With online security, a business’ biggest vulnerability is weak passwords. No matter how robust your network is, if anyone gets access to your passwords they can steal personal and business data, infect your files or delete your entire website.
Even if you are diligent and follow good practice, modern password cracking techniques are so sophisticated that no business is immune. Improvements in password cracking technology have enabled hackers to find the right sequence of characters, even for complex passwords, in just a few hours.
And new methods, using ‘dictionaries’ of frequently used character patterns found in previously hacked passwords now make this process even faster and easier to achieve.
So, how do you stay one step ahead of the hackers? In this article, we’ll explain how hackers continue to outmanoeuvre password defences and what you will need to put in place to protect yourself.
Why short, complex passwords are no longer adequate
The advice most businesses follow is to create passwords of around 8-12 characters that contain a combination of lower and uppercase letters, numbers and symbols. However, there are problems with these.
1. People forget them
The human mind finds it very difficult to remember random strings of numbers and letters, especially when they contain capitals and lowercase characters and symbols. As a result, people get tired of being locked out and save the password somewhere it can be found. Easy pickings for a clever hacker.
2. They are easy to crack
Using a network of high-powered computers and sophisticated software, hackers can make up to 350 billion attempts at finding a password every second. At that speed, a brute force attack can crack every single 8-character combination in less than 2 ½ hours. That’s over 3,000 trillion different combinations.
As a defence against highly equipped and determined hackers, short, complex passwords are obsolete. If this is your current practice, you will need to make changes to your password management practices.
Unfortunately, even longer, complex passwords are vulnerable. This is due to the fact that, to help us remember them, we create ones which have meaning for us. Rather than use random combinations like [email protected]#24zP0 we prefer [email protected]=05-10 or iW0rkin$ale$d£pt.
It shows the sophistication of hackers that they have analysed hundreds of millions of stolen passwords to produce ‘dictionaries’ of the most common strings of characters people use. They now have software that actively seeks these out, and this has massively increased their ability to crack complex passwords quickly.
Why passphrases offer better protection
To significantly reduce the chances of your password being cracked, it’s safer to use a passphrase than a password. Passphrases are strings of words combined together which, because they are longer, are more difficult to crack.
Here are our top tips for choosing a secure passphrase.
1. Unrelated word sequence
Using this method, you create a sequence of four or five unrelated words.
It’s important that they are unrelated because if there is a connection, the hacker’s software will pick up on it. Do not use a well-known phrase, song lyrics or combinations like “shirt tie trousers jacket”. Instead, use random words, such as “vanilla flowerpot birthday engine”.
To make the passphrase more secure add capitals, numbers and symbols – but make sure you can remember them, for example:
“vanilla flowerpot birthday engine”
2. Modified memorable phrase
The second method is to find a memorable sentence and adapt it in a way which only you understand. For example if your phrase was, “to boldly go where no man has gone before” you could do the following:
- Remove vowels: tbldlygwhrnmnhsgnbfr
- Change words that sound like numbers into numbers: 2bldlygwhrnmnhsgnb4
- Change every 5th letter into a capital: 2bldlYgwhrNmnhsGnb4
- Put the symbols above the numbers 1, 2 and 3 on a keyboard after each capital: 2bldlY!gwhrN"mnhsG£nb4
What you are left with is a highly complex passphrase for a hacker to crack but, for the user, it is a memorable phrase that has been adapted in a way which can be easy to remember – especially if they can remember the methods they used to create it.
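The four steps above, written out as an added Python example that is not part of the original article. The table of number-sounding words, the UK Shift+1/2/3 symbol order and the rule that digits are skipped when counting every 5th letter are assumptions chosen to reproduce the article’s intermediate strings.

```python
import itertools

# Constructed sound-alike table (an assumption, not from the article): whole
# words, or word endings of three or more letters, that are swapped for a digit.
NUMBER_SOUNDS = {"to": "2", "too": "2", "two": "2",
                 "for": "4", "four": "4", "fore": "4", "ate": "8"}
UK_SHIFT_SYMBOLS = '!"£'  # Shift+1/2/3 on a UK keyboard, as in the article

def strip_vowels(phrase):
    # Step 1: drop a/e/i/o/u, spaces and punctuation ('y' is kept, as in the article).
    return "".join(c for c in phrase.lower() if c.isalnum() and c not in "aeiou")

def numberize(phrase):
    # Step 2: swap number-sounding words or endings for digits, then strip vowels.
    # The swap runs on the original words, so 'to' and 'before' are still recognisable.
    words = []
    for word in phrase.lower().split():
        if word in NUMBER_SOUNDS:
            word = NUMBER_SOUNDS[word]
        else:
            for sound, digit in NUMBER_SOUNDS.items():
                if len(sound) >= 3 and word.endswith(sound):
                    word = word[:-len(sound)] + digit
                    break
        words.append(word)
    return strip_vowels(" ".join(words))

def capitalise_every_nth_letter(s, n=5):
    # Step 3: upper-case every n-th letter. Digits are not counted: that is the
    # assumption needed to reproduce the article's 2bldlYgwhrNmnhsGnb4.
    out, seen = [], 0
    for c in s:
        if c.isalpha():
            seen += 1
            if seen % n == 0:
                c = c.upper()
        out.append(c)
    return "".join(out)

def add_symbols_after_capitals(s, symbols=UK_SHIFT_SYMBOLS):
    # Step 4: after each capital, insert the next symbol, cycling through them.
    cycle = itertools.cycle(symbols)
    return "".join(c + next(cycle) if c.isupper() else c for c in s)

def transform_steps(phrase):
    # Apply the four steps in order and return every intermediate string.
    step2 = numberize(phrase)
    step3 = capitalise_every_nth_letter(step2)
    return [strip_vowels(phrase), step2, step3, add_symbols_after_capitals(step3)]
```

Running `transform_steps("to boldly go where no man has gone before")` returns the four strings shown in the list above, in order.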
Other examples of this method could be:
- My favourite food is chicken tikka masala and rice: [email protected]+r
- I love 8 Out of 10 Cats does Countdown: il8/[email protected]
- I look like one of Santa’s elves: i[email protected]@s<(o,o)>s
Passphrases pose a much greater challenge to hackers than passwords because their uniqueness means their strings won’t be found in any hacking dictionary and their length will take hacking software much longer to find the right character combination.
However, that doesn’t mean they are invulnerable. As more companies begin to use passphrases, hackers will be forced to rise to the challenge and it will only be a matter of time before these, too, become much easier to crack.
Why long, complex passwords are the best option
The best option, by far, is to have very long and complex passwords made from random characters. This is because random characters make the use of cracking dictionaries redundant and significantly lengthening passwords massively increases the time and computational power needed to crack them.
The downside, of course, is that these passwords are almost impossible to remember. There is, however, a very easy solution: the password manager.
Why password managers offer the best security
The most secure method for protecting passwords that is currently available is to use a password manager. A password manager is an application that:
- Generates exceptionally strong passwords (30 – 50 random characters)
- Lets you create separate passwords for each user account you need to sign into
- Can be used on computers and mobile devices (and synced across them)
- Encrypts your passwords and stores them in a secure database
- Inputs the passwords for you so you do not need to remember them
All you need to do is create and remember one passphrase, which is needed to access the password manager’s database. The password manager then automates the login for you.
As your password manager stores all your passwords, it is essential that you do not forget the passphrase.
There are a variety of password managers available to download on the internet; some are free whilst others charge either for the software or an annual fee.
Popular password managers include:
Additional tips for password security
Here are some of our favourite tips for keeping your passwords secure:
1. Never use the same password for different accounts
Hackers know that many people use the same password on many different accounts. If they manage to crack your password on one account, one of the first things they will do is to try and access as many other accounts as they can – usually starting with your bank accounts.
2. Have a strong email password
For many accounts that you hold, in order to change your password, companies will ask for email verification. If a hacker gets hold of your email password they can lock you out of your email account and then, systematically, change passwords to all your other accounts too, as well as accessing all the sensitive information on your emails.
3. Never share your passwords
Sharing passwords makes them vulnerable. You cannot guarantee that the device on which it has been used or the environment in which you are passing the information is secure. If you have shared your password, you should change it immediately.
4. Never email anyone your password
Many people have a bad habit of leaving their email on show for everyone passing to see.
If you have sent your password in an email to someone who does this, it becomes exceptionally vulnerable. With website administration, it is sometimes necessary to give someone access to the admin panel if you have an issue.
Rather than give out your own password, set up a new temporary account, with restricted access if possible. If you have to send a password by email, make sure the email is encrypted or sent using an encryption service.
5. Don’t save passwords in a web browser
Browsers don’t store passwords securely. If a saved password appears as a row of dots in the input field, anyone with access to the browser can reveal the actual characters in less than a minute using the ‘Inspect Element’ tool.
6. Be safe on public computers
Never use the ‘Remember Me’ or ‘Save Password’ options on public computers.
This makes the password and account you logged into available for anyone else who uses the computer. You should also log out of any account and close all browsers when you are done.
7. Be careful signing into WiFi hotspots
Hackers have been known to set up rogue free WiFi hotspots which require you to sign up to gain access – at which point they capture your personal information.
They also use ‘sniffer software’ to intercept your password when you sign into genuine hotspots via WiFi.
8. Use two-factor authentication
If possible, use two-factor authentication to log in to an account. Two-factor authentication is where, besides using a username and password, you are required to enter a code delivered by an app, telephone keypad or text message.
This level of security means a hacker would need access to your telephone as well as your password to break into your account, which makes it much more secure.