The Wall Street Journal recently published an article, "Password Hacking Forces Big Tech Companies to Act," which briefly covers the recent breaches of social media accounts at Facebook, Twitter, and LinkedIn. If you fear you may have been affected by these breaches, you can check here to see whether your accounts have been compromised. A strong, complex password is one of the best defenses against attackers looking to gain access to your identity and personal data. Last month we hosted a security webinar covering the critical facts and fundamentals of IT security that every business owner must know, where we briefly discussed password managers and two-factor authentication. Today I want to expand on password management and go over some do's and don'ts for the most important security layer protecting your information.
Weak passwords and weak password policies are among the easiest ways into a network or someone's personal information. Short passwords can be cracked in seconds by programs that simply try every possible combination of characters. To see how length changes the picture, look at the chart below, which shows the relative time it takes to brute-force a password as the number of characters grows.
Password length: time to crack*
6 characters: 11 hours
7 characters: 6 weeks
8 characters: 5 months
9 characters: 10 years
*Assumes each character can be any printable ASCII character (95 possibilities) and a fixed guessing rate. Every extra character multiplies the attacker's work by 95, which is why the times grow so steeply; the absolute figures depend on the attacker's hardware and on how the site stored the password (a fast unsalted hash such as MD5 falls orders of magnitude faster than bcrypt or scrypt), so read the chart for the trend rather than the exact numbers.
A 9-character password can be strong, but many people pick an easy-to-remember 9-character word instead. Attackers know this too, so they build and share dictionaries of common passwords. Avoid dictionary words, slang terms, common misspellings, and words spelled backward: permutations of common words (capitalized, reversed, with digits or symbols appended, with letters swapped for look-alike characters) are all in a typical cracking dictionary. With these so-called dictionary attacks an attacker shortens the time to crack a password from years to minutes, because only a tiny fraction of the theoretical keyspace ever has to be tried. The same rule applies to security questions, the ones you answer when you click the "forgot password" link on a webmail service or other site. Many people answer with the first names of children, spouses, relatives, or even pets, and those answers can often be deduced with a little research on your social media profiles. When it comes to managing passwords we have to shift our way of thinking.
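The two attacks above, brute force against the full keyspace and a dictionary attack with mangling rules, can be made concrete. The following is an added example written for this post, not code from the article or the webinar; the wordlist, the rule set and the 1e9 guesses-per-second rate are constructed for illustration, and the stored hashes are unsalted SHA-256 so the point about attack cost stands out (a real site should use bcrypt, scrypt or Argon2, which only slows the same attack down).

```python
import hashlib

# Printable ASCII has 95 characters: the chart's "any ASCII character" assumption.
PRINTABLE_ASCII = 95


def keyspace(length, alphabet_size=PRINTABLE_ASCII):
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def brute_force_seconds(length, guesses_per_second, alphabet_size=PRINTABLE_ASCII):
    """Worst-case time to try every password of this length.

    `guesses_per_second` is an assumed attacker rate. It depends on hardware and,
    above all, on how the site stored the password: a fast unsalted hash (MD5,
    SHA-1, SHA-256) allows billions of guesses per second on a GPU, a slow hash
    (bcrypt, scrypt, Argon2) only thousands. That is why published charts disagree.
    """
    return keyspace(length, alphabet_size) / guesses_per_second


# Substitutions and suffixes modelled on the mangling rules cracking tools apply
# to every dictionary word. Hypothetical minimal rule set, for illustration only.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
SUFFIXES = ("", "1", "123", "!", "2015")


def mangle(word):
    """Return the variants of one dictionary word that a typical rule set tries."""
    bases = [word, word.capitalize(), word.upper(), word[::-1], word.translate(LEET)]
    variants = []
    for base in bases:
        for suffix in SUFFIXES:
            candidate = base + suffix
            if candidate not in variants:
                variants.append(candidate)
    return variants


def dictionary_attack(target_hash, wordlist, algorithm="sha256"):
    """Try every mangled wordlist entry against an unsalted hex digest.

    Returns (recovered_password, guesses_made); the password is None on failure.
    """
    guesses = 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            digest = hashlib.new(algorithm, candidate.encode()).hexdigest()
            if digest == target_hash:
                return candidate, guesses
    return None, guesses


# Constructed sample wordlist; real lists (rockyou.txt and friends) hold millions.
SAMPLE_WORDLIST = ["password", "welcome", "sunshine", "letmein", "dragon", "monkey"]


def demo():
    """Compare both strategies on two stored hashes of 9-character passwords."""
    weak = hashlib.sha256(b"Sunshine1").hexdigest()    # dictionary word + digit
    strong = hashlib.sha256(b"yg7#Pq2@L").hexdigest()  # 9 random printable characters

    rate = 1e9  # assumed GPU rate against unsalted SHA-256
    years = brute_force_seconds(9, rate) / (86400 * 365)
    print(f"9-char brute force at {rate:.0e} guesses/s: {years:.1f} years")
    print("dictionary attack on 'Sunshine1':", dictionary_attack(weak, SAMPLE_WORDLIST))
    print("dictionary attack on random 9 chars:", dictionary_attack(strong, SAMPLE_WORDLIST))


if __name__ == "__main__":
    demo()
```

Running it shows the asymmetry the chart hides: the random 9-character password survives the whole wordlist, while "Sunshine1" falls after a few dozen guesses even though it has the same length and the same brute-force cost.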
Love him or hate him, Edward Snowden has a solid idea when it comes to passwords. John Oliver and Edward Snowden discussed password security on Last Week Tonight with John Oliver in the episode that aired on April 9, 2015. "The best advice here is to shift your thinking from passWORDs to passPHRASES," Snowden recommended. "Think about a common phrase that works for you. It's too long to brute force and also makes them unlikely to be in the dictionary." This way of thinking isn't new, and it aligns with many security experts' views on password creation, but the method must be used correctly to be effective. Remember that common words are easily exploited as passwords, and the same goes for common phrases: song lyrics, movie lines and famous quotations are in cracking wordlists, along with the obvious substitutions of digits and symbols for letters. Create passwords that are easy for you to remember but hard for others to guess. When possible, use a phrase to help you remember the actual password. A good illustration of the technique is remembering the phrase "To be or not to be?" and using "2B-or-Not_2b?" as the password; in practice, pick a phrase that is personal to you rather than a line everyone knows, and treat this particular example as burned now that it is published. It's not advisable to write your passwords down, but a good alternative is a "tip sheet" that gives you a clue to remember each password. For the example above, your tip sheet might read "To be, or not to be?" This is just one good practice when it comes to managing your passwords.
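The passphrase advice can be quantified. The example below is added here and is not code from the article or from the show; it goes one step beyond the mnemonic method in the text by generating the words at random from a list (the diceware approach that password managers use for their passphrase generators), because entropy then comes from the selection process rather than from a quotation the attacker may already have in a wordlist. The small wordlist is constructed for the example, and the quotation and rule counts in `mnemonic_caveat` are hypothetical attacker knowledge, not measured figures.

```python
import math
import secrets

# Constructed sample wordlist. A real list such as the EFF long list holds 7776
# words; the entropy functions take the list size as a parameter, so the figures
# quoted for a real list are exact even though this sample is tiny.
SAMPLE_WORDS = [
    "anchor", "basil", "cactus", "dune", "ember", "falcon", "glacier", "harbor",
    "iris", "jigsaw", "kettle", "lantern", "meadow", "nickel", "orbit", "pepper",
    "quartz", "ripple", "saddle", "timber", "umbrella", "velvet", "walnut", "yonder",
]
EFF_LONG_LIST_SIZE = 7776  # five dice rolls per word: 6**5


def generate_passphrase(word_count=6, wordlist=SAMPLE_WORDS, separator=" "):
    """Pick words with the OS CSPRNG via `secrets`; `random` is predictable."""
    return separator.join(secrets.choice(wordlist) for _ in range(word_count))


def passphrase_entropy_bits(word_count, wordlist_size):
    """Entropy of a passphrase chosen uniformly from wordlist_size**word_count."""
    return word_count * math.log2(wordlist_size)


def password_entropy_bits(length, alphabet_size=95):
    """Entropy of a password chosen uniformly from printable ASCII."""
    return length * math.log2(alphabet_size)


def words_needed(target_bits, wordlist_size):
    """Smallest number of words that reaches the target entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def mnemonic_caveat():
    """Why "2B-or-Not_2b?" is weaker than its 13 characters suggest.

    Entropy measures the attacker's uncertainty about how the secret was chosen,
    not the string's length. An attacker who knows the password is a famous
    quotation with leet substitutions searches (quotations x rule variants),
    not 95**13 strings. The two sizes below are hypothetical, for illustration.
    """
    naive_bits = password_entropy_bits(13)
    quotations, rule_variants = 100_000, 1_000  # assumed attacker knowledge
    informed_bits = math.log2(quotations * rule_variants)
    return naive_bits, informed_bits


if __name__ == "__main__":
    print("random passphrase:", generate_passphrase())
    print(f"6 words from the EFF list: {passphrase_entropy_bits(6, EFF_LONG_LIST_SIZE):.1f} bits")
    print(f"12 random printable chars: {password_entropy_bits(12):.1f} bits")
    print("words needed for 80 bits:", words_needed(80, EFF_LONG_LIST_SIZE))
    naive, informed = mnemonic_caveat()
    print(f"'2B-or-Not_2b?': {naive:.1f} bits naive, about {informed:.1f} bits if the phrase is known")
```

Six random words from the EFF list give roughly the same entropy as twelve random printable characters, and are far easier to remember; a memorised phrase of your own still works, provided it is something an attacker cannot look up.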
Some other best practices when dealing with passwords include:
- Use a different passphrase for every account, so one breached site does not expose the others.
- Change a password immediately when a service reports a breach or you suspect it has been exposed. If your policy also rotates passwords on a schedule (90 days is a common rule of thumb), make each new password genuinely new rather than the old one with a digit bumped; predictable rotations are the first thing a cracking rule tries.
- Enable two-factor authentication on every account that offers it.
- Use a password manager (or a "tip sheet") so that you are never tempted to fall back on weak, easy-to-remember passwords.
- Run comprehensive security software and keep all software up to date, to keep keyloggers and other malware off your machines.
- Always lock your PC and mobile devices when you step away from them.
- Lastly, avoid entering passwords on public PCs, like those in a library.
If you are interested in more security tips like these, subscribe to our monthly newsletter. If you would like a second opinion on your business's cybersecurity practices, contact us here. We offer a free consultation for new clients.