Password security isn’t just something you can ignore – it’s essential to protect your online accounts, and ultimately, your identity from being stolen. Think not? Well, the consequences of poor password security are bad enough. According to Verizon’s 2017 Data Breach Investigations Report, 81% of hacking incidents leveraged weak and/or stolen passwords!
While creating and remembering strong passwords can be a pain in all the wrong places, these strings of characters still hold the master key to your digital life. In spite of that, many people continue to use weak passwords that can easily be cracked. And to top it off, they also reuse them across multiple websites.
Though better alternatives such as 2FA exist, passwords are still the standard authentication method on the Internet. In this password security guide, you’ll find all the information you need to create and manage strong passwords as well as keep them safe. So, let’s get started:
What is Password Security?
Password security, though often overlooked, plays an extremely important role when it comes to protecting your identity on the Internet. After all, it keeps unauthorized users from breaking into your online accounts and stealing your personal information for their nefarious purposes like impersonating you to commit crimes in your name, for example.
Why is Password Security Important?
From shopping and emails to social media and what not, the average person spends around half of their day using the Internet. The vast majority of these sites hold your personal information, and more often than not, the only thing keeping them safe from the bad guys is a password set by the user.
A string of characters is all that it takes to prevent unauthorized access to your information. For this reason, it’s important that users avoid the most common password security mistakes and create strong passwords for every online account they use.
How Can Hackers Steal Your Passwords?
Have you ever wondered how hackers go about cracking your passwords? Well, here are some of the most common ways through which they can steal your passwords, and in turn, your personal information:
1. Brute-force Attack
One of the most common password cracking techniques out there, a brute-force attack involves trying every possible combination of characters until the right one is found. Since attackers use automated tools that try enormous numbers of combinations very quickly, rest assured that your short passwords will be cracked in no time!
2. Password Sniffing Attack
A password sniffing attack is a technique used by hackers to collect your credentials on unencrypted connections. By using a combination of easily available tools on the Internet, they monitor all incoming and outgoing traffic on a network so they can intercept your usernames and passwords as they’re being transmitted.
3. Phishing Attack
Even though phishing is an old trick in the hacker’s playbook, it’s still going strong and doesn’t seem to be going away anytime soon. Typically, it entails sending an email to the victim by impersonating a legitimate entity and requesting that they provide sensitive information like usernames, passwords, and even credit card details.
4. Social Engineering Attack
A social engineering attack requires little technical knowledge and relies on human error, tricking otherwise unwary employees or users into performing certain actions or revealing confidential information such as passwords or bank account details.
5. Dictionary Attack
In a dictionary attack, a hacker tries hundreds – or sometimes even millions – of likely possibilities derived from a predefined list of words or dictionary in order to defeat an authentication mechanism like passwords.
6. Keystroke Logging
Keystroke logging, also known as keylogging, is a technique that uses a program to record or log every keystroke so that the attacker can obtain confidential information like passwords without the knowledge of the unsuspecting user.
7. Database Hacking
This is probably the only method that most people are familiar with, particularly because database hacking has become so commonplace in recent times. Basically, it consists of a hacker breaking into a company’s user database and walking away with all the login information. In 2018 alone, we’ve seen database hacks affecting many large corporations like Quora, Facebook, and Exactis.
8. Phishing
Phishing has been around for a really long time, but it’s still one of the most effective means for hackers to get their hands on your passwords. The attack is usually carried out by sending emails – posing as a legitimate institution – containing links to a fake website and asking the recipient to update their passwords or other personally identifiable information.
9. Malware
A screen scraper or keylogger installed by malware can extract data during a login process or record every single keystroke, and then send a copy of the captured data back to the hacker. Some malware also looks for the web browser’s password file, which, unless encrypted, provides easy access to the passwords your browser has saved.
10. Social Engineering
Social engineering, like phishing, relies heavily on human error and involves tricking people so that they give up their confidential data or allow access to systems. However, it takes the whole concept outside the inbox and into the real world. A social engineer’s favorite is to call the victim posing as a legitimate entity and just ask for the password. You’d be surprised to know how often this actually works.
How to Check Password Strength?
Generally, it’s easy for hackers to exploit online accounts with weak passwords. So if you want to know how long it would take to crack your password, we’d recommend that you use a password strength checker like How Secure Is My Password.
Password strength is important as it measures the resistance of a password against brute-force attacks or guessing. This will enable you to create passwords that aren’t only unpredictable, but also extremely difficult to guess!
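The following is an added example, not code from the original guide or from any strength checker it names. It estimates what the brute-force and dictionary attack sections above describe: the size of the search space an attacker must cover (length times the alphabet actually used), whether the password sits on a common-password list (a small constructed list stands in for the real ones password-guessing programs ship with), and a rough time-to-crack at an assumed guess rate of 10 billion guesses per second, which is an assumption representing an offline attack on a fast hash rather than a measured figure.

```python
import math
import string

# Constructed stand-in for the "most common passwords" lists that cracking tools ship with.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "123456789", "letmein",
    "football", "iloveyou", "admin", "welcome", "abcdefghijkl", "123456789012",
}

# Character classes used to size the alphabet a brute-force attack must cover.
CHARSETS = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, 32),
)


def alphabet_size(password: str) -> int:
    """Size of the smallest character set that contains every character used."""
    size = 0
    for chars, n in CHARSETS:
        if any(c in chars for c in password):
            size += n
    # Anything outside the four ASCII classes (spaces, non-ASCII) widens the alphabet further.
    if any((not c.isascii()) or c.isspace() for c in password):
        size += 100
    return size


def brute_force_entropy_bits(password: str) -> float:
    """Bits of search space for a full brute-force over the alphabet actually used."""
    if not password:
        return 0.0
    return len(password) * math.log2(alphabet_size(password))


def crack_time_seconds(password: str, guesses_per_second: float = 1e10) -> float:
    """Expected time to search half the key space at an assumed guess rate.

    A password on the common list is treated as a dictionary hit: one guess per word.
    """
    if password.lower() in COMMON_PASSWORDS:
        return len(COMMON_PASSWORDS) / guesses_per_second
    return (2 ** brute_force_entropy_bits(password)) / 2 / guesses_per_second


def humanize(seconds: float) -> str:
    units = (("years", 365 * 24 * 3600), ("days", 86400), ("hours", 3600), ("minutes", 60))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


def assess(password: str) -> dict:
    """Summarise the checks this guide recommends: length, character classes, dictionary, crack time."""
    classes = sum(1 for chars, _ in CHARSETS if any(c in chars for c in password))
    in_dictionary = password.lower() in COMMON_PASSWORDS
    return {
        "length": len(password),
        "classes": classes,
        "in_dictionary": in_dictionary,
        "entropy_bits": round(brute_force_entropy_bits(password), 1),
        "crack_time": humanize(crack_time_seconds(password)),
        "acceptable": len(password) >= 12 and classes >= 3 and not in_dictionary,
    }


if __name__ == "__main__":
    for candidate in ("abcdefgh", "123456789012", "Tr0ub4dor&3Xk"):
        print(candidate, assess(candidate))
```

The entropy figure is an upper bound: it assumes the attacker has no better strategy than exhaustive search, which is exactly what a dictionary or pattern-based attack undermines, so a long password made of a dictionary word and a digit will score far higher here than it deserves. That is why the dictionary check overrides the arithmetic.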
5 Most Common Password Security Mistakes to Avoid
If you make some common mistakes when selecting passwords, you’re essentially leaving your personal information exposed to hackers. As you reset your passwords, make sure that you avoid these five most common password mistakes:
1. Using the Same Password for Multiple Accounts
A recent survey of 1,000 US consumers by PCMag revealed that 9% used the same passwords for all their online accounts. Sure, it’s easy to remember a password when you’re using only one across multiple accounts. This, however, can lead to disastrous consequences as you make it less difficult for the bad guys to get their hands on your personal information.
Katie Tierney, Senior Director of Global Sales Engineering at WhiteHat Security, stresses:
“Using the same password in general is a bad idea, as one breach on any of those sites can have a domino effect on your other logins.”
2. Writing Down Your Passwords in Plain Text
Do you store your passwords in plain text? If so, now would be a good time to stop as hackers are always on the lookout for such opportunities. All they’d have to do is break into your computer through ransomware or any other means, and find all the passwords to your online accounts saved in a notepad file. Easy peasy lemon squeezy, no?
3. Selecting a Simple Password
Even long-length passwords would do you no good if they’re something as common as “abcdefghijkl” or “123456789012”. Hackers can easily crack such passwords as they use password-guessing programs that come with a generated list of the most commonly used passwords and variations.
Take a look at SplashData’s list of worst passwords of 2017 to make sure that you aren’t using any of them.
4. Picking Passwords That Are Too Short
If your password consists of five to six characters, you need to reset it right away, as it hardly takes any effort for hackers to crack short passwords with brute-force attacks. Keep them long, but how long exactly? Find out more later on.
5. Changing Your Passwords Regularly
You may have heard the recommendation time and time again that you should change your password every month, 3 months, or 6 months. However, a study by the Federal Trade Commission (FTC) discovered that changing your passwords regularly isn’t exactly beneficial.
That said, if there are any passwords that you haven’t changed in years, you’re better off updating them as they could include some of the password security mistakes we’ve discussed above.
Password Safety: How to Make a Secure Password?
Now that you know the common password security mistakes you need to avoid, let’s discuss how to create strong passwords. The following are some password creation tips to prevent hackers from accessing your online accounts:
1. The Longer Your Passwords, The Better
The passwords you decide to use should be at least 12 characters in length so that they’re difficult to break. The longer a password is, the more combinations a hacker would need to try in order to successfully crack it.
2. Aim for Complexity
Password length and complexity go hand in hand in the quest to create hack-proof passwords, so make sure you include lowercase and uppercase letters along with numbers and symbols. Mix them up like you mix your cocktails on a Friday night!
3. Unpredictability is Key
According to a report, unpredictability is key when it comes to password strength. So it’s important to avoid predictable words, passwords based on dictionary words, as well as any references to popular TV shows, video games, and movies.
You should also avoid using passwords that contain personal information as it’s easily obtainable. 19% of respondents use their initials or name in their passwords, which is a big no-no in terms of security, the PCMag survey found.
Furthermore, 16% use their wedding date, 15% use the name of a family member, 12% use their birth year, 12% use their house address, while 8% use their spouse’s personal information. It’s time to do better than that!
4. Unique is The Way Forward
We’ve already highlighted this before, but its importance can’t be emphasized enough: Only use one password for one account.
5. Check Your Password Strength
Once you’ve finally come up with a password, it’s time to gauge its strength. Use a password strength checker – it will evaluate the strength of your password and tell you the time it would take to be cracked.
6. Use a Password Generator!
If you don’t like the hassle of creating random passwords, you can easily generate a secure password by using a free tool like LastPass Password Generator or Norton Identity Safe Password Generator. It’s much safer to have a computer-generated password than to use a personalized password that can easily be hacked.
Just keep the aforementioned points in mind when you’re selecting the criteria for your passwords!
How to Secure Your Passwords?
Once you’ve set strong passwords for all your online accounts, the next step is to ensure they remain safe. Here’s how you can secure your passwords from hackers:
1. Use a Password Management Tool
The best way to store and remember your passwords safely is to use a password management tool. Used by just 13% of respondents as per PCMag’s survey, these programs save your list of credentials in a secure, encrypted form and require a master password to be accessed, thereby eliminating the need to remember all your passwords.
In fact, some even allow you to generate a strong, random password!
Colt Agar, Managing Director at TheTechReviewer.com, states:
“Use a password manager such as LastPass to create and store your passwords (it can also generate unique, secure passwords that no one will be able to guess). All you’ll need to remember is your master password for LastPass and the rest will be stored within this encrypted database.”
2. Only Visit Websites with HTTPS
Make it a habit to check if the website has “https://” at the beginning of the address bar as it indicates that all communications between the site and your browser are encrypted using Transport Layer Security (TLS). This will protect you from attacks like eavesdropping when you enter your credentials or credit card details there.
3. Secure Your Web Browser from Hackers
If your web browser stores your usernames and passwords, anyone who gains control over your computer can access ALL your credentials within minutes. For this reason, you should take the necessary steps to secure your browser from hackers as they actively exploit flaws and vulnerabilities in these programs.
Stewart Ryan, Writer at GamingInMyDNA.com, emphasizes:
“Do not save passwords in your browser unless its security settings are set as high. After all, they can easily be reverse engineered using simple HTML modifications.”
4. Update All Software Regularly
Every time you don’t install an update for your software, a hacker gets the chance to take advantage of a flaw or vulnerability left open. Keep in mind that updates not only bring additional functionality, but also security fixes. If you don’t have the time to do this, automating your software updates can save you the trouble.
5. Employ Two-Factor Authentication on All Your Online Accounts
Two-factor authentication combines passwords with a second authentication factor, like asking for a one-time code after you sign in with your credentials. This makes it considerably harder for hackers to gain access to your online accounts, so it’s highly recommended that you enable it on all your accounts that support 2FA.
According to Gretel Egan, Cybersecurity Researcher and Writer at Wombat Security:
“This security safeguard is becoming more commonplace in business and personal settings. Some individuals are resistant to it because it adds an additional barrier to access and it can be perceived as a hassle. However, the additional barrier does offer another layer of security.”
6. Avoid Typing Passwords on Other Devices or Networks
Unless it’s absolutely necessary, you should avoid entering your password on someone else’s computer or mobile device – it can get stored without you even knowing about it. Similarly, if you’re connected to a public Wi-Fi network, don’t visit websites that ask you to log into your account, especially when it comes to online banking.
Wondering why? That’s because when you’re using an unsecured Wi-Fi connection, your Internet traffic can easily be intercepted by nearby eavesdroppers. To keep yourself secure from such threats, make sure to always use a VPN on a public Wi-Fi network.
7. Be Aware of Your Surroundings
You should also be mindful of the people around you. Besides, you never know when somebody may look over your shoulder to nab your personal information like passwords. So be aware of your surroundings when you’re both online and offline.
It’s Time to Update Your GitHub and Twitter Passwords!
Update 5/4/2018: Talk about timing. On World Password Day, Twitter admitted that it accidentally recorded users’ passwords to an internal log due to a bug in its system. GitHub also made a similar disclosure earlier this week after it faced a similar incident. In both cases, users’ passwords were stored unmasked in internal server logs.
Normally, Twitter and GitHub protect passwords using the bcrypt hashing algorithm – an industry standard – which turns your password into a random-looking string of characters from which the original cannot be recovered. This allows users to log into services without revealing their credentials to system admins or developers.
“Due to a bug, passwords were written to an internal log before completing the hashing process,” a spokesperson for Twitter stated. “We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again.”
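To make the bug class concrete, here is an added example (not code from Twitter, GitHub or the original article) of a sign-up handler that logs the request before hashing the password, next to a hardened version that redacts sensitive fields from whatever reaches the log. bcrypt is not in the Python standard library, so PBKDF2-HMAC-SHA256 from `hashlib` stands in for the slow, salted hash the article describes; the field names, iteration count and log format are assumptions.

```python
import hashlib
import hmac
import io
import logging
import os

PBKDF2_ITERATIONS = 200_000          # assumed work factor; tune to your hardware
SENSITIVE_FIELDS = {"password", "new_password", "token"}   # assumed request field names


def hash_password(password: str) -> str:
    """Salted, iterated hash; the stored string never contains the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate.hex(), digest_hex)   # constant-time comparison


def redact(params: dict) -> dict:
    """View of the request that is safe to log."""
    return {k: ("[REDACTED]" if k in SENSITIVE_FIELDS else v) for k, v in params.items()}


def _logger(buffer: io.StringIO, name: str) -> logging.Logger:
    # Logs go to an in-memory buffer so the example can show exactly what was written.
    log = logging.getLogger(name)
    log.handlers.clear()
    log.propagate = False
    log.setLevel(logging.INFO)
    handler = logging.StreamHandler(buffer)
    handler.setFormatter(logging.Formatter("%(levelname)s %(name)s %(message)s"))
    log.addHandler(handler)
    return log


def signup_vulnerable(params: dict, users: dict) -> str:
    """The bug class behind the disclosures: the raw request is logged before hashing."""
    buf = io.StringIO()
    log = _logger(buf, "signup.vulnerable")
    log.info("signup request: %s", params)          # plaintext password lands in the log
    users[params["username"]] = hash_password(params["password"])
    return buf.getvalue()


def signup_hardened(params: dict, users: dict) -> str:
    """Same flow, but only the redacted view of the request ever reaches the log."""
    buf = io.StringIO()
    log = _logger(buf, "signup.hardened")
    log.info("signup request: %s", redact(params))
    users[params["username"]] = hash_password(params["password"])
    return buf.getvalue()


if __name__ == "__main__":
    store = {}
    # Constructed sample request; no real credentials.
    request = {"username": "alice", "password": "CorrectHorse!42"}
    print(signup_vulnerable(request, store), end="")
    print(signup_hardened(request, store), end="")
```

Redacting at the call site is the fix for this particular bug; the durable control is to never hand the raw request object to a logger at all, and to alert on any log line that matches the shape of a credential field, since the leak here was found by the companies themselves rather than by an attacker.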
When GitHub experienced a similar flaw in its system, the code repository sent out password reset emails to all affected customers. GitHub clarified that its servers weren’t hacked and user passwords weren’t accessible to anyone.
Twitter users haven’t received any such emails yet, but they are being asked to select a new password as a precautionary measure. Furthermore, a security advisory was also published by the company on its website.
According to Twitter, its systems weren’t breached and the exposed passwords may have been seen by only a handful of employees. “Our investigation shows no indication of breach or misuse by anyone,” Twitter stated.
We recently found a bug that stored passwords unmasked in an internal log. We fixed the bug and have no indication of a breach or misuse by anyone. As a precaution, consider changing your password on all services where you’ve used this password. https://t.co/RyEDvQOTaZ
— Twitter Support (@TwitterSupport) May 3, 2018
Some Frequently Asked Questions About Passwords
The following are answers to some of the most frequently asked questions about passwords:
Why is it important to use a password?
Passwords are used everywhere and play a key role in our digital lives. They are a common way to prove your identity and prevent unauthorized access of your accounts or computer. For this reason, strong passwords are essential to protect your identity and security.
How long should my password be?
When it comes to creating strong passwords, randomness is an important factor – but so is length! Therefore, your passwords should be a minimum of 12 characters, and preferably, 14 or more.
Which type of password would be considered secure?
Well, a secure password would be one that isn’t related to anything in your business or personal life. Also, it should include a random mix of numbers, characters as well as uppercase and lowercase letters.
Some strong password examples include:
How long will it take to crack a 12 character password?
According to BetterBuys, eight-character passwords can be cracked in 5 hours, nine-characters in 5 days, 10-characters in 4 months, and 11-characters in 10 years. However, if you make your passwords up to 12-characters long, it will take 200 whole years to break them!
Wrapping Things Up
Passwords will continue to be there for you when you need them the most. So, make sure you keep them healthy, strong, and uncrackable. Hopefully, the password security tips and tricks mentioned in this guide will help you do just that.