Practicing Strong Password Security to Protect Yourself from Hackers
Having a weak password might not seem like a big deal, but it can be dangerous both personally and professionally. In this post, we discuss what makes a password weak, how attackers take advantage of weak passwords, and how you can practice strong password security to protect yourself from hackers.
What Makes a Password Weak?
Everyone talks about the fact that strong passwords are a fundamental part of cyber security, but what makes a password weak or strong? A weak password is any password described by one of the following criteria:
- Too Short: A password should be a minimum of 8 characters (more is better)
- Too Simple: Passwords should include capital and lowercase letters, numbers, and symbols
- Reused: Passwords should be unique and never reused across multiple accounts
- Non-Random: Passwords should be random or pseudo-random
Odds are, you have at least one password that meets one of these criteria. If so, you should change it immediately.
For the record, taking a dictionary word and substituting numbers and special characters does not make it a strong password. There are fewer than 200,000 words in the English language, which a password guesser can check in minutes, even with all of the common substitutions. Adding numbers to the end (most people choose two, and they’re often a significant year like a birthday) also has negligible impact on password strength.
How Weak Passwords Are Dangerous
Having a weak password may not seem like much of a threat. Since you need to remember and type it regularly, making it secure might not seem worth the risk. However, there are several ways that attackers take advantage of poor password security.
Brute Force and Dictionary Attacks
A brute force password attack is when an attacker tries every possible password to crack an account. A dictionary attack is when they try variations of every word in a list of words looking for a hit. If your password is weak (violating one of the criteria listed above), one of these attacks will hit you.
The time it takes to brute-force a password grows exponentially with the length of the password: every character you add multiplies the number of guesses an attacker must make by the size of the character set. This means that short passwords are very easy to break, but they quickly get more difficult. Adding just a couple of characters to your password can have a huge impact on your cybersecurity.
The types of characters that you use in your password make a huge difference in security too. If an attacker knows that your password is all lowercase letters, they can take advantage of this to speed up cracking it. Think just because a password is eight characters it’s secure? With effective hardware, an all-lowercase eight-character password can take only a couple of hours to crack. Not bad for access to your bank account.
Reused and non-random passwords are vulnerable to dictionary attacks. If your password is in the attacker’s dictionary or similar enough to it, the cracking time is seconds. Random, unique passwords are critical to cybersecurity!
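To make the four criteria above and the length/character-set argument concrete, here is an added example (not code from the original post) that flags a password as too short, too simple, reused or a disguised dictionary word, computes the worst-case search space an exhaustive attacker faces, and generates a replacement from the OS random number generator. The word list and the guess rates are constructed stand-ins; a real check would load a full English word list.

```python
import re
import secrets
import string

# Constructed stand-in for an English word list; a real check would load the
# ~200,000-word list the text refers to (assumption: any plain-text word list).
WORDLIST = {"password", "welcome", "summer", "dragon", "monkey", "letmein"}

# Substitutions a cracker undoes before comparing a guess to its dictionary.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation]


def normalize(password: str) -> str:
    """Strip trailing digits/symbols and undo leet: 'Dr4g0n99!' -> 'dragon'."""
    core = re.sub(r"[0-9!@#$%^&*]+$", "", password)
    return core.translate(LEET).lower()


def charset_size(password: str) -> int:
    """Size of the union of character classes an attacker must search."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))


def keyspace(password: str) -> int:
    """Worst-case guesses for an exhaustive search: charset ** length."""
    return charset_size(password) ** len(password)


def weaknesses(password: str, used_before=frozenset()) -> list:
    """Return which of the four criteria from the text the password violates."""
    problems = []
    if len(password) < 8:
        problems.append("too short")
    if charset_size(password) < sum(len(cls) for cls in CLASSES):
        problems.append("too simple")
    if password in used_before:
        problems.append("reused")
    if normalize(password) in WORDLIST:
        problems.append("non-random")
    return problems


def generate_password(length: int = 16) -> str:
    """Draw from the OS CSPRNG and retry until all four classes are present."""
    if length < 8:
        raise ValueError("minimum length is 8 characters")
    alphabet = "".join(CLASSES)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not weaknesses(candidate):
            return candidate
```

Compare `keyspace("abcdefgh")` with `keyspace("abcdefghij")`: the two extra lowercase characters multiply the attacker's work by 676, which is the exponential growth the text describes.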
Data breaches have become more and more common, with at least one data breach a month exposing hundreds of thousands of records. Whether you know it or not, your password has probably been exposed on at least one of your online accounts. If you’re not sure, check out haveibeenpwned.com, where you can type in your email address and get a list of breaches where it (and its associated password) have been leaked when a company’s records were stolen and disclosed.
If you reuse the same password for multiple sites, a data breach can be the end of your personal cybersecurity. Hackers routinely check username and password combinations exposed in breaches against other sites in hopes of finding a repeat.
Even if you’ve never been breached and never repeat passwords, data breaches can hurt you if you have a weak or common password. Another common hacker tactic is to add passwords exposed in breaches to their list of options to try when trying to crack a password. Trying to be clever and using the name of your favorite TV show (which isn’t a dictionary word) won’t help you if someone else thought of it too and was breached.
Even if your passwords have never been leaked in a data breach, that doesn’t mean that you’re safe. One of the most common goals of phishing attacks is credential theft, either directly or through installing malware on your computer. And once an attacker has one password, the first thing they will do is see if you used the same one on other, more valuable services (Amazon, banking, etc.).
Practicing Strong Password Security
Weak password security practices put you and your online accounts in danger. Luckily, you can practice good password hygiene with five simple steps.
1. Generate Strong, Unique Passwords
Passwords need to be strong and unique, meaning that none of the criteria mentioned earlier should describe your password. Ideally, you should use a random password generator to create a strong password for you.
2. Store Passwords Securely
If a password is stolen, it’s no longer secure. Ideally, you would memorize every one of your passwords, but that is no longer feasible with the number of accounts that the average person has. A good alternative is a password manager like LastPass. Most password managers have browser plug-ins and mobile apps that autofill your passwords and can generate strong, random passwords for you. If you use a password manager, create a strong, random master password for it and memorize it. If you’re afraid of forgetting it, store a copy somewhere secure like a safe.
3. Use Multi-Factor Authentication
Multi-factor authentication is when you require more than just a password to access your account. Examples (from least to most secure) are SMS verification, mobile apps like Google Authenticator, or physical tokens like a smartcard or Yubikey. Multi-factor authentication makes it harder for an attacker with your password to access your account. Use it whenever it is available. Read our blog post, “Two-Factor Authentication (2FA): Secure or Not?” to learn more about how to effectively use multi-factor authentication to protect yourself from hackers.
4. Don’t Share Passwords with Others
You should never, ever share your passwords with others. Even if you protect your password well, you have no guarantee that they will do the same. For more discussion on the risks of shared passwords, see our earlier blog post on the subject.
5. Monitor Your Password Security
The final step to password security is monitoring your accounts for signs that something has gone wrong. If something looks weird on your account, change your password immediately. Even if you do everything right, maybe a data breach leaked your password. It’s a good idea to periodically check haveibeenpwned.com to see if you are a victim in any new breaches.
Protecting Yourself from Weak Passwords
Weak passwords are dangerous and can cause significant real-world damage. If someone breaks into your bank account, not only can they drain your accounts, they can ruin your credit history as well. Take the time to practice good password security and protect yourself both personally and professionally.
Practicing strong password security is a result of security awareness and benefits both individuals and companies. Sword & Shield offers security awareness training to organizations trying to improve their security posture.