My cousin’s Facebook page was hacked again today…people were surprised and I’m sure that they, like myself, thought maybe he had finally learned his lesson about making a better password. However, he and the various family and friends of mine (as well as yours) get hacked all the time, brush it off and neglect to change their habits. The common thought is that if they just change their password, the threat is taken care of and it won’t happen again. Then a few months go by and they get hacked yet again. So, what’s the deal? Why do people get hacked so often despite changing their password?
Let’s talk about habits
Every three to six months like clockwork, IT makes you change your password at work. It’s always an exercise in “How hard do I have to try to keep my password so similar to my last one that I won’t forget it and yet beat IT’s stupid password policies at their own game?” You’ve been guilty at this thought and I’ve certainly been guilty at this thought. Even now, I still get annoyed when I have to change my password that I just got comfortable with. Let me guess what you do when this happens. You probably take a big sigh and push that “Remind me later” button until the very last day that you can change your password. Then that day comes and you curse yourself for not changing it before, because now you are going on vacation, a long weekend, or you won’t be back until after the holidays.
You and I know that when you get back, you will struggle to remember the new password, try what you think you did, try your old password with one character changed, and then realize you have one more attempt before you will be locked out and have to make a support call to IT. So, you take a big breath and try that password that you think you made, once again…50% of the time, you are lucky and swear to commit that sucker to memory before you leave for the day…the other 50% of the time, you get locked out, call IT, and have to prove that you are yourself, so that they can unlock it for you and give you a password that you will have to change when you log in. I’m going to take a guess that the password you create is similar to your last one and only differs by one character. That password is also probably the minimum length that is required by IT…8 characters, maybe 10 at the most. Its probably something simple like your dog’s name and your birthday mashed up together with an obligatory “!” for IT rules, or maybe its the make of your first car mashed up with your kid’s birthdate and a “$” for good measure. This is only if your IT is with it enough to enforce a password policy that uses security best practices, otherwise, you are forgoing all the best practices and you are just using your cat’s name as your password. I’m going to assume that if you are reading this, you are probably using a better password than “123456” or “password,” but your password just might not be cutting the mustard and I bet you use that same password (or a variation of it) for multiple accounts. I’m also going to guess that you probably don’t change your other multitude of passwords across your digital life on a basis as frequent as your company’s IT requires…or even in some cases since you first created the account.
This is what we call poor digital hygiene or at least an aspect of it. Digital hygiene consists of more than just passwords, but keeping up with password best practices helps keep your digital hygiene healthy. Don’t feel bad, most people have bad password habits and you can do something about it. Do you know what organization has the best password policies out there? It’s not the almighty Google, or really any Tech company out there. Most Tech companies (including Google) may adhere to best practices now, but I’m betting it was not always that way and they were certainly not leading the way in protecting digital information. The US Government has been leading the way in password policies, because they have so much information to protect. So, the guidance I give you here will reflect what password guidance NIST (National Institute of Standards and Technology) has released this year. Some of it may surprise you, because their guidance has changed in a way that puts less burden on the user and more burden on the verifiers of your passwords.
How to Construct Better Passwords
Better passwords are in your future and they don’t have to be impossible to remember, but the sheer amount of online accounts yield a fair amount of passwords to remember. You will want to use a unique password for each account you have. The theory behind this is that when hackers obtain a database of account information, they will sometimes publish the results. This allows other hackers to use the same account information to attempt to hack other services. If you use the same email/handle and password for every account you have online, you are increasing your odds of being hacked. Many popular online services have been hacked, had their account database lifted and published. A good way to see if you have your email and password on a published list is to check it against Have I Been Pwned. I would do this first if you haven’t changed your passwords in years, then you can focus your cleanup a little better (especially if you tend to use a few different email addresses or handles when signing up for online services).
Top 10 Passwords of 2016
Take a look at the top 10 most popular passwords of 2016 and steer clear of any password on that list, if you recognize some of them as similar to your own or identical, its time to make a change. These passwords can be cracked instantly by password crackers. There is a well known dictionary of them that is kept in password cracking software and these are the first passwords they look for. If you are unfamiliar with the phrase “Tango Down,” its a commonly used phrase among hacking communities like 4chan to indicate that the target has been acquired.
The longer your password is, the longer it will take for a password cracker software to guess your password. Most websites have a minimum length of 8 characters, this is simply not long enough. It will take 22 minutes for a password cracker to guess the correct password. Your new minimum should be 15 characters. Adding 7 more characters means it will take that same password cracker 44 million years to guess your password. Most online services can handle a 15 character password, some have trouble if you try to use 20 characters.
If you are limited to 10 characters, introduce some complexity to your password. Do not repeat characters (aaaa) or use sequential characters (1234abcd), instead mix it up. This is when those painful password policies will be better than nothing. Stick with 1 special character (if allowed), 1 number, 1 uppercase character and 1 lowercase character. Don’t do more than 2 numbers or more than 2 special characters, because you will not gain any more complexity benefits out of it when a password cracker is running. If you aren’t limited to 10 characters, password complexity is not nearly as important as password length. Make that password long and memorable. Use a pass phrase, they are more fun to use and more memorable. A pass phrase is when you use a phrase in place of a password. Pass phrases can consist of a favorite song lyric or the punchline of a joke you liked, the options are limitless. You also want to avoid sequential characters and repeat characters with long passwords, as these kinds of passwords are usually already in the password cracker’s dictionary of passwords to try.
Keep these things out of your passwords
Any information that you can get from an ID card, driver’s license, your facebook page, or a google search on yourself. You also don’t want to use your pet’s name or your child’s name, nor do you want to use their birthdays. Don’t use your company’s name, nor your job title, or your work phone number…all this can be grabbed from your email signature and will be the first thing an attacker would try to use if they were targeting your company. All of this information is easy to find, especially if someone you know is trying to hack your account. Hopefully, you aren’t in that kind of situation, but many women who are victims of domestic violence are in that kind of situation and should steer clear of using any identifiable information their abuser knows about them in the construction of their password.
Is your new password strong?
You can definitely find out. The site How Secure Is My Password? will test your password and see how long it will take a password cracker to guess it. It checks against the password cracker dictionaries and performs a computation based on length and good password policies. If you pass that test, I’d say you have a new password you can use.
How often should you change your passwords?
NIST is recommending that you don’t change your passwords until there is a need to change them. Meaning that you shouldn’t have to change your password unless the account database was breached for one of the services you use online, or in the case that your account was hacked. I’m going to throw one further, I would change passwords if you know that your password is less than 15 characters. I would also check and see if any of your emails show up on the Pwned lists, before you go on a password changing adventure across the web. Once you are certain that you have unique passwords for each online service you use and that they are all at least 15 characters long, I wouldn’t go on another password changing adventure unless you need to. However, I would periodically (every 6 months) check my email against the Pwned database if you don’t subscribe to their service that lets you automatically know when an account may have been compromised.
Unique passwords for each account are hard to keep track of
This is why I use a password manager if I can. Password managers allow you to store all of your passwords in their vault. They usually have a browser extension or plugin, where you can access the information you need as soon as you land on the site you want to log into. The only way to access the passwords in the database is by using a master password.
Some workplaces won’t let you install them or use them yet, but if your company does and they don’t make use of single sign on, it will save you a lot of time and brain space. I would definitely get one for your personal computer. Most of them also have an app for your phone that you can sync with your computer, so that even when you are away from your computer, you won’t be away from your passwords. 1Password has never steered me wrong and as far as I know, it has never been hacked. I would not store the database on the cloud though (clouds have been hacked before), you can store it locally on your computer and sync to it via Bluetooth when your phone is in range of your computer. LastPass is another popular one, but I know they have been hacked in the past, so I am a little cautious about using them.
Go Forth and Create Better Passwords
The US Government and Tech companies are currently looking for the “Password Solution,” this is the solution that gets us all away from having to use passwords to login to accounts. They realize that depending on users to keep up to speed on the latest in Password Security is pretty unrealistic without a massive campaign about it. Until then, these are the guidelines we have. Now, put some good tunes on, then go forth and create better passwords using pass phrases! Make those password crackers scream!