Passwords are our single most effective cyber security tool, and making good use of them requires no technical skill whatsoever. So why, then, do we so often use them so poorly?
Since 2010, the password management company SplashData has culled the web for leaked user passwords from breaches and compiled the most outstanding data into a Top 100 Worst Passwords list. And every year, inevitably, the top two entries are “123456” and “password”. Almost three per cent of all passwords they find are “123456”.
There are a few good reasons to use bad passwords. Maybe you’re part of a software engineering team building a test account for an unpublished beta website. Perhaps you’re the operator of a public WiFi hotspot. Maybe you’re the type who gets excited by living on the edge–getting rid of your smoke alarms, eating expired food, publishing your home address on Craigslist and Chat Roulette.
If you’re not an engineer or a public WiFi host and value yourself and your sanctity, there is no good excuse for not using high-quality, diverse smart home passwords. Whether it’s a web account, a laptop, a router, a smart home device, or any other technology item in your near orbit, setting good passwords is the most effective way to stay cyber-protected. And you can do it just as well as any pro can by following a few easy steps:
1. Avoid common and easy-to-guess smart home passwords
Having simple smart home passwords is like having no password at all. Variations on common passwords (like “passw0rd” or “123456789”), trivially simple passwords (like “abc123” or “11111”), your own name, the name of the service you’re signing up for, and other quick tricks of the sort should all be off the table. As easy as they may be for you to remember, they’ll be even easier for hackers to crack. Here’s how:
Any reputable website will store user passwords in hashed form. A “hash” is a long, complicated string of letters and numbers determined by a hash algorithm. A hash algorithm will take your password, process it, and output its corresponding hash value. The final result might look a little something like this: e10adc3949ba59abbe56e057f20f883e. That’s the hash for the password “123456”, according to the MD5 algorithm. You’ll notice the hash has no observable connection with its input, but that’s deceptive: it’s not a random value at all. You’ll get the same result every time you type 123456 into an MD5 hash generator.
Hackers have a tool at their disposal for getting around password hashing. A “rainbow table” is a precomputed list of the hashes of common passwords, and such tables are widely available online. Anyone holding a batch of hashed passwords can look them up in a rainbow table to recover any common passwords in the bunch, however complicated their hash values may appear to the naked eye.
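To make the two paragraphs above concrete, here is an added example (not code from the article or from any site it mentions). It hashes the article’s own list of bad passwords into a lookup table, shows that the quoted MD5 digest falls straight out of it, and then shows what a site should do instead: store a per-user random salt and a deliberately slow key-derivation function (PBKDF2 here), so no table built in advance can match the stored value. The password list and the iteration count are constructed for the demonstration.

```python
# Added example: unsalted hash lookup versus salted, slow password hashing.
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed sample list standing in for the common passwords a precomputed
# table would cover; these are the article's own examples.
COMMON_PASSWORDS = ["123456", "password", "123456789", "passw0rd", "abc123", "11111"]

PBKDF2_ITERATIONS = 200_000  # constructed value; deliberately slow, tune upward in production


def md5_hex(password: str) -> str:
    """Unsalted MD5, the weak storage the article uses as its illustration."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_lookup_table(passwords) -> dict:
    """Precompute digest -> password once. Every leaked unsalted digest can then
    be resolved with a single dictionary lookup, which is the rainbow-table idea."""
    return {md5_hex(p): p for p in passwords}


def reverse_unsalted(table: dict, digest: str) -> Optional[str]:
    """Return the password behind an unsalted MD5 digest if the table covers it."""
    return table.get(digest)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte random salt per user means two users
    who both chose "123456" get unrelated digests, and a digest computed without
    knowing the salt cannot appear in any precomputed table."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    leaked = "e10adc3949ba59abbe56e057f20f883e"  # the digest quoted in the article
    print("unsalted lookup:", reverse_unsalted(table, leaked))

    salt_a, digest_a = hash_password("123456")
    salt_b, digest_b = hash_password("123456")
    print("two salted digests of the same password identical?", digest_a == digest_b)
    print("salted digest found in table?", reverse_unsalted(table, digest_a.hex()))
    print("verify correct password:", verify_password("123456", salt_a, digest_a))
    print("verify wrong password:", verify_password("password", salt_a, digest_a))
```

The defensive half is what the article’s “reputable website” ought to be doing: the salt removes the value of a shared precomputed table, and the iteration count turns each guess from a microsecond into a fraction of a second, which is exactly the cost the brute-force paragraph below depends on.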
A rainbow table wouldn’t be helpful if your password is simple but not expected–say, a combination of your last name and your birthday. But if you’re unlucky enough to be targeted by a hacker, there are other tools capable of cracking a password of this strength. Consider: if a hacker has your hashed password, they likely also have leaked data in the form of your email, your name, your birthday, and any other information you provided to this hypothetical breached website. Using such information, your hacker could write a program that checks for the hash values of strings containing keywords and variations of keywords based on your other leaked information. In other words, if a hacker knows your name is Kelly and your birth year is 1984, they could check for hashes that return “Kelly1984”, “kelly1984”, “k311y1984”, et cetera.
The final tool available to hackers is called a “brute force” attack, where a computer runs through every conceivable combination of letters and numbers until it uncovers your password. This method is very resource-intensive and slow, but it can work against passwords that aren’t sufficiently long and complicated. Breaking “passw0rd” might only take a fraction of a second. Breaking “[email protected]” might take a year. “[email protected]@55w0rd” could probably never be broken for the rest of your hacker’s life.
This is why you want to use complicated, difficult-to-guess passwords.
2. Use a unique password for every site
Using the same password for multiple digital accounts and devices is like being the landlord of an apartment building and using the same key for every unit. If a malicious entity steals your key, they’ve functionally broken into every apartment. Using varied passwords for your multiple online presences is crucial. You don’t want a hacker who broke into your old AOL account to leverage that towards accessing your home security system.
3. Use a password manager
Password managers work like safes for your passwords. All your passwords to all the various websites you use are stored within your manager account, which is unlocked by whatever master password you set. Now, you might ask yourself: why would this help? Wouldn’t establishing a single point of failure–that master password–induce even more risk than whatever I’ve been doing thus far?
If you’re worried about placing all your eggs in a single basket, recent news won’t help ease your mind. A study published earlier this year by ISE, a security consulting firm based in Baltimore, found vulnerabilities in five of the most popular password manager applications.
Now you have two reasons not to use a password manager. And yet, it’s still worth it.
Password managers fully encrypt the data you store within them, so a hacker would need your master key to access your account’s contents. And the most reputable companies store your master key locally, on your device, rather than in the cloud. This means that your information would still be secure even if a password manager company were hacked. The company itself doesn’t even know your master key. Because all the information in your account is encrypted, even leaking that data will be meaningless to anyone without that key. Therefore, a hacker needs both your key and your computer to break your account, which should be very difficult to accomplish together.
Depending on how you look at it, the strength of password managers is also their inherent flaw. Using one of these applications means your security is entirely in your own hands. That’s great if you’re responsible. But we humans are notoriously incompetent regarding our cyber security–reusing passwords, connecting to unsecured public WiFi, leaving our devices unencrypted, and generally failing to think ahead.
Password managers have their benefits and their drawbacks. They may be the most effective security tool for maintaining excellent and varied passwords. At the same time, putting all your eggs in one basket introduces all new concerns. No matter how you slice it, password managers beat using “123456” or the same few passwords for all your accounts.
4. Change the default passwords on your devices
Your device’s default username and password are merely placeholders awaiting your change. They are well known to hackers, especially if you’re using popular brand products. By not setting your own password on your home network, for example, you open up the possibility that anyone within range of your signal could get in without any trouble.
5. Try a passphrase
You probably already have experience creating accounts on websites which require that your password pass certain conditions–combining uppercase and lowercase letters, numbers, symbols, etc. Such rules are meant to stop users from choosing easy-to-guess passwords. The effect, too often, is that the passwords we set are hard to memorize. Was it…u7!erDc#2…or U7!ERdC#3?
You might be surprised to learn that, as impossibly difficult as it is for a hacker to guess “u7!erDc#2”, it is even more difficult for them to hack a password more like “harvard birthday belong cooling”.
Why is this? Recall the discussion of hashes and password cracking in section one above. The qualities that made for a difficult-to-guess password were: not commonly used, not based on any real-world information, not otherwise predictable, complicated, and lengthy.
Websites ask for complicated passwords to discourage you from using one of those common passwords we so often opt for. But combining symbols with numbers and letters of different cases is really just a prompt to get you to be creative. Mixing character types is useful, but length matters even more. Brute force algorithms don’t understand English; they simply check hash values. As long as you didn’t go to Harvard or work in the heating and cooling business, a passphrase like “harvard birthday belong cooling” is essentially un-crackable.
For help coming up with a sufficiently random passphrase, you can use the site where we got ours: Use A Passphrase.
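The following is an added example, not code from the article or from the Use A Passphrase site, that puts numbers on the length argument above. It computes the size of the search space (in bits) for the article’s two passwords under the attacker models the article describes, converts that to years at an assumed guess rate, and shows how to draw a passphrase from a word list with a cryptographically secure source. The word list is a constructed stand-in (a real list such as the EFF long word list has 7776 entries), and the 10 billion guesses per second figure is an assumed rate, not a measurement. It also goes one step beyond the text: against an attacker who guesses whole dictionary words rather than characters, a passphrase’s margin depends on how many words it has and how big the list is, which is why five or six random words is the safer choice.

```python
# Added example: search-space size of random passwords versus passphrases, and a
# secure passphrase generator. Attacker models and guess rate are assumptions.
import math
import secrets

# Constructed mini word list; a real one (for example the EFF long list) has 7776 words.
WORDLIST = ["harvard", "birthday", "belong", "cooling", "anchor", "velvet", "meadow", "quartz"]
EFF_LONG_LIST_SIZE = 7776

PRINTABLE_ASCII = 95   # symbols available to a fully random character password
LOWER_AND_SPACE = 27   # what a lowercase passphrase looks like to a character-level brute forcer
ASSUMED_GUESSES_PER_SECOND = 1e10  # assumption for illustration only


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` independent, uniform choices from `alphabet_size` options.
    This is log2 of the number of candidates an exhaustive search must cover."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try every candidate in a space of 2**bits at the given rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def generate_passphrase(words: int, wordlist=WORDLIST, sep: str = " ") -> str:
    """Pick words uniformly with `secrets` (never `random`), so the entropy estimate holds."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def compare(guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> dict:
    """Entropy and exhaustive-search time for the article's examples under several models."""
    models = {
        "u7!erDc#2, 9 random printable characters": entropy_bits(PRINTABLE_ASCII, 9),
        "31-char lowercase passphrase, character brute force": entropy_bits(LOWER_AND_SPACE, 31),
        "4 random words, attacker knows the 7776-word list": entropy_bits(EFF_LONG_LIST_SIZE, 4),
        "6 random words, attacker knows the 7776-word list": entropy_bits(EFF_LONG_LIST_SIZE, 6),
    }
    return {name: (bits, years_to_exhaust(bits, guesses_per_second)) for name, bits in models.items()}


if __name__ == "__main__":
    for name, (bits, years) in compare().items():
        print(f"{name}: {bits:6.1f} bits, {years:.3g} years to exhaust")
    print("sample passphrase:", generate_passphrase(6))
```

Read the output as a comparison of attacker models, not as a guarantee: the 31-character passphrase is astronomically stronger than the 9-character password when the attacker works character by character, which is the model the article assumes, but an attacker who knows the word list only has to search words, so add words until that number is comfortable too.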
6. Use two-factor authentication for particularly sensitive accounts
Two-factor authentication (2FA) adds an extra layer of security to your online account, either by asking you for the answer to a security question or by sending you a one-time code via text or email every time you log in. Most products and services do not offer two-factor authentication because, frankly, most products and services aren’t worth it. On the other hand, sensitive websites and devices–online banking portals, for example–often require it.
2FA is an added step that will take an extra few seconds of your time to complete each time you log in to your account. However, you’re making a potential hacker’s job exponentially more difficult in exchange for those seconds. Breaking into a website or cracking smart home passwords is one thing. Doing so and then passing a second level of authentication makes the job near impossible. That’s why, as an added guard for your most valuable information, two-factor authentication is always worthwhile.
By reaching this point of this article, you’ve positioned yourself (and your smart home) to be as internet-secure as any casual internet user can hope for. Still, the risk of hacks will always exist, and some vulnerabilities will always be out of your control. You can have the best smart home passwords on the planet, but with the right hacker, or the wrong company, you might still fall victim to an attack. More people than realize it have already been exposed to multiple data breaches. HaveIBeenPwned is a website that compiles leaked data from major corporate hacks (the known ones, at least) and allows you to search for your email address within those records. Check it out–you may be using an online account right now that was compromised long ago without even knowing it. And if your account is compromised, your password probably is too.
Cyber security exists on a continuum. The only thing you can be sure of is that if anyone’s going to get hacked, it’ll be your friends who use “123456” and “passw0rd” before you.