-force attacks follow a standard pattern. They start with the letter A and work through to Z, then try AA through ZZ, and continue on from there. They mix in symbols and numbers as well. This takes a very long time; however, if the attacker has direct access to the computer, MANY passwords can be tried very quickly. Ultimately this is the most time-consuming attack, but it is guaranteed to produce results given enough time. When your password goes from 8 characters to, say, 12 characters, that time increases exponentially. A rough calculation shows that an 8-character password can be cracked in under 42 minutes, while a 12-character password will take up to 100 years. It is as simple as adding the word ‘here’ to your current password!
Funky Characters Not So Much
Sure, the password “Dn<398^$2@!]” (485,000 years to crack) is more secure than “Hereismypass” (300 years to crack), but who in their right mind can actually remember that?! Don’t make the password so difficult to type that you will forget what it is and ultimately have to reset it back to “password” just so you can sign in!
Phrasing Is Critical
The easiest way to create a secure password is to take your favorite phrase and modify it slightly. For example, rather than “Abbey0712” (4 days), try “MyDaughterAbbeyBorn0712” (133 sextillion years!). Keep in mind, some sites/services won’t allow a password that long, but come up with something unique to you. “TodayIsAGreatDay12” works great on 99% of sites out there, and you literally can’t forget it!
The next thing to avoid is password reuse. What does that mean exactly? Well, your email password should be different from your Dropbox password, and your bank accounts should have a different password as well! This is easier than you think. Let’s say we like the “TodayIsAGreatDay” password; we can easily add the website name to the end of it. For example, “TodayIsAGreatDayWellsFargo” and “TodayIsAGreatDaydropbox”. They are secure AND easy to remember. Keep in mind, this isn’t perfect, but I guarantee it is better than what you are currently doing! Any improvement is just that, an improvement!

The real reason you MUST have different passwords for different sites is that any particular website might get hacked, and your password will get taken. Recently Yahoo had 500 million usernames and passwords taken from their site. Let’s say you had an email account with them and used the password “Jimmycat17”. Well, the hacker now has your email address and the password you used. They will then try to log into your bank accounts using that email and password. If you happen to use that same password at Bank of America, they will absolutely get into your account and take your money. They use scripts to check your email and password across a plethora of websites that might provide them value (Dropbox, banks, etc.), and then they have access to your personal files and money! Stay safe, and use different passwords for each service.
Don’t Get Phished
This paragraph really deserves an entire blog post dedicated to it, but we need to discuss it right now. A phishing scam is a website that looks identical to another website’s sign-in page. The scammers hope that you won’t recognize that you are being scammed and will type in your username and password.
To combat this, triple-check the address bar in your browser to make absolutely certain you are logging into the right website. Look to make sure that the domain ends in .com or .net (or whichever they use), and that there is a / immediately after the .com/.net.
You can see in the example above that the URL has a / right after the .com. This proves that you are signing into the correct website. Lots of phishing-based websites will have an address like “login.microsoftonline.com.somerandomsite.ru/”. This means you are actually on the website for ‘somerandomsite.ru’ and NOT on Office 365’s legitimate sign-in page. They will take your login credentials, and then you are in trouble!
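The address-bar check described above, as an added Python example (not code from the original post): it isolates the hostname, meaning everything between the scheme and the first /, and compares its last two labels with the site you expect, so an address in the somerandomsite.ru style fails the check. Treating the last two labels as the owner’s domain is an assumption that holds for .com/.net/.ru but not for suffixes like .co.uk.

```python
from urllib.parse import urlsplit


def registrable_domain(address: str) -> str:
    """Return the owner-level domain of what the address bar shows.

    The hostname is everything between the scheme and the first '/', with any
    user@ prefix and :port dropped. Assumption for this example: the owner-level
    domain is the last two labels (right for .com/.net/.ru, not for .co.uk).
    """
    if "://" not in address:
        # Address bars often hide the scheme; add one so urlsplit sees a host.
        address = "https://" + address
    host = (urlsplit(address).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return host if len(labels) < 2 else ".".join(labels[-2:])


def is_expected_site(address: str, expected_domain: str) -> bool:
    """True only when the part before the first '/' really ends in expected_domain."""
    return registrable_domain(address) == expected_domain.lower()


# Constructed sample addresses, modelled on the post's somerandomsite.ru example.
SAMPLES = [
    ("https://login.microsoftonline.com/", "microsoftonline.com"),
    ("login.microsoftonline.com.somerandomsite.ru/", "microsoftonline.com"),
    ("https://microsoftonline.com@somerandomsite.ru/login", "microsoftonline.com"),
    ("https://www.dropbox.com/login", "dropbox.com"),
]

if __name__ == "__main__":
    for address, expected in SAMPLES:
        verdict = "OK" if is_expected_site(address, expected) else "NOT the real site"
        print(f"{address:55} -> {verdict}")
```

The third sample shows why the text before the first / matters: a user@ prefix can carry the real site’s name while the browser actually connects to the host after the @.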
Stay safe out there everyone, and always practice safe online habits!