Protecting your sensitive information from the wrong people is a major concern in the information age. That almost always, at some level, involves passwords.

You’ve seen those aggravating password policies that require certain characters or a certain length, or that make passwords expire every so often. Here, let’s reverse engineer what makes a good password, and determine how you can create consistently good passwords.

Ways to “hack” a password

To state the obvious, a password works if you know it. There may be additional authentication factors in a given system that verify one’s identity, but as we’re just looking at passwords, a system doesn’t care who enters the password: anyone who knows the password can authenticate with it. There are several ways the wrong people may come to know a password they shouldn’t.


This often originates via a fraudulent email, with the end goal of having the user type their actual password somewhere that allows the attacker to see or copy the password and use it themselves. They are hoping the user is either not aware of such scams or not paying attention to the warning signs (email sender, browser domain name, typos...). In my own experience, this is the most common cause of “getting hacked.”


This would be the Sherlock Holmes style of password cracking. The person trying to access the information would, usually through social engineering, learn details about their target (pet’s name, anniversary date, etc.) and try those. They are hoping their target chose something short and easy to remember. Or wrote it on a sticky note underneath their keyboard.


These lists can come from the data breaches that make headlines, or from smaller ones you never hear about, but the result is the same: actual passwords are obtained and shared. Responsible organizations will force a password reset and notify their users as soon as they become aware of a breach, but attackers hope the victims use that same password on multiple systems and try it elsewhere.


This one lets computers do all the work. A fairly simple script cycles through either a dictionary of common passwords or every possible combination of characters until it finds one that works. The hope here is that the password is short enough that a computer can crack it in a reasonable amount of time, and they’re getting faster every day.

Bad passwords

So to mitigate all those methods, we don’t want a password to be:

  • guessable

  • reused

  • short

But it does need to be easy to remember...
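The three properties above can be checked mechanically. The following is an added example, not part of the original article: the common-password list, the guessing rate, the 100-year threshold and all sample passwords are constructed assumptions.

```python
import re
import string

# Assumptions for this sketch (none of these values come from the article):
COMMON = {"password", "123456", "qwerty", "letmein", "welcome"}  # constructed sample list
GUESSES_PER_SECOND = 1e10              # assumed offline guessing rate
MAX_CRACK_SECONDS = 100 * 365 * 86400  # "short" = exhaustible within 100 years
LEET = str.maketrans("013457@$", "oleastas")  # undo common character swaps
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation + " ")


def guessable(password, personal_details=()):
    """True if the password is a known-common one or is built from personal details."""
    lowered = password.lower()
    # "P@ssw0rd!" -> "password": reverse substitutions, keep letters only
    core = "".join(c for c in lowered.translate(LEET) if c.isalpha())
    # Break details such as "2015-06-14" into searchable tokens of 3+ characters
    tokens = [t for d in personal_details
              for t in re.findall(r"[a-z0-9]{3,}", d.lower())]
    return lowered in COMMON or core in COMMON or any(t in lowered for t in tokens)


def brute_force_seconds(password):
    """Average time to try every combination, assuming randomly chosen characters."""
    pool = sum(len(cls) for cls in CLASSES if any(c in cls for c in password))
    return pool ** len(password) / 2 / GUESSES_PER_SECOND


def audit(password, in_use=(), personal_details=()):
    """Return which of the three 'bad password' properties apply."""
    problems = []
    if guessable(password, personal_details):
        problems.append("guessable")
    if password in in_use:  # in_use: passwords already used on other sites
        problems.append("reused")
    if brute_force_seconds(password) < MAX_CRACK_SECONDS:
        problems.append("short")
    return problems


if __name__ == "__main__":
    vault = {"kV9#tq2LmZ!x7Rw@Pf4s"}  # constructed: passwords already in use
    for pw, details in [("P@ssw0rd!", ()), ("Rex2015!", ("Rex", "2015-06-14")),
                        ("kV9#tq2LmZ!x7Rw@Pf4s", ()), ("t7&Qz!mE2#vLp9@WxK4c", ())]:
        print(f"{pw!r}: {audit(pw, vault, details) or 'ok'}")
```

The brute-force figure only covers exhaustive search over random characters; a password made of real words is caught, if at all, by the guessable check.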

Practical passwords

Personally, I have passwords to ~300 websites. That doesn’t include all the passwords I use as an IT admin. Out of those, I could only tell you what two of them are: the one for my bank, and the one for my password manager.

Password manager

Password managers remember all your passwords for you, so you don’t have to write them down. Decent ones store your passwords in a cryptographically secure way that only you can access, essentially making them “breach proof.” Good ones will work on all your devices, and can also generate long, random passwords for you, so you have no reason to reuse a password you used elsewhere. Great ones will even track all those breaches for you, so you can change any compromised passwords as soon as possible.

At Envision Design, we use and recommend 1Password for personal and business use. You can read more about this popular and secure password manager and contact us for a quote for your team.


When you do need a password you can remember, like for your password manager: use a passphrase. Pick a favorite verse from a song, or quote, or line from a book... you already have a lot of phrases memorized, so use that! For example, the passphrase:

Welcome 2 the Jungle — we’ve got fun & games!

is long, I’m the only one who knows how I chose to spell, punctuate and capitalize it, and is super easy for me to remember. (I put passphrases after password managers because many sites don’t allow for lengthy passwords with all the symbols, so you’ll still need those randomly generated strings.)

Still have questions about how to protect your personal or business information online? We offer a full array of cyber security services and products, so reach out to us to set up a quick meeting or consultation!