Do You Have A Good Password?

Today, the words “Data Breach” should surprise no one. Most, if not all, cybersecurity experts agree that it is not a matter of if but when. One or two really big business names make the news about once a year. The costs of data breaches are astronomical, and the negative effects linger for months and sometimes years.


Is It Worth Protecting?

How much of your personal information is entrusted to others for safekeeping? Your email, your online bank account, every website you ever bought anything from, social media… the list goes on. It is the responsibility of those companies to safeguard the data, that is true. However, their defences count for little if your password is so basic and predictable that those with malicious intent can simply guess their way into your account.

The Basics

Let’s get the basic stuff out of the way first. Do not use publicly available information about yourself in your passwords. It is easy to remember, but it is just as easy to guess… and let’s agree that “password” is the worst possible password. The usual suspects:

  1. Birth dates
  2. Phone numbers
  3. Social Security Number fragments
  4. Street address
  5. Pet names

Longer Is Better

Brute force guessing is not sophisticated, but it is effective and very commonplace. Consider a password that is a 6-digit number (a date?): each position has 10 distinct possibilities (0-9), so six digits with 10 possible values each give 10^6 = 1,000,000 combinations. This sounds like a lot.

A single modern CPU, never mind a GPU, works through that list in seconds once the attacker holds a copy of the password hashes and can test guesses offline; only guessing against a live login form, which can throttle and lock out attempts, is slow. Increase the length of that password to 10 digits and there are 10,000,000,000 combinations, which makes the guessing game harder. In reality, you are only prolonging the inevitable. The on-demand compute needed to crunch through lots of combinations is readily available for rent from cloud providers, and supply is limited only by the depth of the attacker’s pockets.

Letters, Numbers, Special Characters

So longer passwords are better, but length alone is not the whole story. What an attacker has to search is (number of possible characters) to the power of (length). If we combine special symbols, numbers, upper case and lower case letters, the alphabet grows from 10 digits to roughly 95 printable characters, and a 10-character password now has 95^10 (about 6 × 10^19) combinations instead of 10^10. That significantly increases the time required to make a correct guess: minutes become years at the same guess rate. To a hacker, it is just not worthwhile to wait weeks or longer for the winning combination.
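The arithmetic above, carried through for the three policies the text discusses (6 digits, 10 digits, 10 mixed characters), as an added example that is not part of the original post. The guess rates are assumptions chosen for illustration, not measurements: a throttled online login form, offline cracking of a fast unsalted hash on GPUs, and offline cracking of a deliberately slow adaptive hash such as bcrypt or Argon2.

```python
import math

# Guess rates per second, assumed for illustration (constructed, not measured).
# Online: a login form that throttles attempts. Offline: the attacker holds the
# leaked hash database and tests guesses on hardware of their choosing.
ATTACK_RATES = {
    "online login form, throttled": 10,
    "offline, fast unsalted hash (MD5/SHA-1 on GPUs)": 10**10,
    "offline, slow adaptive hash (bcrypt/scrypt/Argon2)": 10**4,
}

# The three policies discussed in the text: (alphabet size, length).
POLICIES = {
    "6 digits": (10, 6),
    "10 digits": (10, 10),
    "10 mixed (upper, lower, digits, symbols)": (95, 10),
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of `length` drawn from `alphabet_size` symbols."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Strength in bits of a password chosen uniformly at random from that space."""
    return length * math.log2(alphabet_size)


def expected_seconds(space: int, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly random password: half the space on average."""
    return space / (2 * guesses_per_second)


def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600),
             ("hours", 3600), ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds * 1000:.3f} milliseconds"


def report() -> dict:
    """Expected crack time for every policy under every attack model."""
    table = {}
    for policy, (alphabet, length) in POLICIES.items():
        space = keyspace(alphabet, length)
        table[policy] = {
            "bits": round(entropy_bits(alphabet, length), 1),
            **{attack: expected_seconds(space, rate) for attack, rate in ATTACK_RATES.items()},
        }
    return table


if __name__ == "__main__":
    for policy, row in report().items():
        print(f"{policy}: {row['bits']} bits")
        for attack, secs in row.items():
            if attack != "bits":
                print(f"    {attack}: {humanize(secs)}")
```

Two things the table shows that the prose does not: the same 10-digit PIN that takes years against a throttled login form falls in under a second offline, and the choice of hash on the server side (fast versus adaptive) moves the result by six orders of magnitude regardless of what the user picked.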

Great! Now we know that longer, more complicated passwords are the way to go. Unfortunately, most of us can remember only a handful. Armed with our shiny new strong password, we use it on every website and for every account. It is human nature, and a common security misstep.

The Common Problem

It’s easy to remember a phrase that you know, sure! It is also easy to guess a common word or phrase. A password like “Pa$$w()rd” is easy to remember. It mixes upper and lower case characters and special symbols, so it seems to follow best-practice guidance for passwords. However, it is just the word “password” with a few predictable substitutions, and that’s the issue: it’s too common. Attackers do not guess such passwords one character at a time. They run dictionary attacks: wordlists of leaked and common passwords, expanded by mangling rules (capitalize the first letter, swap a for @ and s for $, append a digit or a year) that generate exactly these variants. Cracking tools such as hashcat and John the Ripper ship with rule sets like this. “Pa$$w()rd” is in there somewhere. Rainbow tables are a related shortcut: huge sets of pre-computed hash chains that let an attacker reverse an unsalted hash without redoing the work. Salting each stored hash defeats rainbow tables; it does nothing against rule-based guessing of a weak password.
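A small rule-based dictionary attack of the kind described above, as an added example that is not part of the original post. The leet substitutions, suffixes and three-word wordlist are constructed for illustration and are far smaller than a real rule set; the “leaked” hash is simply the unsalted SHA-256 of “Pa$$w()rd”, computed in the example itself.

```python
import hashlib
import itertools

# Substitutions a simple rule set tries for each letter; the letter itself is
# always kept as an option. The "()" for o is what produces Pa$$w()rd.
LEET = {
    "a": ["@", "4"],
    "e": ["3"],
    "i": ["1", "!"],
    "o": ["0", "()"],
    "s": ["$", "5"],
    "t": ["7"],
}
SUFFIXES = ["", "1", "!", "123"]

# Constructed wordlist; real ones hold millions of leaked passwords.
WORDLIST = ["letmein", "qwerty", "password"]


def case_variants(word: str):
    """The three case rules most rule sets apply first."""
    return sorted({word.lower(), word.capitalize(), word.upper()})


def mangle(word: str):
    """Yield every variant of `word` that the rule set produces."""
    for base in case_variants(word):
        options = [[ch] + LEET.get(ch.lower(), []) for ch in base]
        for combo in itertools.product(*options):
            candidate = "".join(combo)
            for suffix in SUFFIXES:
                yield candidate + suffix


def sha256_hex(password: str) -> str:
    """Unsalted SHA-256, standing in for whatever the breached site used."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack(target_hex: str, wordlist=WORDLIST):
    """Return the plaintext behind an unsalted hash, or None if the rules miss."""
    for word in wordlist:
        for candidate in mangle(word):
            if sha256_hex(candidate) == target_hex:
                return candidate
    return None


if __name__ == "__main__":
    leaked = sha256_hex("Pa$$w()rd")          # constructed "leaked" hash
    print(len(set(mangle("password"))), "candidates from the word 'password'")
    print("recovered:", crack(leaked))
```

From the single word “password” the rules generate 972 candidates, and “Pa$$w()rd” is one of them, so it falls after a few hundred hash computations; a random 10-character password is never produced by any rule, so the attacker is pushed back to the brute-force arithmetic of the previous section.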

The other common problem is that we tend to reuse the same password over and over on many different sites and services across the Internet. By doing so we become vulnerable to a toppling domino effect: if one of those services is compromised, your excellent hard-to-guess password unlocks too many proverbial doors. Attackers automate this as credential stuffing, replaying leaked email and password pairs against other sites. Bad idea!

I Want A Better Password

As long as we rely on secrets created by humans, other humans will likely come up with a way to uncover them. Our lives are increasingly digital, and there are a few ways to limit the exposure.

Use a Password Manager

Using a password manager service such as LastPass lets you remember one complex master password to access the service. In turn, the manager applies best practices for you: it generates long, random, unique passwords for all of your digital accounts, fills them in, and changes them at the click of a button when you want to. It will also make you more security aware. The trade-off is that the vault becomes a single high-value target, so protect the master password like nothing else and turn on multi-factor authentication for the manager itself.
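What a manager’s generator does under the hood, as an added example that is not part of the original post or of any particular product. It draws from the operating system’s cryptographic random source via Python’s `secrets` module (never the predictable `random` module) and resamples until every character class is present. The symbol set and default length are assumptions.

```python
import math
import secrets
import string

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"       # assumed set; sites differ in what they accept
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS
CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)


def has_all_classes(password: str) -> bool:
    """True when at least one character from every class is present."""
    return all(any(ch in cls for ch in password) for cls in CLASSES)


def generate(length: int = 20) -> str:
    """Uniformly random password over ALPHABET, resampled until every class appears.

    Rejection sampling keeps the result uniform over the accepted set; picking one
    character per class and shuffling would bias the distribution instead.
    """
    if length < len(CLASSES):
        raise ValueError("too short to contain every character class")
    while True:
        password = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(password):
            return password


def entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Bits of strength for a uniformly random password of this length."""
    return length * math.log2(len(alphabet))


if __name__ == "__main__":
    pw = generate()
    print(pw, f"({entropy_bits(len(pw)):.1f} bits)")
```

Twenty characters from this 85-symbol alphabet give about 128 bits, comfortably beyond any brute-force budget from the earlier section, and because the string has no dictionary structure, mangling rules never produce it.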

Share Your Identity

Federated identity has gained major support in recent years. It relies on commonly accepted standards-based protocols, OAuth 2.0 for delegated authorization and OpenID Connect for authentication on top of it, to securely share your identity with others without asking you to create yet another password. You choose what to share: at sign-in you explicitly consent to the merchant or service receiving specific details (your email address, your name) from your centrally managed identity (account), and you can revoke that grant later. This type of authentication is provided by Google, Facebook, LinkedIn, Twitter and many others; it is also accepted by many sites. The caveat is the domino effect in reverse: that one account now fronts many services, so it deserves a strong password and multi-factor authentication.

Use Multi-factor Authentication

Using multi-factor authentication adds an additional layer of security by requiring you to supply two or more pieces of evidence proving your identity: something you know (the password) plus something you have (a phone app or a hardware key). It is supported on most devices, runs as an app, sets up in seconds and provides an invaluable extra layer of protection for what’s important. Prefer an authenticator app or a hardware security key over codes sent by SMS, which can be intercepted or redirected through a SIM swap.
