Cyberwarfare, cyber-attacks, and cybercriminals are all buzz words in our media. Nations are attacking nations in what could potentially be a cyber “world war III” as stated in a CNN article. With Cyber Security on a rise, all end users have to be mindful of keeping their data safe and secure from potential cybercriminals.
The most immediate medium of attacks comes from getting their hands on your passwords. Password security is an absolute necessity. Not just for organizations and company secrets but for the end-users own personal devices. Yes, I know, most persons don’t like having to input a password every time they have to get access to some files. It’s even worst for companies, especially when there are policies that say to change your password once every 30 days.
It becomes even more troublesome when we have to consider that there are passwords for just about everything nowadays. Passwords for subscriptions, emails, website access, reading articles, and the like. Just about everything on the web requires some login to gain full access, which interns require a password. Now having to create a password for each of those resources can seem a bit overwhelming. So most end-users use something that they can easily remember, like the high school they went to or the town they live in, or even their favorite sports team. But what consists of a good password? In this article, we will talk about what makes up a good password.
When a hacker hacks a server, the 2 primary ways this is done are by security holes through a web application like an addon/plugin or the hacker has guessed a password of a user on the server. Hence gaining access to that server and performing their malicious deed. When I say that the hacker has “guessed” the password, I do not mean that the hacker seats behind their computer and try to figure out what your password might be on a whim.
Most often they use softwares and tools that generate 100s of passwords per minute, what is knows as “Brute Force” hacking. If your system has a locking mechanism after a certain amount of passwords, there are systems that generate a list of most likely passwords based on some pre-determined criteria, like where the person lives, their date of birth, and the like. All of which are the prime starting point to hack your password.
What makes up a good password?
Before we look into a good password, let’s look into what you should never use as a password(The Ugly) and what is typically used as a password(The Bad). Then we will get into what should be used as a good password (The Good).
a. What You Should Never Use As a Password. (The Ugly)
So let’s start with the Ugly, what you should NEVER use as a password are:
- Default Passwords.
- Words associated with your person and/or organization.
So what are Default passwords? These are the passwords that come readily available on a package or a manufacturer password pre-determined. These kinds of passwords can be easily shared and made available on the web or by the company providing that service. For instance, most routers have a default log-in, that default log-in credential can be placed on a forum for troubleshooting purposes or by simply calling that company and asking for the default. Sometimes the default password is in the manual, readily available for use.
These sorts of passwords should never remain on your device in fact most devices with default passwords would ask you to change the password as soon as you boot up the device. Do NOT leave the default and think your device is safe and do not add a letter or number to the default password either. For instance, some default log-ins are username: admin, password: admin. Do not leave the username and then just change the password to admin1 or admins. These are not secure passwords and should be avoided at all costs.
WORDS ASSOCIATED WITH YOUR PERSON AND/OR ORGANIZATION
As mentioned earlier, when a hacker uses tools that generate passwords, they are typically based on preassumed notions, like where the person lives, the name of the individual, and the name of the individual organization. These passwords are typical in users because they are easy to remember and require little effort to generate on the fly. But these types of passwords are trivial to a hacker and should be avoided at all costs.
Most hackers gain information from unsuspected users by means of social engineering. Social engineering is a term used for a broad range of malicious activities accomplished through human interaction. Imperva.com states that it “uses psychological manipulation to trick users into making security mistakes or giving away sensitive information.” A common social engineering tactic is that of using emails.
An example of such an email might be one that describes a person that needs to send you some money and they are asking you for your address, your bank account number, your spouse’s name, and your date of birth verify that it is you when the money arrives. All of this information at the forefront may seem harmless, especially when the malicious person is offering to send a large sum of money. One might even ask how could it hurt to give them that information.
The fact is it does hurt, and it will hurt you if you do provide such information. What the hacker now has is a list of words associated with you as a person that they can use to try to hack into your system and your organization’s system. It could be your favorite sports team, your favorite show, your mother’s maiden name, or the date your graduated from high school or got married. Do not add any one of those words in your password because if a hacker gets access to that information then they can use it against you.
Most security questions used to recover passwords actually use questions like What is your mother’s maiden name? or What year you graduated from high school? All this information should also not be shared, because a potential hacker could use that information to initiate a password recovery and hijack your account.
b. What is typically used as a password? (The Bad)
Usually, most websites have password difficulty bars that show how difficult your password is and usually require some upper-case, digit, and special character. A special character is an exclamation point, a hast tag, or something like that. But these passwords, though they have varying characters, can be easily cracked by softwares. Here is a list of passwords and the amount of time they can be cracked by an average password cracker.
|Time to Crack
|7 characters password with 1 upper-case, 2 digits, and 1 special character.
|8 characters password with 1 upper-case, 2 digits, and 1 special character.
|10 characters password with 1 upper-case, 2 digits, and 1 special character.
The first kind of password with 7 characters can be cracked at 0.24 minutes, which is not very long. When password checkers ask you to enter passwords that is 7 characters in length, it is really the most basic kind of password one can have. The longer your password is, however, with the same 1 upper-case, 2 digits and 1 special character is much harder to crack.
By just adding one more character to your password you are increasing the time to crack to 1.11 Hours, that is a whole lot better than the previous password by just 1 character. But that time is still not that long. By adding 2 more characters making the password length 10 characters with the same criteria you bring the time to crack your password to 31.17 days. Now that’s a strong password!
With a password like that you are well on your way to having a secure environment. Now that might just be good enough for your needs. Depending on your environment, the organization/company would give your system administrators more than enough time to find out who or what is trying to get into your computer.
That’s why some companies have policies that require you to change your password every 30 days. It would give a potential hacker a very hard time to get into your system and make it nearly impossible if your password is changed every 30 days with that 10 character password difficulty using the same password scheme.
So if 10 characters make it difficult for your password to be crackers well over 30 days, then adding more characters would bring up that time even more. So let’s look at a good password.
c. What should be used for a good password? (The Good).
A good password is one that is not easily guessed or cracked. And by simply adding 1 more character to the mix we increase the time it would take to crack the password significantly.
|Time to Crack
|11 characters password with 1 upper-case, 2 digits, and 1 special character.
So as we can see, with 11 characters and the same password scheme, the chance of your password being crackers becomes nearly impossible. The first step in a good password is the password length. At least 11 characters long, with 1 upper chase, 2 digits, and 1 special character should be your go-to standard for all your passwords.
But how am I going to remember 11 characters? That’s a very good question. Most people don’t remember words with so many characters, let alone their passwords. So the 2nd step in creating a good password is to use passphrases instead of passwords to create sufficient length.
The passphrase could be a quote that you’ve memorized, or a nursery rhyme, or a phrase from a song you enjoy. Any phrase that you know well can be used for your passphrase, along with the before mention password criteria and you will have a full proof password. An example of this passphrase would be something simple like:
This phrase consists of 19 characters, 1 uppercase, 2 digits, and 1 special character and is fairly easy to remember. It simply reads “Daily events and facts!” But instead of an E, it is replaced with a 3, and an S it is replaced with a 5, along with a ! in the end. A password like that would be virtually impossible to crack. And to add even more security, one could simply exchange another letter with a number or add another special character.
By using phrases you can easily create passwords that are 11 characters and meet all the necessary requirements.
Password Security is of utmost importance in this digital age. We must remember to not leave any of our passwords at default. To not use personal information that is publicly available for our passwords. We should have at least 11 characters, 1 upper care, 2 digits, and 1 special character in our passwords. By following these steps your passwords will always be safe.