Password Security

If you’re like most people, you probably use the same password for most of your accounts. That password is easy to remember, and probably includes a person’s name or a word in the English language. If any of this sounds familiar, then you have a serious security problem. If one of your accounts hasn’t already been hacked, you should consider yourself extremely lucky. We recommend that you change all of your important accounts to use secure passwords before it is too late.

Passwords Are Only as Secure as Their Owner

If you open suspicious emails, visit untrusted websites without running a script blocker, or plug in USB drives you find in your parking lot, then password security is not your only problem. It’s like setting up a sophisticated alarm system for your house and leaving the spare key under the doormat. No matter how good your passwords are, everything is just as vulnerable if hackers already have another way into your system. Learn the basics of computer security and how to use and navigate the web safely. If you don’t take preventative measures, you could end up learning the hard way.

How Would Someone Hack My Account?

When someone is trying to hack into your account, they are not likely to be sitting in front of the login screen, scratching their head and guessing passwords. Hackers will use automated programs to systematically try all password combinations. This is known as a brute force attack. Sophisticated algorithms will try the more likely combinations first, such as the ones using words, just lowercase letters, or combinations of lowercase letters and numbers. They may even incorporate any data they may have about you, such as your birthdate or spouse’s name. Because these types of passwords are commonly used, hackers may be able to reduce the number of password combinations to try, which in turn reduces the average time to crack a password and increases the likelihood for hacking a given account.

Some of your accounts, such as the ones for financial institutions, may detect brute force attempts and either notify you or lock the account for a specified period of time. However, not all accounts are set up to do this, and some may require you to enable that setting manually. To be on the safe side, it’s best to use secure passwords for all of your accounts, regardless of the system’s security features.

So What Makes a Good Password?

Your objective in choosing a good password is not just to pick something that another person will not be able to guess. You also want to maximize the number of character combinations that would need to be tried. Doing this causes brute force attacks to take much longer to crack your password. Unfortunately, people gravitate towards using the easiest passwords that they can. If the minimum password length is 6 characters, most people will choose a 6 character password. If numbers, uppercase letters, and special characters are not required, most people will not use them. Because of this, a hacker will try the easiest combinations first, and possibly not even bother with the more difficult combinations.

Suppose your account requires a minimum of 6 characters in the password. Consider the following examples:

1. If you used 6 characters and only lowercase letters, then there are 26⁶≈ 309 million combinations.
2. If you used 6 characters and a combination of lowercase letters and numbers, then there are 36⁶≈ 2.2 billion combinations.
3. If you used 6 characters and a combination of lowercase letters, uppercase letters, and numbers, then there are 62⁶≈ 56.8 billion combinations.
4. If you used 6 characters and a combination of lowercase letters, uppercase letters, numbers, and special characters, then there are at least 94⁶≈ 689 billion combinations.

If someone had a program that could figure out a password meeting the requirements of #1 after an average of 1 day, then that same program would take an average of 6 years to to figure out a password meeting the requirements of #4. If you used more than the minimum of 6 characters, then the number of combinations, and average time required for figuring out the password, will increase even more.

Best Practices for Effective Password Security

• Use more than the minimum number of characters. Each additional character you have in your password makes it significantly harder for a program to crack your password through a brute force attack.
• Use a combination of lowercase letters, uppercase letters, numbers, and special characters. A variety of characters also makes it significantly harder for a program to crack your password through a brute force attack. You can close your eyes and hit random keys on your keyboard, or use a random password generator. If using a random password generator, we recommend as an added precaution that you change some of the characters from the password that is given to you.
• Use a different password for each account. This significantly reduces the risk of more than one account becoming compromised at the same time. When you do this, you will likely not be able to remember all of the passwords and you will need to store all of your passwords in one place. If you do, make sure that location is secure and of course safely password protected. Memorize the password to that account and make sure to keep a backup.
• Change your passwords from time to time. If someone gets into one of your accounts and does not change the password or otherwise does something to alert you to their presence, you never know what they could be doing or what they may plan to do. Changing your passwords can limit the damage that a hacker might do.
• Don’t give your passwords to other people, even those you trust, unless absolutely necessary. The more places a password is stored, the less secure that password becomes. If you give somebody one of your account passwords, and they write it down, or store it on their computer or email account, then you are just providing more ways for your password to get into the wrong hands.