Want to Keep Your Passwords Safe & Your Accounts Protected? Here’s How
Passwords are the bane of modern existence. Most of us have dozens or hundreds of accounts with passwords to keep track of. Many people are probably also using the same easy passwords for every one of these accounts. Don’t be ashamed if that’s you, because lots of people do it. Just be prepared to listen.
If you are using the same, simple passwords for all of your accounts, you are making yourself much more vulnerable to an attack. This means that threat actors can work their way into your personal or business accounts, and wreak havoc to both your life and your company. If you want to minimize the chances of this happening, then you need to know about how passwords can be stolen and the best ways to protect them.
How Do Attackers Get People’s Passwords?
To understand the best ways to protect your passwords, you need to know how attackers acquire them in the first place. Their methods can be simple, such as looking at the Post-it notes on someone’s monitor, or they may work in a place where they have access to customer passwords (such as the operators you talk to when you call up your bank). If these individuals abuse their positions and save customer passwords, they can try to use them on other accounts owned by the same customer, which is one reason that you should have separate passwords for each account.
There are also more technical methods. These include monitoring insecure connections to steal login credentials, which is why you should only log in to websites that you trust over secure connections. Attackers can also hack company databases. If these include customer credentials in plaintext, hackers can then use this information to infiltrate the customer accounts.
One of the key methods of entry is guessing passwords. Cyber criminals employ brute force attacks, which are essentially an automated way of working through candidate passwords. These tools draw on lists of the most common passwords (abc123, password and so on), dictionary words, common character substitutions and keyboard patterns, and try each candidate until one works.
With offline password cracking, attackers can make as many guesses as they have the computing power for. This can be billions of attempts per second or much higher. While these rates may seem worrying, the important takeaway is that you need to choose passwords that are prohibitively expensive to crack.
If we assume that there are 94 possible keyboard characters that you can construct a password from (upper case letters, lower case letters, numbers and symbols), the number of possible combinations can be represented as 94^n, where n is the length of the password. With a 4-character password, there are 78,074,896 possible combinations. With a 6-character password, there are 689,869,781,056. With an 8-character password, there are 6,095,689,385,410,816 possible combinations.
Each of these passwords could be cracked in a trivial amount of time if the hacker had enough motivation and computing power behind them. Despite this, you can see the dramatic difference in the number of combinations you get by making the password just two characters longer. This exponential effect means that making your password longer will make it significantly more difficult to crack.
How Should You Be Keeping Your Passwords Safe?
For a long time, the common recommendations for passwords weren’t practical or particularly safe. You probably remember having to change your passwords every few months, and like a lot of people, you may have only changed one character, since how else would you have been able to remember it? You probably also had passwords that were only eight or so characters long that required capitalization and one symbol, but you could never remember which letter needed to be capitalized.
Thankfully, the 2017 NIST Guidelines came around and restored some sanity to the realm of password requirements. The National Institute of Standards and Technology develops the standards by which government departments must abide, and many of their recommendations flow on to private enterprise.
The 2017 guidelines focused on usability and on increasing security in a practical manner. They scrapped the need to change passwords frequently and to include capitals or symbols in passwords. They also recommended the use of 2-factor authentication and that systems allow passwords of at least 64 characters, among a host of other changes.
The general recommendation is for you to have long passwords that are easy to remember, but hard for computers to guess. A good way of doing this is by using a series of unrelated words, such as force, separate, null, question and fowl. Together, they become forceseparatenullquestionfowl, a password of 29 characters. To make it even more secure, you can incorporate symbols and numbers. To help remember a password like this, you can try to form a mental picture from the words.
It’s important not to use a sentence, a famous quote or song lyrics, because these will be much easier to crack. Ideally, you should use an online random word generator, because our minds are pretty bad at coming up with truly random terms.
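As an added example that is not part of the original post, the following Python ties together the 94^n figures above and the random-word passphrase advice: it computes keyspace, entropy and worst-case cracking time for character passwords, picks words with the secrets module rather than an online generator, and rates the article’s 29-character example under two attacker models (blind brute force versus an attacker who knows the word list). The 7776-word list size and the sample word list are assumptions.

```python
import math
import secrets

# The article's keyboard alphabet: upper and lower case letters, digits and symbols.
KEYBOARD_ALPHABET = 94
# Assumed size of a published random-word list (the article names none; 7776 is the
# size of a common diceware-style list and is used here only as an example).
WORD_LIST_SIZE = 7776
# Constructed sample list so the generator runs offline; a real list is far larger.
SAMPLE_WORDS = ["force", "separate", "null", "question", "fowl", "harbor", "lantern",
                "copper", "meadow", "violin", "glacier", "saddle", "ember", "tundra"]

def keyspace(length: int, alphabet: int = KEYBOARD_ALPHABET) -> int:
    """Candidates of exactly `length` symbols drawn from `alphabet`: alphabet ** length."""
    return alphabet ** length

def entropy_bits(candidates: int) -> float:
    """A uniformly random choice among `candidates` gives log2(candidates) bits."""
    return math.log2(candidates)

def seconds_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Worst case for an offline attacker who can try every candidate; average is half."""
    return candidates / guesses_per_second

def choose_words(words: list[str], count: int) -> list[str]:
    """Pick words with the OS CSPRNG via `secrets`; never use random.choice for secrets."""
    return [secrets.choice(words) for _ in range(count)]

def passphrase_bits(word_count: int, list_size: int = WORD_LIST_SIZE) -> float:
    """Entropy when the attacker knows the word list and guesses whole words, not characters."""
    return word_count * math.log2(list_size)

def strength_report(word_count: int, total_chars: int, list_size: int = WORD_LIST_SIZE,
                    guesses_per_second: float = 1e9) -> dict:
    """Rate a lower-case word passphrase under two attacker models and keep the weaker."""
    char_bits = entropy_bits(keyspace(total_chars, 26))  # blind lower-case brute force
    word_bits = passphrase_bits(word_count, list_size)   # attacker tries word combinations
    bits = min(char_bits, word_bits)
    return {
        "char_model_bits": round(char_bits, 1),
        "word_model_bits": round(word_bits, 1),
        "effective_bits": round(bits, 1),
        "days_to_exhaust": seconds_to_exhaust(2 ** bits, guesses_per_second) / 86400,
    }

if __name__ == "__main__":
    for n in (4, 6, 8):  # the article's 94^n figures, with time at a billion guesses/s
        print(n, keyspace(n), f"{seconds_to_exhaust(keyspace(n), 1e9) / 86400:.2f} days")
    chosen = "".join(choose_words(SAMPLE_WORDS, 5))
    print(chosen, strength_report(5, len(chosen)), strength_report(5, 29))  # 29 = article's example
```

The report shows why the passphrase should be rated by the weaker model: 29 random-looking lower-case letters look like 136 bits to a blind brute-forcer, but five words from a known 7776-word list are only about 65 bits, which is still far beyond the 52 bits of an 8-character keyboard password.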
Trying to remember long passwords for each of your accounts can be a big issue. A great solution is to use a password manager, which is a program that stores a separate long password for each of your accounts in an encrypted vault. All that you have to do is remember the one master password for the password manager, and the program fills in the password for each of your accounts. It’s a simple way to boost your security, without the struggle of having to remember dozens of passwords.
Which Is the Best Password Manager for You?
When choosing the best password manager, the first thing that you should do is consider your risk profile. Do you have highly valuable information? Are you likely to be a target? Are you super paranoid and want to make sure that things are locked down tight? The reasoning behind this is that maximizing your security often comes with costs to usability and convenience.
For most people, any of the password management solutions listed below will probably be fine. Those who consider themselves at high risk may want to do some more research to find a password management tool that suits them best.
KeePass is a popular password-management tool that provides reliable password encryption for free. The biggest downside is that the software can be more difficult to use, and it is not as slick and intuitive as the other options. It has been around since 2003, and because it is open-source, the code can be inspected by anyone. The KeePass 1.3.1 code was audited by the European Free and Open Source Software Auditing project (EU-FOSSA) in 2016, without any issues being found.
LastPass and Other Proprietary Password Managers
LastPass, 1Password and Dashlane are some of the other popular password managers. They each offer a service that is much easier on the eyes than KeePass, and they can also be easier to set up and use. LastPass and Dashlane both have free options, as well as premium plans for a few dollars each month. 1Password only offers premium accounts, starting at similar prices. Each of these companies has been audited, without any major problems coming up.
At LuxSci, we offer our WebAides Password solution, which creates password lists and encrypts them for use with PGP. It is great for both personal and shared company use. The tool enables you to track who has accessed passwords, as well as when they did so. The passwords can be associated with links and notes, and can easily be shared with other users of your account. LuxSci’s WebAides also back up your passwords securely, and they can be exported for offline archival.
Still Confused About Passwords?
There is always going to be some degree of complexity when it comes to account management and passwords. The ultimate aim is to make things secure without making it too difficult for the user. If you want to make sure that you have the best of both worlds, the ideal setup is to use a password manager that stores unique passwords for each of your accounts.
All that you have to remember is your one long master password. If you make sure that it is a series of words, it shouldn’t be too hard to remember. For extra security, make sure that you are using 2-factor authentication with every account that lets you. Above all, absolutely NO PASSWORDS ON POST-IT NOTES.
If you would like to discuss how LuxSci can keep your data and communications secure, request a Free Consultation.