Passwords are the single most effective cyber security tool we have, and making good use of them requires no technical skill whatsoever. So why, then, do we so often use them so poorly?
Every year since 2010, the password management company SplashData has culled the web for leaked user passwords from breaches, and compiled the most outstanding data into a Top 100 Worst Passwords list. And every year, inevitably, the top two entries are “123456” and “password”. Almost three percent of all passwords they find are “123456”.
There are a few good reasons to use bad passwords. Maybe you’re part of a software engineering team, building a test account for an unpublished beta website. Maybe you’re the operator of a public WiFi hotspot. Maybe you’re the type of person who gets excited by living on the edge–getting rid of your smoke alarms, eating expired food, publishing your home address on Craigslist and Chat Roulette.
If you’re not an engineer, or a public WiFi host, and you value yourself and your sanctity, there is no good excuse for not using high-quality, diverse passwords. Whether it’s a web account, a laptop, a router, a smart home device, or any other technology item in your near orbit, setting good passwords is the most effective way to stay cyber-protected. And you can do it just as well as any pro can by following a few, easy steps:
1. Avoid common and easy-to-guess passwords
Having a simple password is like having no password at all. Variations on common passwords–like “passw0rd” or “123456789”–simple passwords–like “abc123” or “11111”–using your own name or the name of the service you’re signing up for, and other quick tricks of the sort should all be forbidden. As easy as they may be for you to remember, they’ll be orders of magnitude easier for a hacker to crack. Here’s how:
Any reputable website will store user passwords in hashed form. A “hash” is a long, complicated string of letters and numbers, determined by a hash algorithm. A hash algorithm will take your password, process it, and output its corresponding hash value. The final result might look a little something like this: e10adc3949ba59abbe56e057f20f883e. That’s the hash for the password “123456”, according to the MD5 algorithm. You’ll notice that hash has no observable connection with its input, but that’s just a trick. It’s not a random value at all. If you type 123456 into an MD5 hash generator, you’ll receive the same result.
Hackers have a tool at their disposal to address password hashing. A “rainbow table” is a list of hashes of common passwords, commonly available online. Anyone in possession of hashed passwords can reference a rainbow table to reverse engineer any common passwords in the bunch, however complicated their corresponding hash values may appear to the naked eye.
A rainbow table wouldn’t be useful if your password is simple, but not common–say, a combination of your last name and your birthday. But if you’re unlucky enough to be targeted by a hacker, there are other tools capable of cracking a password of this strength as well. Consider: if a hacker has hold of your hashed password, they likely also have leaked data in the form of your email, your name, your birthday, and any other information you provided this hypothetical breached website. Using such information, your hacker could write a program that checks for the hash values of strings containing key words and variations of key words, based on your other leaked information. In other words, if a hacker knows your name is Kelly and your birth year is 1984, they could check for hashes that return “Kelly1984”, “kelly1984”, “k311y1984”, et cetera.
The final tool available to hackers is called a “brute force” attack, where a computer literally runs through every conceivable combination of letters and numbers until it uncovers your password. This method is very resource-intensive and slow, but it can work against passwords that aren’t sufficiently long and complicated. Breaking “passw0rd” might only take a fraction of a second. Breaking “p@55w0rd” might take closer to a year. “p@55w0rdp@55w0rd” could probably never be broken, for the rest of your hacker’s life.
Hence, why you want to use complicated, difficult-to-guess passwords.
2. Use a unique password for every site
Using the same password for multiple digital accounts and devices is like being the landlord of an apartment building, and using the exact same-shaped key for every unit. If a malicious entity steals your key, they’ve functionally broken into every apartment. This is why it’s crucial to use varied passwords for your many online presences. You don’t want a hacker who broke into your old AOL account to then leverage that towards accessing your home security system.
3. Use a password manager
Password managers work like safes, for your passwords. All your passwords to all the various websites you use are stored within your manager account, which is unlocked by whatever master password you set for it. Now, you might ask yourself: why would this help? Wouldn’t establishing a single point of failure–that master password–induce even more risk than whatever I’ve been doing thus far?
If you’re worried about placing all your eggs in a single basket, recent news won’t help ease your mind. A study published earlier this year by ISE, a security consulting firm based in Baltimore, found vulnerabilities in five of the most popular password manager applications.
Now you have two reasons not to use a password manager. And yet, it’s still worth it.
Password managers fully encrypt the data you store within them, so a hacker would need your master key in order to access the contents of your account. And the most reputable companies store your master key locally, on your device, rather than in the cloud. What this means is that, even if a password manager company were hacked, your information would still be secure. The company itself doesn’t even know your master key, and because all the information in your account is encrypted, even leaking that data will be meaningless to anyone without that key. A hacker therefore needs both your key and your computer in order to break your account, which should be very difficult to accomplish together.
Depending on how you look at it, the strength of password managers is also their inherent flaw. By using one of these applications, your security is entirely in your own hands. That’s great, if you’re responsible. But we humans are notoriously incompetent when it comes to our own cyber security–reusing passwords, connecting to unsecured public WiFi, leaving our devices unencrypted, and generally failing to think ahead.
Password managers have their benefits and their drawbacks. They may be the most effective security tool you can use to maintain good and varied passwords. At the same time, the fact of putting all your eggs in one basket introduces all new concerns. No matter how you slice it, though, password managers beat using “123456”, or the same few passwords for all your accounts.
4. Change the default passwords on your devices
The default username and password for your devices are merely placeholders, awaiting your change. It’s information well-known to hackers, especially if you’re using popular brand products. By not setting your own password for your home network, for example, you open up the possibility that someone within range of your signal could hack in without any trouble.
5. Try a passphrase
You probably already have experience creating accounts on websites which require that your password pass certain conditions–combining uppercase and lowercase letters, numbers, symbols, etc. The goal, in setting such conditions, is to force users to not use too easy-to-guess passwords. The effect, too often, is that the passwords we do end up setting are rather difficult to memorize. Was it…u7!erDc#2…or U7!ERdC#3?
You might be surprised to learn that, as impossibly difficult as it is for a hacker to guess “u7!erDc#2”, it is even more difficult for them to hack a password more like this:
“harvard birthday belong cooling”.
Why is this? Recall in section one above, the discussion on hashes and password cracking. The qualities that made for a difficult-to-guess password were: not commonly used, not based on any real world information, not otherwise logical, complicated and long.
Websites ask for complicated passwords to discourage you from using one of those common passwords we so often opt for. But combining symbols with numbers and letters of different cases is more like a prompt, to entice you to get creative. Combining two different forms of characters is useful, but even more important is length. Brute force algorithms don’t understand English, they simply check hash values. As long as you didn’t go to Harvard, or work in the heating and cooling business, a passphrase like “harvard birthday belong cooling” is essentially un-crackable.
For help coming up with a sufficiently random passphrase, you can use the site where we got ours from: Use A Passphrase.
6. Use two-factor authentication for particularly sensitive accounts
Two-factor authentication (2FA) adds an extra layer of security to your online account, either by asking you for the answer to a security question, or by sending you a one-time code via text or email every time you log in. Most products and services do not offer two-factor authentication because, frankly, most products and services aren’t worth it. On the other hand, particularly sensitive websites and devices–online banking portals, for example–often require it.
2FA is an added step that will take an extra few seconds of your time to complete, each time you log in to your account. However, in exchange for those seconds, you’re making a potential hacker’s job exponentially more difficult. Breaking into a website or cracking a password is one thing. Doing so, and then having to pass a second level of authentication, makes the job near impossible. That’s why, as an added guard for your most valuable information, two-factor authentication is always worth it in the end.
By reaching this point of this article, you’ve positioned yourself (and your smart home) to be as internet-secure as any casual internet user can hope for. Still, the risk of hacks will always exist, and there will always be vulnerabilities out of your control. You can have the best passwords on the planet, but with the right hacker, or the wrong company, you might still fall victim to an attack. In fact, more people than are aware of it have already been exposed in multiple data breaches. HaveIBeenPwned is a website that compiles leaked data from major corporate hacks (the known ones, at least), and allows you to search for your personal email address within those records. Check it out–you may be using an online account right now that’s well-past compromised, without even knowing it. And if your account is compromised, your password probably is too.
Cyber security exists on a continuum. The only thing you can be sure of is that, if anyone’s going to get hacked, it’ll be your friends who use “123456” and “passw0rd” before you.