Making strong passwords is hard work—but it’s worth it. Leaving your bank accounts, social media accounts, email accounts, and devices protected by insecure, easily-guessed, and easily-broken passwords in this day and age is a bit like leaving your front door unlocked every day. You’re taking a big risk with things that are valuable, important, and deserve to be kept safe. With a little help from the IT security and cybersecurity experts here at Gillware, you can easily make strong passwords and keep your life safer from the threat of all sorts of cyber-attacks and intrusions.
Cybersecurity is serious business. When your data is encrypted with 256 bits of entropy, breaking the encryption would take longer than the age of the universe. When it comes to the password you use to unlock that data, though, your data is only as safe as your password is strong. Not all passwords are created equal; some passwords put things like your email account, social media accounts, or bank account at risk.
Millions of us use weak, easily-guessable passwords—things like “12345”, “qwerty”, or that old standby, “password”. Worse, many of us are also guilty of re-using passwords as well. Password reuse puts multiple facets of our lives at risk in case of massive data breaches or phishing scams.
In our data-driven world, proper password protocols are more pertinent to our lives and well-being than ever—and will only become more important in the future. Following best practices to create strong and unique passwords will keep you safe from all sorts of online threats. With a little help from a good password manager, you can make truly strong passwords that will keep you safe from cybersecurity threats in the online era.
Password strength is measured in terms of information entropy. Each character in a password has a certain amount of entropy, which determines how hard it is to guess that character. The more characters a password has, the higher its password entropy.
In addition, the combination of characters also has an effect on how guessable a password is. The more random a password is, the higher its entropy is, and the more attempts it would take to guess. Passwords with real words, names, and common or predictable number sequences have comparatively lower entropy. Secure passwords use enough random, alphanumeric characters to make brute-force “guessing” a password nigh-impossible.
The weaker a password is, the easier it is to guess. Of course, when we say a password is “easy to guess”, what we’re saying is that it takes a couple hundred or thousand attempts instead of millions, billions, or trillions of attempts. The thing is, computers are very good at doing lots of things very quickly, such as guessing passwords, and they don’t get bored doing monotonous tasks.
Some passwords are easy to guess because they are so commonly used that a hacker can brute-force a list of the top 10 common passwords and get into your account within those 10 guesses. These are the passwords like “qwerty”, “password”, or “12345”, which we default to using when we don’t want to expend the mental energy to come up with a real password.
Even an uncommon password can be weak if its information entropy is low enough. Passwords involving personally-identifiable information such as birth dates, family members’ names, or pet’s names tend to be exceptionally vulnerable. A hacker looking to crack a password of yours can glean much of this information by trawling the internet, including social media platforms and online genealogy resources.
Let’s take a closer look at what makes weak passwords weak:
A single word that you’d find in the dictionary makes for a very poor password. One of the first methods a hacker could try to guess your password is a “dictionary attack”. The hacker—or, rather, the program the hacker uses to guess your password—uses the dictionary to try out words until it correctly guesses the right one.
The hacker doesn’t even need to use the whole dictionary. If they know the length requirements of your password—for example, between 6 and 18 characters—they can restrict their guesses to words within the requirements.
“What if I use more than one word, then?” you might say.
This will raise the length and, accordingly, the entropy of your password, of course, but you need to be careful. If you use a common or predictable phrase, you’ve only marginally increased the amount of work our hacker needs to do. Stringing four or more truly random words together will serve much better to flummox password crackers, as illustrated in XKCD creator Randall Munroe’s often-passed-around “correct horse battery staple” comic.
“Correct horse battery staple” is certainly a better password than “pa$5w0rd”, to be fair. But all the same, you’re only using the letters of the English alphabet—which limits your password’s strength quite a bit.
“I’ve got it! I’ll randomly capitalize letters and replace some of them with numbers, S0 mY p4sSw0rD w1ll lo0K l1k3 Th1s!” you might say.
Well… you’re still using real words—you’ve just substituted some letters for special characters. This makes it more time-consuming to guess a password, but only marginally so. A password cracking program can easily check for permutations of letters or common misspellings of words over the course of a dictionary attack.
By now you’ve probably figured out what makes a password truly secure…
A strong, secure password is as random as you can make it. You don’t use English words, or words in any other language. You don’t use personally identifiable information hackers could easily obtain online in your password, like your city or street name, the name of your business, your license plate number or date of birth, etc… And you use a string of letters and numbers with no easily-determined pattern—a random, truly secure password.
You can make a password both long and random, using both letters and numbers, and really ratchet up the entropy. For example, a seventeen-character random password, using both numbers and case-sensitive letters, has up to 96 bits of entropy. There are 296, or over 79 octillion (7.92×1028) possible password combinations. In addition, your would-be hacker won’t know how many characters your password has in the first place. They would have to incorrectly guess random passwords that are all shorter or longer than your password as well. The task of brute-force guessing your password (which they would have no choice but to do) quickly becomes unfeasible. It would take far more effort and computing time than your data is worth.
When digital ne’er-do-wells get a hold of people’s passwords, it usually isn’t because of a brute-force attack, though. Rather, your passwords—strong and weak alike—leak out in big data breaches like the ones Yahoo reported back in 2016 (both of which actually occurred in 2013 and 2014), or become compromised through phishing techniques.
Now, there might not be anything important on that Yahoo email account you stopped using in 2013. But if the password you used for that account matches the one you currently use for your bank account… you could be in trouble.
Here’s an example of a ransomware hack that succeeded due to careless password reuse. The victim had fallen for a phishing scam carried out through a friend’s hacked social media account. The hacker, using the account of a trusted friend, sent the victim a link to a fake login page for a popular file sharing service, which the victim filled out with his username and password.
Later on, the hacker remoted into the victim’s work computer (which should have been protected by a strong VPN with multi-factor authentication, but that’s another story) and tried the password for his file sharing service password on the computer. The victim had, in fact, reused the password for his computer. As a result, the hacker could easily slip inside and encrypt the victim’s data, holding it hostage.
As you can see, reusing passwords can have severe consequences. Hackers are craftier than ever and, in our digitally-dominant world, have more power to cause damage than ever before. A strong password is a unique password, and when you want to keep your data safe, you need strong passwords.
Any password you reuse is, by definition, insecure. The fact of the matter is that breaching one account with a reused password gets your hacker access to any other account that reuses that password. If the key for your bike lock also unlocks your front door, then the pickpocket who makes off with your bike lock’s key can get into your house, too.
As you can see, it’s not enough for a single password to be strong. You have to use unique passwords as well.
But there’s a problem here. Humans are bad at coming up with random strings of letters and numbers. Our brains are too good at pattern-recognition—trained over tens of millions of years of natural selection. Back when our ancient evolutionary ancestors lived in the jungle, it was better to see tiger strips in the jungle when there was no tiger at all than to not see the tiger and get eaten. Those survival instincts still live on in modern humans’ brains, even though our environment today has far less tigers in it. As a result, we can’t help but start seeing patterns and creating patterns. Our passwords can’t help but be, to some extent, predictable.
There’s another problem here. Truly random passwords are difficult to memorize. And we’re accumulating things that need passwords—social media, email, and financial accounts, for example—at a growing pace. One password is bad enough—and now you’re supposed to memorize dozens?
And to make matters worse, it seems everyone and their mother tells you to change all your passwords every couple months!
It may have been true in days of yore to regularly change your passwords. That, however, is no longer the case. Changing your passwords on a monthly basis no longer makes your data more secure. In fact, it may even have the opposite effect. Many IT and cybersecurity experts no longer recommend constantly or regularly changing your passwords. This is probably one of several bits of advice here that will make you breathe a sigh of relief.
In a blog post by the Federal Trade Commission in 2016, chief technologist Lorrie Cranor wrote that it was “time to rethink mandatory password changes.” Counter-intuitively, mandating people to regularly change passwords actually creates more security vulnerabilities. When forced to change passwords regularly, people are more likely to replace their old password with a weaker password, or just make all their passwords weak and predictable from the get-go. That said, plenty of people still say:
Passwords are like underwear: you don’t let people see it, you should change it very often, and you shouldn’t share it with strangers. — Chris Pirillo
However, while advice on regularly changing passwords is beginning to fall out of vogue, you should still change your passwords if word gets out that a service you rely on, like Yahoo (which has its own email service, and also owns some social media real estate such as Tumblr) or Cloudflare suffer big data breaches and there is a danger one or more of your passwords may have been compromised.
Instead of going through all your passwords four or five times a year, just keep an eye on the headlines. When a website or web service you use suffers a data breach, change your password for that site or service. As long as all of your passwords are unique, one compromised password isn’t going to be the end of the world.
Now, maybe all this advice has just made password creation sound scary, daunting, and extremely intimidating. Fortunately, there’s a solution that will make this plethora of password production problems practically pop out of existence. With the right tools, making strong, unique, and secure passwords (and keeping them all straight) is a snap.
Enter password managers:
Password managers make it a snap to make strong, unique passwords. With a good password manager, you can randomly generate a strong password at the click of a button. You can store your login credentials for any online account, the mobile passcode for your phone, or passwords for anything under the sun. We here at Gillware recommend Keepass to generate and store random, unique, and strong passwords.
Password managers make it easy to create passwords. They make changing passwords easy as well. With a few clicks, you can generate a new random password that’s just as strong as the old one.
A good password manager stores your passwords in an encrypted database file. The file itself requires a single master password. It’s like having a safety deposit box for all your passwords inside your computer. By using it, you’ve reduced the number of passwords you have to memorize from dozens (and counting) to just one!
Of course, if you don’t trust your memory, you could write that password down and keep it along with all your other important, frequently-needed things: in your wallet. You might want to put another copy of your master password in a safe or safety deposit box in your home and/or bank as well. After all, we all know wallets can go missing.
Making strong passwords sounds like a daunting task. But it’s never been more important to have strong passwords guarding your data. Fortunately, with the help of password manager software, it’s never been easier to keep your data safe.