They guard a huge amount of personal data, but many people are not doing everything they can to keep their passwords safe. Here are some tips for making yours as secure as possible.
Every person and business has their own personal kingdom protected by their passwords. These little words can hold the keys to bank accounts, administration systems and other applications which contain all sorts of highly sensitive information. The bad news is that cyber criminals are out hunting for them and that both businesses and people are extremely bad at choosing safe passwords.
According to data from NordPass Research, millions of people keep their accounts safe by using their own name, an approach which is a bit like locking your door but leaving the keys in the lock. Other popular choices include favourite bands such as One Direction and football teams such as Liverpool, both of which registered high up in the list of popular passwords. This is one reason why you often see dodgy Facebook posts challenging you to come up with the names of your favourite team, your first pet or where you went to school. All of these crop up commonly as passwords and as answers to security questions.
At the same time, more than half of people routinely use the same passwords to secure multiple accounts. This includes the 51% of people who use the same passwords for their personal and work accounts. This could be incredibly dangerous as any breach of your employees’ accounts could also result in a breach of yours.
Cyber criminals know all this, and with the rise of remote work, with people logging into their work accounts from outside the office, the world has opened up to them. Cracking people’s passwords can open the door to a world of opportunity. If you haven’t done so already, it’s time to take a look at your passwords to make sure they are up to scratch.
This starts with assessing the common types of attack and working out how to defeat each of them.
Brute force attack
The first approach is the cybercrime equivalent of rushing the barricades. Cyber criminals will simply try every possible combination to guess your password. In doing this they are helped by an increasingly sophisticated array of complex automated software which quickly scans through all the combinations it can think of.
These get more sophisticated as time goes on, with the most sophisticated running billions of combinations every second. In many cases, these will be able to crack most passwords within a few hours.
The only way to beat this attack is to go for length and complexity. The longer your password, the more difficult it will be for the hackers to crack. As you may have already spotted, many systems insist on minimum character lengths and complexity – such as mixing in numbers and special characters. The more abstract and complex the password gets, the more difficult it will be for those brute force attacks to guess. To be safe, it’s worth going much further than the minimum requirements and aiming for at least 15 characters.
Dictionary attack
The next attack works in a similar way but relies on our tendency to use single, easy-to-remember words. It might be a word which for some reason has resonance – such as all those people using their favourite football team. Alternatively, some people may feel safer using a random word which has no apparent connection to their real life.
Even so, hackers will be able to beat this approach by simply rolling through every word in the dictionary until they strike gold. If you’ve only used one word, it will be a matter of time before the hackers get in.
Ways to combat this are to use a combination of words, with varying cases, and to add in numbers or special characters. You should be wary of easily guessed substitutes, such as swapping letters for numbers as in Ative8, or D00rB811 for Doorbell. Hackers are wise to this approach and so are the algorithms they design. You could also try mixing up different place names, verbs and languages. For example, a dictionary attack might guess someone using the word DustBin as a password but would struggle to guess DustBinQuagmireAttackMerciBeaucoup. This has the benefit of being complicated enough to fox the hackers, but memorable enough that you don’t forget it.
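As an added illustration of the two points above (this is not code from the original article): a small Python script that estimates brute-force time at the billion-guesses-per-second rate the article cites and, for the dictionary attack, undoes common letter-for-number substitutions and checks whether a password is just a chain of wordlist entries. The mini wordlist, the assumed 200,000-entry attacker dictionary and the four case patterns per word are constructed assumptions for the estimate.

```python
import re

GUESSES_PER_SECOND = 1e9   # the article's "billions of combinations every second"
DICTIONARY_SIZE = 200_000  # assumed entry count of a real attacker's wordlist
CASE_PATTERNS = 4          # assumed case variants tried per word (lower, Title, UPPER, mixed)

# Constructed mini wordlist standing in for a real cracking dictionary (illustrative only).
WORDLIST = {"door", "bell", "doorbell", "liverpool", "password", "dust", "bin",
            "quagmire", "attack", "merci", "beaucoup"}

# Substitutions a cracking rule set undoes before the wordlist comparison (representative subset).
LEET = str.maketrans("013457@$", "oleastas")


def charset_size(pw):
    """Size of the alphabet a brute-force attack must cover for this password."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33  # printable ASCII punctuation and space
    return size


def brute_force_hours(pw):
    """Hours to try every string of this length over this alphabet."""
    return charset_size(pw) ** len(pw) / GUESSES_PER_SECOND / 3600


def segment(s):
    """Split s into WORDLIST words by dynamic programming; None if impossible."""
    parts = {0: []}
    for end in range(1, len(s) + 1):
        for start in range(end):
            if start in parts and s[start:end] in WORDLIST:
                parts[end] = parts[start] + [s[start:end]]
                break
    return parts.get(len(s))


def dictionary_hours(words):
    """Hours for an attack that chains len(words) wordlist entries with case variants."""
    return (DICTIONARY_SIZE * CASE_PATTERNS) ** len(words) / GUESSES_PER_SECOND / 3600


def assess(pw):
    """Return (brute-force hours, dictionary words found or None, dictionary-attack hours or None)."""
    words = segment(pw.translate(LEET).lower())
    return brute_force_hours(pw), words, dictionary_hours(words) if words else None
```

Running `assess` on a constructed substitution password such as D00rBe11 shows roughly 60 hours of brute force but a fraction of a second once the substitutions are undone, while the six-word phrase from the article is out of reach of both estimates even when every word is in the attacker's list.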
Phishing attack
The fastest rising and perhaps most insidious approach is the phishing attack. This takes guess work out of the equation and attempts to persuade you to simply hand over the keys to everything. It works on a basic principle for criminals – it’s much easier to trick someone into handing over the keys to their car than it is to break in and steal them.
Essentially, this approach takes the form of an email, often containing a link, which claims to be from a source you trust – often a bank or another financial institution – asking you to log into your account. Often the attackers are using guesswork, claiming to be from a well-known company in the hope that they’ve matched an account you have. They may also have done some research using publicly available information. For example, if you’ve ever shouted at your bank on Twitter to shame them into giving you better service, hackers might use this to tailor their phishing attacks to you.
These attacks are becoming much more sophisticated. Language is more convincing, and branding is developed to more closely resemble the organisations they are trying to mimic. These realistic looking emails get around our natural defences by persuading us that no hacker could be this sophisticated or have this much information about us. The reality is that they are, and they do.
The only way to guard against this approach is to not fall for it. That means educating yourself and using common sense to ensure you never click on a suspicious link.
This is becoming an increasingly complex process. Hackers are getting much better at attacking password-protected logins. The best response is to upgrade your passwords. This can take time and you may fear you’ll struggle to remember them all, but in a world in which cyber threats are everywhere, spending time recovering forgotten passwords is a whole lot better than the alternative.