When choosing a password, most people don’t place much of an importance on the complexity or uniqueness of the password to ensure it’s secure. Unfortunately, hackers out there are continually scanning and attempting to remotely exploit your passwords to all of your accounts.
The damage and devastation they can cause can be significant, especially if they gain access to things such as your online banking, your business website or even all the files on your PC.
Think of it like your home or car, how often do you leave your door unlocked or use a very simple latch? It’d make it a great target for thieves to exploit since they don’t have to worry about breaking in. The same problem exists with computer passwords, hackers continually look for and try very weak passwords as an easy method of access.
Hackers use what’s called “dictionary attacks”, meaning they have a database of the most commonly used passwords in which they attempt to gain access with. Even those who think they have obfuscated their password by using something such as “Pa@ssW0rd” are very vulnerable to attack. Even worse, something as simple as “Password1” or “12345678” has been used by hundreds of thousands of others and therefore one of the most easily hacked. They then combine it with typically used English words as well as combinations of your username to attempt to brute force your passsword.
A recent study by TrustWave (one of the world leaders for online security) found that in a database of 3.1 million compromised passwords, only 33% were unique. That means on average, two out of the three passwords you’ve used have also been used by someone else. Would you feel safe knowing that your car or house keys were exactly the same as others? I know I certainly wouldn't!
Once a hacker has gained access to a system such as your email account, they can then do things such as request password resets for systems such as Facebook, eBay, PayPal, Dropbox and many, many other systems. If you have all of your emails online, it also means that they're able to read all of your emails. This information could then be used for identity theft to commit credit card fraud or used to further exploit and trick other people. It's not a nice situation to find yourself in, that's for sure.
How to ensure your passwords are secure
Now that you know why you need to secure your password, the next question is how. Here’s a quick checklist to reference:
Use a complex password
The easier the password is, the easier it is to crack or guess. The most effective way to prevent this is ensuring that your password isn’t based on something that’s easy to guess or generate. A basic 6 character password (no matter how complex) can be cracked in less than one minute with modern computing power.
Here’s a checklist:
Don’t use dictionary words, or passwords that contain your username, personal name or business name
Ensure that the password is at least 8 characters long (10 or more is recommended)
Ensure that you include at least one uppercase character, one non-alphanumeric character (eg !@#%^&*) and at least one numeric character
Where possible, go for a longer password as the length significantly contributes to how hard this is to crack. XKCD have a great comic based on this very scenario:
There are various online tools to help you generate secure passwords, here's a few we recommend:
Test the Complexity
Never use the same password twice
Regardless of how complex the password is, the moment it’s compromised (meaning someone has access to it) it means hackers have access to all of your other accounts. For example, if you set the same password for your Facebook account and your online banking, any security problem with Facebook would mean hackers could access your online banking.
Keep your passwords in a safe place
Treat your passwords just the same as you do your office or house key.
Don’t store your passwords in a word document or text file on your computer. Either use an encrypted password storage system (such as LastPass, 1Password or KeePass) or store a written copy of your passwords in your safe. Never leave them laying about in your office or home, someone may copy them without you even knowing!
Further security measures
Having a secure password is a good start, but you can take it further than this. Where possible, use Two Factor Authentication (TFA). This means that not only do you need to use a password, but you also need verification from a secondary system. This could be a code via an SMS message, an App on your phone like the Google Authenticator or a physical token generator like the RSA SecurID.
Having two-factor authentication in place ensures that even if your password has been compromised, you’re still protected through this secondary authentication method. Even if a hacker was able to get a copy of your password, they need the secondary authentication to be able to proceed. There's no easy way for them to bypass this, which is what makes the two-factor system much more secure.
There’s also fancy systems like Clef, which replace having to manually type in passwords with their unique phone camera based app. This still features pin code protection and therefore still provides TFA yet saves you having to type in passwords and security tokens. This makes it the perfect balance between ensuring you have a secure system and still remaining easy to use.
By ensuring you're using secure passwords, you protect one of the most commonly exploited methods of gaining information or access to your systems. Hackers are always looking at ways of improving their efficiency of attacks, so it's important to stay vigilant.
We also recommend that you investigate the use of a password manager (such as LastPass, 1Password or KeePass) as well as two-factor authentication for any critical systems. Conetix will be rolling out two-factor authentication in the near future and already support it for standalone VPS's with Plesk. You can view a list of which platforms support TFA here: https://twofactorauth.org/.
Lastly, always ensure that your anti-virus and anti-malware systems are up-to-date. If a keylogger is installed on your system, then your password will be compromised no matter how complex it is.