The whole point of a password is to keep unauthorized people out of your accounts. But when it is not constructed and used properly, a password can do just the opposite. In fact, you can think of a poor password as a key that lets the wrong person in.
81% of hacking-related breaches leveraged weak, stolen, or default passwords, according to the 2017 Verizon Data Breach Investigations Report. With numbers like that, it’s clear that the password is a problematic way to protect accounts. But as it’s currently the protection measure in use across the board, it’s important to use passwords smartly. That isn’t hard to do; it just takes a little bit of effort.
What constitutes a weak password? One that’s easy for a human to guess, or for an automated password cracker to crack. Ethical hacker Jan Wilkolm recently listed several common patterns he sees people use to satisfy requirements for upper and lowercase letters, numbers, and special characters. Crackers know these patterns too, and test them first. Here’s what he and his hacker colleagues see all the time:
Common password patterns
- Uppercase first letter: Password
- Two to four numbers at the end: Password123
- For a special character, exclamation point at the end: Password123!
- Mixing it up: P@55word123!
- Month + Year: September2018
- Car names: Porsche911
- Days of the week
- Birthdates and birth years
- Wedding dates
- Names of children
- Sports and teams
Wow. Anyone else think they were alone in adding an exclamation point at the end to add complexity? You can probably recognize some of your password habits in this list too.
In addition, shorter passwords are weaker. Every character you add multiplies the number of guesses an automated tool has to make, so the shorter a password is, the faster it falls. The longer the better – in fact, it’s better to go with a passphrase or even a pass-sentence.
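To make the two points above concrete, here is an added example (my own code, not from the original post or from F-Secure) that flags the patterns in the list and then shows why they matter: it builds a hashcat-style mask for each password and compares the search space of a mask attack that has already guessed the structure (uppercase, lowercase, digits, special) with the naive "every character could be anything" figure. The month, day, car-name and common-word lists are tiny constructed stand-ins for the dictionaries a real cracker loads, and the per-class charset sizes (26/26/10/33) are hashcat’s built-in ?u/?l/?d/?s sets.

```python
import math
import re

# Constructed sample word lists (assumption: a real cracker uses far larger ones).
MONTHS = {"january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"}
DAYS = {"monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"}
CAR_NAMES = {"porsche", "ferrari", "mustang", "corvette", "tesla"}
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin", "summer"}

# Undo the usual leet substitutions so "P@55word" compares equal to "password".
LEET = str.maketrans("@$5301", "asseoi")

# Optional run of 0-4 digits followed by optional trailing specials, anchored at the end.
SUFFIX = re.compile(r"(\d{0,4})([!@#$%^&*?.]*)$")

# Sizes of hashcat's built-in charsets ?u ?l ?d ?s.
CHARSET_SIZE = {"?u": 26, "?l": 26, "?d": 10, "?s": 33}


def split_password(pw):
    """Split 'P@55word123!' into ('P@55word', '123', '!')."""
    m = SUFFIX.search(pw)          # always matches: every group is optional and $ is the anchor
    return pw[:m.start()], m.group(1), m.group(2)


def weak_patterns(pw):
    """Names of the common patterns from the list above that pw exhibits, in a fixed order."""
    core, digits, specials = split_password(pw)
    base = core.translate(LEET).lower()
    found = []
    if re.fullmatch(r"[A-Z][^A-Z]*", pw):
        found.append("uppercase-first-only")
    if core.translate(LEET) != core:
        found.append("leet-substitution")
    if base in COMMON_WORDS:
        found.append("dictionary-base")
    if base in CAR_NAMES:
        found.append("car-name")
    if base in DAYS:
        found.append("day-of-week")
    is_year = re.fullmatch(r"(19|20)\d\d", digits) is not None
    if base in MONTHS and is_year:
        found.append("month-year")
    elif is_year:
        found.append("year-suffix")
    if len(digits) >= 2:
        found.append("trailing-digits")
    if specials.endswith("!"):
        found.append("trailing-exclamation")
    if len(pw) < 12:
        found.append("short")
    return found


def _token(ch):
    """Map one character to the hashcat charset it belongs to."""
    if "A" <= ch <= "Z":
        return "?u"
    if "a" <= ch <= "z":
        return "?l"
    if "0" <= ch <= "9":
        return "?d"
    return "?s"


def mask(pw):
    """hashcat-style mask describing the structure of pw, e.g. ?u?l?l?l?l?l?l?l?d?d?d?s."""
    return "".join(_token(ch) for ch in pw)


def naive_bits(pw):
    """log2 of the search space if the attacker knew only the length (95 printable ASCII)."""
    return len(pw) * math.log2(95)


def mask_bits(pw):
    """log2 of the search space of a mask attack that has guessed pw's structure."""
    return sum(math.log2(CHARSET_SIZE[_token(ch)]) for ch in pw)


def report(pw):
    return {"password": pw, "mask": mask(pw), "patterns": weak_patterns(pw),
            "naive_bits": round(naive_bits(pw), 1), "mask_bits": round(mask_bits(pw), 1)}


if __name__ == "__main__":
    # Constructed inputs: the examples from the list above plus one long passphrase.
    for pw in ["Password", "Password123", "Password123!", "P@55word123!",
               "September2018", "Porsche911", "correct horse battery staple"]:
        r = report(pw)
        print(f"{pw:30} naive={r['naive_bits']:6.1f} mask={r['mask_bits']:6.1f} {r['patterns']}")
```

For Password123! the naive figure is about 79 bits, but the mask ?u?l?l?l?l?l?l?l?d?d?d?s cuts the attacker’s work to about 53 bits, and because the base word is in any dictionary, a wordlist-plus-rules attack (capitalize, append digits, append "!") finds it in a handful of guesses. The passphrase trips none of the pattern checks and keeps a search space well above 100 bits even against a mask attack.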
No matter how great you are at coming up with long and strong passwords, it won’t do much good if the password gets stolen. Stolen passwords are often harvested by phishing campaigns. According to the 2018 Verizon DBIR, 4% of the targets in any given phishing campaign will click. It’s nice to hear the numbers are that low, but even 4% is still 4% too many.
You can also limit the damage a stolen password does by using a unique password for each service. Attackers routinely try credentials stolen from one site against others, so a password reused across accounts turns one breach into many. According to a LogMeIn survey, 59% of respondents reuse passwords across multiple accounts, even though 91% say they understand the risks of doing so.
These habits may seem like small flaws. But if you or your company happens to be targeted, the risk is big. As Mark, the CEO of a company producing a groundbreaking product, found out, the very future of his company rode on a single re-used password:
Creating better passwords
Like I said, it’s not hard to do, but it does take a little effort – effort that’s well worth it when you don’t experience a breach of your accounts, or of your company network.
Use a password manager.
Use it to generate and store a long, strong, unique password for each and every one of your accounts. Then you’ll only need to remember two passwords: the one to log in to your computer, and the one for your password manager. If your company provides a password manager, use it.
For your two master passwords, go long!
This post has some tips for creating long passphrases you can remember.
Protect your most sensitive accounts with two-factor authentication.
With two-factor authentication, a password alone is not enough to get in: someone who phishes or reuses your password still has to get past the second factor.
For case studies on how cyber attacks happen, and to test your company’s cyber security skills, visit www.f-secure.com/thehunt.