Are your passwords sophisticated? Do they use different character types, like uppercase and lowercase letters, numbers and punctuation? Do you use unique passwords for every site? If you can’t answer ‘yes’ to these questions, you’re not alone. But you’ve got yourself a problem.
Because, although we all know we need to use strong passwords, very few of us actually do. It can’t be that bad, can it?
Well, having an easy-to-guess password is like leaving your front door open, with your wallet open on the doormat, with a neon sign that’s visible from the street. You’re setting yourself up to get hacked.
Having a slightly more complex password means you’re at least turning off the neon, closing the front door, and hiding your wallet. It might take a hacker minutes—rather than seconds—to crack your password and breach your account(s).
Having the sense to read through this piece and implement our advice might mean you essentially put your wallet in a safe, behind a steel door, and a security guard. That way they don’t crack your password at all.
The take-home message is this: you need to change your passwords. Luckily, it’s a relatively easy fix. And I’m here to help.
But first, I want to delve into the world of the hacker. Before we fix the problem, let’s understand it. Let’s get to grips with exactly how easily someone can access your data, what they can do with it, and what that could mean to you.
Just like we tell kids about the danger of talking to strangers, this piece is designed to scare you a little… so you realise why this is really important.
How do companies store our data and passwords?
If you’ve ever shopped online, joined a social media platform, or downloaded an app, you’re trusting a company, somewhere, with your details.
That company will hopefully spend a good amount of time and money trying to hide those details from hackers – through encryption.
Using a process called a hashing algorithm—a one-way conversion step—site operators take your plain text password and transform it into a form of gibberish, of letters and numbers. When you try to log in to their site, they pass your details through the same process. If the gibberish matches, they let you in. Open sesame.
So, you think hashing your passwords make them safe?
The answer, unfortunately, is no.
There were over 2,000 confirmed data breaches in 2019. There are already hundreds in 2020, with big companies like Twitter, Last FM, LinkedIn, and Yahoo all falling foul to the hackers.
The problem is growing so quickly, governments are throwing billions of dollars into their attempts to disrupt cyber crime.
Once the data has been accessed, all the hashed passwords—the gibberish—including yours, often gets dumped on the internet. Now, hashed codes can’t be reversed, because they are just random nonsense, but hackers can get around this.
Using commonly available hashing cracking tools, hackers can scan the list of passwords. At speeds of up to 40 billion records per second they run your passwords through these sophisticated – yet scarily simple – systems:
Brute force mode: The first type of password cracking is the simplest process. This is when the system tries to simply guess your username and password using trial and error.
In its most basic form, this is every letter: A through Z, then AA through ZZ, and so on, This allows a hacker to try many different combinations of your login information.
Logically, the more combinations they have to try, the harder it is to crack the password.
- If you use a five character password of lowercase letters you can be cracked in seconds. In fact, make that nano-seconds, as the total number of possible passwords is 26^5 or 11,881,376 possible combinations. Pretty easy pickings when you’re running 40 billion record checks per second.
- If you choose an 11 character password, only using lowercase letters, the total number of possible passwords is 26 ^11, or 3,670,344,486,987,776 possible passwords.
As you can see, the shorter password is infinitely easier to crack. Add in combinations, special characters, upper case and numbers and the number of possible passwords increases further.
The longer and more complicated the specification, the longer the process – and the more impractical for the hacker.
Dictionary attack: This makes assumptions about the words we are using in the password. A systematic way of guessing passwords, it checks commonly used words and common variations like p@ssworD, trying all variations until it has exhausted them. This is an effective way of cracking most passwords, as we tend to use words we remember.
But it gets worse. When the dictionary lists are created from previously hacked lists which, incidentally, they are, it’s a bit of a game changer in the hacker world.
RockYou is a list of around 30 million actual passwords (from a company that wasn’t hashing the data) that are being used in real life. With every hack, more passwords are being added to the list.
How will a hacker use my password when it’s cracked?
As you can see, when hashed passwords go out onto the internet, within hours half of them have been cracked. Now the hackers really are in control.
In most cases, data theft is financially driven. Usernames and passwords are also often sold in bulk, on the dark web, to other hackers.
In a process called ‘credential stuffing’, hackers use increasingly sophisticated software checkers to determine if your email address is being used as a login on other sites. They then use your login credentials to transfer money from your bank account or make online purchases.
Scared? You should be.
In fact, there’s a good chance you are already listed on a website that has been compromised.
Making passwords more difficult to hack in three simple steps.
To start, you can check what data breaches your accounts have shown up in on a site such as: https://haveibeenpwned.com/
After that, there are a few key rules to make sure your details are as safe as possible.
- Use a password manager – with a strong master password. As annoying as it may be, you really do need to increase the length and complexity of your passwords. Now, memorising a complex password for each account is impossible for the human brain, but it’s exactly the sort of chore computers are good at. That’s why you should use a password manager. A password manager can help you to select complex passwords. It encrypts this information (local encryption is best) and securely stores each password in a digital vault, then automatically fills the passwords into login pages. This allows you to manage all passwords safely, with just one password to remember (to enter the password manager). This needs to be your strongest password of all.
- Never, ever use the same password on multiple logins. This is about damage limitation. The danger of reusing passwords in an interconnected web is now obvious. If hackers get a hold of your password on one site, they typically try to log into other sites using the same password. In many cases, they’re successful. They can often continue this cycle until they reach your bank account. This is called a chain breach. Every time you reuse a password on another site, you stand a higher risk of being a chain breach victim. The simplest way to avoid this is to make sure you use a different password every time.
- Use two step verification. As I explained at the start of this article, no matter how strong a password is, it’s just a matter of time before a talented hacker will find a way to access it. That’s why most security experts now recommend a belt-and-braces approach, with two-factor authentication. For most of us this means getting a text, call, an email or providing a thumbprint to verify our identity. I know it feels like a bit of a hassle, but when you consider the alternatives, it really is a small price to pay.
Just three simple steps – make your password hard to crack – make it impossible to reuse – and don’t rely on steps one and two. Use this to instantly increase your password security and lower your chances of becoming a victim of identity theft or fraud. That’s it. If you’re still reading, that means your passwords are safe, right? Ah, I see you’re getting up to leave…
* Please note. we are sharing knowledge gained from our own experiences on password security. The material and information contained in this article is for information purposes only. You should not rely on it wholly to make any business, legal or other decisions. Any reliance you place on such material is therefore strictly at your own risk.