For many, a password is just something simple to remember to get into an account. The most popular include “123456,” “password,” “qwerty,” and “letmein.” These are horrible passwords hackers will guess almost instantly. How can you create and remember passwords that will protect you or your company from hackers? Let’s look at some strategies and best practices for keeping your information safe and secure behind a strong password.
Keep Passwords Different
People tend to make one password up and use it for every account they have. This means, though, that access to one account equals access to all the other accounts with the same login credentials. It’s important to have different passwords for different accounts. Don’t write them all down, as someone could steal the paper. From there, they could, in theory, access your email and bank account, making identity theft disturbingly easy. From there, they can open new accounts, go on spending sprees, and not pay the bill your credit score will drop, making it harder for you to open your own accounts or buy a car or house. It’s a vicious downward spiral that can be stopped in its tracks by having multiple passwords that are completely different from each other.
Stop Being Predictable
Now that you know you have to have a variety of passwords, how can you come up with strong passwords? It’s easier than you think.
First, know that humans are predictable. You might think you are clever for substituting an “a” with a “4” or and “s” with “$,” but hackers have long since caught on to this. While Bill Burr, who created the original password recommendations, once said this was best, he no longer thinks so.
He once said a password should have a combination of upper- and lowercase letters, and special characters, as well as change passwords every 90 days. The first rule is too common, and something like “p4s$W0rd” looks like it would be hard to crack, but brute-force programs hackers use will still guess it fairly easily. With the second rule, people tend to use the same password with a minor modification, negating any benefit.
Use a Passphrase
Randall Munroe, a former NASA roboticist, found that having four random words — “correct horse battery staple” — ended up with 44 bits of entropy (which in this case means the “average information content” of the data). For reference, a single word from the dictionary, however long, is usually about 16 bits of entropy. A brute force attack at 1,000 guesses per second against 44 bits of entropy would take 550 years to guess. As a side note, because of the comic, “correcthorsebatterystaple” as a password no longer has any bits of entropy, as it now widely known to hackers.
Meanwhile, using Burr’s old method, “Tr0ub4dor&3” only had only 28 bits of entropy. At 1,000 guesses per second, it would take only 3 days to guess. It’s also harder to remember than four simple words. The longer the password, the longer it will take for a computer to guess.
While changing your password every 90 days can be a good idea, it’s better if you change it frequently and use a completely new password. This is especially important in business, as it could be more than just your information at risk.
Two-Step Verification
Where possible, also use two-step verification (2SV). This often means, when accessing your account from a new location, such as a new computer or phone, you will get an email or text message with an additional, one-time password you also have to put in. If you receive one out of the blue, you know you are being hacked. Using 2SV is part of a push for multi-layered authentication, where a single password is no longer enough to keep hackers at bay. Another type you might see is a pin number, much like a debit card, that you have to enter after correctly entering a username and password.
While 2SV and multi-layered authentication can be countered by hackers attempting to phish details from you, or by hacking into your Wi-Fi and sniffing the data that’s being sent to and from your computer, it’s still safer than having just a single password.
Password Manager
Finally, use a password manager. You won’t have to remember all these new passwords, as your computer will do it for you. The passwords will be automatically encrypted so they are much harder to steal. These can even be stored in the cloud, allowing you access to your accounts across devices. This is perfect if you are trying to protect a business’s account passwords, but need to give employees access. It will also allow you to change passwords and not update for every employee. It eliminates threats towards your server, customer data, and accounts receivable, for example.
Until we are advanced enough where AI can detect a hacker getting close to cracking your password and automatically change it, these are the best ways to develop a strong password to help keep your information safe and secure.