The easy way to better security
Many users are unaware of how far-reaching the consequences are when a single password is spied on or successfully guessed. Think of confidential business documents, or additional passwords for other services that have been sent to you via email. This information, which an attacker can obtain by looking through your private documents, can open doors and gateways to misuse. Of course, it can be tedious to make every password as secure as possible and to remember a separate one for each use. We will show you how to set up secure, easy-to-remember passwords with the right strategy.
People speak of authentication when they need to be sure that somebody really is who they claim to be. This is a major challenge in the online world, and the use of passwords has long been a common way of achieving it. But all this is of little benefit if “weak” (easy to guess) passwords are used. Many attackers are aware of this, as are the malicious programs they develop and use. They keep trying out passwords until they finally guess the correct one (a so-called “brute force” attack).
Many users employ passwords that relate to personal information, such as their birthday, to make them easier to remember. Attackers know this as well. They can also work out other popular memory aids such as the names of pets or partners without too much effort.
A powerful computer that can test 1,000,000 passwords a second may need up to 29 years to find an 8-character password consisting of capitals, lower-case letters, numbers and special characters (as of 2016). Under the same conditions, a 5-character password is guaranteed to be cracked within 26 minutes!
A few hints and tips for creating strong passwords
Generating a good password is a science in itself; countless security factors and possibilities have a bearing on the subject. Here we provide a few simple principles.
- The length of a password is a critical factor. Generally speaking, long passwords are more secure than short ones. HOWEVER: A long password consisting of just one or a few letters/numbers/special characters is of no use. If a 10-character password is required, “AAAAAAAAAA” won’t help. Also avoid sequences of numbers or whole keyboard rows such as QWERTYUIOP.
- It is not just about length but complexity. A successful combination of lower and upper case letters along with numbers and, if possible, special characters can increase the security. BUT: The more specific the password guidelines are, the more likely an attacker is able to crack the password using automated systems. If the guideline states: “Use an 8-character password with at least one number, one upper case letter, one lower case letter and one special character”, the attackers already know the nature of 4 of the 8 characters.
- For a secure password, you could string together the first character of each word, the numbers and the punctuation marks from the following sentence: “Today on July 10th, I set up a secure password with at least 18 characters”. This gives the following password: “ToJ10,Isuaspwal18c”. To make such a password even easier to remember, you can also generate one with personal recognition value, e.g. from abbreviations regarding your favourite song: “The sound of silence by Simon & Garfunkel from 1966 is my favourite song” then gives “Tsos_bS&G_f1966imfs”. At least dictionary attacks won’t help attackers against such free-formed sentences.
- So-called “Leetspeak” can also be used, where letters are replaced with numbers and special characters that look similar: The sound of silence = 7h3_50und_0f_51l3nc3. Variants of this method include phonetic spelling, writing backwards and much more. As you may already have guessed, there is also a “BUT” in this case: Attackers are aware of Leetspeak etc. as well. When they launch their automatic attacks, they use entire dictionaries in Leetspeak and fire the terms at the login form (a type of dictionary attack). Leetspeak and the like can still be one factor in your password, of course.
- Generally speaking, the following applies: Do not use words as they appear in the dictionary. Attackers also have electronic dictionaries of terms of endearment, passwords, names etc. and simply run them against the login form. Popular phrases in different languages are also listed in such dictionaries. A combination of apparently random words increases the security, as it increases the length and, in the majority of cases, the complexity as well. Such a combination of words is also called a passphrase.
Many applications offer to store the password for reasons of convenience. Avoid this where possible. It is not always guaranteed that the password is stored in a secure, encrypted form. Many programs store passwords on the system in plain text, unencrypted, making it easy for attackers to read them. Find out how the software you are using works before trusting it with the storage of your access data. As a rule, good password managers meet these minimum requirements.
If you understand and apply the above tips, you will meet the requirements for strong passwords. But the security of this access data does not depend on that alone.
- Malware: The password may now be impossible for a person to guess or for an automated process to crack in any practical amount of time. However, cyber criminals also use malware that has been especially designed to spy on passwords. This includes spyware in general, password stealers and keyloggers specifically, as well as banking Trojans. The latter often have the capability of reading and recording victims’ access data as well. Hence protecting the computer and mobile devices with a comprehensive security solution is crucial.
- Database hacking: When you generate access data for a service, you place this data in the hands of the service operators. You have to trust them to store the data securely. However, database hacking has been a common occurrence in the past, with personal data and logins obtained in plain text or with inadequate encryption. Probably one of the best-known cases in recent history was the attack on the adultery website Ashley Madison, where complete datasets on millions of users were published.
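What “storing the data securely” means on the operator's side, and what “plain text” storage costs when a database is stolen, can be shown in a few lines. The Python below is an added example, not code from the article or from any product it mentions: it contrasts a verbatim record with one produced by a salted, slow password hash (PBKDF2-HMAC-SHA256 from the standard library) and shows how such a record is verified without ever storing the password itself. The record format and the iteration count are choices made for this example.

```python
# Added example: plain-text storage versus a salted, slow password hash.
import base64
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000  # work factor chosen for this example; tune to your hardware


def store_plaintext(password):
    """The pattern the article warns about: whoever reads the record has the password."""
    return password


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt$hash'.

    A fresh random salt means two users with the same password get different
    records, and a precomputed table for one salt is useless for any other.
    The iteration count makes each guess expensive for an attacker holding a
    stolen database.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password, record):
    """Recompute the hash with the stored salt and iterations; compare in constant time."""
    algorithm, iterations, salt_b64, digest_b64 = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported record format: {algorithm}")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    secret = "ToJ10,Isuaspwal18c"  # the article's example password, used as sample input
    print("plain text record :", store_plaintext(secret))
    record = hash_password(secret)
    print("hashed record     :", record)
    print("correct password  :", verify_password(secret, record))
    print("wrong password    :", verify_password("ToJ10,Isuaspwal18x", record))
```

A leaked table of such records still lets an attacker run the dictionary and brute-force attacks described earlier, but at hundreds of thousands of hash computations per guess instead of one, and separately for every user; a leaked table of plain-text records hands over every password at once, which is exactly the Ashley Madison scenario above.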
You should check whether your data have been found during a cyber attack and were published on the web. The Hasso Plattner Institute offers a trustworthy service for this.
In summary, a strong password should:
- be long enough and consist of more than one word!
- have a certain level of complexity!
- only be known to you!
- be easy to remember despite the complexity!
- be stored in a suitable password manager – if at all!
- be protected against malware by a comprehensive security solution!