
08.06.2022

Part 1 – How secure is your P45sW0rd?

  • Community
  • News

This is part one of a three-part series on website security.

I’m difficult to remember and impossible to guess. I protect your identity and your money. I should never be written down or spoken aloud. I come in many variations but exist only for you. I am lettered and full of characters.

What am I?

A password, of course. You use them every day, and probably think you have a dozen or so. Actually, research by password manager NordPass shows that a typical user has around 100 passwords. No wonder we find them all impossible to remember.

Actually, you’re often safer with a password you can’t remember, because the memorable choices most of us make (names, dates, dictionary words and the like) are exactly what attackers try first. Only strong passwords offer real protection, but many of us still don’t use them.

Using a password that’s easy to guess is a bad idea, and most passwords chosen because they’re easy to remember are also easy to guess. If one of your important passwords is cracked or stolen the consequences can be costly. An easy-to-remember password solves one problem – your login frustrations – yet causes another.

A better solution could be a password notebook. Yes, a real honest-to-goodness paper and pen notebook. It’s an analogue solution, so nobody can reach it over the internet. What could go wrong? Well, you could lose it. Or worse, leave it in a public place. It could be stolen, or copied without your knowledge.

So just what is a strong password? Consider these two examples, each containing six numbers and five letters, with one capital letter. Are they equally strong? I’ll give you a clue – one is a date and name and one is a randomly generated sequence.

  • 768071htimS
  • 948582rzypQ

Both look like passwords that would be hard to hit by blind brute force (more on brute force below). But the first is a name “Smith” and a date “17 08 67” typed backwards. It’s a fictional example, but let’s say that’s your mother’s maiden name and her date of birth. Easy for you to remember, so that’s good. But is your mother on Facebook? Is her account connected to yours? Then all that information is potentially public. Hackers, scammers, criminals and general ne’er-do-wells are on the lookout for this kind of information. They use it to build a list of likely words and dates for you and feed that list to a cracking program, and those programs routinely try combinations such as name plus date, forwards and reversed, so typing it backwards buys you nothing.

The second sequence was randomly generated online using a secure password generator. It’s not immune to hacking, but it’ll give the ne’er-do-wells a harder time.

Another option for random-yet-secure password generation is the wonderfully named Correct Horse Battery Staple approach. The name comes from an internet-famous comic by xkcd, and the maths behind the idea is sound. A string of words picked at random from a big list is hard to guess for the same reason a string of random characters is: what counts is how many equally likely choices the attacker has to try, not how strange the result looks. But random words are much, much easier to remember. Here’s one I generated: Wine-Tower-Whole-Explode-2. It’s in the same league as 948582rzypQ and far easier to type from memory.

Now let us review some of the popular passwords used across the world and discuss some of the methods used to hack, crack and steal passwords. Then we’ll look at how you can secure your accounts.

The password manager NordPass performed a meta-analysis of 4TB of data compiled by independent researchers specialising in cyber security. The top 5 passwords are shockingly easy to guess. Without further ado, here are the top 5 used worldwide:

  1. 123456
  2. 123456789
  3. 12345
  4. qwerty
  5. password

It would take an attacker less than a second to crack any of these. Before we get into methods of securing your accounts I think we should spend some time looking at the modus operandi of the internet ne’er-do-wells. Just how do ‘hackers’ crack passwords? There are many ways; I won’t go into the fine detail and I’ll try to avoid arcane technical jargon. This is just an overview of some of the nefarious methods in use today.

Brute Force

Perhaps the best-known form of password ‘hacking’. The attacker uses a program that bombards the login form with username and password combinations. The bombardment is automated and can try a new combination many times a second, which is why well-run sites slow down or lock out repeated failures from the same source.

The more dangerous version is offline. When a site’s database is stolen, the attacker gets a copy of the stored passwords, which should be hashed (scrambled one way) rather than kept in plain text, and runs a cracking program against them on their own hardware at billions of guesses per second, with nobody there to lock them out. If you’ve ever watched an episode of the excellent – and accurate – Mr. Robot you’ll know what I am talking about. If you have a strong, unique password this is a low risk to you, because the number of possibilities is so large that the attack takes a very long time, and time costs the attacker money.


Password Spraying

Another robot attack method, meaning it’s also automated and can hit your login page a dizzying number of times per second.

Instead of many guesses against one account, the attacker tries a short list of the most commonly used passwords, like the ‘top 5’ above, against a great many accounts, one or two guesses each. Each account sees only a failure or two, so the lockout that would stop a brute-force attack never triggers. It has been estimated that perhaps 16% of attacks on passwords are password spraying. Again, a password that isn’t on anyone’s list of common ones defeats it.
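Brute force and spraying leave different shapes in a login log, and that is how a defender tells them apart. The script below is an added example, not code from the original post: it reads a simple failed-login log and flags each source address as brute force (many failures against one account), spraying (a failure or two against many accounts) or benign. The log line format (timestamp, auth_failed or auth_ok, user, source IP), the sample lines and the thresholds are all constructed for the demo.

```python
"""Tell brute force from password spraying in a failed-login log.

Added example, not code from the original post. The log line format and the
thresholds are assumptions for illustration; a real SIEM rule would use the
fields of whatever system (web server, SSO, Windows events) it is reading.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>auth_failed|auth_ok) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

USERS = ["alice", "bob", "carol", "dave", "erin", "frank",
         "grace", "heidi", "ivan", "judy", "mallory", "oscar"]


def build_sample_log() -> str:
    """Constructed sample log (not real traffic) showing three behaviours."""
    lines = []
    # Brute force: one source hammers one account with many guesses.
    for i in range(25):
        lines.append(f"2022-06-08T09:00:{i:02d}Z auth_failed user=alice src=203.0.113.5")
    # Spraying: one source tries a single common guess against many accounts.
    for i, user in enumerate(USERS):
        lines.append(f"2022-06-08T09:05:{i:02d}Z auth_failed user={user} src=198.51.100.7")
    # Benign: a real user mistypes once and then succeeds.
    lines.append("2022-06-08T09:07:00Z auth_failed user=dave src=192.0.2.44")
    lines.append("2022-06-08T09:07:30Z auth_ok user=dave src=192.0.2.44")
    return "\n".join(lines)


def parse(log_text: str) -> list:
    """Parse lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def classify_sources(events: list, brute_threshold: int = 10,
                     spray_threshold: int = 5) -> dict:
    """Return {source_ip: verdict}.

    brute_force:    at least `brute_threshold` failures against one account.
    password_spray: failures against at least `spray_threshold` distinct
                    accounts with no more than 2 per account, the shape that
                    slips under per-account lockout.
    benign:         anything else (a typo or two).
    """
    failures = defaultdict(lambda: defaultdict(int))   # src -> user -> failures
    for e in events:
        if e["event"] == "auth_failed":
            failures[e["src"]][e["user"]] += 1

    verdicts = {}
    for src, per_user in failures.items():
        worst = max(per_user.values())
        if worst >= brute_threshold:
            verdicts[src] = "brute_force"
        elif len(per_user) >= spray_threshold and worst <= 2:
            verdicts[src] = "password_spray"
        else:
            verdicts[src] = "benign"
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify_sources(parse(build_sample_log())).items():
        print(f"{src:15s} {verdict}")
```

The spraying rule keys on the source rather than the account precisely because per-account counters never reach a lockout threshold. Real spraying campaigns often rotate through many source addresses, so a production rule would also look at the whole log in a time window (a sudden spike in accounts with exactly one failure each); the user-side defence is the same either way, a password that is not on anyone’s common list, plus 2FA.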


Social Hacking

Also known as a ‘wet hack’, this method has two variations: social engineering, and building a database of words, phrases and dates meaningful to you that are available online. Social engineering is the more familiar scam. You may get a phone call from someone claiming to be from a well-known company or organisation. During the call the scammer will try to get you to tell them sensitive information. It’s all too easy to fall for this, as it will feel very genuine.

My favourite example of a ‘wet hack’ is scattering USB drives on the pavement. It’s human nature to pick up a perfectly good USB drive and then wonder… what’s on this drive? A drive prepared by an attacker can install malware the moment it’s plugged in, giving them a foothold on the computer. They then sit back and wait until you log in and capture your password as you type it. Never plug anything into your computer unless you know where it’s from.

Hackers also trawl social media accounts to build a database to use against your accounts. Names, dates, your first school, favourite pet’s name, mother’s maiden name: all of these can be used. This is a targeted hack, where you, personally, are the target. They’ll know a shocking amount about you. This method is slower, but yields better results for the hackers.


Local Discovery

This happens when you write down a password somewhere it can be seen in plain text. Someone who sees it can then access your account, and you may not even know it’s been compromised. This is a relatively low risk, but be aware of it in public and shared spaces. The notebook of passwords sounded like a good idea, didn’t it? Don’t be so sure.


Well that’s all terrifying.

OK, so now we’re all terrified about our poor password security. And of the sophistication of the hackers. What now? Don’t despair, there are tried and tested methods available. Here are some recommendations for managing passwords, and securing accounts.

When should I change my password? 

  1. When you believe an account has been compromised. If you believe one of your accounts (such as your email or social media) has been hacked then you must change your password immediately. Most social media platforms offer a ‘log out everywhere’ or ‘sign out of all devices’ feature, which, once you’ve changed the password, throws out anyone else who is logged in as you.
  2. When there has been a data breach. If a service you use has been breached, change your password there immediately, and anywhere else you used the same password. Passwords saved in Google Chrome are checked against lists of known data breaches, so you’ll get a notification. Some password managers offer the same service.
  3. Periodically, if you like, but don’t rely on it. Current guidance from the UK’s NCSC and the US NIST no longer recommends changing passwords on a fixed schedule, because it pushes people towards predictable variations of the old one. Changing a strong, unique password that you have no reason to think is compromised gains you little; changing it immediately when there is a compromise or a breach is what matters.

Use 2FA (2-Factor Authentication)

2FA is an additional layer of security for your accounts. If you use online banking and other important accounts you should be using 2FA. If the password is factor one, factor two is something else you have to prove you hold: a code from an authenticator app on your phone, a push notification you approve, a text message or email, or a physical security key. Once you’ve entered your password you can’t get in without completing the second step, so a stolen password alone isn’t enough. An authenticator app or a security key is stronger than a code sent by text message or email, since phone numbers and mailboxes can themselves be hijacked, but any second factor is far better than none.

Log into your accounts today and check to see if 2FA is available. I highly recommend this for any financial accounts.


Use a password manager

Password manager Dashlane says that 91% of people know that it’s wrong to reuse passwords, but 59% of people do just that. Even between personal and work accounts. You must never reuse passwords, as one breach may lead to other accounts being compromised.

Using a password manager can help you keep track of your accounts and generate strong passwords. Your passwords are saved in an encrypted ‘vault’, protected by one master password that you do have to remember (make it a long passphrase), and available through a browser extension or app. This way you can have hundreds of passwords, each as strong as the next, without needing to remember any of them.

There are some free options, and others cost roughly £40-£60 per year, depending on which you choose. It’s a very good investment. Do note, however, that password management companies are not themselves immune to hacking and data breaches, so turn on 2FA for the manager itself and act promptly on any breach alert it raises.


Use strong, unique p4s5W0rds! 

First things first. Don’t use the p4s5W0rds! idea above, it’s obviously rubbish: swapping letters for look-alike digits is one of the first tricks every cracking program tries. You’ll want a password that looks like your cat has sat on your keyboard, or a string of random words.

The table below shows how long it may take a password to be cracked by brute force. Any password should contain at least a number, upper and lower case letters and a symbol (for good measure), but length matters even more than variety.

Perhaps you could use a famous phrase with the characters changed. It could be one that means something to you, or something memorable such as “one for all and all for one,” from The Three Musketeers, by Alexandre Dumas. This could be written as 14A&A41dumaS!, which security.org estimates would take 2 million years to crack. Treat that figure as an upper bound: it assumes the attacker tries every possible 13-character string, whereas cracking programs also try well-known quotations with exactly these kinds of substitutions, so a phrase that is yours alone is safer than one everybody knows.
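The maths behind the random-words idea earlier and the crack-time estimate just given come down to one calculation: how many equally likely guesses does the attacker have to make, and how fast can they make them. The calculator below is an added example, not part of the original post or of security.org’s tool. It converts each password’s construction into bits of guesswork and then into crack time at two guess rates. The name+date model (surname from a 10,000-name list, date from about a century of days, reversed or not), the 100 guesses per second online rate and the 10 billion per second offline rate are assumptions chosen for illustration.

```python
"""Estimate password strength as guesses needed, then convert to crack time.

Added example, not code from the original post. The alphabet and word-list
sizes are standard; the guess rates and the name+date model are assumed
round numbers for illustration, not measurements of any real hardware.
"""
import math

PRINTABLE = 95          # printable ASCII characters
ALNUM = 62              # a-z, A-Z, 0-9
WORDLIST = 7776         # words in the EFF/Diceware long list
SECONDS_PER_YEAR = 31_557_600

ONLINE_RATE = 100                # guesses/s against a rate-limited login form (assumed)
OFFLINE_RATE = 10_000_000_000    # guesses/s against stolen fast hashes on GPUs (assumed)


def bits_random_chars(length: int, alphabet: int) -> float:
    """Guesswork in bits for `length` characters chosen uniformly from `alphabet` symbols."""
    return length * math.log2(alphabet)


def bits_passphrase(words: int, wordlist: int, digits: int = 0) -> float:
    """Guesswork in bits for `words` random words from a list plus optional random digits."""
    return words * math.log2(wordlist) + digits * math.log2(10)


def bits_pattern(*slot_sizes: int) -> float:
    """Guesswork for a password built from a known pattern, one choice per slot.
    An attacker who knows the pattern only has to try the product of the slots,
    which is why name+date is weak however many characters it contains."""
    return sum(math.log2(s) for s in slot_sizes)


def years_to_crack(bits: float, rate: float) -> float:
    """Expected time to hit the password: half the keyspace at `rate` guesses/s."""
    return (2 ** bits / 2) / rate / SECONDS_PER_YEAR


def compare() -> dict:
    """Bits and (online, offline) crack times in years for the passwords discussed above.
    The name+date row is the assumed model: 10,000 surnames x 36,500 dates x reversed-or-not."""
    candidates = {
        "name+date (768071htimS)": bits_pattern(10_000, 36_500, 2),
        "random11 (948582rzypQ)": bits_random_chars(11, ALNUM),
        "passphrase (Wine-Tower-Whole-Explode-2)": bits_passphrase(4, WORDLIST, 1),
        "random13 (brute-force view of 14A&A41dumaS!)": bits_random_chars(13, PRINTABLE),
    }
    return {
        name: (round(b, 1), years_to_crack(b, ONLINE_RATE), years_to_crack(b, OFFLINE_RATE))
        for name, b in candidates.items()
    }


if __name__ == "__main__":
    for name, (bits, online, offline) in compare().items():
        print(f"{name:48s} {bits:5.1f} bits  online {online:10.3g} y  offline {offline:10.3g} y")
```

Two things fall out of the numbers. The name+date password scores under 30 bits once the attacker models it as a pattern, and falls offline in well under a second, despite being 11 characters long. The four-word passphrase lands around 55 bits, within about ten bits of the 11 random characters, while being something you can actually say out loud; and the 85-bit figure for 14A&A41dumaS! is only true if the attacker has no idea it started life as a Dumas quotation.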

It is time to give your passwords an audit and see how secure they really are.


Recommendations

Taking these steps can help protect your accounts from being accessed without your permission. I don’t recommend using personal information in your passwords. Instead, I would highly recommend using a password manager, which removes the need to memorise and lets you use strong, unique passwords everywhere.

Sign up to a password manager and perform an audit of your current passwords. Now is the time to change your passwords and make sure your accounts are as secure as possible.

Use difficult passwords and we can make the hacker’s life difficult.

If you need any more security tips, or would like to talk to us about your branding, get in touch with us today.
