The importance of strong passwords
Why should you care about creating strong passwords? The reality for most of us these days is that our digital life is as robust and saturated with personal information as the lives that we live offline. This applies to both our work lives and personal ones. That’s all well and good, but it also means that protecting our online information is increasingly important and a strong password is your first line of defense.
With the proliferation of information we store and access online, strong passwords are a part of the barrier protecting not only hyper-sensitive data like personal and company financial information, customer details and internal correspondence and protocols, but also key information about you that can be used to gain access to other parts of your life or commandeer your identity.
Check out ITeck CEO Paul King’s latest Tech Talks video blog on passwords!
What IS a Good Password Strategy?
Password best practices evolve quickly as they try to keep up with attackers. But there are several key concepts to keep in mind when developing your password strategy, and more than likely such a strategy will require a change in your habits. Most of us have learned to use the same small selection of passwords across multiple sites. This practice is no longer good enough: security is only as strong as its weakest link, and therefore your password choice is a cornerstone of the security chain.
- The best passwords combine both length and complexity. However, password length is the most surefire way to slow attackers down if they are trying to use a brute-force attack to break into your information. The difference between cracking an average 8-character alphanumeric random password and a comparable 16-character password is measured in years! For example, it can take 3 hours to crack an all-lowercase 8-character password, while a 12-character password using letters, numbers, and symbols takes about three years to crack. Each added character multiplies the number of possible passwords, so length adds uncertainty and makes the password exponentially harder to crack.
- This means that passphrases really are the way to go. A long string of easy-to-remember words or an unusual phrase can likely be more secure than a shorter collection of random characters. And in reality, you don’t actually need special characters and numbers if that inhibits how you apply your password strategy. A password that is 40 characters long and uses both upper- and lower-case alphabetical characters will take more than 1,000 years to crack.
- Another caveat to take into consideration: if you are using the same password across multiple sites, then your information is still exposed, no matter how long your password is, because one breached site gives up the password for all of them. One of the most straightforward ways to address this challenge is to use a password manager. There are a lot of different solutions out there today at many different price points, so as long as you are willing to invest a bit of time in setting up your password management solution, you will dramatically improve your digital security.
- Similarly, if you fall victim to a phishing attack, neither the length nor the complexity of your password will matter one bit. So stay vigilant, follow good sense and your company’s email policies, and check out our case study of a spear-phishing campaign to better understand how such techniques might target you.
- A step you can take prior to jumping into the password manager game is to make use of your browser’s strong password suggestions. Most of the main browsers offer this service and will store your logins for various sites so you don’t have to remember a long list of abstract passphrases. In addition, there are other services out there to help you make sure you’re using strong passwords. For example, earlier this year, Google Chrome launched a browser extension called Password Checkup that can highlight potential risky passwords during your daily web browsing activity. Such tools reference databases of passwords that are already out there floating around on the internet and provide a warning if you try to use them.
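The first two points above (length beats complexity, and passphrases built from several words are as strong as or stronger than short random strings) come down to counting possibilities. The following calculator is an added example, not part of the original article; the character-set sizes, the 7,776-word list size and the attacker speed of 10 billion guesses per second are assumptions chosen for illustration, so the absolute times it prints will differ from the article's figures, but the ranking of the password shapes is what matters.

```python
import math

# Character-set sizes used in the estimates below (constructed for this
# example; the last entry is the 95 printable ASCII characters).
CHARSETS = {
    "lowercase": 26,
    "mixed case": 52,
    "alphanumeric": 62,
    "alphanumeric + symbols": 95,
}

# Illustrative attacker speed (an assumption, not a figure from the article):
# offline guessing against a fast, unsalted hash on GPU hardware.
GUESSES_PER_SECOND = 10_000_000_000


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of the given length and character set."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Strength in bits: each character adds log2(charset_size) bits."""
    return length * math.log2(charset_size)


def passphrase_entropy_bits(dictionary_size: int, words: int) -> float:
    """Entropy of a passphrase made of `words` random picks from a list of
    `dictionary_size` words (order matters, repeats allowed)."""
    return words * math.log2(dictionary_size)


def expected_crack_seconds(bits: float, guesses_per_second: int) -> float:
    """Average time for exhaustive search: on average the attacker has to try
    half of the 2**bits possibilities before hitting the right one."""
    return (2.0 ** bits) / 2 / guesses_per_second


def human_duration(seconds: float) -> str:
    """Express a duration in the largest unit that fits, for a readable report."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600),
             ("hours", 3600), ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


def compare_policies(guesses_per_second: int = GUESSES_PER_SECOND) -> list:
    """Return (description, bits, expected seconds) for several password
    shapes, including word-based passphrases, so they can be ranked."""
    candidates = [
        ("8 chars, lowercase", entropy_bits(26, 8)),
        ("8 chars, alphanumeric", entropy_bits(62, 8)),
        ("12 chars, alphanumeric + symbols", entropy_bits(95, 12)),
        ("16 chars, alphanumeric", entropy_bits(62, 16)),
        ("40 chars, mixed case", entropy_bits(52, 40)),
        # Words drawn at random from a 7,776-word (diceware-style) list
        ("4-word passphrase (7,776-word list)", passphrase_entropy_bits(7776, 4)),
        ("6-word passphrase (7,776-word list)", passphrase_entropy_bits(7776, 6)),
    ]
    return [(desc, bits, expected_crack_seconds(bits, guesses_per_second))
            for desc, bits in candidates]


if __name__ == "__main__":
    for desc, bits, secs in compare_policies():
        print(f"{desc:38s} {bits:6.1f} bits  ~{human_duration(secs)}")
```

The estimate assumes the words or characters are chosen at random; a phrase an attacker can guess from a quotation list or a dictionary of common phrases does not get the full bit count, which is why the article's advice is an unusual phrase or randomly chosen words rather than a famous line.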
Good digital security practices go beyond just the length and complexity of your password.
- Always enable multi-factor authentication when available.
- Use a password manager. As noted above, this really is one of the most comprehensive ways to address the challenge of using diverse passwords across all your different online logins. There are of course some downsides to this strategy, but we feel that the pros far outweigh the cons.
- Understand how your information may be targeted. There are two main kinds of breach: the kind you can prevent and the kind you can’t. We put a lot of our information and our trust in the hands of the companies and vendors that provide the services that organize our lives. Unfortunately, there is not a lot we can do when our mobile phone company is hacked or a company that holds some of our financial information is compromised. The best thing you can do is to stay aware when these breaches happen and ensure that a password exposed in such a breach is not reused on your other accounts. However, as mentioned above, you can avoid phishing scams and limit the impact of larger breaches.
Additional Resources and Other News
With all the major data breaches over the past 10 years, it is incredibly likely that at least one of your passwords is out there floating around on the internet. The key is to make sure that password doesn’t unlock all your secure information on other sites as well. You can check whether your email address and/or passwords have appeared in a breach by plugging them into ‘;--have i been pwned?, a useful tool developed by Troy Hunt, a cybersecurity researcher, writer and teacher who is also a Microsoft regional director. It can be a bit scary, but it is also excellent incentive to develop and implement a more secure password strategy.
There are also a few tools out there that you can use to test the strength of the passwords you already use. Both Kaspersky and PassFault offer good options. But be forewarned: don’t plug your password into any old website, unless of course you plan on changing it immediately. These are more of a fun tool for seeing why your new password strategy is so much more secure than your previous one built from your cat’s name and your spouse’s birthdate.
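The warning above about typing a password into arbitrary websites is exactly the problem the Pwned Passwords service avoids: its range API takes only the first five hex characters of the password's SHA-1 hash and returns every breached hash suffix in that bucket, so the password itself never leaves your machine. The script below is an added example, not code from the article or from Have I Been Pwned; the `RANGE_API` URL and the `SUFFIX:COUNT` response format are the service's documented interface, while the canned response, its breach counts and the `canned_fetch` helper are constructed here so the check can be exercised offline.

```python
import hashlib
from typing import Callable, Dict

# Pwned Passwords range endpoint: GET <RANGE_API><first 5 hex chars of SHA-1>.
# The response lists "SUFFIX:COUNT" lines for every breached hash in that bucket.
RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple:
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix that
    is sent to the service and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a {suffix: count} dict, skipping blanks."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Live lookup with the standard library; only the 5-char prefix is sent."""
    import urllib.request
    req = urllib.request.Request(RANGE_API + prefix,
                                 headers={"User-Agent": "pw-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """How many times `password` appears in the breach corpus (0 if never).
    `fetch` is injectable so the logic can be tested against a canned reply."""
    prefix, suffix = sha1_prefix_suffix(password)
    counts = parse_range_response(fetch(prefix))
    return counts.get(suffix, 0)


# Constructed stand-in for the live response to prefix 5BAA6, the bucket that
# SHA-1("password") falls into. The first suffix is the genuine remainder of
# that hash; the other suffixes and all the counts are made up for this demo.
CANNED_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
003D68EB55068C33ACE09247EE4C639306B:3
012C192B2F16F82EA0EB9EF18D9D539B0DD:12
"""


def canned_fetch(prefix: str) -> str:
    """Offline substitute for fetch_range: only the 5BAA6 bucket is populated."""
    return CANNED_RESPONSE if prefix == "5BAA6" else ""


if __name__ == "__main__":
    # Swap canned_fetch for fetch_range (the default) to query the live service.
    for candidate in ("password", "correct horse battery staple"):
        n = breach_count(candidate, fetch=canned_fetch)
        status = f"seen {n:,} times in breaches" if n else "not in the canned bucket"
        print(f"{candidate!r}: {status}")
```

Because the server only ever sees a five-character prefix shared by hundreds of other hashes, this is the safe way to automate the "is this password already out there?" check that the article recommends, for example as a pre-check when a user picks a new password.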
It’s also worth noting that there is a movement away from plain passwords as the keys to our online digital lives. Google and the FIDO Alliance (a consortium that develops authentication standards) recently collaborated to make on-device authentication, such as the fingerprint reader on your phone, usable for online logins in a way that is both more seamless and more secure. In the future this may of course present its own problems, but for now it is an important step in reducing the prevalence of phishing attacks and makes secure web browsing so much easier.
Finally, if you want something more in-depth that covers everything from password advice to threat modeling and which apps use the best encryption and share the least of your information, check out Vice Magazine’s Motherboard Guide to Not Getting Hacked 3.0.
This article is the third in an ITeck series on digital security. Check out the other pieces in the series and stay tuned for our next installment.
Paul King is the founder and CEO of ITeck Solutions LLC, an IT and business consulting firm based in the DC Metro area. Paul has more than 20 years of experience in the design and implementation of cost-effective, high-performance technical solutions that meet the challenging and evolving business and technology needs of clients in diverse industries.