Password security is not in great shape at the moment. According to research, up to 86 percent of all hacked passwords have already been compromised. Reuse of compromised passwords is the reason behind 75 percent of attacks on corporate infrastructure. All too often, users choose easy-to-type combinations (such as “1234567” or “qwerty”). This makes things easy for attackers.
Here we will provide some tips on how to protect your passwords and accounts.
Check your accounts regularly to see if they have been hacked
There are sites where you can check whether a specific email address has been hacked. One such site is Have I Been Pwned. The site’s database stores information about accounts that have been compromised in various hacking attacks. If an account matching your email address is flagged as compromised, it’s time to change the password and consider additional security measures, such as two-factor authentication.
There are also browser extensions that notify you when a password is weak or has appeared in a breach. Here is a screenshot of one available for Google Chrome, for instance.
Work on that password complexity
The stronger and more complex your password, the more time and effort it will take attackers to compromise it. To make a really strong password, you need to understand how bruteforcing programs work. Many people use a password that consists of a root and a suffix.
This root is probably a dictionary word (such as “password” or “qwerty”). Often but not always, the result is a pronounceable word or phrase, with suffixes or prefixes tacked on. Bruteforcing software uses dictionaries, both for English and other languages, and tries replacing letters with similar-looking characters (such as $ instead of S). This software can also make use of information from the address book, important dates, and other personal data.
Bruce Schneier, well-known cryptographer and information security author, says that when creating a strong password, the idea should be to make it as hard to bruteforce as you can. Schneier suggests turning whole sentences or phrases into passwords. For instance, the phrase “this little piggy went to market” could become “tlpWENT2m”. This nine-character password will not be found in any dictionary.
The main thing is to make a password that contains words, numbers, special characters, and uppercase and lowercase letters.
Convenient is not always good
Attackers take advantage of users’ desire for convenience. People don’t want to remember lengthy passwords, so they start using the same password on multiple sites. This means that a hacker who compromises just one account can obtain access to the user’s accounts on other sites too.
Remembering many different passwords can be difficult, so many people use a password manager program to store all the keys to all the kingdoms, as it were. Positive Technologies expert Dmitry Sklyarov points out that if anything happens to a password manager's master password, every password stored in it is at risk. So users should keep this danger in mind.
“There are lots of password managers these days with mobile versions that can be synced through the cloud. This is certainly convenient, but as a single point of failure, it comes with a tradeoff in security.”
Smart ways to write down your passwords
Many users prefer writing their passwords down on paper, the old-fashioned way. Security researcher Brian Krebs thinks that this approach can be workable. But instead of writing down the whole password, he recommends putting down just hints that will jog your memory when necessary.
For example, if you create a password with Schneier’s method (by using the first letter of each word in a phrase), you could write down the phrase itself or a related hint.
Use two-factor authentication when possible
Two-factor authentication is another way to slow down attackers. However, even this does not guarantee absolute security. Positive Technologies research indicates that one-time passwords sent via SMS can be intercepted.
When possible, it's best to use two-factor authentication that doesn't involve text messages. A better option is an authenticator app, such as Google Authenticator.