[Image: sample login screen]

Passwords

Passwords: we can't seem to get away from them, as they are currently the standard way of protecting our digital data. Even with passwords, personal data can still be at risk. There are two main ways that hackers can get past a password defence. Firstly, if you use a weak or easily guessed password, a hacker can guess it, or use brute force to work it out. The other way is when attackers hack the computer system of a company or organization and steal all of the users' passwords.

To minimize the first type of attack, it is important to create and use strong passwords. While this does not guarantee that a determined hacker won't be able to break through, it helps to reduce the chances. For the second type of attack, there is not much an individual can do to prevent a hacker from stealing their password from an organization, but there are ways to limit the impact. The main thing is to ensure you don't use the same password for different sites or accounts. Once a hacker has stolen passwords for one site, they will try to use those same passwords on other sites. Another way to thwart hackers is to change your passwords regularly, and if you hear of a site or organization being hacked, change your password immediately.

Strong Passwords

To help create strong passwords, use the following list of Do's and Don'ts.

Do's

  1. Use a password with at least 8 to 10 characters. The more characters in the password, the more combinations there are, making it more difficult to crack. For example, if a password only has upper case letters, a four-character password would have approximately 450,000 combinations, a six-character password would have approximately 31,000,000 combinations, and an eight-character password would have approximately 210,000,000,000 combinations.
  2. Use a combination of numbers and letters, and use a mix of UPPER and lower case letters. This also increases the number of combinations. For example, if a four-character password only uses upper case letters, there would be approximately 450,000 combinations; if it uses both upper and lower case letters, there would be approximately 7,000,000 combinations; and if numbers were included as well, there would be approximately 15,000,000,000 combinations.
  3. Add a special character. This again increases the number of combinations and reduces the risk of a dictionary attack, where hackers try common words.
  4. Change your password every few months. This way, if your password has been discovered, it will eventually be changed and the hacker will again be out of luck.
  5. To help create passwords that you can remember, take a phrase you can remember, use the first letter of each word in the phrase, and then append a number to it. For example, the phrase "This is a password phrase" could give a password like Tiapp123.
  6. Use a Password Manager, like PWMinder Suite, to help you remember, and keep track of your passwords in a secure way.

Don'ts

  1. Don't use "password" or "1234" as your password (you'd be surprised how many people do that). See this cnet article for more examples.
  2. Don't write your passwords down, or store them unencrypted on your computer.
  3. Don't use a word or name that is personally associated with you, such as a family member's name, birth month, city born in, etc. If a hacker can find information about you, they will try to use that information to guess your password.
  4. Don't use common words. These are easily cracked using a dictionary attack, where hackers will attempt to find your passwords by trying all words in a dictionary list of common words.
  5. Don't use the same password for all of your accounts and websites. If one of your passwords were to be exposed, then the hacker would immediately know the password for all of your other accounts and websites.
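As an added example (not code from the original page), a small Python checker that applies the Do's and Don'ts above: it computes the exact keyspace from the character classes a candidate actually uses and flags short, single-class, common and dictionary-based passwords. The thresholds (8 or more characters, 3 or more character classes) and the two small word lists are assumptions chosen to match the advice above.

```python
import math
import string

# Constructed sample lists for the "Don'ts"; a real checker would load a large
# breached-password list and a full dictionary (assumption for this example).
COMMON_PASSWORDS = {"password", "1234", "123456", "qwerty", "letmein"}
DICTIONARY_WORDS = {"password", "summer", "welcome", "dragon", "monkey"}

# Character classes and their sizes, as used in the keyspace figures above.
CHARACTER_CLASSES = {
    "upper": set(string.ascii_uppercase),  # 26
    "lower": set(string.ascii_lowercase),  # 26
    "digit": set(string.digits),           # 10
    "special": set(string.punctuation),    # 32
}


def classes_used(password: str) -> list:
    """Names of the character classes that actually appear in the password."""
    return [name for name, chars in CHARACTER_CLASSES.items()
            if any(c in chars for c in password)]


def keyspace(password: str) -> int:
    """How many strings of this length an attacker must try to exhaust every
    password built from the same character classes: alphabet ** length."""
    alphabet = sum(len(CHARACTER_CLASSES[name]) for name in classes_used(password))
    return alphabet ** len(password)


def check_password(password: str) -> dict:
    """Apply the Do's and Don'ts; the thresholds (8+ characters, 3+ classes)
    are assumptions chosen to match the advice above."""
    lowered = password.lower()
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if len(classes_used(password)) < 3:
        problems.append("uses fewer than 3 character classes")
    if lowered in COMMON_PASSWORDS:
        problems.append("is a commonly used password")
    if any(word in lowered for word in DICTIONARY_WORDS):
        problems.append("contains a dictionary word")
    ks = keyspace(password)
    return {"keyspace": ks, "classes": classes_used(password),
            "bits": round(math.log2(ks), 1) if ks > 0 else 0.0, "problems": problems}


if __name__ == "__main__":
    for candidate in ("ABCD", "password", "Tiapp123"):
        print(candidate, check_password(candidate))
```

The exact values are 26^6 = 308,915,776 and 62^4 = 14,776,336, so two of the rounded figures in the Do's list above (31,000,000 and 15,000,000,000) are off by a factor of ten and a thousand respectively.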

Two-Factor Authentication

[Diagram: how two-factor authentication works]

Using strong passwords is a good start, but there is still a chance a hacker will get hold of your password, either by guessing, by brute force, or more likely by hacking the database of the website you log in to. To add an extra layer of protection, many prominent websites now employ two-factor authentication. The basic idea of two-factor authentication is that in order to log in, a website asks for something you know and for something you have. Typically the something you know is your usual password. The something you have is often your mobile phone. After you enter your password, the website sends a one-time code to your mobile phone, often as a text message. If this code is not used within a short period of time, it expires. In this way, someone trying to log in as you needs to know your password and be able to receive a text message on your phone. Instead of text messages, many sites also offer integration with passcode generator apps such as Google Authenticator. These apps display passcodes that change every few seconds or minutes, which you enter as your second form of authentication. Again, this protects you, because a hacker would need access to one of these passcodes from your phone.

Two-factor authentication can be tedious, but most sites have a setting that, once you have logged in using two-factor authentication, lets you mark that computer as trusted, so you don't need to go through the process every time.

Not all Web Sites offer two-factor, but several major ones do, such as Google, Facebook, PayPal, Twitter, LinkedIn and Dropbox.  If you use any of these sites I would highly recommend setting up two-factor authentication.
