Passwords or Passphrases?
When it comes to creating a secure password, countless misconceptions are floating around the digital ether. For instance, many of us believe the old method of “making passwords complicated to avoid them getting cracked” is still effective. In practice, people are poor at remembering complicated passwords, so we tend to use the same complicated password for everything, write it down, or get it wrong so many times that we get fed up and just use something simple. As a result, nowadays, it’s actually better to use longer “passphrases” as opposed to shorter passwords.
Passwords Can Be Guessed
Let’s face it, passwords can be guessed. Tell me your dog’s name, the street you grew up on, your year of birth and your mother’s maiden name and I’ll tell you the name of your perfect partner or job… How many of us have seen these seemingly innocuous quizzes on Facebook and answered them without thinking? They may seem like a bit of fun, but hackers use Facebook quizzes to access and steal your personal information.
Common Phishing Tactics…
The most common goal of phishing is tricking victims into providing their passwords or credentials without even being aware of it, known as “password harvesting”. Facebook quizzes, as mentioned above, are just one example of this. The term refers to the attack technique of grabbing legitimate user IDs and passwords to gain access to target systems for illegal purposes, and it is a commonly applied way of obtaining sensitive data. The most common methods of password harvesting occur via:
- Insecure sites, for example, the TalkTalk hack of 2015, which affected 157,000 customers, or the Ashley Madison coding blunder, which made 11 million passwords easy to crack
- Spoofed emails and faked login pages. This is where email and password re-use really hurts and can include anything from credit card to bank account hacks
With so many ways for hackers to gain sensitive data, and so many large-scale examples being publicised on a regular basis, it’s important to take password security seriously, in order to perfect the “art” of password creation.
Yet, when it comes to remembering multiple passwords in a bid to access day-to-day accounts and software, morning logins can become increasingly tedious and long-winded. That’s where many find writing their passwords down crucial to their success.
How to Protect your Password from Hackers…
Consider the amount of time it would take to hack your password; making that time as long as possible is ultimately what you’re trying to do when creating a password. So, think beyond complex conundrums and the use of special characters; smarter solutions are required to outsmart prospective hackers.
Here are some of the most commonly used password-protection tactics. Some are admittedly mediocre in the security that they provide (but are still commonly utilised today), while others offer the ultimate levels of security…
Password Padding
What is password padding? Well, it’s a “security” method people use to make their passwords longer (usually between 15-20 characters) by framing a core password with additional characters on both ends. Many believe that doing so makes their password stronger.
So, if your normal password is Goldfish1, then you would add something different for each site to increase the length, e.g., FacebookGoldfish1, EmailGoldfish1. The downside of this is that it is easily guessable once the attacker has established a pattern.
Overall, it’s not recommended. We’ve included it as an option simply because it is a reasonably common practice. Unfortunately, that doesn’t make it the right option.
Special Characters
Many of us are under the impression that the use of capital letters, numbers and special characters can assist in creating a more secure password. For example, lots of people like to exchange the “p” for a “P”, the “a” for an “@” or the “o” for a “0”, so “password” becomes “P@ssw0rd”. The trouble is hackers recognise most of the commonly used special character themes and search for them accordingly.
In fact, using supercomputer power – and this is readily available with Amazon Web Services and other providers of on-demand cloud computing platforms – it could take a mere 1.12 minutes to crack the password “P@ssw0rd”. On the other hand, “thisismyverylongandsecurepassword” would take 1.64 hundred billion trillion centuries using the same guess rate. We’d therefore advise that you only implement the special character tactic when combined with one of the other methods below…
Long Passphrases
Security experts agree that a password should have a minimum of 12-14 characters. Length is the method that gives you protection, not complexity. A combination of the two factors, length and complexity, is a good tactic in terms of protection but can be hard to recall. So, think of a favourite quote, song lyric, or perhaps your favourite phrase and give that a try.
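The crack-time comparison in the Special Characters section and the length-over-complexity point above can be checked with a short calculation. This is an added example, not part of the original article; the guess rate of 100 trillion per second is an assumption (the article does not state one), chosen because it reproduces the 1.12-minute figure and gives roughly 1.6 hundred billion trillion centuries for the long passphrase. The word list is a constructed sample.

```python
import string

# Assumption: the article gives no guess rate; 100 trillion guesses per second
# is used here because it reproduces its 1.12-minute figure for "P@ssw0rd".
GUESSES_PER_SECOND = 1e14
SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600

# Constructed sample list; real cracking wordlists hold millions of entries.
COMMON_WORDS = {"password", "goldfish", "letmein", "qwerty"}
# Undo the swaps the article describes ("@" for "a", "0" for "o") and similar.
UNLEET = str.maketrans({"@": "a", "0": "o", "3": "e", "$": "s", "!": "i"})


def alphabet_size(password):
    """Size of the character set an exhaustive search has to cover."""
    classes = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
               (string.digits, 10), (string.punctuation + " ", 33)]
    return sum(n for chars, n in classes if any(c in chars for c in password))


def search_space(password):
    """Number of candidates of every length up to len(password)."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def worst_case_seconds(password):
    """Time to exhaust the whole search space at the assumed guess rate."""
    return search_space(password) / GUESSES_PER_SECOND


def is_dictionary_variant(password):
    """True if case changes, symbol swaps and trailing digits hide a listed word."""
    core = password.rstrip(string.digits).lower().translate(UNLEET)
    return core in COMMON_WORDS


if __name__ == "__main__":
    for pw in ("P@ssw0rd", "thisismyverylongandsecurepassword"):
        secs = worst_case_seconds(pw)
        print(f"{pw!r}: alphabet={alphabet_size(pw)}, {secs / 60:.3g} minutes, "
              f"{secs / SECONDS_PER_CENTURY:.3g} centuries, "
              f"dictionary variant={is_dictionary_variant(pw)}")
```

The dictionary check flags “P@ssw0rd” and “Goldfish1” as variants of listed words, so a wordlist-driven search finds them long before an exhaustive search would.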
Password Manager
Using a password manager in combination with long, complicated passwords is a reasonable security method. A password manager assists in generating and retrieving complex passwords, potentially storing such passwords in an encrypted database and calculating them on demand. It’s a practical method until the database corrupts, you forget the password manager login, or otherwise lose access.
Two Factor Authentication (2FA)
If you use online banking, you will be using 2FA already. 2FA is a two-step process involving 3 elements – username, password and token. Firstly, you log in, then you get the 2FA prompt – if you fail at 2FA, the final login is denied. Generally, the tokens are generated on your mobile phone and expire every 30 seconds. This means that even if a hacker gains knowledge of your username and password, without the code from your phone, they are unable to access your data.
Examples of different 2FA apps that you can use include Google Authenticator, which is free but tied to the device it is on, and Authy, which has some paid elements (but only at heavy use or high corporate level) and can be backed up to a cloud-linked account, making it a great option should you lose your phone.
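The 30-second codes described above are typically time-based one-time passwords (TOTP, RFC 6238). The following is an added example, not part of the original article, showing how a code is derived from a shared secret and how the second login step checks it; the function names, the one-window drift allowance and the demo secret (the RFC test key) are assumptions made for illustration.

```python
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30  # codes change every 30 seconds, as described above
DIGITS = 6

# Constructed demo secret (the RFC 6238 test key); real secrets are random
# and are shared once between the service and the phone app.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret, now=None):
    """RFC 6238: HOTP with the counter set to the current 30-second window."""
    now = time.time() if now is None else now
    return hotp(secret, int(now // STEP_SECONDS))


def verify_login(password_ok, secret, submitted, now=None, drift_windows=1):
    """Two-step check: the code is only considered after the password step
    succeeds, and failing either step denies the login."""
    if not password_ok:
        return False
    now = time.time() if now is None else now
    counter = int(now // STEP_SECONDS)
    # Accept neighbouring windows to tolerate small clock differences.
    for c in range(max(0, counter - drift_windows), counter + drift_windows + 1):
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(hotp(secret, c).encode(), submitted.encode()):
            return True
    return False


if __name__ == "__main__":
    code = totp(DEMO_SECRET, now=59)
    print("code at t=59s:", code)
    print("accepted at t=59s:", verify_login(True, DEMO_SECRET, code, now=59))
    print("accepted at t=119s:", verify_login(True, DEMO_SECRET, code, now=119))
```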
How Rio IT Can Help…
Rio IT makes extensive use of 2FA. Some of our staff have around 20 services configured with individual codes on their mobile devices. On platforms you use regularly, the 2FA feature can be suspended (e.g., Facebook on a mobile device, or Outlook email on your desktop) so you don’t have to keep typing the codes in; however, it does prevent a malicious 3rd party from logging in on a different device.
If nothing else, we hope this article has given you a small insight into using 2FA where possible. This method, after all, is the best in terms of strength. We would, however, advise that you combine the 2FA method with long passphrases (see point no.3), as a doubly secure tactic. For more information, contact us at Rio IT today; we’d be happy to help.