Want to Keep Your Passwords Safe & Your Accounts Protected? Here’s How

June 28th, 2018

Passwords are the bane of modern existence. Most of us have dozens or hundreds of accounts with passwords to keep track of. Many people are probably also using the same easy passwords for each of these accounts. Don’t be ashamed if that’s you because many people do it. Just be prepared to listen.

If you use the same, simple passwords for all of your accounts, you are making yourself much more vulnerable to an attack. This means that threat actors can work their way into your personal or business accounts and wreak havoc on your life and your company. If you want to minimize the chances of this happening, then you need to know how passwords can be stolen and the best ways to protect them.

How Do Attackers Get People’s Passwords?

To understand the best ways to protect your passwords, you need to know how attackers acquire them in the first place. Their methods can be simple, such as looking at the Post-It notes on someone’s monitor, or they may work in a place where they have access to customer passwords (such as the operators you talk to when you call up your bank). If these individuals abuse their positions and save customer passwords, they can try to use them on other accounts owned by the same customer, which is why you should have separate passwords for each account.

There are also more technical methods. These include eavesdropping on insecure connections to capture login credentials, so you should only log in to websites you trust, and only over secure (encrypted) connections. Attackers can also break into company databases. If these store customer credentials in plaintext, the attackers can log straight into those customers' accounts, and try the same credentials anywhere else the password was reused.

One of the key methods of entry is guessing passwords. Cybercriminals employ brute force attacks, which are essentially an automated way of working through candidate passwords. Cracking tools start from lists of the most common passwords (abc123, password, and so on) and then move on to dictionary attacks, word substitution, and pattern checking. They try each candidate until they find one that works.

With offline password cracking, attackers can take as many guesses as they have the computing power for. This can be billions of attempts per second or much higher. While these rates may seem worrying, the important takeaway is that you need to choose passwords that are prohibitively expensive to crack.

Suppose there are 94 possible keyboard characters that you can construct a password from (upper case letters, lower case letters, numbers, and symbols). In that case, the number of possible combinations is 94^n, where n is the length of the password. With a four-character password, there are 78,074,896 possible combinations. With a six-character password, there are 689,869,781,056. With an eight-character password, there are 6,095,689,385,410,816 possible combinations.

Each of these passwords could be cracked in a trivial amount of time if the attacker had enough motivation and computing power behind them. Despite this, you can see the dramatic difference in the number of combinations you get by making the password just two characters longer. Because of this exponential effect, making your password longer makes it significantly more difficult to crack.
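The arithmetic above, worked through as an added example (this code is not part of the original article and is not LuxSci's): it reproduces the 94^n figures for several lengths, converts each keyspace to bits of entropy, and estimates the average offline cracking time. The guess rate of ten billion per second is an assumption chosen to illustrate "billions per second"; the 7,776-word list size used for the passphrase comparison at the end is also an assumption (the size of a standard Diceware list).

```python
import math

# 26 upper case + 26 lower case + 10 digits + 32 keyboard symbols = 94 (as in the article)
KEYBOARD_ALPHABET = 94

# Assumed offline guess rate for the comparison below: 10 billion guesses per second.
# The article only says "billions per second or much higher"; this figure is an assumption.
ASSUMED_GUESSES_PER_SECOND = 1e10


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols drawn from the alphabet."""
    return alphabet_size ** length


def entropy_bits(space: int) -> float:
    """Strength in bits of a password chosen uniformly at random from `space` possibilities."""
    return math.log2(space)


def expected_crack_seconds(space: int, guesses_per_second: float) -> float:
    """Average offline cracking time: on average the attacker tries half the keyspace."""
    return (space / 2) / guesses_per_second


def format_duration(seconds: float) -> str:
    """Render seconds in the largest unit that fits, for a readable comparison table."""
    units = [
        ("years", 365.25 * 24 * 3600),
        ("days", 24 * 3600),
        ("hours", 3600),
        ("minutes", 60),
    ]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.3f} seconds"


def compare_lengths(lengths, alphabet_size=KEYBOARD_ALPHABET,
                    guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """One row per length: (length, keyspace, entropy in bits, average crack time in seconds)."""
    rows = []
    for n in lengths:
        space = keyspace(alphabet_size, n)
        rows.append((n, space, entropy_bits(space),
                     expected_crack_seconds(space, guesses_per_second)))
    return rows


if __name__ == "__main__":
    print(f"{'len':>4} {'keyspace':>28} {'bits':>6}  avg crack time at {ASSUMED_GUESSES_PER_SECOND:.0e}/s")
    for n, space, bits, secs in compare_lengths([4, 6, 8, 10, 12, 16]):
        print(f"{n:>4} {space:>28,} {bits:>6.1f}  {format_duration(secs)}")

    # The same arithmetic applies to a passphrase of random words. Assumed: a list of
    # 7,776 words (the size of a standard Diceware list) and five words drawn from it.
    phrase_space = keyspace(7776, 5)
    print(f"\n5 random words from a 7,776-word list: {phrase_space:,} possibilities, "
          f"{entropy_bits(phrase_space):.1f} bits, "
          f"{format_duration(expected_crack_seconds(phrase_space, ASSUMED_GUESSES_PER_SECOND))}")
```

Run it directly and the table shows the jump the article describes: at the assumed rate an eight-character password falls in a few days on average, while each extra two characters multiplies the work by 8,836. The entropy figure is the useful comparison point, because it lets a word-based passphrase be measured on the same scale as a character-based password.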

How Should You Be Keeping Your Passwords Safe?

For a long time, the standard recommendations for passwords weren’t practical or particularly safe. You probably remember having to change your passwords every few months, and like many people, you may have only changed one character–how else would you have been able to remember it? You probably also had passwords that were only eight or so characters long that required capitalization and one symbol, but you could never remember which letter needed to be capitalized.

Thankfully, the 2017 NIST Guidelines came around and restored some sanity to the realm of password requirements. The National Institute of Standards and Technology develops the standards government departments must abide by, and many of their recommendations flow to private enterprises.

The 2017 guidelines focused on usability and on increasing security in a practical manner. They scrapped the need to change passwords frequently and to capitalize or use symbols in passwords. They also recommended using two-factor authentication and that systems accept passwords of at least 64 characters, among a host of other changes.

The general recommendation is to have long passwords that are easy to remember but hard for computers to guess. A good way of doing this is by using a series of unrelated words, such as force, separate, null, question, and fowl. Together, they become forceseparatenullquestionfowl, a password of 29 characters. To make it even more secure, you can incorporate symbols and numbers. To help remember a password like this, you can try to form a mental picture from the words.

It’s important not to use a sentence, a famous quote, or song lyrics because these will be much easier to crack. Ideally, it would be best to use an online random word generator, because our minds are pretty bad at coming up with genuinely random terms.
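A random word generator of the kind the article recommends, as an added example (not the article's or LuxSci's code): it draws words with the operating system's cryptographic random source rather than letting a person pick them, can append the optional number and symbol, and reports how many bits of entropy a given list size and word count give. The embedded word list is constructed for the demonstration and is far too small for real use; the 7,776-word list size mentioned in the output is an assumption.

```python
import math
import secrets
import string

# Constructed sample word list, for demonstration only. It is far too small for real use:
# a real generator should draw from a list of several thousand common, unrelated words.
SAMPLE_WORDS = [
    "force", "separate", "null", "question", "fowl", "anchor", "basket", "candle",
    "desert", "engine", "fabric", "garden", "hammer", "island", "jacket", "kettle",
    "ladder", "marble", "needle", "orbit", "pepper", "quilt", "ribbon", "saddle",
    "timber", "umbrella", "velvet", "walnut", "yellow", "zipper", "bridge", "copper",
]

SYMBOLS = "!@#$%^&*-_=+"


def passphrase_entropy_bits(list_size: int, word_count: int) -> float:
    """Entropy when each word is chosen uniformly and independently from the list."""
    return word_count * math.log2(list_size)


def words_needed(target_bits: float, list_size: int) -> int:
    """Smallest word count whose passphrase entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(words, word_count=5, separator="", add_digit_and_symbol=False):
    """Build a passphrase from random words.

    `secrets` uses the operating system's CSPRNG; `random.choice` is not suitable
    because its output is predictable to anyone who learns its internal state.
    """
    if len(set(words)) < 2:
        raise ValueError("word list must contain at least two distinct words")
    chosen = [secrets.choice(words) for _ in range(word_count)]
    phrase = separator.join(chosen)
    if add_digit_and_symbol:
        # The optional number and symbol the article mentions, also drawn from the CSPRNG.
        phrase += secrets.choice(string.digits) + secrets.choice(SYMBOLS)
    return phrase


if __name__ == "__main__":
    bits = passphrase_entropy_bits(len(SAMPLE_WORDS), 5)
    print(f"sample list: {len(SAMPLE_WORDS)} words, 5 words give {bits:.1f} bits (too weak)")
    print(f"words needed for 64 bits from this list: {words_needed(64, len(SAMPLE_WORDS))}")
    print(f"words needed for 64 bits from an assumed 7,776-word list: {words_needed(64, 7776)}")
    print("example:", generate_passphrase(SAMPLE_WORDS, 5))
    print("example with digit and symbol:",
          generate_passphrase(SAMPLE_WORDS, 5, add_digit_and_symbol=True))
```

The entropy depends only on the list size and the number of words, not on how long the words happen to be, which is why a phrase built from a short list is weak no matter how long it looks. Five words from the 32-word sample list give 25 bits; reaching 64 bits from that list would take 13 words, whereas five words from a 7,776-word list already give about 64.6 bits.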

Trying to remember a long password for each of your accounts can be a big issue. A great solution is to use a password manager, a program that stores a separate long password for each of your accounts in an encrypted vault. You have to remember only the one master password for the password manager, and the program fills in the password for each of your accounts. It’s a simple way to boost your security without the struggle of having to remember dozens of passwords.

Which Is the Best Password Manager for You?

When choosing the best password manager, the first thing that you should do is consider your risk profile. Do you have highly valuable information? Are you likely to be a target? Are you super paranoid and want to make sure that things are locked down tight? The reasoning behind this is that maximizing your security often comes with costs to usability and convenience.

Any of the password management solutions listed below will probably be fine for most people. Those who consider themselves at high risk may want to do more research to find a password management tool that best suits them.

KeePass

KeePass is a popular password-management tool that provides reliable password encryption for free. The biggest downside is that the software can be more challenging to use, and it is not as slick and intuitive as the other options. It has been around since 2003, and because it is open-source, anyone can inspect the code. The KeePass 1.3.1 code was audited by the European Free and Open Source Software Auditing project (EU-FOSSA) in 2016 without any issues.

LastPass and Other Proprietary Password Managers

LastPass, 1Password, and Dashlane are some of the other popular password managers. They each offer a service that is easier to set up and use. LastPass and Dashlane both have free options and premium plans for a few dollars each month. 1Password only offers premium accounts, starting at similar prices. Each of these companies has been audited without any significant problems identified.

LuxSci

At LuxSci, we offer our WebAides Password solution, which creates password lists and encrypts them for use with PGP. It is excellent for both personal and shared company use. The tool enables you to track who has accessed passwords and when they did so. The passwords can be associated with links and notes and easily be shared with other users of your account. LuxSci’s WebAides also back up your passwords securely, and they can be exported for offline archival.

Still Confused About Passwords?

There will always be some degree of complexity when it comes to account management and passwords. The ultimate aim is to secure sensitive data without making it too difficult for the user to access. If you want to make sure that you have the best of both worlds, the ideal setup is to use a password manager that stores your accounts’ unique passwords.

All that you have to remember is your one long master password. It shouldn’t be too hard to remember if you make sure that it is a series of words. For extra security, ensure that you are using two-factor authentication with every account that lets you. Above all, absolutely NO PASSWORDS ON POST-IT NOTES.

If you would like to discuss how LuxSci can keep your data and communications secure, request a Free Consultation.