You’re creating an account on a website when you receive this all-too-common prompt: “Create a secure password.” You do what you always do — enter the same password you use for all of your other websites. Hey, if it ain’t broke, don’t fix it, right?
But reusing passwords creates a serious security risk. If a site has a security breach — which seems to happen on a daily basis — all of your accounts could be compromised.
We know, we know. You’ve heard all this before. Still, you keep reusing passwords for an obvious reason: You can remember them.
With a bit of practice, you can easily create unique passwords for every site you use. However, you’ll need to understand a few security basics to get started. Here’s what you need to know.
More Characters Means More Security…
The longer your password, the more difficult it is to crack. That’s pretty obvious, but the vast majority of computer users rely on passwords shorter than eight characters. An eight-character password composed of nothing but lowercase letters can be cracked in about one minute. Adding in capital letters lengthens that time…to five minutes.
A 12-character password comprised of lowercase characters would take about 11 days to crack. Add a single uppercase letter, and hackers would need to spend about 230,000 years to gain access.
…But Character Type Matters More.
The time frames above make an important assumption: The hacker is using a simple brute-force attack. That means that the hacker is trying every possible password, one at a time.
However, modern hackers rarely use brute-force techniques. Instead, they’ll try to guess the most common combinations of characters first — which is why you really shouldn’t use words in your password. A word basically carries the strength of a single character.
By using a mix of character types, you can drastically improve security. The password “dog” would take less than a second to crack, but “Dog234!” would take six hours. “Dog!@!@!@” would take about two years via brute-force.
Here’s One Way to Remember Extremely Secure Passwords.
This simple technique allows you to quickly create hacker-busting keywords in seconds (and next, we’ll look at an even easier method).
Start with a secure set of characters that you can memorize. For instance:
Obviously, you shouldn’t use those exact characters, but you get the idea; you’re starting with a chunk of characters that have no meaning whatsoever. Try to use a mix of uppercase letters, lowercase letters, numbers, and symbols. Commit this password to memory — that’s the only somewhat difficult part of this technique.
Once you’ve got your chunk of random characters, think of a word you’ll associate with the website in question. If you’re trying to remember a banking password, you might use the word “money.”
Adding that word to the password string will improve security — but not by much, since “money” essentially acts as a single character (remember, words aren’t really secure). However, by splitting the word on either side of the password “chunk,” you’ve got a fairly secure, memorable password:
You’ve now got a 12-character password with a healthy mix of characters, which would take about 500 million years to crack. You only had to memorize seven digits and one word.
Let’s say you need to make another password to access your favorite sports site:
The word “baseball” is on either side of the password chunk. Even if a hacker knows the chunk, they’re not going to be able to crack the other characters.
When In Doubt, Add Characters.
If that process is too difficult, simply add symbols (not numerals or letters) to a word. This isn’t quite as secure, but it provides plenty of protection from a simple brute-force attack, so it’s perfectly fine for most purposes.
Take a word like “dog,” then add some periods after it. The password “dog” would take less than a second to crack using brute-force methods. However, adding a few characters can quickly change the math:
That password would take several trillion years to crack using brute-force techniques alone. All you need to remember is the word “dog,” twelve periods, and an exclamation point.
You might vary the number of added characters depending on the website URL or any other variable that’s easily memorable. For instance, if you’re making a password for Datarecovery.com, you might use sixteen periods (one for each character in our URL).
No Password is Perfect.
Finally, remember that a strong password doesn’t completely protect you from online threats. If the website in question uses outdated security protocols, hackers could still gain access to your accounts. You can mitigate this risk by enabling two-factor authentication whenever possible. We’ll have another blog about the importance of two-factor authentication soon, but in the meantime, enjoy the peace of mind that comes with truly secure (and unique) passwords.
If you’ve forgotten a password, or if you’re trying to build better security practices for your business, contact us here or call us at 1-800-237-4200 to speak with a password recovery specialist.