What is a Strong Password?
A strong password is 15 or more characters long and has a mixture of upper and lower-case letters, numbers and symbols. A strong password is also hard to guess and is easy to remember.
Some examples of strong passwords are:
an 3l3phant can B herd 2 h@ndle...
What is a Weak Password?
Weak passwords are short and easy to guess. Weak passwords are often single dictionary words followed by an incremented number, are runs on a keyboard, or consist of personal information.
Some examples of weak password are:
Winter78 (or any word followed by a number)
contraseña1 (in any language)
March 12, 2014 (or any dates)
13 Oak Drive, Hamilton, NY (or any addresses)
(anything with your company's or university's name in it)
(any swear word, in any language)
(anything with part of your name or username in it...)
How Do I Create Strong Passwords?
Strong passwords can be fun to create and easy to remember. Strong passwords are long and complex but can be created using non-sensical phrases and character substitution. For example:
This password is, "A slice of Apple Pie" Here, we do several things:
- We capitalize every word after the first word.
- We substitute a zero (0) for a capital O.
- We add a "_" as a special character.
- We do NOT use our name, dates or just one long word.
This password is, "The check is in the mail." Here, we do several things:
- We substitute certain letters with numbers, "3" looks like an "E".
- We do some word play, "male" and "mail".
- We add exclamation marks for characters at the and and the beginning.
an 3l3phant can B herd 2 h@ndle...
This password is, "An elephant can be hard to handle." Here, we do several things:
- We substitute certain letters with numbers, "3" looks like an "E".
- We substitute whole words, "to" is "2" and "be" is simply "B".
- We do some word play, "hard" with "herd".
- We use spaces as a character. (computers interpret the spacebar as a symbol)
This password represents, "My mother told me to pick the best one and you are not the one that I want!" Here we do several things:
- We take two common phrases and mix them up...
Start with the old childhood rhyming game ("My mother told me...")
End with a lyric from a song ("...the one that I want!")
- We take the first letter of each word and make the initial code, "mmtmtptboayrntotiw".
- We substitute some numbers for letters, "2" is "to", "1" is "one"...
- We substitute some simple words with letters, "you" is "U", "are" is "R"...
- We substitute letters for symbols, "t" looks like the "+"...
This last password is "A squared plus B squared doesn't equal pie". Here we start with a mathematical equation and end with something unexpected. We create a passphrase out of a non-sensical yet easy to remember sentence.
Where (and how) Should I Use Strong Passwords?
- Use strong passwords everywhere.
- The more sensitive the account, the stronger the password should be!
- Never use the same password on different accounts.
- Change your passwords often (and never reuse them).
Why Should I Use Strong Passwords?
Criminal hackers are relentless. They see getting access to things they shouldn't have access to as a challenge and they live for challenges. Hackers are smart, opportunistic, devious and tend to have a lot of time on their hands - they work while we sleep. Some are patient. Some hackers are even being paid by organized crime syndicates or governments. Every account they have access to gets them closer to a bigger target. Even if your account has nothing a hacker would want, they might use that account to get to something bigger. Your e-mail account(s) usually has tons of information in it that could lead to your identity or bank account being compromised. At least one of your e-mail accounts is probably linked to your online bank account which in turn may be linked to your favorite online shopping site which in turn could be linked to your favorite social networking site. Additionally, a hacker may use your e-mail or social networking account to propagate phishing attacks on your unsuspecting friends and strangers around the world.
Here is a scenario that is played-out every day around the world:
Tom is a student at AnyU. He has an e-mail account and his password is Cheech69. A hacker has read in the media that AnyU's endowment is fairly large and by looking at some public records (an old local newspaper article), she knows the University works with First Local Bank to help eligible foreign students create bank accounts while studying here in the US. Our hacker has decided to try and infiltrate this connection to transfer funds to an off-shore account. She obtains a list of valid e-mail addresses from an online black market for about $25. One night, from the comfort of her home half-way across the world from AnyU, she starts a program that tries to log in to each of the accounts in her list. Tom's account happens to be in that list.
Tom doesn't have much. He isn't rich, has no skeletons in his closet and keeps his head down. He works at the University to have some spending money on weekends. He's a typical young college student, he's smart, on the right path for a great career in business and has many friends. If you were to ask him, he'd say he had nothing in his e-mail account anyone would ever want and nothing to hide.
Our hacker sets up a tool that continuously tries to log in to Tom's account using a dictionary attack, eventually getting in. Because Tom's password was a single word and a number, it was cracked in several minutes. She then uses his account to send phishing e-mails to the AnyU community. The phishing e-mail is not blocked by AnyU's spam filters because it comes from inside their domain (Tom's account). It looks legit to most AnyU users as it comes from an @anyu.edu address. Very quickly, several users across campus log in to the phishing site and enter their credentials.
ITS is notified of the phishing attack by a vigilant employee. After ITS sends out a campus alert, most users reset their passwords. Some do not. Many users change their passwords by merely incrementing the number at the end. The hacker logs in to several of these accounts (trying incremented numbers) until she finds that one of them belongs to a user in the Bursar's office. Our hacker watches this account for several days, downloading information from it and learning how the Bursar's office works at AnyU.
Over the next several days, the hacker begins sending "bills" to users in the Bursar's mailing list. Along with this fake bill, she asks for bank account information stating that for convenience, AnyU can transfer the funds on their behalf. Several people fall victim to this crime.
All-the-while, Tom's account is still compromised. Even though ITS reset Tom's password, Tom decided to change his password back to something similar to his previous password (Cheech70). Our hacker sells Tom's account credentials to others on the black market. A new hacker takes hold of Tom's account and decides to gain access to his other accounts - his bank account in particular. Easily enough, the new hacker sees e-mails (sent by his bank) that Tom logs into his bank with his e-mail address as his username. The hacker tries using the "Cheech69" password to gain access and it works. The hacker opens a new profile on a different social media site and begins posting pictures from Tom's e-mail to that site - pictures of his family, friends, and his girlfriend (to yet a different kind of site...). Since Tom's name is attached to this new social media site, pictures from parties he's attended begin to get "tagged" for all his future potential employers to see. The hacker begins collecting enough information about Tom such as his home address, phone number and birthdate that he is able to open a credit card under Tom's name and shop for items online. Tom's identity has been stolen.
All of this damage, against Tom, against AnyU, against AnyU's families is all due to several factors - beginning with a single weak password. While Tom's account in and of itself was not a prime target, the first hacker was able to leverage Tom's affiliation with AnyU to gain access to AnyU's Bursar's office and steal money from AnyU's students, parents and alumni. Furthermore, the hackers were able to break into multiple accounts and are still in them, waiting, reading, learning and planning their next attempt to socially-engineer their way into the First Local Bank accounts!
Why Do I Ever Need to Change My Passwords?
Even strong passwords are not absolutely full-proof. Mathematically speaking, given enough time and computing power, all passwords can be cracked. If today it takes (up-to) 180 days to crack your password, and a hacker breaks into the database your password is stored in, they will eventually crack it. If you change your password every 90 days, the password will be useless to them by the time they do.
If your account is compromised or you fall victim to a phishing scam
, you should change your passwords immediately on a trusted computer.
Anything Else I Should Know?
- Never give out your password. If you do, all the time and effort it took to create a strong password will be useless.
- If you sign up for a site that requires your password to be shorter than 15 (14 or less) characters long, you may want to use a different service.
- If you sign up for an account and they send you a confirmation e-mail with your password written (even partially) in it, it means they did not encrypt your password. Cancel your account and use a different service.
- If you get an e-mail that asks you to verify your account by clicking a link and entering your username and password, it's probably a phishing attempt. Never give out your password to anyone.
- Don't capitalize the first letter or end your password with a simple punctuation just to reach 15 characters as hackers are expecting to see certain patterns such as sentence structure when cracking passwords.
- When changing your password, don't merely increment the current password or use dates such as Semester1 or March12,2014.
- If you can, audit your account on occasion, and check its login history. If your account was accessed from Wisconsin, USA and you've never been there, you may have been hacked!
- If the service you are using offers some form of "two-factor" or "two-step" authentication, sign-in or verification, use it! This can seriously deter hackers and prevent them from getting into your account even if they do crack your password!
- It is no longer considered good practice to answer those "security" questions with honest answers; especially the "Mother's Maiden Name" question. Many of these answers are either publicly available on the Internet, or, you may have posted them to a Facebook quiz the whole world can see.
- Never share your passwords with anyone, for any reason, ever! This includes your boss, professor, an ITS technician, etc. If someone needs to get into your account who has authority to do so, they can have your password reset by the system without ever having to know your password. No one and no company should ever ask you for your password or to verify your account credentials via e-mail! Unless you're being compelled by law (or by Customs at an international airport) or your life is in danger, never share your password.
Please Tell Me More!
Strong passwords are all about length and complexity. If a keyspace has only 26 possible characters (just lower-case letters) in it, and a password is 7 characters long, then all of the possible combinations of the password are 7^26. With yesterday's technology, passwords like this can be cracked in seconds!
Read on ...
By adding just one more character to its length, a password's strength doubles. By adding more possible combinations (upper-case, numbers and symbols), a password's strength grows exponentially. The difference being that a password can go from taking mere seconds to hours, days, weeks, months and years to crack.
Trying every possible combination to crack a password is known as brute-forcing. Theoretically, a brute-force attack will always be successful. However, if it takes years to crack a password, and a hacker wants access to the account sooner than that, then brute-force becomes a futile endeavor.
Hackers are opportunistic and intelligent. Over time, they develop new methods for cracking passwords. Two additional methods they have developed are dictionary and rainbow attacks. By using combinations of all three attacks, hackers are able to crack passwords at much faster rates. Hence the reason behind length, complexity, and eliminating / substitution / misspelling of words and characters (or versions of those words) to create strong passwords.
Other than through phishing scams and key-logging malware, hackers often break-in to servers and systems using several methods and are able to copy the database that stores a system's passwords. Often, they use something called SQL Injection (SQLi). Hackers copy the database of (hopefully encrypted, hashed and salted) passwords to their own computers where they can safely take their time trying to crack the passwords.
Some security experts predict that because any password can be cracked given enough time, CPU power and ingenuity our passwords are useless. However, nothing is ever 100% secure. Security and strong passwords is about mitigating risk. By using strong passwords, users increase the chance that when a hacker does steal a database, the hacker will move-on after cracking a large number of weak passwords, thus, never taking the time to crack the strong passwords.
In the end, taking a layered security approach is best. Use strong passwords, change them often, never use them twice, be vigilant and watch for phishing scams, and use two-factor authentication whenever possible.
I'm Still Hungry for More Information!
Information about password security can be found all over the Web. Check out these sites for other explanations and tips on how and why to create strong passwords!