Password basics

Passwords are the first line of defense for your online accounts. Unfortunately, many people still use weak or easily guessable passwords, putting themselves at risk for cyberattacks. In this post, we’ll cover the basics of password security and offer some tips on how to create and manage strong passwords.

Why does password security matter?

Passwords are the keys to your online accounts, and if they fall into the wrong hands, your personal information, finances, and even identity can be compromised. According to a recent report, over 80% of data breaches are caused by weak or stolen passwords. Cybercriminals use a variety of methods to crack passwords, including guessing, phishing, and brute force attacks. That’s why it’s crucial to use strong, unique passwords for each of your accounts.

If you’ve been using the same email for a while, odds are that your information has been exposed in a data breach. Check “Have I Been Pwned” and enter your email/phone number – you’ll get a report of how many known data breaches your info has been exposed in.

Have I Been Pwned Results

If your data is exposed in a breach or obtained by a threat actor, the good news is that most application developers today protect your password by hashing it (often loosely described as encrypting it) before saving it in their database. Rather than storing your plain-text password, they run it through a one-way hash algorithm and save only the resulting hash. When you attempt to log in, they apply the same algorithm to the password you provide and compare the two hashes to determine a match.
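Here is what that storage scheme looks like in practice. This is an added example, not code from the original post: it contrasts a fast, unsalted hash (the kind the next paragraph's cracking tools are built for) with a salted, deliberately slow password hash using PBKDF2-HMAC-SHA256 from Python's standard library. The iteration count is an assumption chosen to follow current OWASP guidance; the record format (algorithm$iterations$salt$hash) is likewise made up for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor: every verification (and every attacker guess) costs this
# many HMAC rounds. 600_000 follows current OWASP guidance for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def unsalted_sha1(password: str) -> str:
    """The weak scheme: one fast hash, no salt.

    Every user with the same password gets the same hash, so one precomputed
    dictionary of hashes cracks all of them at once.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$iterations$salt_hex$hash_hex.

    A fresh random salt per password means identical passwords produce different
    records, and storing the parameters lets the verifier recompute the hash even
    after the default iteration count has been raised for new accounts.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iterations, then compare."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported password record: {algorithm}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison so the match position is not leaked through timing.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("login with right password:", verify_password("correct horse battery staple", record))
    print("login with wrong password:", verify_password("Correct horse battery staple", record))
    print("two users, same weak scheme:", unsalted_sha1("password"), unsalted_sha1("password"))
```

The salt does not have to be secret; its job is to make every stored hash unique so an attacker cannot reuse one table of precomputed hashes across users, and the high iteration count is what turns "instant" guessing into an expensive computation.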

Unfortunately, even if your leaked password was stored only as a hash, there are a number of tools, such as John the Ripper and Hashcat, that attackers can use to crack it. These tools are capable of identifying the hash algorithm that was used to store your password, then applying that same algorithm to a list of common passwords and looking for a matching hash.

One of the most widely used password lists is rockyou.txt, which contains nearly 15 million unique common passwords. If you’re using a common password, you should realize that it will be cracked instantly. Even if you’ve chosen a unique password, you’re not out of the woods yet: you are still vulnerable to a brute-force attack.

A brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found.

Wikipedia, “Brute-force attack”

Creating secure passwords

Many users get frustrated when they are prompted to choose a new password and find that it must have a minimum length, upper- and lowercase letters, numbers, and symbols. If you’re like most users, your passwords have evolved over time, gradually adding uppercase letters, numbers, and symbols to the same “core” password.

The reality is that these requirements dramatically increase your password’s complexity, which makes it significantly more difficult to crack. Creating a strong password can be challenging, but it’s an essential step in protecting your online accounts. Here are some tips for creating a secure password:

  1. Use a mix of uppercase and lowercase letters, numbers, and symbols.
  2. Make it at least 12 characters long.
  3. Avoid using personal information such as your name, birthdate, or phone number.
  4. Use a passphrase instead of a password. A passphrase is a sentence or a string of words that are easy to remember but difficult to guess. For example, “My favorite color is blue” can be turned into “Mfcib!2023.”
  5. Use a password generator tool to create a unique and complex password.
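
The tips above can be enforced mechanically, and that is what a sign-up form or password manager does behind the scenes. The following is an added example written for this post, not code from the original: it checks a candidate password against tips 1 to 3, screens it against a common-password list (a small constructed stand-in for rockyou.txt, discussed earlier), and generates passwords that pass the check with the cryptographically secure `secrets` module (tip 5). The word list, the minimum length of 12 and the policy messages are assumptions for the example.

```python
import secrets
import string

# Constructed stand-in for a breached-password list such as rockyou.txt.
# A real check would load the full list (or a hashed / Bloom-filtered form of it).
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "iloveyou", "princess",
    "letmein", "football", "monkey", "abc123", "password1",
}

MIN_LENGTH = 12  # tip 2


def check_password(password: str, personal_info: tuple = ()) -> list:
    """Return the list of policy failures; an empty list means the password passes.

    personal_info holds strings the user should not embed in the password
    (name, birth year, phone number), per tip 3.
    """
    failures = []

    # Tip 1: a mix of character classes.
    classes = {
        "an uppercase letter": any(c.isupper() for c in password),
        "a lowercase letter": any(c.islower() for c in password),
        "a digit": any(c.isdigit() for c in password),
        "a symbol": any(c in string.punctuation for c in password),
    }
    for name, present in classes.items():
        if not present:
            failures.append(f"missing {name}")

    # Tip 2: minimum length.
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")

    # Tip 3: no personal information (case-insensitive substring match).
    lowered = password.lower()
    for item in personal_info:
        if len(item) >= 3 and item.lower() in lowered:
            failures.append(f"contains personal information ({item})")

    # Dictionary screen: anything on a common-password list is cracked instantly.
    if password in COMMON_PASSWORDS or lowered in COMMON_PASSWORDS:
        failures.append("appears in a common-password list")

    return failures


def generate_password(length: int = 16) -> str:
    """Generate a random password that satisfies check_password.

    secrets.choice draws from the OS random source; random.choice would be
    predictable and must not be used for passwords.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:  # a 16-character draw almost always covers all four classes; retry if not
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate):
            return candidate


if __name__ == "__main__":
    for pw in ("password", "Mfcib!2023.", "JaneDoe1990!xyz"):
        print(pw, "->", check_password(pw, personal_info=("Jane", "1990")) or "OK")
    print("generated:", generate_password())
```

Run against the passphrase-derived example from tip 4, the checker reports only the length rule, since “Mfcib!2023.” is eleven characters; extending the passphrase by a word or two fixes that while keeping it memorable.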

Take a look at Password Meter – this tool shows how much a password’s complexity increases as each type of character is added.

Another resource for checking password complexity is Password Monster – this tool estimates how long it would take an attacker to crack your password.
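Tools like Password Monster arrive at those time estimates from two numbers: the size of the search space (the alphabet the attacker must cover, raised to the power of the length) and an assumed guessing rate. The following is an added example, not code from the original post or from Password Monster: it computes the search space and bits of entropy for a password and converts that into a worst-case time to exhaust the space. The guess rate of 10 billion per second is a constructed figure standing in for an offline attack on a fast hash; the estimate only counts printable ASCII classes, and any other character is counted as one extra alphabet symbol.

```python
import math
import string

# Character classes and how many symbols each adds to the attacker's alphabet.
CLASS_SIZES = {
    "lowercase": (frozenset(string.ascii_lowercase), 26),
    "uppercase": (frozenset(string.ascii_uppercase), 26),
    "digits": (frozenset(string.digits), 10),
    "symbols": (frozenset(string.punctuation), len(string.punctuation)),  # 32
}

# Assumed rate for an offline attack against a fast unsalted hash; a constructed
# figure for illustration, not a measurement of any particular hardware.
GUESSES_PER_SECOND = 10_000_000_000


def alphabet_size(password: str) -> int:
    """Size of the smallest alphabet that contains every class used in the password."""
    size = 0
    covered = set()
    for chars, class_size in CLASS_SIZES.values():
        if any(c in chars for c in password):
            size += class_size
            covered |= chars
    # Characters outside the ASCII classes (for example accented letters) each count once.
    size += len({c for c in password if c not in covered})
    return size


def keyspace(password: str) -> int:
    """Number of candidates a brute-force attack must be prepared to try."""
    return alphabet_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """log2 of the keyspace: each extra bit doubles the attacker's work."""
    return math.log2(keyspace(password))


def seconds_to_exhaust(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return keyspace(password) / rate


def human_duration(seconds: float) -> str:
    """Render a duration the way a strength meter would."""
    if seconds < 1:
        return "under a second"
    for name, size in (("years", 365 * 24 * 3600), ("days", 86400),
                       ("hours", 3600), ("minutes", 60), ("seconds", 1)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return "under a second"


if __name__ == "__main__":
    # Same core password, growing by one character class at a time.
    for pw in ("abcdefgh", "Abcdefgh", "Abcdefg1", "Abcdef1!", "Mfcib!2023.", "Mfcib!2023.Trip"):
        print(f"{pw:18} {entropy_bits(pw):6.1f} bits  {human_duration(seconds_to_exhaust(pw))}")
```

Two things the numbers make obvious: length dominates (each added character multiplies the work by the whole alphabet size, while adding a class only grows the alphabet), and the estimate is only as good as the assumed rate, which is exactly why a slow, salted hash on the server side matters as much as the password itself.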

Password Monster Results

Password best practices and most common faults

Even if you create a strong password, there are still risks and faults to be aware of. Here are some best practices and common risks/faults to consider:

  1. Don’t reuse passwords across multiple accounts. If one account is compromised, all of your other accounts will be at risk.
  2. Change your passwords regularly, at least every three months.
  3. Don’t share your passwords with anyone, including family and friends.
  4. Avoid writing down your passwords or storing them in an unencrypted file on your computer.
  5. Be aware of phishing scams and never click on links in suspicious emails.

Advanced security tips

In addition to creating strong passwords and following best practices, there are some advanced security tips you can implement to further protect your accounts. These include:

  1. Use a password manager to store and manage your passwords securely. Password managers generate and store strong passwords for you and can autofill them into login fields. Some popular password managers include KeePassXC and Bitwarden.
  2. Enable two-factor authentication (2FA) on your accounts. 2FA adds an extra layer of security by requiring a second form of authentication, such as a code sent to your phone or a biometric scan. Many online services offer 2FA, including Google, Facebook, and Twitter.
  3. Consider using a hardware security key, such as a YubiKey, for even stronger authentication.

Password security is critical in protecting your online accounts from cyberattacks. By following these tips and best practices, you can create and manage strong passwords and reduce the risk of your accounts being compromised. For more information on password security, check out resources from the National Cyber Security Alliance, the Federal Trade Commission, and the Cybersecurity and Infrastructure Security Agency.
