Tuesday, January 2, 2018

How to Create Unique and Individual Passwords That You’ll Actually Remember

What recent security breaches can teach us about creating strong passwords

When the words historic and security breach are used side by side in one sentence, you know you should start worrying about the security of your personal data. Well, those who have a credit report – which is, according to some estimates, roughly 44% of the American population – certainly have serious reasons to be concerned about this issue now. On September 7 this year, Equifax – one of the leading consumer credit reporting agencies – announced that its security had been breached and that the personal data of about 145 million of its American clients had been stolen. As a result of what has been called “one of the biggest data breaches in history” and “very possibly (…) the most severe of all” such events, cybercriminals obtained complete sets of very sensitive personal information that included full names, Social Security numbers, birth dates, addresses, and, in some cases, driver’s license numbers. Although the Equifax breach is not exactly the biggest of its kind – attacks on Yahoo in 2013 and 2014 affected, in total, an estimated 1.5 billion users – it may well turn out to be the most severe, in the sense that it exposed most of the sensitive data that banks, insurance companies, and similar businesses use to confirm the identity of current clients and potential new customers. This, in turn, means that for years to come, almost half of the American population will remain at a high risk of financial fraud and identity theft.

The security breach was made possible because, apparently, Equifax had failed to promptly patch a known web server vulnerability. This means that there was nothing individual clients could do, in this particular case, to protect their personal data and decrease the chance of being affected by the hackers’ malicious actions (which is one of the reasons why many victims are likely to sue – in fact, Equifax might be facing one of the biggest class action suits in U.S. history, with one law firm reportedly seeking up to $70 billion in damages). Still, if there is one positive thing about security breaches, it’s that we can learn from them what an average user can do to ensure the security of their sensitive, personal information.

For example, earlier this year, the security firm Keeper published a report on the strength and reliability of the most commonly used passwords, based on data made available in the aftermath of the major security breaches of 2016. Using external public data sources, the firm analyzed 10 million actual passwords. The results can be described by words such as alarming, dreadful, or depressing. The most popular password, chosen to protect access to sensitive information and personal data by nearly 17% of users, is… 123456. That’s right, almost a fifth of all people who ever use a password are safeguarding their accounts with literally the first string of characters that comes to mind when you look at the keyboard.

The rest of the report is equally disquieting. Keeper goes on to point out that “four of the top 10 passwords on the list – and seven of the top 15 – are six characters or shorter”. This is a serious issue because modern brute-force cracking software – computer programs used by hackers to break passwords by trying all possible combinations – can crack passwords that short in mere seconds. Keeper also mentions that many “website operators are not enforcing password security best practices”, which means users are allowed to set weak passwords, and they do so because short, uncomplicated passwords are simply easier to remember than long, random strings of characters.

But what exactly are some of those security best practices? What makes the difference between a weak password and a strong one? And how can you create a password that is both reliable and easy to remember? This week’s blog post offers a handful of practical tips on the issue.

Make it a Long One

The first characteristic of a good password is its length. As mentioned, six characters is far too few. On its “Account Help” page, Google advises users to set passwords that are “8 characters or longer”. The rule of thumb is, however: the longer, the better. According to other sources, 12 to 14 characters is only a safe minimum.

Plain words are pretty good…

Which of the following passwords would you say is harder to crack: Tr0ub4dor&3 or correcthorsebatterystaple? You might be inclined to say the former! After all, it seems so much more complicated. It uses an uncommon word as its base (troubadour), it features caps, letter-to-digit substitutions, a punctuation mark and a numeral; the other one is just four random words written without spaces. Yet, surprising though it may seem, brute-force password-cracking software would take, on average, 3 days to guess the first one and 550 years to break the second one. In addition, if you use a mnemonic technique – like visualization or story-telling – the second one is much easier to remember than the first one. The only caveat is that the choice of words needs to be truly random. Those that come to your mind most readily probably won’t be random and are likely to be the same ones other people would think of too. This brings us to another piece of advice on password security:

…but don’t use a common phrase

A password based on a line from a famous movie, a poignant quote from your favorite novel or a Bible verse may seem like a good idea. After all, it’s relatively long and easy to remember. Unfortunately, it is not really your best shot at an uncrackable password. A large number of users have been shown to use passwords of this sort, which makes it easier for hackers to crack them. Even if you add numbers or choose a variant that substitutes numbers for letters, such passwords can still be broken relatively fast. This is because hackers also use “dictionary attacks”, where a password-guessing program relies on a dictionary of common words and phrases rather than trying every possible combination of characters.
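The Tr0ub4dor&3 versus correcthorsebatterystaple comparison above, and the dictionary-attack point, as an added example that is not part of the original post: a small Python model of the two search spaces, assuming an attacker who knows the “dictionary word plus substitutions” pattern and only guesses those variations, plus a passphrase generator that picks words with the secrets module so the choice is truly random. The per-component bit counts, the 2048-word passphrase list, the sample words and the rate of 1,000 guesses per second are all assumptions made for this example.

```python
import math
import secrets

# Assumed attacker model (constructed for this example): the attacker knows the
# password was built from a dictionary word with letter-to-digit substitutions,
# optional capitalisation and an appended digit and symbol, so only those
# variations are searched, not every possible string of the same length.
ASSUMED_BITS = {
    "dictionary word": 16,    # assumes a ~65,000-word dictionary
    "capitalisation": 1,      # first letter upper-case or not
    "substitutions": 3,       # a few common swaps (0 for o, 4 for a, ...)
    "appended digit": 3,      # one digit; a handful of favourites dominate
    "appended symbol": 4,     # one punctuation mark from ~16 common ones
    "digit/symbol order": 1,  # symbol-then-digit or digit-then-symbol
}

# Constructed word list; a real generator uses thousands of words. The entropy
# figures below assume a 2048-word list (11 bits per word).
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "orbit", "pencil", "river", "cloud"]
ASSUMED_WORDLIST_SIZE = 2048
GUESSES_PER_SECOND = 1000  # assumed guessing rate


def pattern_password_bits() -> int:
    """Search space, in bits, for a 'word + substitutions' password such as Tr0ub4dor&3."""
    return sum(ASSUMED_BITS.values())


def passphrase_bits(word_count: int, wordlist_size: int = ASSUMED_WORDLIST_SIZE) -> float:
    """Search space for word_count words picked uniformly at random from the list."""
    return word_count * math.log2(wordlist_size)


def worst_case_seconds(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Time to exhaust the whole search space at the given guess rate."""
    return 2 ** bits / rate


def random_passphrase(word_count: int = 4, words=SAMPLE_WORDS) -> str:
    """Pick words with secrets.choice (not random.choice) so the result is unpredictable."""
    return "".join(secrets.choice(words) for _ in range(word_count))


if __name__ == "__main__":
    day, year = 86400, 365 * 86400
    print(f"Tr0ub4dor&3 style: {pattern_password_bits()} bits, "
          f"{worst_case_seconds(pattern_password_bits()) / day:.1f} days")
    print(f"4 random words:    {passphrase_bits(4):.0f} bits, "
          f"{worst_case_seconds(passphrase_bits(4)) / year:.0f} years")
    print("Example passphrase:", random_passphrase())
```

Under these assumptions the script reproduces the post’s figures: about 3 days for the substitution-style password and about 550 years for four random words, which is why the list the words are drawn from must be random rather than a memorable phrase.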

Don’t Reuse Your Passwords

Let’s say you have already come up with a strong, multi-character password that is easy to remember. You might be tempted to use the same password on all of the services that you use – from your Netflix account through email to your Internet banking service. However, you need to be aware that if only one of the web services you use ever gets hacked and your password becomes known to hackers, all of the other services protected by the same password are automatically compromised. For that reason, each of your services should be protected by a unique password.

Use a Password Manager

A password manager is a computer program that helps you create strong passwords and securely store them in an encrypted database. If you use a password manager, instead of typing a different password into each service that requires one, you just type in the password to the manager, which will then automatically fill in your login information whenever it is needed.

Of course, password manager software and its database can also be compromised. Therefore, before deciding whether or not to use a password manager, every user needs to personally weigh the potential risks and benefits. Still, many experts agree that password managers are one of the safest ways to protect your sensitive information.

Use Two-Step Verification

If you enable two-step verification, whenever you log in to a service from a new device, a text message with a security code will be sent to your phone. You will then be prompted to enter that code after typing your password in order to obtain access to the service. Using two-step verification is one of the best ways to secure your personal data, sensitive information or money. If you have it enabled, even if hackers manage to get hold of your password, they won’t be able to make use of it if they don’t have access to your phone.

To conclude, we present the list of the 15 most commonly used and, therefore, weakest passwords. If you use one of those on any of your services, you run a serious risk of having the security of your personal information and sensitive data compromised, and you need to change it right away:

123456
123456789
qwerty
12345678
111111
1234567890
1234567
password
123123
987654321
qwertyuiop
mynoob
123321
666666
18atcskd2w

The post How to Create Unique and Individual Passwords That You’ll Actually Remember appeared first on Tom Kiley Personal Injury Lawyers of Boston.
