“My password was hacked”: it’s the go-to excuse for people who post something regrettable on social media. Numerous celebrities, famous athletes and politicians have attempted to negate scandals by framing themselves as victims of a cyber attack. Perhaps some of them were telling the truth, but they’re hardly absolving themselves of blame by admitting to being – or pretending to be – so bad at picking passwords that a criminal hacker could break into their accounts.
Yes, cyber criminals use machines that guess thousands of passwords each second, but the number of combinations on a standard keyboard is so vast that even a moderately strong password is almost impossible to crack. This blog provides some quick tips to help make your password impenetrable.
The received wisdom about passwords is that they should be a combination of at least eight letters, numbers and special characters. But you won’t fool criminal hackers by simply adding an ‘@’ symbol and two or three numbers to the end of your password, as it’s such a common technique. Anything more complicated, such as character substitutions (e.g. replacing an ‘o’ with a ‘0’), only plays to criminal hackers’ advantage, as your password becomes increasingly hard to remember and, ironically, comparatively easy for computers to crack.
But there’s another problem: even though How Secure Is My Password (HSIMP) claims that a substitution-dense phrase such as “Tr0ub4dor&3” would take a computer 400 years to crack – which seems secure enough – it’s so hard to remember that you’d probably end up writing it down somewhere, immediately compromising it.
A simpler and more secure technique is to create a mnemonic or cipher, such as taking the first character and punctuation from each word of a sentence. So ‘The 50-year-old man caught the 15:50 train’ becomes ‘T50-y-omct15:50t’, which HSIMP claims would take 41 trillion years to crack.
Alternatively, length alone can be an effective defence. Each character you add to a password creates one more element that a criminal hacker needs to correctly guess. A password such as ‘PurpleMonkeyDishwasher’ avoids predictable patterns by using a series of unrelated words and, according to HSIMP, would take 45 quintillion years to crack.
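The mnemonic rule above and the length-versus-complexity comparison, as an added example that is not part of the original post and does not reproduce HSIMP’s method: the character-class sizes and the guess rate are assumptions, and the brute-force figure is an upper bound (a dictionary attack on ‘Tr0ub4dor&3’ needs far fewer guesses, which is the point the post makes about substitutions).

```python
import math
import re

# Assumed character-class sizes for printable ASCII (constructed for the
# estimate; not HSIMP's method): 26 lower, 26 upper, 10 digits, 33 symbols.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def mnemonic(sentence: str) -> str:
    """Turn a sentence into a password: keep the first letter of each run of
    letters, and keep digits and punctuation exactly as written."""
    pieces = []
    for word in sentence.split():
        # Split the word into alternating runs of letters and non-letters,
        # so '50-year-old' becomes ['50-', 'year', '-', 'old'].
        for run in re.findall(r"[A-Za-z]+|[^A-Za-z]+", word):
            pieces.append(run[0] if run[0].isalpha() else run)
    return "".join(pieces)


def search_space_bits(password: str) -> float:
    """log2 of the number of strings a brute-force attacker must try if it
    treats the password as random: alphabet ** length, where the alphabet is
    the union of the character classes actually present (an upper bound)."""
    if not password:
        return 0.0
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += CLASS_SIZES["lower"]
    if any(c.isupper() for c in password):
        alphabet += CLASS_SIZES["upper"]
    if any(c.isdigit() for c in password):
        alphabet += CLASS_SIZES["digit"]
    if any(not c.isalnum() for c in password):
        alphabet += CLASS_SIZES["symbol"]
    return len(password) * math.log2(alphabet)


def years_to_exhaust(password: str, guesses_per_second: float = 1e9) -> float:
    """Years to try every string in the search space at an assumed rate
    (1e9/s is a constructed figure; the post cites thousands per second)."""
    seconds = 2 ** search_space_bits(password) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    for pw in [mnemonic("The 50-year-old man caught the 15:50 train"),
               "Tr0ub4dor&3", "PurpleMonkeyDishwasher"]:
        print(f"{pw:24} {search_space_bits(pw):6.1f} bits "
              f"{years_to_exhaust(pw):.3g} years")
```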
But no matter how secure your password is, if you write it down or share it, you invite access to your account.
Using the same password for multiple accounts compounds that risk. Once criminal hackers have your login credentials for one site, they’ll inevitably try them on other accounts – so a data breach at your social media site could soon turn into a breach of your online bank account or your work email.
Do you teach employees about password security?
Password security is perhaps the most important part of cyber security. An organisation can have the most robust mechanisms in place to prevent cyber attacks, but if an employee uses a weak password or leaves it written down and publicly available, it’s tantamount to leaving the door to your office unlocked overnight.
You might get lucky and avoid a break-in, but for how long? Cyber crime is an ever-present threat, and it’s only a matter of time before you come under attack. Fortunately, as we’ve explained here, it isn’t hard to create a strong password. All you need is a detailed password policy that your staff can follow.
You can learn more about password security, and spread the message throughout your organisation, by enrolling your employees on our Information Security Staff Awareness E-Learning Course.
This online course explains the dos and don’ts of password security, and details other essential security tips that your staff should be aware of, such as the threat of phishing and how to handle sensitive documents and portable devices. You can use the information to inform your security policies and ensure that your employees become an asset, rather than a liability, when it comes to the threat of cyber crime.